Debug flow helps you troubleshoot the decision process the FortiGate follows when forwarding traffic.
We will go over some specifics of reading debug flow output:
- Traffic direction
- Interfaces
- Routing
- Policy Matching
- Trace ID
- Session matching
- "No matching IPsec selector, drop" message
- "Allowed by Policy" message
- "reverse path check fail, drop" message
- "Denied by forward policy check (policy 0)" message
Debug Flow Command Review:
diag debug flow filter #view the current filter
diag debug flow filter clear #clear the debug flow filter
diag debug flow filter proto 1 #filter for protocol 1
diag debug flow filter addr x.x.x.x #filter for source or destination address x.x.x.x
diag debug console timestamp enable #enable timestamp in outputs
diag debug flow trace start x #how many packets to trace/debug
diag debug enable #enable the debug
diag debug disable #disable the debug
diag debug reset #reset all debug parameters (includes debug flow filter clear)
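Once the debug is running, the output is a stream of records tagged with a trace_id, and the questions from the list above (which interface the packet arrived on, which route and outgoing interface were chosen, and whether it ended in "Allowed by Policy", "Denied by forward policy check (policy 0)" or "reverse path check fail, drop") have to be answered per trace. The following parser is an added example, not part of the video. The sample output is constructed to resemble FortiOS debug flow records in the form id=... trace_id=... func=... line=... msg="..."; the func names, line numbers, session ids and addresses are placeholders and the exact wording may vary between FortiOS versions.

```python
"""Group FortiGate 'diag debug flow' output by trace_id and report the verdict per trace.

Added example, not from the video. SAMPLE_OUTPUT is constructed to look like
FortiOS debug flow records with console timestamps enabled; func names, line
numbers, session ids and addresses (RFC 5737 ranges) are placeholders.
"""
import re

# Constructed sample output: one allowed trace, one denied by policy 0,
# one reply packet matching an existing session, one failing the reverse path check.
SAMPLE_OUTPUT = """\
2024-07-29 10:00:01 id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.0.2.10:1->198.51.100.20:2048) from port2. type=8, code=0, id=1, seq=1."
2024-07-29 10:00:01 id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00001a2b"
2024-07-29 10:00:01 id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via port1"
2024-07-29 10:00:01 id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-3: SNAT"
2024-07-29 10:00:02 id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.0.2.10:1->198.51.100.21:2048) from port2. type=8, code=0, id=1, seq=2."
2024-07-29 10:00:02 id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-00001a2c"
2024-07-29 10:00:02 id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via port1"
2024-07-29 10:00:02 id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
2024-07-29 10:00:03 id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 198.51.100.20:0->192.0.2.10:0) from port1. type=0, code=0, id=1, seq=1."
2024-07-29 10:00:03 id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5444 msg="Find an existing session, id-00001a2b, reply direction"
2024-07-29 10:00:03 id=20085 trace_id=4 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.9.9.9:1->192.0.2.10:2048) from port1. type=8, code=0, id=7, seq=1."
2024-07-29 10:00:03 id=20085 trace_id=4 func=ip_session_handle_no_dst line=1541 msg="reverse path check fail, drop"
"""

# One debug flow record; the leading console timestamp is optional.
LINE_RE = re.compile(
    r'(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) )?'
    r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=(?P<line>\d+) '
    r'msg="(?P<msg>.*)"$'
)
# Packet header: protocol, 5-tuple and ingress interface (traffic direction).
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+?)\.'
)
# Routing decision: gateway and egress interface.
ROUTE_RE = re.compile(r'find a route: flag=\S+ gw-(?P<gw>[\d.]+) via (?P<iface>\S+)')
# Terminal messages, in the order they are tried; a capture group is the policy id.
VERDICTS = [
    (re.compile(r'^Allowed by Policy-(\d+)'), 'allowed'),
    (re.compile(r'^Denied by forward policy check \(policy (\d+)\)'), 'denied'),
    (re.compile(r'^reverse path check fail, drop'), 'dropped'),
    (re.compile(r'^No matching IPsec selector, drop'), 'dropped'),
    (re.compile(r'^Find an existing session'), 'existing-session'),
]


def summarize(text):
    """Return {trace_id: summary} with packet, route, and verdict fields per trace."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a debug flow record (blank line, CLI echo, etc.)
        tid = int(m.group('trace'))
        t = traces.setdefault(tid, {'verdict': 'in-progress', 'policy': None, 'reason': None})
        msg = m.group('msg')
        pkt = PKT_RE.search(msg)
        if pkt:
            t['proto'] = int(pkt.group('proto'))
            t['src'], t['dst'] = pkt.group('src'), pkt.group('dst')
            t['in_iface'] = pkt.group('iface')
            continue
        route = ROUTE_RE.search(msg)
        if route:
            t['gateway'], t['out_iface'] = route.group('gw'), route.group('iface')
            continue
        for pattern, verdict in VERDICTS:
            vm = pattern.match(msg)
            if vm:
                t['verdict'] = verdict
                t['reason'] = msg
                if vm.groups():
                    t['policy'] = int(vm.group(1))
                break
    return traces


def problems(traces):
    """List (trace_id, reason) for every trace that was denied or dropped."""
    return [(tid, t['reason']) for tid, t in sorted(traces.items())
            if t['verdict'] in ('denied', 'dropped')]


if __name__ == '__main__':
    summary = summarize(SAMPLE_OUTPUT)
    for tid, t in sorted(summary.items()):
        print(f"trace {tid}: {t.get('src')} -> {t.get('dst')} in={t.get('in_iface')} "
              f"out={t.get('out_iface')} verdict={t['verdict']} policy={t['policy']}")
    for tid, reason in problems(summary):
        print(f"trace {tid} needs attention: {reason}")
```

Run against a capture saved from the console, the per-trace summary shows at a glance which traces were allowed and by which policy id, which hit policy 0 (no matching policy), and which never reached policy lookup because the route or reverse path check failed.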
0:00 Overview
0:38 Debug Flow Filter
2:07 Example #1 - working example
4:45 Example #2 - non-working example
6:49 Example #3 - another non-working example
29 Jul 2024