FortiWeb
Anthony_E
Community Manager
Article Id 299115
Description

This article describes what basic set of outputs to collect, and how, for troubleshooting with TAC.

Scope

FortiWeb.

Solution

Follow the steps below.

  1. Prepare the setup.
  • Enable debug flow through the FortiWeb CLI and log the session output to a text file.

diag deb reset <- To clear any already set debug.
diag deb flow filter flow-detail 4
diag deb flow filter client-ip <Client IP>
diag deb flow filter server-ip <the FortiWeb VIP>
diag deb flow trace start
diag deb enable

Starting from version 7.0.2, the 'diag deb flow filter pserver-ip' command has been introduced to collect the SSL keys that support decoding the recorded TLS traffic. Below is an example:

diag deb flow filter http-detail 4
diag deb flow filter flow-detail 4
diag deb flow filter session-detail 2
diag deb flow filter client-ip <CLIENT IP>
diag deb flow filter server-ip <the FortiWeb VIP IP>
diag deb flow trace start
diag deb enable

  • At the same time, start a packet capture on the FortiWeb: one for the frontend connection (Client <-> FortiWeb) and one for the backend connection (FortiWeb <-> Server). If there are multiple backend servers, repeat this for each server.
  • Option 1 (preferred), use the GUI:
    System -> Network -> Packet Capture.
  • Option 2 (when GUI access is not available), use the CLI (through a different SSH session):

diag network sniffer packet any "port 443" 6

A host IP can be added to the filter, e.g.

diag network sniffer packet any "port 443 and host 10.1.1.1" 6

  2. Generate the outputs.
  • Initiate the request from the client and reproduce the issue.
  • If a browser is used, clear its cache and restart it, or use a private (incognito) window, before initiating the request.

  3. Cleanup.
  • Stop the packet capture (in the CLI, by pressing CTRL+C).
  • Disable the debug flow.

diag deb flow trace stop
diag deb disa

  4. Collect.
  • Download the pcap files from the FortiWeb and zip them together with the debug flow output text file and the System Debug File.
  • To enable the System Debug File:
    1. Go to System > Config > Feature Visibility. To access this part of the web UI, the administrator account's access profile must have Read and Write permission to items in the System Configuration category.
    2. Locate System Features.
    3. Enable Debug.
    4. Select Apply.
  • Download the debug logs from System -> Maintenance -> Debug -> Download.
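As an added example (not part of the original article or of any Fortinet tooling), the following POSIX shell helper bundles the collected outputs for a TAC case on the engineer's workstation. The case id, file names and output directory are placeholders; it uses tar+gzip rather than zip so it runs on any host that has tar, refuses to bundle a missing or empty file (an empty pcap usually means the capture never started), and writes a SHA-256 manifest so the receiving engineer can confirm nothing was truncated in transit.

```shell
#!/bin/sh
# Added example: bundle FortiWeb troubleshooting outputs for a TAC case.
# Assumptions: CASE_ID, OUT_DIR and the file names are placeholders chosen
# by the caller; tar+gzip stands in for zip so only POSIX tools are needed.

set -u

# SHA-256 of one file; portable across sha256sum (Linux) and shasum (BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# bundle_tac_case CASE_ID OUT_DIR FILE...
# Prints the archive path and returns 0 on success.
# Returns 1 if any listed file is missing or empty, so an incomplete
# bundle (e.g. a capture that never started) is never produced.
bundle_tac_case() {
    case_id="$1"; out_dir="$2"; shift 2
    [ "$#" -gt 0 ] || { echo "no files given" >&2; return 1; }
    mkdir -p "$out_dir"
    stage="$out_dir/$case_id"
    rm -rf "$stage"; mkdir -p "$stage"

    # Copy each output into the staging directory, validating as we go.
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            rm -rf "$stage"
            return 1
        fi
        cp "$f" "$stage/"
    done

    # Manifest lets the receiver verify integrity of every bundled file.
    manifest="$stage/MANIFEST.sha256"
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(file_sha256 "$f")" "$(basename "$f")" >> "$manifest"
    done

    archive="$out_dir/${case_id}_fortiweb_outputs.tar.gz"
    tar -C "$out_dir" -czf "$archive" "$case_id"
    rm -rf "$stage"
    echo "$archive"
}

# Typical call (placeholder names):
# bundle_tac_case CASE_PLACEHOLDER ./tac_bundle debug_flow.txt frontend.pcap backend.pcap system_debug.dat
```

The staging directory is named after the case id so the archive unpacks into a single folder, and the debug flow text file, the pcaps and the System Debug File all travel together with their hashes.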