04/12/2014

Debugging FortiGate configurations

Advanced FortiGate installation and setup : Debugging FortiGate configurations

Debugging FortiGate configurations

Problem
Im having problems configuring my FortiGate unit. Ive heard of debug commands, how do I use them?

Solution
FortiGate units have built-in diagnose debug commands that can be used to debug the operation of any FortiGate
software system by displaying debug messages on the CLI console as the system operates. When you find the
problem you can correct the configuration and run the diagnose debug command again to verify that the system
now operates correctly.
Before performing any debugging, you should connect to the FortiGate CLI with a
terminal program that supports storing the output to a file for later reference. If you do
not save the output to a file, you will miss valuable debugging information.

Keep in mind that debugging consumes system resources and may affect performance.
In most cases this will not be a problem, but if your FortiGate unit is running at 100
percent resource usage already, it is likely that running the debug application will cause
the FortiGate unit to drop more packets or sessions, and generally increase its
overloaded behavior. The worst is when you are sniffing packets, which can use 10
percent or more of the system resources.

http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_ts_debug.html

1/4

04/12/2014

Debugging FortiGate configurations

To use the diagnose debug commands you must check the current debug configuration, enable debugging,
select a software system for which to display debugging information, collect and analyze the results, and stop
displaying debugging information. In general you can follow this command sequence:
diagnose debug info
diagnose debug <software-system> <debug-level>
diagnose debug enable
diagnose debug disable
The following debug commands are also useful:
diagnose debug reset to reset the debug configuration to a default state.

diagnose debug report Fortinet support may ask you to run this command and send them the output.
This is an exhaustive report that runs many different diagnose commands to gather a
large amount of information. It may take up to 20 minutes to run on a FortiGate unit with
a complex configuration and may temporarily affect system performance.

Example diagnose debug procedure for an SSL VPN portal

This procedure describes typical steps for displaying debug information for the SSL VPN configuration described in
Setting up remote web browsing for internal sites through SSL VPN . You can use similar steps to display debug
info for many other software systems.
1 Verify the current debug configuration by entering the following command:
diagnose debug info
debug output:
disable
console timestamp:
disable
console no user log message:
disable
CLI debug level:
3
This is a good command to run first, so you know what filters are in place and so on; otherwise, you may start
debugging and wonder why the output is not what you expected. This output above indicates that debug output is
disabled so debug messages are not displayed. The output also indicates that debugging has not been enabled
for any software systems.
2 Enter the following command to display debug messages for SSL VPN.
diagnose debug application sslvpn -1
This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed
results.
You can view all the debug options by entering diagnose debug ? or diagnose
debug application ?

3 Enter the following command to verify the debug configuration:

diagnose debug info
debug output:
disable
console timestamp:
disable
console no user log message:
disable
sslvpn debug level:
-1 (0xffffffff)
CLI debug level:
3
This output verifies that SSL VPN debugging is enabled with a debug level of -1.
4 Enable displaying debug messages by entering the following command:
diagnose debug enable
5 Log into the SSL VPN portal. The CLI displays debug messages similar to the following.
diagnose debug enable
http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_ts_debug.html

2/4

04/12/2014

Debugging FortiGate configurations

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization

(172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256)
Mac=SHA1
Just the first few messages are shown for an SSL VPN user connecting to the portal from IP address
172.20.120.12. The messages show the connection being accepted and SSL VPN negotiation taking place.
You can view and analyze the debug messages or save them to a text file using your terminal program.
6 Enter the following command to stop displaying debug messages:
diagnose debug disable
If there is a lot of output scrolling by quickly, you may not be able to see the command as you enter it.

Debugging authentication
Any time a FortiGate unit authenticates a user, the authd daemon is responsible. This is true if the user is logging in
through SSL VPN, connecting over IPsec VPN from FortiClient, and even if certificates are involved. You can use
the following command to debug authentication:
diagnose debug application authd -1
diagnose debug enable
authd_http.c:1910 authd_http_connect: called
authd_http.c:3071 authd_http_change_state: called
change state to: 3
authd_http.c:1112 authd_http_read: called
authd_http.c:2383 authd_http_wait_req: called
authd_http.c:2443 authd_http_read_req: called
authd_http_common.c:276 authd_http_read_http_message: called
authd_http_common.c:229 authd_http_is_full_http_message: called
authd_http.c:4899 authd_http_on_method_get: called
authd_http.c:2098 authd_http_check_auth_action: called
authd_http.c:3071 authd_http_change_state: called
change state to: 2
The output shows the messages the authentication daemon is receiving and the resulting state changes. This
authentication session was between a FortiGate unit and FortiClient during an IPsec VPN session setup.

Debugging IPsec VPN

You can use the diag debug application ike -1 command to display all the VPN related traffic, especially
for initial negotiations. By doing this, it will give you the information to find and fix errors that you would only be
guessing at, otherwise.

Debugging URL filtering

Have you tried to set up URL filters only to have the URLs still come through? The diag debug information can help
you determine what is going on under the hood, such as Blocking all web sites except those you specify using a
whitelist .
For example, if one user at 172.20.120.18 is complaining the URL filter is not working for them you can enter the
command:
#diag debug disable
http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_ts_debug.html

3/4

04/12/2014

Debugging FortiGate configurations

#diag debug application urlfilter -1

#diag debug enable
This is very useful if you want to test some new URL filter patterns. The following sample output from this set of
commands for a group of URLs that you have included in the UTM Web Filtering Advanced Filtering list, such as
*.ro, would appear as:
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38:
d=www.example.ro:80, id=22, vfid=0, type=0, client=10.10.80.110, url=/favicon.ico"
Checking urlfilter list 4
Url filter deny action
This output shows one attempt to browse to http://www.example.ro, which is a match to the blocked *.ro
sites. From this output, we can see the URL, who was going there (the client IP address of 10.10.80.110), and the
action - URL filter deny action. It is good to note that the ID number will increment by one for each message
matched like this. From this information, we now know the *.ro URL filter is working properly for a client on the
10.10.80.0 subnet.

Debugging packet flow

You can use the diag debug flow command to show packet flow through the FortiGate unit. As packets are
received, you can view debug messages to show how the FortiGate unit processes them. For more information, see
Verifying that traffic is accepted by a security policy .

http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_ts_debug.html

4/4