Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

diagnose debug flow

Use this command to debug particular traffic flows. Debug messages for traffic matching the filter and mask are displayed to the terminal screen.

Syntax

diagnose debug flow filter {addr <addr>|saddr <addr>| daddr <addr>| proto <integer>|clear|negate <addr|saddr|daddr|proto>|show}

diagnose debug flow mask {packet|session|persist|drop|all|custom <mask>}

diagnose debug flow show

diagnose debug flow start [<count>]

diagnose debug flow stop

 

filter

Specify filters. Issue multiple commands to add filters. Use the negate option to define "not in" matching.

Filters determine the traffic flows for which the debug logs are written. You can match flows based on host address, source address, destination address, and protocol.

mask

Specify a mask that sets the type of data written to the screen.

show

Show current status, filters, and mask options.

start

Start debugging. The [<count>] option specifies a number of debug lines to output.

stop

Stop debugging.

Example

FortiADC-docs # diagnose debug flow ?

filter filter

mask mask

show Stop trace.

start Start trace.

stop Stop trace.

 

FortiADC-docs # diagnose debug flow stop

 

FortiADC-docs # diagnose debug flow filter ?

addr IP address.

clear Clear filter.

daddr Destination IP address.

negate negate

proto Protocol number.

saddr Source IP address.

show Show filter configuration.

 

FortiADC-docs # diagnose debug flow filter saddr 3.3.3.3

FortiADC-docs # diagnose debug flow filter daddr 4.4.4.4

FortiADC-docs # diagnose debug flow filter proto 1

 

FortiADC-docs # diagnose debug flow mask ?

all all

debug info.

custom custom flow mask.

drop drop packet info.

packet packet info(default is on).

persist-cache persistence cache info.

session session info.

 

FortiADC-docs # diagnose debug flow mask all

 

FortiADC-docs # diagnose debug flow show

---------running status && config-----------

----flow debug is not running

---------current terminal config-----------

----flow filter-------------

proto: 1

Host addr: any

Host saddr: 3.3.3.3

host daddr: 4.4.4.4

----flow mask---------------

packet session persist-cache drop

 

FortiADC-docs # diagnose debug flow start

Start flow debug, set debug info count to 1000000000

 

FortiADC-VM (root) # [trace id:11]recv a ip packet, MAC 00:0c:29:4d:fe:84 -> 00:0c:29:b2:41:f2 3.3.3.3 -> 4.4.4.4 iif port2 proto 1dent 0 flags 0x40 length 84 ttl 64

[trace id:11]record reverse route info into session: iif port2 mac 00:0c:29:4d:fe:84

[trace id:11]No session matched, create new session

[trace common]tuple src 0x3030303 sport 0, dst 0x4040404 dport 0, proto

[trace common]use dest address hash, len=1

[trace common]iif 7 oif 0 tuple src 0x3030303 dst 0x4040404 proto 1 sport 0 dport 0

[trace common]matched policy 1

[trace common]llb route table id 4097

[trace id:11]find input route interface vlan100 nexthop 5.5.100.1

[trace id:11]ip output by if vlan100

[trace id:11]DSTCACHE: save dst dir 0, nexthop 5.5.100.1 dev vlan100 filled into SESSION prot 1 [3.3.3.3:24104, 4.4.4.4:2048] -> [4.4.4.4:24104, 3.3.3.3:0]

[trace id:11]Confirm conntrack:protocol 1, In if 0 3.3.3.3:24104 -> 4.4.4.4:2048 Reverse:In if 0 4.4.4.4:24104 -> 3.3.3.3:0

[trace id:11]ip finish output2 nexthop by route 0x1640505 if vlan100

[trace id:12]recv a ip packet, MAC 00:0c:29:44:92:d2 -> 00:0c:29:b2:41:10 4.4.4.4 -> 3.3.3.3 iif vlan100 proto 1dent 6851 flags 0x0 length 84 ttl 63

[trace id:12]Session found

[trace id:12]find input route interface port2 nexthop 0.0.0.0

[trace id:12]ip output by if port2

[trace id:12]DSTCACHE: save dst dir 1, nexthop 0.0.0.0 dev port2 filled into SESSION prot 1 [3.3.3.3:24104, 4.4.4.4:2048] -> [4.4.4.4:24104, 3.3.3.3:0]

[trace id:12]Transmit packet by reverse route, dev port2 dest mac 00:0c:29:4d:fe:84

 

FortiADC-docs # diagnose debug flow stop

diagnose debug flow

Use this command to debug particular traffic flows. Debug messages for traffic matching the filter and mask are displayed to the terminal screen.

Syntax

diagnose debug flow filter {addr <addr>|saddr <addr>| daddr <addr>| proto <integer>|clear|negate <addr|saddr|daddr|proto>|show}

diagnose debug flow mask {packet|session|persist|drop|all|custom <mask>}

diagnose debug flow show

diagnose debug flow start [<count>]

diagnose debug flow stop

 

filter

Specify filters. Issue multiple commands to add filters. Use the negate option to define "not in" matching.

Filters determine the traffic flows for which the debug logs are written. You can match flows based on host address, source address, destination address, and protocol.

mask

Specify a mask that sets the type of data written to the screen.

show

Show current status, filters, and mask options.

start

Start debugging. The [<count>] option specifies a number of debug lines to output.

stop

Stop debugging.

Example

FortiADC-docs # diagnose debug flow ?

filter filter

mask mask

show Stop trace.

start Start trace.

stop Stop trace.

 

FortiADC-docs # diagnose debug flow stop

 

FortiADC-docs # diagnose debug flow filter ?

addr IP address.

clear Clear filter.

daddr Destination IP address.

negate negate

proto Protocol number.

saddr Source IP address.

show Show filter configuration.

 

FortiADC-docs # diagnose debug flow filter saddr 3.3.3.3

FortiADC-docs # diagnose debug flow filter daddr 4.4.4.4

FortiADC-docs # diagnose debug flow filter proto 1

 

FortiADC-docs # diagnose debug flow mask ?

all all

debug info.

custom custom flow mask.

drop drop packet info.

packet packet info(default is on).

persist-cache persistence cache info.

session session info.

 

FortiADC-docs # diagnose debug flow mask all

 

FortiADC-docs # diagnose debug flow show

---------running status && config-----------

----flow debug is not running

---------current terminal config-----------

----flow filter-------------

proto: 1

Host addr: any

Host saddr: 3.3.3.3

host daddr: 4.4.4.4

----flow mask---------------

packet session persist-cache drop

 

FortiADC-docs # diagnose debug flow start

Start flow debug, set debug info count to 1000000000

 

FortiADC-VM (root) # [trace id:11]recv a ip packet, MAC 00:0c:29:4d:fe:84 -> 00:0c:29:b2:41:f2 3.3.3.3 -> 4.4.4.4 iif port2 proto 1dent 0 flags 0x40 length 84 ttl 64

[trace id:11]record reverse route info into session: iif port2 mac 00:0c:29:4d:fe:84

[trace id:11]No session matched, create new session

[trace common]tuple src 0x3030303 sport 0, dst 0x4040404 dport 0, proto

[trace common]use dest address hash, len=1

[trace common]iif 7 oif 0 tuple src 0x3030303 dst 0x4040404 proto 1 sport 0 dport 0

[trace common]matched policy 1

[trace common]llb route table id 4097

[trace id:11]find input route interface vlan100 nexthop 5.5.100.1

[trace id:11]ip output by if vlan100

[trace id:11]DSTCACHE: save dst dir 0, nexthop 5.5.100.1 dev vlan100 filled into SESSION prot 1 [3.3.3.3:24104, 4.4.4.4:2048] -> [4.4.4.4:24104, 3.3.3.3:0]

[trace id:11]Confirm conntrack:protocol 1, In if 0 3.3.3.3:24104 -> 4.4.4.4:2048 Reverse:In if 0 4.4.4.4:24104 -> 3.3.3.3:0

[trace id:11]ip finish output2 nexthop by route 0x1640505 if vlan100

[trace id:12]recv a ip packet, MAC 00:0c:29:44:92:d2 -> 00:0c:29:b2:41:10 4.4.4.4 -> 3.3.3.3 iif vlan100 proto 1dent 6851 flags 0x0 length 84 ttl 63

[trace id:12]Session found

[trace id:12]find input route interface port2 nexthop 0.0.0.0

[trace id:12]ip output by if port2

[trace id:12]DSTCACHE: save dst dir 1, nexthop 0.0.0.0 dev port2 filled into SESSION prot 1 [3.3.3.3:24104, 4.4.4.4:2048] -> [4.4.4.4:24104, 3.3.3.3:0]

[trace id:12]Transmit packet by reverse route, dev port2 dest mac 00:0c:29:4d:fe:84

 

FortiADC-docs # diagnose debug flow stop