This post collects common session and traffic debugging commands for FortiGate firewalls.
- The command get system interface displays detailed information about the network interfaces, which helps you determine the configuration of each interface before running the debug commands.
This command shows:
- Interface names (e.g., port1, wan1, lan)
- IP addresses
- Status (up/down)
- Role (LAN/WAN/DMZ/etc.)
- MAC address
- MTU
- Link speed and duplex
- Interface type (physical, VLAN, etc.)
```
FGT6 # get system interface
== [ port1 ]
name: port1   mode: dhcp   ip: 0.0.0.0 0.0.0.0   status: up   netbios-forward: disable   type: physical   ring-rx: 0   ring-tx: 0   netflow-sampler: disable   sflow-sampler: disable   src-check: enable   explicit-web-proxy: disable   explicit-ftp-proxy: disable   proxy-captive-portal: disable   wccp: disable   drop-overlapped-fragment: disable   drop-fragment: disable   mtu-override: disable
== [ port2 ]
name: port2   mode: static   ip: 192.168.3.1 255.255.255.0   status: up   netbios-forward: disable   type: physical   ring-rx: 0   ring-tx: 0   netflow-sampler: disable   sflow-sampler: disable   src-check: enable   explicit-web-proxy: disable   explicit-ftp-proxy: disable   proxy-captive-portal: disable   wccp: disable   drop-overlapped-fragment: disable   drop-fragment: disable   mtu-override: disable
== [ port3 ]
name: port3   mode: static   ip: 192.168.20.16 255.255.255.0   status: up   netbios-forward: disable   type: physical   ring-rx: 0   ring-tx: 0   netflow-sampler: disable   sflow-sampler: disable   src-check: enable   explicit-web-proxy: disable   explicit-ftp-proxy: disable   proxy-captive-portal: disable   wccp: disable   drop-overlapped-fragment: disable   drop-fragment: disable   mtu-override: disable
== [ port4 ]
name: port4   mode: static   ip: 0.0.0.0 0.0.0.0   status: up   netbios-forward: disable   type: physical   ring-rx: 0   ring-tx: 0   netflow-sampler: disable   sflow-sampler: disable   src-check: enable   explicit-web-proxy: disable   explicit-ftp-proxy: disable   proxy-captive-portal: disable   wccp: disable   drop-overlapped-fragment: disable   drop-fragment: disable   mtu-override: disable
== [ naf.root ]
name: naf.root   ip: 0.0.0.0 0.0.0.0   status: up   netbios-forward: disable   type: tunnel   netflow-sampler: disable   sflow-sampler: disable   src-check: disable   explicit-web-proxy: disable   explicit-ftp-proxy: disable   proxy-captive-portal: disable   wccp: disable
== [ l2t.root ]
name: l2t.root   ip: 0.0.0.0 0.0.0.0   status: up   netbios-forward: disable   type: tunnel   netflow-sampler: disable   sflow-sampler: disable   src-check: enable   explicit-web-proxy: disable   explicit-ftp-proxy: disable   proxy-captive-portal: disable   wccp: disable
== [ ssl.root ]
name: ssl.root   ip: 0.0.0.0 0.0.0.0   status: up   netbios-forward: disable   type: tunnel   netflow-sampler: disable   sflow-sampler: disable   src-check: enable   explicit-web-proxy: disable   explicit-ftp-proxy: disable   proxy-captive-portal: disable   wccp: disable
== [ fortilink ]
name: fortilink   mode: static   ip: 10.255.1.1 255.255.255.0   status: up   netbios-forward: disable   type: aggregate   netflow-sampler: disable   sflow-sampler: disable   src-check: enable   explicit-web-proxy: disable   explicit-ftp-proxy: disable   proxy-captive-portal: disable   wccp: disable   drop-overlapped-fragment: disable   drop-fragment: disable   mtu-override: disable
```
- Verify which policy traffic will match based on the 5-tuple (source IP, source port, destination IP, destination port and protocol) using the command:
```
diagnose firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <source_interface>
```
The command confirms whether traffic is allowed and which policy ID it matched, or whether it is denied.
```
FGT6 # diagnose firewall iprope lookup 192.168.3.2 3000 8.8.8.8 80 tcp port2
policy id=65308 trace_id=26 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-192.168.20.1 via port3"
No authentication.
firewall policy id: 1
firewall proxy-policy id: 0
matched policy_type: policy policy_action: accept
```
Traffic matched firewall policy 1; run the command show firewall policy 1 to view the configuration of that policy.
```
FGT6 # show firewall policy 1
config firewall policy
    edit 1
        set name "Internet"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "LAN"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set logtraffic all
    next
end
```
Running the diagnose firewall iprope lookup command again with parameters that match no policy (here destination port 344, which is not in the HTTP/HTTPS/DNS service set), the output confirms that the default action is deny.
```
FGT6 # diagnose firewall iprope lookup 192.168.3.2 300 8.8.8.8 344 tcp port2
policy id=65308 trace_id=29 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-192.168.20.1 via port3"
id=65308 trace_id=29 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
No authentication.
No policy matched
sec_default_action: deny
firewall policy id: 0
firewall proxy-policy id: 0
```
- The get system session list command shows a real-time list of the active sessions passing through the firewall. The SOURCE-NAT column confirms whether a session's traffic is NAT translated.
```
FGT6 # get system session list
PROTO   EXPIRE   SOURCE               SOURCE-NAT            DESTINATION           DESTINATION-NAT
igmp    -22      10.255.1.1:0         -                     224.0.0.22:0          -
tcp     3596     192.168.6.10:60048   -                     192.168.20.16:443     -
icmp    58       192.168.3.2:8        192.168.20.16:60425   8.8.8.8:8             -
udp     148      192.168.20.16:1061   -                     96.45.45.45:53        -
udp     143      192.168.20.16:1061   -                     96.45.46.46:53        -
tcp     3287     192.168.6.10:60053   -                     192.168.20.16:443     -
tcp     3568     192.168.20.16:5878   -                     96.45.45.45:53        -
```
- The commands diagnose sys session filter and diagnose sys session list are among the most important tools for filtering sessions; they help you spot problems without being overwhelmed by too much information.
To narrow the session list down to only the sessions coming from a specific source IP, use the following commands:
```
diag sys session filter src <source ip>
diag sys session list
```
```
FGT6 # diag sys session list
total session: 0
FGT6 # id=65308 trace_id=41 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:12->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=12, seq=0."
id=65308 trace_id=41 func=init_ip_session_common line=6073 msg="allocate a new session-000002db"
id=65308 trace_id=41 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-192.168.20.1 via port3"
id=65308 trace_id=41 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=41 func=get_new_addr line=1268 msg="find DNAT: IP-192.168.20.16, port-60429"
id=65308 trace_id=41 func=fw_forward_handler line=995 msg="Allowed by Policy-2: SNAT"
id=65308 trace_id=41 func=ip_session_confirm_final line=3111 msg="npu_state=0x100, hook=4"
id=65308 trace_id=41 func=__ip_session_run_tuple line=3444 msg="SNAT 192.168.3.2->192.168.20.16:60429"
```
From the trace output above (the id=... trace_id=... lines), we can determine:
- Packet (ICMP type 8 code 0) is received from 192.168.3.2 to 8.8.8.8
- A new session is allocated
- The FortiGate performs a route lookup
- NAT is performed using the IP address of the egress interface (192.168.20.16)
- Traffic is allowed by policy #2
To confirm the configuration of policy #2, which the traffic matched, run the command show firewall policy 2.
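When a debug flow trace runs to many lines, it helps to reduce each trace_id to the handful of facts listed above. The following parser is an added example (not part of the original post or of FortiOS); it is fed the trace lines shown above as a constructed sample and pulls out the ingress interface, the chosen route, the policy verdict and the SNAT result for each trace_id.

```python
import re
from collections import defaultdict

# One FortiGate debug flow trace line: key=value pairs with a quoted msg.
TRACE_RE = re.compile(
    r'id=(?P<id>\d+)\s+trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+'
    r'line=(?P<line>\d+)\s+msg="(?P<msg>[^"]*)"')

# Constructed sample: the trace lines from the post's ICMP session above.
SAMPLE = '''
id=65308 trace_id=41 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:12->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=12, seq=0."
id=65308 trace_id=41 func=init_ip_session_common line=6073 msg="allocate a new session-000002db"
id=65308 trace_id=41 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-192.168.20.1 via port3"
id=65308 trace_id=41 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=41 func=get_new_addr line=1268 msg="find DNAT: IP-192.168.20.16, port-60429"
id=65308 trace_id=41 func=fw_forward_handler line=995 msg="Allowed by Policy-2: SNAT"
id=65308 trace_id=41 func=ip_session_confirm_final line=3111 msg="npu_state=0x100, hook=4"
id=65308 trace_id=41 func=__ip_session_run_tuple line=3444 msg="SNAT 192.168.3.2->192.168.20.16:60429"
'''

def parse_trace(text):
    """Group trace lines by trace_id, keeping order: {trace_id: [(func, msg), ...]}."""
    traces = defaultdict(list)
    for m in TRACE_RE.finditer(text):
        traces[int(m.group("trace"))].append((m.group("func"), m.group("msg")))
    return dict(traces)

def summarize(events):
    """Reduce one trace to the facts a troubleshooter reads off it: flow, route, policy, NAT."""
    s = {"src": None, "dst": None, "ingress": None, "egress": None,
         "new_session": False, "policy": None, "action": None, "snat": None}
    for func, msg in events:
        if func == "print_pkt_detail":   # "received a packet(proto=N, src->dst) ... from <intf>."
            m = re.search(r'packet\(proto=\d+, ([^\s)]+)->([^\s)]+)\).* from (\S+)\.', msg)
            if m:
                s["src"], s["dst"], s["ingress"] = m.groups()
        elif msg.startswith("allocate a new session"):
            s["new_session"] = True
        elif msg.startswith("find a route"):           # route lookup names the egress interface
            m = re.search(r'via (\S+)$', msg)
            s["egress"] = m.group(1) if m else None
        elif msg.startswith("Allowed by Policy-"):     # policy verdict and matched policy ID
            s["policy"] = int(re.search(r'Policy-(\d+)', msg).group(1))
            s["action"] = "accept"
        elif msg.startswith("Denied"):                 # any "Denied ..." verdict line
            s["action"] = "deny"
        elif msg.startswith("SNAT "):                  # "SNAT <orig>-><translated ip:port>"
            s["snat"] = msg.split("->", 1)[1]
    return s
```

Run summarize(parse_trace(SAMPLE)[41]) to get the same five conclusions the post draws by hand; a trace with no "Allowed" or "Denied" line ends with action None, which is itself a useful signal that the packet never reached the policy check.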
```
FGT6 # show firewall policy 2
config firewall policy
    edit 2
        set name "Ping"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "LAN"
        set dstaddr "all"
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
end
```
To confirm the Central SNAT policies, run the command show firewall central-snat-map.
```
FGT6 # show firewall central-snat-map
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port3"
        set orig-addr "LAN"
        set dst-addr "all"
    next
end
```