
[Frequently used FortiGate debug commands]

쫑콩아빠 2018. 5. 8. 10:39
 
1. diagnose debug flow
 
The diag debug flow command lets you trace the flow of inbound->outbound traffic through the FortiGate.
 
It consists of three parts: filter, show and trace.
 
FGT82C3109600076 # diagnose debug flow filter addr 122.49.65.221
 
FGT82C3109600076 # diagnose debug flow show console enable
show trace messages on console
 
FGT82C3109600076 # diagnose debug flow trace start 10
 
FGT82C3109600076 # id=36870 trace_id=21 msg="vd-root received a packet(proto=1, 122.49.65.222:1024->122.49.67.40:8) from port2."
id=36870 trace_id=21 msg="Find an existing session, id-0004a929, original direction"
id=36870 trace_id=22 msg="vd-root received a packet(proto=1, 122.49.67.40:1024->122.49.65.222:0) from local."
 
2. diagnose sniffer packet
 
FGT82C3109600076 # diagnose sniffer packet any "icmp" 4
 
Syntax
# diag sniffer packet <interface> <'filter'> <verbose> <count> <a>
 
<interface> can be an Interface name or "any" for all Interfaces.
<'filter'> is a very powerful filter functionality which will be described in more detail.
<verbose> means the level of verbosity as described already.
<count> the number of packets the sniffer reads before stopping. '0' means run indefinitely.
<a> prints absolute timestamps (only valid when <count> is also given). The default is relative timestamps, so only relative times are shown.
 
<verbose>
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
 
diagnose sniffer packet any "" 4 0 a
 
Packet sniffer
- Check ICMP
dia sniff packet port3 icmp 100
- Capture 100 TCP SYN packets
dia sniff packet port3 'tcp[13]==2' 100 0 a
- Capture 100 TCP SYN and SYN-ACK packets
dia sniff packet port3 'tcp[13]&2==2' 100
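As an added example (not from the original post), a small Python check of what the two flag-byte filters above actually select. It builds constructed 20-byte TCP headers and evaluates 'tcp[13]==2' (exact byte match, so only a pure SYN) against 'tcp[13]&2==2' (SYN bit set, so SYN and SYN-ACK both pass); only the tcp[N]==V and tcp[N]&M==V filter shapes are supported, and the sniffer's own output format is not emulated.

```python
import re
import struct

# TCP flag bits live in byte 13 of the TCP header, the byte the filters index.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_tcp_header(flags, sport=40000, dport=23):
    """Constructed minimal 20-byte TCP header: data offset 5, checksum left at 0."""
    offset_and_flags = (5 << 12) | flags  # byte 12 = offset/reserved, byte 13 = flags
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_and_flags, 65535, 0, 0)

# Constructed segments (name -> raw header bytes), not real captures.
SAMPLES = {
    "SYN": build_tcp_header(TCP_FLAGS["SYN"]),
    "SYN-ACK": build_tcp_header(TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    "ACK": build_tcp_header(TCP_FLAGS["ACK"]),
    "FIN-ACK": build_tcp_header(TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"]),
    "RST": build_tcp_header(TCP_FLAGS["RST"]),
}

# The two filter shapes used on this page: tcp[N]==V and tcp[N]&M==V
FILTER_RE = re.compile(r"^tcp\[(\d+)\](?:&(\d+))?==(\d+)$")

def match_filter(expr, header):
    """Evaluate a byte-offset filter such as 'tcp[13]&2==2' against one TCP header."""
    m = FILTER_RE.match(expr.replace(" ", ""))
    if not m:
        raise ValueError("unsupported filter: %s" % expr)
    offset, mask, value = m.groups()
    byte = header[int(offset)]
    if mask is not None:
        byte &= int(mask)  # mask first, then compare, as 'tcp[13]&2==2' does
    return byte == int(value)

def select(expr, samples=SAMPLES):
    """Names of the constructed segments the filter would let through."""
    return [name for name, hdr in samples.items() if match_filter(expr, hdr)]

if __name__ == "__main__":
    for expr in ("tcp[13]==2", "tcp[13]&2==2", "tcp[13]&18==18"):
        print(expr, "->", select(expr))
```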
 
3. NP2 ASIC acceleration enable/disable
 
FG3K6A3407600192 (global) # diagnose npu np2 fastpath
e2prom View E2PROM data
fastpath Configure fastpath
fastpath-sniffer Configure fastpath sniffer by port
list Display all NP2 devices
performance View NP2 performance
register View NP2 registers
status View NP2 device status
 
FG3K6A3407600192 (global) # diagnose npu np2 fastpath disable 0
 
4. NP4 ASIC acceleration enable/disable
 
# diagnose npu np4 fastpath disable 0
 
Note 1) NP4 Fast Path disabled. Please clear session to clear existing path.
 
Note 2) The traffic log is written only once the session has expired.
 
How to configure
 
==================================================================
 
diag debug flow filter <name> <value>
 
- Add a debug flow trace filter: <filter option> <filter value; any if omitted>
 
diag debug flow show console enable
 
- Display the debug output on the connected console
 
diag debug flow show function-name enable
 
- Display the name of the function used at each step of the flow trace
 
diag debug flow trace start <repeat number>
 
- Number of flow traces to capture
 
diag debug enable
 
- Start debugging
 
==================================================================
Example 1. (Debugging communication with an external host)
 
The output shows a lot of information: the ingress interface, the session type, the policy applied, the VDOM applied, the routing applied, and so on.
 
==================================================================
 
diag debug flow filter add 192.168.10.4
 
diag debug flow show console enable
 
diag debug flow show function-name enable
 
diag debug flow trace start 100
 
diag debug enable
 
==================================================================
 
...to stop the debug, type "diag debug flow trace stop"
 
 
 
20085 trace_id=29 func=get_new_addr line=1240 msg="find SNAT: IP-222.110.157.103, port-46024"
 
20085 trace_id=29 func=fw_forward_handler line=320 msg="Allowed by Policy-5: SNAT"
 
20085 trace_id=29 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->222.110.157.103:46024"
 
20085 trace_id=30 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
 
20085 trace_id=30 func=resolve_ip_tuple line=2908 msg="allocate a new session-02bb75c1"
 
20085 trace_id=30 func=rpdb_srv_match line=422 msg="Match policy routing: to 222.234.226.3 via ifindex-3"
 
20085 trace_id=30 func=vf_ip4_route_input line=1599 msg="find a route: gw-121.131.216.126 via wan1"
 
20085 trace_id=30 func=get_new_addr line=1240 msg="find SNAT: IP-121.131.216.116, port-46025"
 
20085 trace_id=30 func=fw_forward_handler line=320 msg="Allowed by Policy-7: SNAT"
 
20085 trace_id=30 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
 
20085 trace_id=31 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
 
20085 trace_id=31 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-02bb75c1, original direction"
 
20085 trace_id=31 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
 
Example 2. (Debugging communication between internal hosts in TP mode)
 
==================================================================
 
diag debug flow filter add 192.168.10.4
 
diag debug flow show console enable
 
diag debug flow show function-name enable
 
diag debug flow trace start 100
 
diag debug enable
 
==================================================================
 
...to stop the debug, type "diag debug flow trace stop"
 
Example of debug flow output when traffic flows:
 
id=20085 trace_id=113 msg="vd-tp_mode received a packet(proto=6, 192.168.10.4:4370->192.168.10.2:23) from internal."
id=20085 trace_id=113 msg="Find an existing session, id-00000a40, original direction"
id=20085 trace_id=113 msg="enter fast path"
id=20085 trace_id=113 msg="send out via dev-dmz1, dst-mac-00:01:02:03:04:05"
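As an added example, not part of the original post, a small Python parser for the debug flow output format shown in examples 1 and 2. It groups lines by trace_id and reduces each trace to the ingress interface, session, route, SNAT and policy verdict, which is what you usually want when checking why traffic was allowed or dropped. The sample lines are constructed in the page's format; the "Denied by forward policy check" message is a FortiGate message not shown on this page, included so the denied case is covered.

```python
import re
# Constructed sample in the page's format (id=, trace_id=, func=, line=, msg=), not a real capture;
# the "Denied by forward policy check" line is a FortiGate message not shown on this page.
SAMPLE_OUTPUT = """\
id=20085 trace_id=30 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
id=20085 trace_id=30 func=resolve_ip_tuple line=2908 msg="allocate a new session-02bb75c1"
id=20085 trace_id=30 func=vf_ip4_route_input line=1599 msg="find a route: gw-121.131.216.126 via wan1"
id=20085 trace_id=30 func=fw_forward_handler line=320 msg="Allowed by Policy-7: SNAT"
id=20085 trace_id=30 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
id=20085 trace_id=31 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
id=20085 trace_id=31 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-02bb75c1, original direction"
id=20085 trace_id=32 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 203.0.113.7:40000->192.168.10.4:445) from wan1."
id=20085 trace_id=32 func=fw_forward_handler line=320 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'(?:id=)?\d+ trace_id=(?P<trace>\d+) (?:func=\S+ line=\d+ )?msg="(?P<msg>[^"]*)"')
PACKET_RE = re.compile(r"received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.")
PATTERNS = {
    "new_session": re.compile(r"allocate a new session-(\w+)"),
    "existing_session": re.compile(r"Find an existing session, id-(\w+)"),
    "route": re.compile(r"find a route: gw-\S+ via (\S+)"),
    "snat": re.compile(r"SNAT \S+->(\S+)"),
    "allowed_by": re.compile(r"Allowed by Policy-(\d+)"),
    "denied_by": re.compile(r"Denied by forward policy check \(policy (\d+)\)"),
}
# Policy is evaluated only on a session's first packet; later packets just match the session.
VERDICTS = (("denied_by", "denied"), ("allowed_by", "allowed"), ("existing_session", "existing"))

def summarize(text):
    """Group lines by trace_id; reduce each trace to packet, session, route, SNAT and verdict."""
    traces = {}  # dicts keep insertion order, so traces come out in capture order
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search, not match: the "id=" prefix or a CLI prompt may precede
        if not m:
            continue
        rec = traces.setdefault(m["trace"], {})
        pkt = PACKET_RE.search(m["msg"])
        if pkt:
            rec.update(proto=int(pkt[1]), src=pkt[2], dst=pkt[3], ingress=pkt[4])
        for key, pat in PATTERNS.items():
            hit = pat.search(m["msg"])
            if hit:
                rec[key] = hit[1]
    for rec in traces.values():
        rec["verdict"] = next((v for k, v in VERDICTS if k in rec), "none")
    return traces

def denied(traces):
    """(trace_id, src, dst) for every trace the forward policy check dropped."""
    return [(tid, r["src"], r["dst"]) for tid, r in traces.items() if r["verdict"] == "denied"]
```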