In this blog, we will look at the FortiGate diag debug flow output messages & what they are trying to tell you.
I've been dabbing with Fortigates ever since 3.0 came out ( since 2005 ) and it still surprises me on the pure amount of individuals, that struggles with diagnostics and those that don't even use the diag debug flow.
In this post I'm going to show you some output messages and how to interpet them.
1st up:
You try to ping , ssh or web into a fortigate and you are denied. Diag debug flow will show you something of the following;
So this means; " whatever interface your trying to access did now have the correct < set allowaccess> statement "
e.g ( webgui interface configurations )
or via the cli;
2nd:
This message below is "10 out of 10" times one of the following;
1: a deny firewall policy ( it even tells you so :) )
2: firewall policy missed-ordered or sequence# ( our most specific and denys should be 1st in the order )
3: error in your firewall policy ( typo , wrong address, wrong interface , service or a combination of erros )
4: or a missing firewall policy ( if it's not allowed it's denied )
Bottom line check your firewall policies and go thru them with a fine tooth comb.
3rd and final: ( my favorite )
When your working with sslvpn or tunnels this is a common error. It's also seen when you have internal LANs being routed behind another device like a internal router & you have no route for the source(s) in the FGT route table.
In the above 10 out of 10 times it's any of the following;
1: routes installed incorrectly
2: no route installed ( it's missing )
Bottom line ;"your routing is screwed up" . Monitor your route table and validate the next-hop gateway is correct & the correct interface.
Diagnostics with diag debug flow is simple and straight.
It frustrate me to see junior/senior Fortigate engineers struggling to diagnostic connections problems, and they DON'T ever bother to use the built-in diagnostics tools or just bypass the process of making a packet capture.
The fortigate is one of the best firewalls on the market to trouble-shoot ( period ). You will not find anything as simple or as easy.
These commands should be routine in our everyday activities and before you waste time throwing things into the mix;
diag debug flow
diag sniffer
And finally, we have the means to make packet captures on most any newer fortigates.
So instead of guessing, shoot-n-pray, or just using the "trial--n--error" process, start using the diag debug flow cmds :)
Ken Felix
Freelance Network/Security Engineer
kfelix ---a---t--- hyperfeed --d-o-t-- com
^ ^
=( @ @ ) =
~
/ \
No comments:
Post a Comment