Flow Trace Filtering by Content Routing Policy and Debug Duration Control (8.0.0)
FortiWeb 8.0.0 introduces two enhancements to its debug infrastructure to improve troubleshooting efficiency and operational safety:
- Flow trace filtering by content routing policy enables targeted diagnostics in scenarios where multiple content routing policies share the same virtual server.
- Debug duration control automatically disables debug output after a configured time, helping prevent performance degradation caused by forgotten debug sessions.
These features extend the filtering and control mechanisms introduced in earlier versions and are especially useful in high-scale or production environments where minimizing debug overhead is critical.
Summary of Enhancements:

| CLI Command | Enhancement |
|---|---|
| diagnose debug flow filter content-routing-policy <policy_name> | Adds support for filtering flow trace output by content routing policy name, enabling more targeted debugging in multi-policy deployments. Available only in Reverse Proxy mode. See Content Routing Policy Filtering. |
| diagnose debug duration <minutes> | Introduces time-based control for debug output. Automatically disables debug after the configured duration to reduce performance impact from long-running sessions. See Debug Duration Management. |
| diagnose debug info | Enhanced to display the global debug state and all active flow filters, including the new content routing policy filter and duration-based state. See CLI Output Enhancements. |
Content Routing Policy Filtering
FortiWeb 8.0.0 introduces a new command, diagnose debug flow filter content-routing-policy, which allows you to filter flow trace output by content routing policy name. This enhancement is designed for environments where many content routing policies share a single virtual server—such as FortiWeb Cloud or multi-tenant setups—making it difficult to isolate debug traffic using only virtual server IP or policy ID.
This filter is available only in Reverse Proxy mode and takes effect during the server pool selection stage, which occurs on the first HTTP request of a session.
Behavior:
- When the first HTTP request in a client connection matches the specified content routing policy, the entire session is marked for debug.
- In this context, a session includes both the frontend connection and any associated backend connections initiated as part of the same client request flow.
- Once matched, all subsequent requests within that connection, regardless of which routing policy they trigger, will produce debug output.
- The match state is stored in the session and persists for the duration of the connection, even if the flow filter is modified afterwards. The filter is consulted only at server pool selection on the first request, so a connection whose first request does not match is not traced later in its lifetime.
Example:
FortiWeb # diagnose debug flow filter content-routing-policy ?
<policy name>    the policy name
root.HTTPcr_policy
root.HTTPcr2
root.HTTPcr50
root.opo
FortiWeb # diagnose debug flow filter content-routing-policy root.HTTPcr_policy
FortiWeb # diagnose debug flow trace start
FortiWeb # diagnose debug flow filter client-ip 1.2.3.4
FortiWeb # diagnose debug flow filter server-ip 5.6.7.8
FortiWeb # diagnose debug flow filter server-port 8080
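The session-marking rules above are easy to misread when a filter is changed while traffic is flowing. The following Python is an added illustration written for this page, not FortiWeb code: it models only the content-routing-policy dimension of the filter (the client-ip, server-ip and server-port filters are left out) and walks through three cases: a first request that matches, a first request that does not match, and a filter change after a session has already been marked. The policy names are taken from the example above; the session and tracer classes are this model's own.

```python
"""Illustrative model of FortiWeb's content-routing-policy flow filter.

Added example for this page, not FortiWeb source. It encodes the rules the
page states: the filter is evaluated once, at server pool selection on the
first HTTP request of a connection; a match marks the whole session, frontend
and backend legs alike; and the mark outlives later filter changes.
Other flow filters (client-ip, server-ip, server-port) are not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Session:
    client: str
    evaluated: bool = False           # True once the first request was seen
    marked: bool = False              # decided at the first request, never changed
    trace: List[str] = field(default_factory=list)


class FlowTracer:
    def __init__(self, content_routing_policy: Optional[str] = None):
        # None: no content-routing-policy filter, so every session is marked
        # (simplification: the other filters are ignored in this model).
        self.content_routing_policy = content_routing_policy

    def set_filter(self, content_routing_policy: Optional[str]) -> None:
        """Change the filter; only sessions evaluated after this are affected."""
        self.content_routing_policy = content_routing_policy

    def on_request(self, sess: Session, routing_policy: str, path: str) -> bool:
        """Handle one HTTP request on `sess`; return True if it was traced."""
        if not sess.evaluated:
            # Server pool selection: the only point at which the filter is checked.
            sess.evaluated = True
            want = self.content_routing_policy
            sess.marked = want is None or want == routing_policy
        if sess.marked:
            # A marked session emits both legs of the request flow.
            sess.trace.append(f"[frontend] {sess.client} {path} matched {routing_policy}")
            sess.trace.append(f"[backend]  {sess.client} {path} -> pool selected by {routing_policy}")
        return sess.marked


def demo() -> dict:
    """Walk through the three documented behaviours and return what was traced."""
    tracer = FlowTracer("root.HTTPcr_policy")

    # 1. First request matches: the session is marked, and later requests on
    #    the same connection are traced even when another policy routes them.
    a = Session("1.2.3.4")
    a_first = tracer.on_request(a, "root.HTTPcr_policy", "/login")
    a_second = tracer.on_request(a, "root.HTTPcr2", "/api/v1/items")

    # 2. First request does not match: nothing on this connection is traced,
    #    not even a later request that would have matched, because the filter
    #    is only consulted at pool selection on the first request.
    b = Session("10.0.0.7")
    b_first = tracer.on_request(b, "root.HTTPcr2", "/")
    b_second = tracer.on_request(b, "root.HTTPcr_policy", "/login")

    # 3. Filter changed mid-session: the existing mark persists, while a new
    #    connection is evaluated against the new filter.
    tracer.set_filter("root.HTTPcr50")
    a_after = tracer.on_request(a, "root.HTTPcr2", "/logout")
    c = Session("1.2.3.4")
    c_first = tracer.on_request(c, "root.HTTPcr_policy", "/login")

    return {
        "a": [a_first, a_second, a_after],   # [True, True, True]
        "b": [b_first, b_second],            # [False, False]
        "c": [c_first],                      # [False]
        "a_trace_lines": len(a.trace),       # 6: two legs for each of three requests
    }
```

The practical consequence for troubleshooting: changing `content-routing-policy` (or issuing a new filter) does not silence sessions that were marked under the old value. To stop those traces you end the connection or stop the trace itself.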
Debug Duration Management
The new command, diagnose debug duration, has been added to allow time-based control of debug output. This enhancement ensures that debug sessions automatically terminate after a specified duration, reducing the risk of performance issues caused by extended or forgotten debug states.
Key points:
- The timer starts when diagnose debug enable is issued.
- When the duration expires, the global debug state is automatically disabled.
- Existing debug filters remain configured but inactive until re-enabled with diagnose debug enable.
- Use diagnose debug disable or diagnose debug reset to fully clear debug settings.
Example:
FortiWeb # diagnose debug duration
diagnose debug duration is unlimited
FortiWeb # diagnose debug duration 60
duration is set to 60 minutes
FortiWeb # diagnose debug duration
The current duration is 60 minutes
FortiWeb # diagnose debug enable
FortiWeb # diagnose debug duration
The current duration is 60 minutes, 0 minutes and 2 seconds have passed
CLI Output Enhancements
The output of diagnose debug info has been updated to reflect the new debug infrastructure introduced in this release. These updates improve visibility into the global debug configuration and make it easier to verify which filters are active across the system.
New output fields:
- global debug state: Indicates whether global debug output is currently enabled. This setting is independent of any traffic-specific debug filters or ongoing SSH sessions.
- filter: content-routing policy <name>: Displays the name of the currently active content routing policy filter, if configured (the value is the full name as listed by the command's help, for example root.HTTPcr_policy). This filter affects debug output for matching traffic sessions, not administrative sessions.
These enhancements reduce ambiguity in multi-session environments and improve confidence when verifying whether debugging is enabled system-wide.
Example:
Before setting debug duration and the content routing policy flow trace filtering:
FortiWeb # diagnose debug info
global debug state: disable
debug output: disable
console output: disable
serial output: disable
debug timestamp: disable
sysinit output: disabled
writedisk: 0
CLI debug level: 3
Modules disabled status: disabled
Modules disabled: None
flow-filter:
flow trace: 0
filter: flow-detail 1
filter: http-detail 0
filter: session-detail: 0
filter: url condition not set.
After enabling flow trace filtering for a specific content routing policy and client/server connection:
FortiWeb # diagnose debug info
global debug state: enable
debug output: disable
console output: disable
serial output: disable
debug timestamp: disable
sysinit output: disabled
writedisk: 0
CLI debug level: 3
Modules disabled status: disabled
Modules disabled: None
flow-filter:
flow trace: 1
filter: client_ip 1.2.3.4
filter: server_ip 5.6.7.8
filter: server_port 8080
filter: content-routing policy root.HTTPcr_policy
filter: flow-detail 1
filter: http-detail 0
filter: session-detail: 0
filter: url condition not set.
In this example, flow tracing has been enabled for traffic from client IP 1.2.3.4 to server IP 5.6.7.8 on port 8080, for sessions whose first request matches the content routing policy root.HTTPcr_policy. The flow trace detail level is set to 1.
However, debug output: disable shows that output is still off for this SSH session. Even though the filters are configured and the global debug state is enabled, the CLI will not display flow trace output until debug output is explicitly enabled in this session using diagnose debug enable. This distinction helps avoid confusion when troubleshooting in environments with multiple administrators or sessions.
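Because a forgotten trace is exactly the risk this release addresses, it is worth being able to check the state of several units without reading raw CLI output by eye. The following Python is an added example written for this page (not a FortiWeb tool) that serves both the diagnose debug duration output above and the diagnose debug info output in this section: it parses both, as they would be captured over SSH, into a small structure and flags the two states a practitioner would not want to leave behind, global debug enabled with unlimited duration, and flow trace started with no traffic filter. The embedded outputs are constructed copies of the examples on this page; the field names, the audit rules and the "unfiltered" variant are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the `diagnose debug info` output shown above, after the
# filters were set. Not captured from a live appliance.
DEBUG_INFO_FILTERED = """\
global debug state: enable
debug output: disable
console output: disable
serial output: disable
debug timestamp: disable
sysinit output: disabled
writedisk: 0
CLI debug level: 3
Modules disabled status: disabled
Modules disabled: None
flow-filter:
flow trace: 1
filter: client_ip 1.2.3.4
filter: server_ip 5.6.7.8
filter: server_port 8080
filter: content-routing policy root.HTTPcr_policy
filter: flow-detail 1
filter: http-detail 0
filter: session-detail: 0
filter: url condition not set.
"""

# Constructed variant (assumption, not from the page): trace started with no
# traffic filter at all, so every session would be traced.
DEBUG_INFO_UNFILTERED = """\
global debug state: enable
debug output: enable
flow-filter:
flow trace: 1
filter: flow-detail 1
filter: http-detail 0
filter: session-detail: 0
filter: url condition not set.
"""

# Constructed copies of the `diagnose debug duration` responses shown above.
DURATION_UNLIMITED = "diagnose debug duration is unlimited"
DURATION_RUNNING = "The current duration is 60 minutes, 0 minutes and 2 seconds have passed"

# Filters that narrow which traffic is traced. The *-detail entries only set
# verbosity and do not restrict traffic, so they are deliberately excluded.
TRAFFIC_FILTERS = ("client-ip", "server-ip", "server-port", "content-routing-policy")

_FILTER_RE = re.compile(
    r"^(client_ip|server_ip|server_port|content-routing policy|"
    r"flow-detail|http-detail|session-detail):?\s+(.+)$"
)


def parse_debug_info(text: str) -> Dict[str, object]:
    """Parse `diagnose debug info` output into three flags plus a filter map."""
    state: Dict[str, object] = {
        "global_debug": False, "debug_output": False, "flow_trace": False, "filters": {}
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("global debug state:"):
            state["global_debug"] = line.split(":", 1)[1].strip() == "enable"
        elif line.startswith("debug output:"):
            state["debug_output"] = line.split(":", 1)[1].strip() == "enable"
        elif line.startswith("flow trace:"):
            state["flow_trace"] = line.split(":", 1)[1].strip() == "1"
        elif line.startswith("filter:"):
            m = _FILTER_RE.match(line[len("filter:"):].strip())
            if m:  # "url condition not set." carries no value and is skipped
                key = m.group(1).replace("_", "-").replace(" ", "-")
                state["filters"][key] = m.group(2).strip()
    return state


def parse_duration(text: str) -> Dict[str, Optional[int]]:
    """Return {'minutes': configured value or None if unlimited, 'elapsed_s': seconds}."""
    if "unlimited" in text:
        return {"minutes": None, "elapsed_s": 0}
    m = re.search(r"duration is (?:set to )?(\d+) minutes", text)
    minutes = int(m.group(1)) if m else None
    e = re.search(r"(\d+) minutes and (\d+) seconds have passed", text)
    elapsed = int(e.group(1)) * 60 + int(e.group(2)) if e else 0
    return {"minutes": minutes, "elapsed_s": elapsed}


def remaining_seconds(duration: Dict[str, Optional[int]]) -> Optional[int]:
    """Seconds until the global debug state auto-disables; None if unlimited."""
    if duration["minutes"] is None:
        return None
    return duration["minutes"] * 60 - duration["elapsed_s"]


def audit(info: Dict[str, object], duration: Dict[str, Optional[int]]) -> List[str]:
    """Flag debug states that risk becoming a forgotten, system-wide trace."""
    findings: List[str] = []
    if info["global_debug"] and duration["minutes"] is None:
        findings.append("global debug enabled with unlimited duration; "
                        "set 'diagnose debug duration <minutes>' before enabling")
    if info["flow_trace"] and not any(k in info["filters"] for k in TRAFFIC_FILTERS):
        findings.append("flow trace started without a client-ip/server-ip/server-port/"
                        "content-routing-policy filter; every session will be traced")
    return findings
```

Run against the page's own example, the filtered state with a 60-minute duration produces no findings and 3598 seconds remaining; the same filters with an unlimited duration produce one finding, and the unfiltered variant with an unlimited duration produces two. Note that `debug output: disable` in the parsed state means only that this SSH session will not print the trace; the global state and the timer are what matter for load on the appliance.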