Wednesday, June 26, 2013

diag debug flow troubleshooting

In this post, we will look at the FortiGate diag debug flow output messages and what they are trying to tell you.

I've been dabbling with FortiGates ever since 3.0 came out (since 2005), and it still surprises me how many individuals struggle with diagnostics, and how many don't even use diag debug flow.

In this post I'm going to show you some output messages and how to interpret them.

1st up:

You try to ping, SSH or web into a FortiGate and you are denied. Diag debug flow will show you something like the following:

So this means: "whatever interface you're trying to access does not have the correct <set allowaccess> statement for that protocol". The packet is handled by the local-in path (it is addressed to the FortiGate itself), so no forward firewall policy is ever consulted; only the interface's allowaccess list decides.

e.g. (web GUI interface configuration)

or via the CLI:
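The CLI version of that fix, as an added example that is not from the original post. The interface name "port1", its address, and the client you test from are assumptions for illustration; the commands are standard FortiOS CLI.

```text
# Added example (not from the original post). Interface "port1" and its
# address are assumptions; the command syntax is standard FortiOS CLI.

# 1. Look at what the interface currently allows
show system interface port1
#   config system interface
#       edit "port1"
#           set ip 192.168.1.99 255.255.255.0
#           set allowaccess ping          <- https and ssh are missing, so web/SSH
#       next                                 to this interface are dropped local-in
#   end

# 2. Add the missing services. "set allowaccess" REPLACES the whole list,
#    so restate everything you still want (ping here), not just the new ones.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

#    Equivalent, without retyping the existing list:
config system interface
    edit "port1"
        append allowaccess https
        append allowaccess ssh
    next
end

# 3. Verify, then re-test from the client
show system interface port1
```

Keep the list as small as the interface's role needs: "set allowaccess ping" on an Internet-facing port is usually all you want, and HTTPS/SSH belong on the management or inside interface only.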


2nd:

The message below is "10 out of 10" times one of the following:

1: a deny firewall policy (it even tells you so :) )
2: a mis-ordered firewall policy or sequence # (policies are matched top-down and the first match wins, so the most specific policies and the denies should be first in the order)
3: an error in your firewall policy (typo, wrong address, wrong interface, wrong service, or a combination of errors)
4: a missing firewall policy (if it's not allowed, it's denied: the implicit deny after the last policy reports as policy 0)

Bottom line: check your firewall policies and go through them with a fine-tooth comb.
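How a mis-ordered policy looks on the CLI and how to fix the order, as an added example that is not from the original post. Policy IDs, interface names and the address object "LAN_Servers" are assumptions for illustration.

```text
# Added example (not from the original post). Policy IDs, interfaces and the
# "LAN_Servers" address object are assumptions.

# Policies are evaluated top-down for the matching srcintf/dstintf pair;
# the FIRST match wins, so read the list in order, not by ID.
show firewall policy
#   config firewall policy
#       edit 1                         <- a broad deny sits first ...
#           set srcintf "internal"
#           set dstintf "wan1"
#           set srcaddr "all"
#           set dstaddr "all"
#           set action deny
#           set schedule "always"
#           set service "ALL"
#       next
#       edit 2                         <- ... so this specific allow is never reached
#           set srcintf "internal"        and debug flow reports a deny
#           set dstintf "wan1"
#           set srcaddr "LAN_Servers"
#           set dstaddr "all"
#           set action accept
#           set schedule "always"
#           set service "HTTPS"
#           set nat enable
#       next
#   end

# Move the specific allow above the catch-all deny. IDs stay the same; only
# the evaluation order changes.
config firewall policy
    move 2 before 1
end

# While you are in there, check the things that turn an allow into a deny:
#   - srcintf/dstintf match the interfaces debug flow says the packet used
#   - the address objects contain the real subnet (a typo'd mask is a silent deny)
#   - the service covers the port/proto seen in the trace
#   - the schedule is currently active
show firewall address LAN_Servers
```

If none of the policies match, the packet hits the implicit deny at the bottom of the list, which is exactly the "missing policy" case in point 4 above.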

3rd and final: (my favorite)

When you're working with SSL VPN or tunnels, this is a common error. It's also seen when you have internal LANs sitting behind another device, such as an internal router, and you have no route for the source(s) in the FGT route table: the FortiGate's reverse path check looks up the source address, finds it reachable (if at all) via a different interface than the one the packet arrived on, and drops the packet.

In the above, 10 out of 10 times it's one of the following:

1: routes installed incorrectly
2: no route installed (it's missing)

Bottom line: "your routing is screwed up". Check your route table and validate that the next-hop gateway and the egress interface are correct, for the destination and for the source.
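Checking the route table for the failing source and adding the missing routes, as an added example that is not from the original post. The addresses, the internal router at 192.168.1.2, the interface names and the SSL VPN pool 10.212.134.0/24 are assumptions for illustration; the route lookup output shown in comments is what FortiOS prints for a default route, with the addresses replaced by the assumed ones.

```text
# Added example (not from the original post). Addresses, interface names and
# the SSL VPN pool are assumptions.

# Which route, if any, does the FortiGate have for the SOURCE of the dropped
# packet (a LAN behind an internal router)?
get router info routing-table details 10.50.0.25
#   Routing entry for 0.0.0.0/0
#     Known via "static", distance 10, metric 0, best
#     * 203.0.113.1, via wan1
#   -> only the default route matches, pointing out wan1; the packet came in on
#      "internal", so the reverse path check fails and the packet is dropped

# Add the missing route for the LAN behind the internal router
config router static
    edit 0                                  # 0 = allocate the next free ID
        set dst 10.50.0.0 255.255.0.0
        set gateway 192.168.1.2
        set device "internal"
    next
end

# Same story for SSL VPN tunnel-mode clients: if the tunnel IP pool is not
# already routed via the tunnel interface, add an interface route for it
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end

# Re-check: the source should now resolve to the interface it arrives on
get router info routing-table details 10.50.0.25
#   Routing entry for 10.50.0.0/16
#     Known via "static", distance 10, metric 0, best
#     * 192.168.1.2, via internal

# And the whole table, to validate next hop + interface for the destination too
get router info routing-table all
```

The same two checks (does the destination have the right next hop and interface, and does the source resolve to the interface it arrived on) cover both "route installed incorrectly" and "no route installed".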

Diagnostics with diag debug flow is simple and straightforward.

It frustrates me to see junior/senior FortiGate engineers struggling to diagnose connection problems when they DON'T ever bother to use the built-in diagnostic tools, or just bypass the process of making a packet capture.

The FortiGate is one of the best firewalls on the market to troubleshoot (period). You will not find anything as simple or as easy.

These commands should be routine in our everyday activities, run before you waste time throwing things into the mix:

diag debug flow
diag sniffer
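A complete debug flow session for one failing connection, with the matching sniffer capture, as an added example that is not from the original post. The client 10.10.10.5, the server 172.16.20.8 and TCP/443 are assumptions for illustration; "diag" and "diagnose" are interchangeable on the FortiOS CLI, and the full form is used here.

```text
# Added example (not from the original post). Client 10.10.10.5, server
# 172.16.20.8 and TCP/443 are assumptions.

# 0. Start from a clean state so an old filter does not hide your traffic
diagnose debug reset
diagnose debug flow filter clear

# 1. Filter narrowly: on a busy box an unfiltered trace is unreadable
diagnose debug flow filter addr 10.10.10.5       # either direction
diagnose debug flow filter daddr 172.16.20.8
diagnose debug flow filter port 443
diagnose debug flow filter proto 6               # 6 = TCP, 1 = ICMP, 17 = UDP

# 2. Print the kernel function behind each line (it tells you which stage,
#    route lookup / policy lookup / session, produced the message).
#    FortiOS 4.x and 5.0 use "show console enable"; 5.2 and later use
#    "show function-name enable".
diagnose debug flow show function-name enable
diagnose debug console timestamp enable

# 3. Arm the trace, THEN generate the traffic from the client
diagnose debug enable
diagnose debug flow trace start 100              # stop by itself after 100 packets

# 4. Read each trace_id top-down: packet received on interface -> route lookup
#    -> policy lookup -> session/NAT. The last line before the drop names the
#    check that failed (allowaccess, policy, or route).

# 5. Always tear it down; debug output keeps flowing until you do
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset

# Does the packet even reach the box, and on which interface? Verbose level 4
# prints interface names; the trailing count stops after 20 packets.
diagnose sniffer packet any 'host 10.10.10.5 and tcp port 443' 4 20
```

Run the sniffer first when debug flow shows nothing at all: no packets in the capture means the problem is upstream of the FortiGate, and no amount of policy or route checking will fix it.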

And finally, we have the means to make packet captures on almost any newer FortiGate.

So instead of guessing, shoot-n-pray, or just using the "trial-n-error" process, start using the diag debug flow commands :)

Ken Felix
Freelance Network/Security Engineer
kfelix  ---a---t--- hyperfeed --d-o-t-- com

    ^        ^
=( @   @ ) =
      /     \
