FortiGate Debug Flow

Troubleshooting traffic issues with debug flow

Debug flow is a very useful tool when used with the proper filters. The debug flow utility is used to debug traffic behavior on a FortiGate firewall. Without any filters applied, debug flow produces far too much output to be useful for diagnosing issues. With the correct filters, the output is narrowed to specific traffic flows and their behavior, which helps focus your debugging efforts.

Commands

CLI commands associated with the debug flow utility

diagnose debug flow filter addr x.x.x.x - filter on a specific IP address
diagnose debug flow filter proto N - filter on a specific protocol number
diagnose debug flow filter clear - clear all debug flow filters
diagnose debug flow show function-name enable - show the function name on each trace line
diagnose debug console timestamp enable - add a timestamp to each line of debug output
diagnose debug enable - enable debug output
diagnose debug flow trace start 1000 - start the trace; the number sets how many trace lines are produced before the trace stops
diagnose debug flow trace stop - stop the debug flow trace
diagnose debug disable - disable debug output
diagnose debug reset - reset all debug settings in use


Debug Flow Tips/Tricks:

Below are some useful examples that show how to get specific when using the debug flow utility. The goal is to be as specific as possible when focusing in on a particular issue.

Filter on a specific type of protocol


diagnose debug flow filter proto (choose protocol number)

protocol number 1 = ICMP

protocol number 6 = TCP

protocol number 17 = UDP



Filter only on UDP traffic from a specific IP address.

diagnose debug flow filter addr x.x.x.x

diagnose debug flow filter proto 17


Filter only on a port number


diagnose debug flow filter port X

X = port number; examples: 22 = SSH, 25 = SMTP, 80 = HTTP, 443 = HTTPS


Filter only on port number and IP address


diagnose debug flow filter addr x.x.x.x

diagnose debug flow filter port 80


Filter only on source or destination port


diagnose debug flow filter sport 80 → filter on the source port for HTTP

diagnose debug flow filter dport 25 → filter on the destination port for SMTP


Filter only on source or destination IP address


diagnose debug flow filter saddr x.x.x.x → filter with the source IP address x.x.x.x

diagnose debug flow filter daddr y.y.y.y → filter with the destination IP address y.y.y.y

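The command sequences above, composed into a script (an added example, not part of the original page and not a Fortinet tool): it emits the FortiGate CLI lines for a filtered debug flow session and for the matching cleanup, so they can be piped to the unit over SSH. The hostname, IP address and ports in it are placeholders, and the input validation and the "-" sentinel for an unset filter are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original page: emit the FortiGate CLI
# command sequence for a filtered debug flow session, plus the cleanup
# sequence. Pipe the output to the firewall, e.g.
#   debug_flow_start 10.0.0.5 17 53 1000 | ssh admin@fw.example.net
# (hostname, address and ports are placeholders).

# True when $1 is a decimal integer between $2 and $3 inclusive.
is_int_in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# debug_flow_start ADDR PROTO PORT [LINES]
# Use "-" for ADDR, PROTO or PORT to leave that filter unset.
debug_flow_start() {
    addr=$1; proto=$2; port=$3; lines=${4:-1000}
    # An unfiltered session floods the console, so refuse to start one.
    if [ "$addr" = "-" ] && [ "$proto" = "-" ] && [ "$port" = "-" ]; then
        echo "debug_flow_start: refusing to trace without a filter" >&2
        return 1
    fi
    if [ "$proto" != "-" ] && ! is_int_in_range "$proto" 0 255; then
        echo "debug_flow_start: bad protocol '$proto' (1=ICMP, 6=TCP, 17=UDP)" >&2
        return 1
    fi
    if [ "$port" != "-" ] && ! is_int_in_range "$port" 1 65535; then
        echo "debug_flow_start: bad port '$port'" >&2
        return 1
    fi
    # Start from a clean filter set so stale filters from an earlier
    # session cannot silently narrow or widen this one.
    echo "diagnose debug flow filter clear"
    [ "$addr" = "-" ]  || echo "diagnose debug flow filter addr $addr"
    [ "$proto" = "-" ] || echo "diagnose debug flow filter proto $proto"
    [ "$port" = "-" ]  || echo "diagnose debug flow filter port $port"
    echo "diagnose debug flow show function-name enable"
    echo "diagnose debug console timestamp enable"
    echo "diagnose debug enable"
    echo "diagnose debug flow trace start $lines"
}

# debug_flow_stop: stop the trace and return the unit to a no-debug state.
debug_flow_stop() {
    echo "diagnose debug flow trace stop"
    echo "diagnose debug flow filter clear"
    echo "diagnose debug disable"
    echo "diagnose debug reset"
}
```

Run debug_flow_stop the same way when you are done, so the unit is not left producing debug output.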

Summary

The debug flow command is a great utility to assist engineers troubleshooting traffic flows on FortiGate firewalls. Be sure to disable your debug flow commands when you are finished using them, so you are not producing log data and consuming resources when you no longer need them.