[Frequently used FortiGate debug commands]



1. diagnose debug flow

The diag debug flow command lets you follow the flow of inbound->outbound traffic through the FortiGate.

It is made up of three parts: filter, show, and trace.



FGT82C3109600076 # diagnose debug flow filter addr 122.49.65.221

FGT82C3109600076 # diagnose debug flow show console enable
show trace messages on console

FGT82C3109600076 # diagnose debug flow trace start 10



FGT82C3109600076 # id=36870 trace_id=21 msg="vd-root received a packet(proto=1, 122.49.65.222:1024->122.49.67.40:8) from port2."
id=36870 trace_id=21 msg="Find an existing session, id-0004a929, original direction"
id=36870 trace_id=22 msg="vd-root received a packet(proto=1, 122.49.67.40:1024->122.49.65.222:0) from local."





2. diagnose sniffer packet



FGT82C3109600076 # diagnose sniffer packet any "icmp" 4

Syntax
# diag sniffer packet <interface> <'filter'> <verbose> <count> <a>

<interface> can be an interface name, or "any" for all interfaces.
<'filter'> is a very powerful filter expression (examples are given below).
<verbose> is the verbosity level (levels listed below).
<count> is the number of packets the sniffer reads before stopping; 0 means run indefinitely.
<a> prints absolute timestamps (only valid when <count> is given); the default is relative timestamps, so only relative times are shown.

<verbose>
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with interface name

diagnose sniffer packet any "" 4 0 a

Packet sniffer (arguments follow the syntax above: filter, verbose, count, a)
- Check ICMP (verbose 4, 100 packets)
dia sniff packet port3 'icmp' 4 100
- Capture 100 TCP SYN packets with absolute timestamps
dia sniff packet port3 'tcp[13]==2' 4 100 a
- Capture 100 TCP SYN and SYN-ACK packets
dia sniff packet port3 'tcp[13]&2==2' 4 100





3. Enable/disable NP2 ASIC acceleration

FG3K6A3407600192 (global) # diagnose npu np2 fastpath
e2prom View E2PROM data
fastpath Configure fastpath
fastpath-sniffer Configure fastpath sniffer by port
list Display all NP2 devices
performance View NP2 performance
register View NP2 registers
status View NP2 device status

FG3K6A3407600192 (global) # diagnose npu np2 fastpath disable 0





4. Enable/disable NP4 ASIC acceleration

# diagnose npu np4 fastpath disable 0

Note 1) After disabling, the device reports "NP4 Fast Path disabled. Please clear session to clear existing path." Existing sessions keep their offloaded path until they are cleared.

Note 2) A traffic log entry is only written once the session has expired.




Setup procedure

==================================================================

diag debug flow filter <name> <value>

- Add a debug flow trace filter: <filter option> <filter value; any if omitted>

diag debug flow show console enable

- Display the debug output on the current console session

diag debug flow show function-name enable

- Show the name of the function used at each step of the flow trace

diag debug flow trace start <repeat number>

- Number of flow traces to capture

diag debug enable

- Start debugging

==================================================================



Example 1. (Debugging communication with an external host)

This shows a lot of information: the ingress interface, the session type, the policy applied, the VDOM applied, the route applied, and so on.

==================================================================

diag debug flow filter add 192.168.10.4

diag debug flow show console enable

diag debug flow show function-name enable

diag debug flow trace start 100

diag debug enable

==================================================================

...to stop the debug, type "diag debug flow trace stop"



20085 trace_id=29 func=get_new_addr line=1240 msg="find SNAT: IP-222.110.157.103, port-46024"

20085 trace_id=29 func=fw_forward_handler line=320 msg="Allowed by Policy-5: SNAT"

20085 trace_id=29 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->222.110.157.103:46024"

20085 trace_id=30 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."

20085 trace_id=30 func=resolve_ip_tuple line=2908 msg="allocate a new session-02bb75c1"

20085 trace_id=30 func=rpdb_srv_match line=422 msg="Match policy routing: to 222.234.226.3 via ifindex-3"

20085 trace_id=30 func=vf_ip4_route_input line=1599 msg="find a route: gw-121.131.216.126 via wan1"

20085 trace_id=30 func=get_new_addr line=1240 msg="find SNAT: IP-121.131.216.116, port-46025"

20085 trace_id=30 func=fw_forward_handler line=320 msg="Allowed by Policy-7: SNAT"

20085 trace_id=30 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"

20085 trace_id=31 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."

20085 trace_id=31 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-02bb75c1, original direction"

20085 trace_id=31 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"





Example 2. (Debugging internal-to-internal communication in transparent (TP) mode)

==================================================================

diag debug flow filter add 192.168.10.4

diag debug flow show console enable

diag debug flow show function-name enable

diag debug flow trace start 100

diag debug enable

==================================================================

...to stop the debug, type "diag debug flow trace stop"

Example of debug flow output when traffic flows:

id=20085 trace_id=113 msg="vd-tp_mode received a packet(proto=6, 192.168.10.4:4370->192.168.10.2:23) from internal."

id=20085 trace_id=113 msg="Find an existing session, id-00000a40, original direction"

id=20085 trace_id=113 msg="enter fast path"

id=20085 trace_id=113 msg="send out via dev-dmz1, dst-mac-00:01:02:03:04:05"
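As an added example (not part of the original post), a small Python parser that turns the diag debug flow output from Example 1 and Example 2 above into one summary per trace_id: ingress interface, session, policy verdict, SNAT and egress interface. It handles both output shapes shown on this page, with func=/line= fields (function-name enable) and without; the message patterns are taken from the lines on this page, and the sample text is copied from them.

```python
import re
from collections import OrderedDict

# Sample lines copied from Example 1 (with func names) and Example 2 (without) above.
SAMPLE = """\
20085 trace_id=30 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
20085 trace_id=30 func=resolve_ip_tuple line=2908 msg="allocate a new session-02bb75c1"
20085 trace_id=30 func=rpdb_srv_match line=422 msg="Match policy routing: to 222.234.226.3 via ifindex-3"
20085 trace_id=30 func=vf_ip4_route_input line=1599 msg="find a route: gw-121.131.216.126 via wan1"
20085 trace_id=30 func=get_new_addr line=1240 msg="find SNAT: IP-121.131.216.116, port-46025"
20085 trace_id=30 func=fw_forward_handler line=320 msg="Allowed by Policy-7: SNAT"
20085 trace_id=30 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
id=20085 trace_id=113 msg="vd-tp_mode received a packet(proto=6, 192.168.10.4:4370->192.168.10.2:23) from internal."
id=20085 trace_id=113 msg="Find an existing session, id-00000a40, original direction"
id=20085 trace_id=113 msg="enter fast path"
id=20085 trace_id=113 msg="send out via dev-dmz1, dst-mac-00:01:02:03:04:05"
"""

# One trace line: trace_id, optional func=/line= pair, then the quoted msg.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)(?:\s+func=(?P<func>\S+)\s+line=\d+)?\s+msg="(?P<msg>.*)"')
# The "received a packet" message: VDOM, protocol, 5-tuple endpoints, ingress interface.
PKT_RE = re.compile(r'vd-(?P<vdom>\S+) received a packet\(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\) from (?P<iface>\S+)\.')

def parse_trace(text):
    """Group debug flow lines by trace_id and pull out the decisions made for each packet."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue                      # not a trace line (prompt, blank, etc.)
        t = traces.setdefault(m['tid'], {"steps": []})
        msg = m['msg']
        t["steps"].append(msg)            # keep the raw sequence for inspection
        p = PKT_RE.match(msg)
        if p:
            t.update(vdom=p['vdom'], proto=int(p['proto']), src=p['src'], dst=p['dst'], in_iface=p['iface'])
        elif msg.startswith("allocate a new session-"):
            t["session"], t["new_session"] = msg.rsplit("-", 1)[1], True
        elif msg.startswith("Find an existing session"):
            t["session"], t["new_session"] = re.search(r"id-([0-9a-f]+)", msg).group(1), False
        elif msg.startswith("Allowed by Policy-"):
            t["policy"] = int(re.search(r"Policy-(\d+)", msg).group(1))
        elif msg.startswith("find a route:"):
            t["gateway"], t["out_iface"] = re.search(r"gw-(\S+) via (\S+)", msg).groups()
        elif msg.startswith("SNAT "):
            t["snat"] = msg.split("->", 1)[1]          # translated source address:port
        elif msg.startswith("send out via dev-"):
            t["out_iface"] = re.search(r"dev-([^,]+)", msg).group(1)
    return traces

def summarize(t):
    """One line per trace: where the packet came in, what was decided, where it left."""
    verdict = f"policy {t['policy']}" if "policy" in t else "no policy decision"
    return (f"vd={t.get('vdom')} {t.get('src')}->{t.get('dst')} in={t.get('in_iface')} "
            f"session={t.get('session')}{' (new)' if t.get('new_session') else ''} "
            f"{verdict} snat={t.get('snat', '-')} out={t.get('out_iface', '-')}")

if __name__ == "__main__":
    for tid, t in parse_trace(SAMPLE).items():
        print(f"trace {tid}: {summarize(t)}")
```

A trace that shows a received packet but never reaches an "Allowed by Policy" or "send out" line is the one to look at first when traffic is silently dropped.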