본문 바로가기

업무이야기/Security

[FortiGate의 자주 쓰는 debug 명령]

by 쫑콩아빠 2018. 5. 8.
728x90
[FortiGate의 자주 쓰는 debug 명령]
 
1. diagnose debug flow
 
diag debug flow 명령은 FortiGate 의 inbound->outbound 트래픽의 flow를 확인할 수 있습니다.
 
filter, show, trace 3가지로 구성
 
FGT82C3109600076 # diagnose debug flow filter addr 122.49.65.221
 
FGT82C3109600076 # diagnose debug flow show console enable
show trace messages on console
 
FGT82C3109600076 # diagnose debug flow trace start 10
 
FGT82C3109600076 # id=36870 trace_id=21 msg="vd-root received a packet(proto=1, 122.49.65.222:1024->122.49.67.40:8) from port2."
id=36870 trace_id=21 msg="Find an existing session, id-0004a929, original direction"
id=36870 trace_id=22 msg="vd-root received a packet(proto=1, 122.49.67.40:1024->122.49.65.222:0) from local."
 
2. diagnose sniffer packet
 
FGT82C3109600076 # diagnose sniffer packet any "icmp" 4
 
문법
# diag sniffer packet <interface> <'filter'> <verbose> <count> <a>
 
<interface> can be an Interface name or "any" for all Interfaces.
<'filter'> is a very powerful filter functionality which will be described in more detail.
<verbose> means the level of verbosity as described already.
<count> the number of packets the sniffer reads before stopping. '0'이면 무한수행.
<a> absolute timestamps를 화면에 출력(하지만 반드시 <count> 가 있을때만 유효) defailt는 Relative timstamps이므로, 상대적인 시간만 나옴.
 
<verbose>
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
 
diagnose sniffer packet any "" 4 0 a
 
패킷 스니퍼
- ICMP확인
dia sniff packet port3 icmp 100
- TCP SYN 100개 확인
dia sniff packet port3 'tcp[13]==2' 100 0 a
- TCP SYN & SYN ACK 100개 확인
dia sniff packet port3 'tcp[13]&2==2' 100
 
3. NP2 ASIC accelerate enable/disable
 
FG3K6A3407600192 (global) # diagnose npu np2 fastpath
e2prom View E2PROM data
fastpath Configure fastpath
fastpath-sniffer Configure fastpath sniffer by port
list Display all NP2 devices
performance View NP2 performance
register View NP2 registers
status View NP2 device status
 
FG3K6A3407600192 (global) # diagnose npu np2 fastpath disable 0
 
4. NP4 ASIC accelerate enable/disable
 
# diagnose npu np4 fastpath disable 0
 
주의1) NP4 Fast Path disabled. Please clear session to clear existing path.
 
주의2) traffic log는 session is expired 되어야 기록됨.
 
설정법 .
 
==================================================================
 
diag debug flow filter <name> <value>
 
- 디버그 흐름추적 필터 추가 <필터옵션> <필터값/없으면any>
 
diag debug flow show console enable
 
- 디버그 내용 접속화면에 표시
 
diag debug flow show function-name enable
 
- 디버그 흐름추적시 사용된 함수이름 표시
 
diag debug flow trace start <repeat number>
 
- 디버그 흐름추적을 할 갯 수
 
diag debug enable
 
- 디버그 시작
 
==================================================================
예제 1. (외부와의 통신 디버깅)
 
인터페이스의 출발지, 세션의 종류, 적용된 정책, 적용된 vdom, 적용된 라우팅 등을 많은 정보를 볼 수 있음.
 
==================================================================
 
diag debug flow filter add 192.168.10.4
 
diag debug flow show console enable
 
diag debug flow show function-name enable
 
diag debug flow trace start 100
 
diag debug enable
 
==================================================================
 
...to stop the debug, type "diag debug flow trace stop"
 
 
 
20085 trace_id=29 func=get_new_addr line=1240 msg="find SNAT: IP-222.110.157.103, port-46024"
 
20085 trace_id=29 func=fw_forward_handler line=320 msg="Allowed by Policy-5: SNAT"
 
20085 trace_id=29 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->222.110.157.103:46024"
 
20085 trace_id=30 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
 
20085 trace_id=30 func=resolve_ip_tuple line=2908 msg="allocate a new session-02bb75c1"
 
20085 trace_id=30 func=rpdb_srv_match line=422 msg="Match policy routing: to 222.234.226.3 via ifindex-3"
 
20085 trace_id=30 func=vf_ip4_route_input line=1599 msg="find a route: gw-121.131.216.126 via wan1"
 
20085 trace_id=30 func=get_new_addr line=1240 msg="find SNAT: IP-121.131.216.116, port-46025"
 
20085 trace_id=30 func=fw_forward_handler line=320 msg="Allowed by Policy-7: SNAT"
 
20085 trace_id=30 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
 
20085 trace_id=31 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
 
20085 trace_id=31 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-02bb75c1, original direction"
 
20085 trace_id=31 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
 
예제2. (TP모드의 내부끼리의 통신 디버깅)
 
==================================================================
 
diag debug flow filter add 192.168.10.4
 
diag debug flow show console enable
 
diag debug flow show function-name enable
 
diag debug flow trace start 100
 
diag debug enable
 
==================================================================
 
...to stop the debug, type "diag debug flow trace stop"
 
Example of debug flow output when traffic flows :
 
id=20085 trace_id=113 msg="vd-tp_mode received a packet(proto=6, 192.168.10.4:4370->192.168.10.2:23) from internal."
id=20085 trace_id=113 msg="Find an existing session, id-00000a40, original direction"
id=20085 trace_id=113 msg="enter fast path"
id=20085 trace_id=113 msg="send out via dev-dmz1, dst-mac-00:01:02:03:04:05"

 

 

728x90

'업무이야기 > Security' 카테고리의 다른 글

Scheduled Daily Reboot of FortiGate  (0) 2018.05.08
FortiGate DNS Translation  (0) 2018.05.08
Fortigate IPv6 over IPv4 VPN Tunnel  (0) 2018.05.08
FortiGate Service Objects Category별 우선 순위  (0) 2018.05.08
FortiSandbox Cluster  (0) 2018.05.08