FortiGate SIP Debug
Please refer to the SIP debugging procedure and provide us with the output.
Additionally, you can run a debug flow between the src and dst IP addresses:
diag debug console timestamp enable
diag debug flow show console en
diag debug flow show function-name en
diag debug flow filter saddr
diag debug flow filter daddr
diag debug en
diag debug flow trace start 200
Once the debugs are collected, you can disable all the above with:
diag debug appl sip 0
diag debug flow filter clear
diag debug flow trace stop
diag debug disable
diag debug reset
 
 
 
 
 
 
[Frequently used FortiGate debug commands]
 
1. diagnose debug flow
 
The diag debug flow command lets you follow the flow of traffic through the FortiGate from inbound to outbound.
 
It consists of three parts: filter, show and trace.
 
FGT82C3109600076 # diagnose debug flow filter addr 122.49.65.221
 
FGT82C3109600076 # diagnose debug flow show console enable
show trace messages on console
 
FGT82C3109600076 # diagnose debug flow trace start 10
 
FGT82C3109600076 # id=36870 trace_id=21 msg="vd-root received a packet(proto=1, 122.49.65.222:1024->122.49.67.40:8) from port2."
id=36870 trace_id=21 msg="Find an existing session, id-0004a929, original direction"
id=36870 trace_id=22 msg="vd-root received a packet(proto=1, 122.49.67.40:1024->122.49.65.222:0) from local."
 
2. diagnose sniffer packet
 
FGT82C3109600076 # diagnose sniffer packet any "icmp" 4
 
Syntax
# diag sniffer packet <interface> <'filter'> <verbose> <count> <a>
 
<interface> can be an Interface name or "any" for all Interfaces.
<'filter'> is a very powerful filter functionality which will be described in more detail.
<verbose> means the level of verbosity as described already.
<count> the number of packets the sniffer reads before stopping; '0' means run indefinitely.
<a> print absolute timestamps (only valid when <count> is given); the default is relative timestamps, so only elapsed time is shown.
 
<verbose>
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
 
diagnose sniffer packet any "" 4 0 a
 
Packet sniffer
- Check ICMP
dia sniff packet port3 icmp 100
- Capture 100 TCP SYN packets
dia sniff packet port3 'tcp[13]==2' 100 0 a
- Capture 100 TCP SYN & SYN-ACK packets
dia sniff packet port3 'tcp[13]&2==2' 100
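To make the difference between the two SYN filters above concrete, here is an added Python example (not from the original post or from Fortinet) that evaluates `tcp[13]==N` and `tcp[13]&M==N` expressions against constructed TCP flag bytes; the evaluator is a toy that handles only that subset of the sniffer filter grammar.

```python
import re

# Flag bits of TCP header byte 13, the offset the sniffer filters above index.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed flag bytes for the packet types seen in a typical TCP exchange.
SAMPLE_PACKETS = {
    "SYN": SYN,
    "SYN-ACK": SYN | ACK,
    "ACK": ACK,
    "PSH-ACK": PSH | ACK,
    "FIN-ACK": FIN | ACK,
    "RST-ACK": RST | ACK,
}

# Accepts only 'tcp[13]==N' and 'tcp[13]&M==N' (decimal or 0x.. literals).
# This is a toy evaluator for the subset used above, not the FortiOS filter engine.
_FILTER_RE = re.compile(r"^tcp\[13\](?:&(0x[0-9a-fA-F]+|\d+))?==(0x[0-9a-fA-F]+|\d+)$")


def tcp13_filter_matches(expr: str, flags: int) -> bool:
    """Return True if a packet whose TCP flag byte is `flags` passes the filter."""
    m = _FILTER_RE.match(expr.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported filter expression: {expr}")
    # Without an explicit mask the whole byte must equal the value, so
    # 'tcp[13]==2' keeps only pure SYN, while 'tcp[13]&2==2' keeps anything
    # with the SYN bit set, which includes SYN-ACK.
    mask = int(m.group(1), 0) if m.group(1) else 0xFF
    return (flags & mask) == int(m.group(2), 0)


def matching_packets(expr: str) -> list:
    """Names of the sample packets the filter would let the sniffer print."""
    return [name for name, f in SAMPLE_PACKETS.items() if tcp13_filter_matches(expr, f)]


if __name__ == "__main__":
    for expr in ("tcp[13]==2", "tcp[13]&2==2", "tcp[13]&0x12==0x12", "tcp[13]&4==4"):
        print(f"{expr:22} -> {matching_packets(expr)}")
```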
 
3. NP2 ASIC accelerate enable/disable
 
FG3K6A3407600192 (global) # diagnose npu np2 fastpath
e2prom View E2PROM data
fastpath Configure fastpath
fastpath-sniffer Configure fastpath sniffer by port
list Display all NP2 devices
performance View NP2 performance
register View NP2 registers
status View NP2 device status
 
FG3K6A3407600192 (global) # diagnose npu np2 fastpath disable 0
 
4. NP4 ASIC accelerate enable/disable
 
# diagnose npu np4 fastpath disable 0
 
Note 1) NP4 Fast Path disabled. Please clear session to clear existing path.
 
Note 2) Traffic logs are only recorded once the session has expired.
 
How to configure
 
==================================================================
 
diag debug flow filter <name> <value>
 
- Add a debug flow trace filter <filter option> <filter value, or any if omitted>
 
diag debug flow show console enable
 
- Display the debug output on the console session
 
diag debug flow show function-name enable
 
- Show the names of the functions used during debug flow tracing
 
diag debug flow trace start <repeat number>
 
- Number of packets to trace in the debug flow
 
diag debug enable
 
- Start debugging
 
==================================================================
Example 1. (Debugging traffic to an external host)
 
You can see a great deal of information: the ingress interface of the source, the session type, the matched policy, the VDOM, the route taken, and more.
 
==================================================================
 
diag debug flow filter add 192.168.10.4
 
diag debug flow show console enable
 
diag debug flow show function-name enable
 
diag debug flow trace start 100
 
diag debug enable
 
==================================================================
 
...to stop the debug, type "diag debug flow trace stop"
 
 
 
20085 trace_id=29 func=get_new_addr line=1240 msg="find SNAT: IP-222.110.157.103, port-46024"
 
20085 trace_id=29 func=fw_forward_handler line=320 msg="Allowed by Policy-5: SNAT"
 
20085 trace_id=29 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->222.110.157.103:46024"
 
20085 trace_id=30 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
 
20085 trace_id=30 func=resolve_ip_tuple line=2908 msg="allocate a new session-02bb75c1"
 
20085 trace_id=30 func=rpdb_srv_match line=422 msg="Match policy routing: to 222.234.226.3 via ifindex-3"
 
20085 trace_id=30 func=vf_ip4_route_input line=1599 msg="find a route: gw-121.131.216.126 via wan1"
 
20085 trace_id=30 func=get_new_addr line=1240 msg="find SNAT: IP-121.131.216.116, port-46025"
 
20085 trace_id=30 func=fw_forward_handler line=320 msg="Allowed by Policy-7: SNAT"
 
20085 trace_id=30 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
 
20085 trace_id=31 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
 
20085 trace_id=31 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-02bb75c1, original direction"
 
20085 trace_id=31 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
 
Example 2. (Debugging traffic between internal hosts in transparent (TP) mode)
 
==================================================================
 
diag debug flow filter add 192.168.10.4
 
diag debug flow show console enable
 
diag debug flow show function-name enable
 
diag debug flow trace start 100
 
diag debug enable
 
==================================================================
 
...to stop the debug, type "diag debug flow trace stop"
 
Example of debug flow output when traffic flows:
 
id=20085 trace_id=113 msg="vd-tp_mode received a packet(proto=6, 192.168.10.4:4370->192.168.10.2:23) from internal."
id=20085 trace_id=113 msg="Find an existing session, id-00000a40, original direction"
id=20085 trace_id=113 msg="enter fast path"
id=20085 trace_id=113 msg="send out via dev-dmz1, dst-mac-00:01:02:03:04:05"
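The two traces above (Example 1 through SNAT and Example 2 in transparent mode) are easier to compare once the lines are grouped by trace_id. The following added Python example, which is not part of the original post or of FortiOS, parses that output format (with or without the func=/line= fields) and pulls out the session, policy, SNAT and egress fields; the sample lines are copied from the output shown above.

```python
import re
from collections import defaultdict

# One 'diag debug flow' line: func=/line= appear only after 'show function-name enable', the 'id=' prefix is sometimes absent, and a CLI prompt may precede the line.
_LINE_RE = re.compile(r'(?:id=)?(?P<id>\d+)\s+trace_id=(?P<trace>\d+)\s+(?:func=(?P<func>\S+)\s+line=(?P<line>\d+)\s+)?msg="(?P<msg>[^"]*)"')
_PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
_SESS_RE = re.compile(r'(allocate a new session|Find an existing session, id)-([0-9a-f]+)')
_ROUTE_RE = re.compile(r'find a route: gw-(\S+) via (\S+)')
_POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
_SNAT_RE = re.compile(r'^SNAT \S+->(\S+)')
_OUT_RE = re.compile(r'send out via dev-(\S+), dst-mac-(\S+)')


def parse_debug_flow(text: str) -> dict:
    """Group trace lines by trace_id and extract the fields an analyst checks first."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = _LINE_RE.search(raw)
        if not m:
            continue  # blank lines, prompts and non-trace output are skipped
        t, msg = traces[int(m["trace"])], m["msg"]
        if pkt := _PKT_RE.search(msg):
            t.update(proto=int(pkt[1]), src=pkt[2], dst=pkt[3], ingress=pkt[4])
        elif s := _SESS_RE.search(msg):
            t["session"], t["new_session"] = s[2], s[1].startswith("allocate")
        elif r := _ROUTE_RE.search(msg):
            t.update(gateway=r[1], egress=r[2])
        elif p := _POLICY_RE.search(msg):
            t["policy"] = int(p[1])
        elif n := _SNAT_RE.search(msg):
            t["snat"] = n[1]  # translated source address:port
        elif o := _OUT_RE.search(msg):
            t.update(egress=o[1], dst_mac=o[2])
        elif msg == "enter fast path":
            t["fast_path"] = True
    return dict(traces)


# Sample lines copied from the two traces shown above (Example 1 and Example 2).
SAMPLE_OUTPUT = """\
20085 trace_id=30 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
20085 trace_id=30 func=resolve_ip_tuple line=2908 msg="allocate a new session-02bb75c1"
20085 trace_id=30 func=vf_ip4_route_input line=1599 msg="find a route: gw-121.131.216.126 via wan1"
20085 trace_id=30 func=fw_forward_handler line=320 msg="Allowed by Policy-7: SNAT"
20085 trace_id=30 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
id=20085 trace_id=113 msg="vd-tp_mode received a packet(proto=6, 192.168.10.4:4370->192.168.10.2:23) from internal."
id=20085 trace_id=113 msg="Find an existing session, id-00000a40, original direction"
id=20085 trace_id=113 msg="enter fast path"
id=20085 trace_id=113 msg="send out via dev-dmz1, dst-mac-00:01:02:03:04:05"
"""
```

Running `parse_debug_flow(SAMPLE_OUTPUT)` yields one dict per trace_id; a trace with no policy or egress field is the one to look at when traffic is silently dropped.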

 

 


diagnose debug enable
diagnose debug flow show console enable
diagnose debug flow filter add 10.10.20.30
diagnose debug flow trace start 100


fg60cxadsl # diagnose sys session filter src 192.168.1.110
fg60cxadsl # diagnose sys session filter dport 80


Next, clear the session by issuing the session clear command as follows:

fg60cxadsl # diagnose sys session clear
Step 3: Sniffer trace

Take a sniffer trace as per the following examples when running a constant ping (or TCP connection) from PC1 to PC2.
This will answer the following questions:
- Is traffic arriving at the FortiGate, and does it arrive on the expected port?
- Is the ARP resolution correct for the targeted next-hop?
- Is the traffic exiting the FortiGate to the destination?
- Is the traffic sent back to the source?

FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4

or

FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4


Including the ARP protocol in the filter may be useful to troubleshoot a failure in the ARP resolution (for instance, PC2 may be down and not responding to the FortiGate ARP requests).

FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4


To stop the sniffer, type CTRL+C.

Step 4: Debug flow

Traffic should come in and leave the FortiGate. If not, proceed with a debug flow as follows:

diag debug enable
diag debug flow filter add <PC1>    or    diag debug flow filter add <PC2>
diag debug flow show console enable
diag debug flow trace start 100          <== this will display 100 packets for this flow
diag debug enable


To stop all other debug, type "diag debug flow trace stop".

Step 5: Session list

diag sys session filter src PC1
diag sys session list 

or 

diag sys session filter dst PC1
diag sys session list 

To clear all sessions corresponding to a filter:

diag sys session filter dst PC1
diag sys session clear

 

 
