Fortigate traffic troubleshooting

I got into a spot this past week trying to diagnose the flow of traffic from remotely connected networks to a DMZ. This remote network was connected to the LOCAL interface.

Start with a packet sniff. Connect to the device or VDOM that has the interfaces that you want to use for sniffing.

FORTIGATE# diagnose sniffer packet [interface name] 'host [ip address]'

Note: when the filter was set to the source address, no traffic was picked up. Remember that routers you don't control may also have NAT and strange routing configurations; never take things for granted.

On a Fortigate unit that is not handling a high traffic load and has a low average CPU load, you can enable a flow diagnostic. This will give you details on the rule that is denying (or passing) your packet.

FORTIGATE# diagnose debug enable
FORTIGATE# diagnose debug console timestamp enable
FORTIGATE# diagnose debug flow show console enable
FORTIGATE# diagnose debug flow filter addr [ip address]
FORTIGATE# diagnose debug flow trace start [count of packets]

This will give you the debug information required to reduce the scope of your search and may even point you to the exact issue. Look into the filter options to change the scope of the traffic you diagnose.
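A long flow trace is tedious to read line by line, so here is an added example (not from the original post) that groups the `diagnose debug flow` output by trace_id and reports, for each packet, the ingress and egress interface and which policy allowed or denied it. The sample lines are constructed after the real output format rather than captured from a device; the interface names LOCAL and DMZ and all addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of "diagnose debug flow" output, shaped after the real
# id=/trace_id=/func=/msg= format. Interfaces and addresses are assumptions.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5521 msg="vd-root:0 received a packet(proto=6, 10.10.10.5:51234->172.16.1.20:443) from LOCAL. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-172.16.1.1 via DMZ"
id=20085 trace_id=1 func=fw_forward_handler line=767 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5521 msg="vd-root:0 received a packet(proto=6, 10.10.10.5:51235->172.16.1.20:80) from LOCAL. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-172.16.1.1 via DMZ"
id=20085 trace_id=2 func=fw_forward_handler line=767 msg="Allowed by Policy-12: SNAT"
id=20085 trace_id=3 func=print_pkt_detail line=5521 msg="vd-root:0 received a packet(proto=1, 10.10.10.5:1->172.16.1.20:2048) from LOCAL. type=8, code=0, id=1, seq=1"
"""

TRACE_RE = re.compile(r'trace_id=(\d+).*?msg="([^"]*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+?)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by (.+?) \(policy (\d+)\)')

def summarize_flow(text):
    """Group debug-flow lines by trace_id and extract one verdict per packet."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue                      # not a debug-flow line, skip it
        tid, msg = int(m.group(1)), m.group(2)
        t = traces[tid]
        if (p := PKT_RE.search(msg)):     # first line of a trace: the packet itself
            t.update(proto=int(p.group(1)), src=p.group(2), dst=p.group(3), in_if=p.group(4))
        elif (r := ROUTE_RE.search(msg)): # route lookup gives the egress interface
            t["out_if"] = r.group(1)
        elif (a := ALLOW_RE.search(msg)):
            t.update(verdict="allow", policy=int(a.group(1)))
        elif (d := DENY_RE.search(msg)):  # policy 0 is the implicit deny
            t.update(verdict="deny", policy=int(d.group(2)), reason=d.group(1))
    for t in traces.values():
        t.setdefault("verdict", "no-verdict")  # trace ended before a policy decision
    return dict(traces)

def report(text):
    out = []
    for tid, t in sorted(summarize_flow(text).items()):
        out.append(f"trace {tid}: {t.get('src')} -> {t.get('dst')} proto {t.get('proto')} "
                   f"{t.get('in_if')} -> {t.get('out_if', '?')}: {t['verdict']}"
                   + (f" (policy {t['policy']})" if "policy" in t else ""))
    return "\n".join(out)
```

Paste the console output of the trace into `SAMPLE` (or read it from a file) and print `report(...)`; a trace that never reaches a policy decision shows up as `no-verdict`, which usually means the packet was dropped before policy lookup (no route, reverse-path check, or a filter that did not match).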