Fortinet black logo

CLI Reference

diagnose debug flow

diagnose debug flow

Use this command to debug particular traffic flows. Debug messages for traffic matching the filter and mask are displayed to the terminal screen.

Syntax

diagnose debug flow filter {addr <addr>|saddr <addr>|daddr <addr>|proto <integer>|virtual-server <VS-name>|clear|negate <addr|saddr|daddr|proto>|show}

diagnose debug flow mask {packet|session|persist|drop|layer4-server-loadbalance|all|custom <mask>}

diagnose debug flow show

diagnose debug flow start [<count>]

diagnose debug flow stop

filter

Specify filters. Issue multiple commands to add filters. Use the negate option to define "not in" matching.

Filters determine the traffic flows for which the debug logs are written. You can match flows based on host address, source address, destination address, and protocol.

mask

Specify a mask that sets the type of data written to the screen.

show

Show current status, filters, and mask options.

start

Start debugging. The [<count>] option specifies a number of debug lines to output.

stop

Stop debugging.

Example

FortiADC-docs # diagnose debug flow ?
filter filter
mask mask
show Stop trace.
start Start trace.
stop Stop trace.
FortiADC-docs # diagnose debug flow stop
FortiADC-VM # diagnose debug flow filter ?
addr IP address.
clear Clear filter.
daddr Destination IP address.
negate negate
proto Protocol number.
saddr Source IP address.
show Show filter configuration.
virtual-server virtual server
FortiADC-docs # diagnose debug flow filter saddr 3.3.3.3
FortiADC-docs # diagnose debug flow filter daddr 4.4.4.4
FortiADC-docs # diagnose debug flow filter proto 1
FortiADC-docs # diagnose debug flow filter virtual-server VS1
FortiADC-VM # diagnose debug flow mask ?
all all debug info.
custom custom flow mask.
ddos ddos protection info.
drop drop packet info.
ips ips protection info.
layer4-server-loadbalance l4 loadbalance debug info.
packet packet info(default is on).
persist-cache persistence cache info.
session session info.
FortiADC-docs # diagnose debug flow mask all
FortiADC-VM # diagnose debug flow start
Start flow debug, set debug info count to 1000000000

FortiADC-VM # diagnose debug flow show
---------running status && config-----------
----flow debug is running, remain count 1000000000
----flow filter-------------
proto: any
host addr: 50.1.0.100-50.1.0.100
Host saddr: any
Host daddr: any
Virtual server : VS1
----flow mask---------------
layer4-server-loadbalance
---------current terminal config-----------
----flow filter-------------
proto: any
host addr: 50.1.0.100-50.1.0.100
Host saddr: any
Host daddr: any
Virtual server: VS1
----flow mask---------------
layer4-server-loadbalance

FortiADC-VM # [03-15 12:56:56] [trace id:1]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] Create session fwd:M c:50.1.0.1:57028 v:50.1.0.100:80 l:50.1.0. 1:57028 d:50.1.2.3:80 conn->flags:80140 conn->refcnt:2
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [S...]
[03-15 12:56:56] TCP input [S...] 50.1.0.1:57028->50.1.2.3:80 state: NONE->SYN_ RECV conn->refcnt:2
[03-15 12:56:56] After DNAT: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] NAT xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [S.A.]
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:2]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] TCP input [..A.] 50.1.0.1:57028->50.1.2.3:80 state: SYN_RECV-> ESTABLISHED conn->refcnt:2
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:3]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [..A.]
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [..A.]
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:4]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:5]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [.FA.]
[03-15 12:56:56] TCP input [.FA.] 50.1.0.1:57028->50.1.2.3:80 state: ESTABLISHE D->CLOSE_WAIT conn->refcnt:2
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [.FA.]
[03-15 12:56:56] TCP output [.FA.] 50.1.0.1:57028->50.1.2.3:80 state: CLOSE_WAI T->TIME_WAIT conn->refcnt:2
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:6]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:59] Expire session TCP c:50.1.0.1:57028 v:50.1.0.100:80 d:50.1.2.3: 80 fwd:M s:5 conn->flags:80100 conn->refcnt:0 dest->refcnt:2
FortiADC-docs # diagnose debug flow stop			

diagnose debug flow

Use this command to debug particular traffic flows. Debug messages for traffic matching the filter and mask are displayed to the terminal screen.

Syntax

diagnose debug flow filter {addr <addr>|saddr <addr>|daddr <addr>|proto <integer>|virtual-server <VS-name>|clear|negate <addr|saddr|daddr|proto>|show}

diagnose debug flow mask {packet|session|persist|drop|layer4-server-loadbalance|all|custom <mask>}

diagnose debug flow show

diagnose debug flow start [<count>]

diagnose debug flow stop

filter

Specify filters. Issue multiple commands to add filters. Use the negate option to define "not in" matching.

Filters determine the traffic flows for which the debug logs are written. You can match flows based on host address, source address, destination address, and protocol.

mask

Specify a mask that sets the type of data written to the screen.

show

Show current status, filters, and mask options.

start

Start debugging. The [<count>] option specifies a number of debug lines to output.

stop

Stop debugging.

Example

FortiADC-docs # diagnose debug flow ?
filter filter
mask mask
show Stop trace.
start Start trace.
stop Stop trace.
FortiADC-docs # diagnose debug flow stop
FortiADC-VM # diagnose debug flow filter ?
addr IP address.
clear Clear filter.
daddr Destination IP address.
negate negate
proto Protocol number.
saddr Source IP address.
show Show filter configuration.
virtual-server virtual server
FortiADC-docs # diagnose debug flow filter saddr 3.3.3.3
FortiADC-docs # diagnose debug flow filter daddr 4.4.4.4
FortiADC-docs # diagnose debug flow filter proto 1
FortiADC-docs # diagnose debug flow filter virtual-server VS1
FortiADC-VM # diagnose debug flow mask ?
all all debug info.
custom custom flow mask.
ddos ddos protection info.
drop drop packet info.
ips ips protection info.
layer4-server-loadbalance l4 loadbalance debug info.
packet packet info(default is on).
persist-cache persistence cache info.
session session info.
FortiADC-docs # diagnose debug flow mask all
FortiADC-VM # diagnose debug flow start
Start flow debug, set debug info count to 1000000000

FortiADC-VM # diagnose debug flow show
---------running status && config-----------
----flow debug is running, remain count 1000000000
----flow filter-------------
proto: any
host addr: 50.1.0.100-50.1.0.100
Host saddr: any
Host daddr: any
Virtual server : VS1
----flow mask---------------
layer4-server-loadbalance
---------current terminal config-----------
----flow filter-------------
proto: any
host addr: 50.1.0.100-50.1.0.100
Host saddr: any
Host daddr: any
Virtual server: VS1
----flow mask---------------
layer4-server-loadbalance

FortiADC-VM # [03-15 12:56:56] [trace id:1]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] Create session fwd:M c:50.1.0.1:57028 v:50.1.0.100:80 l:50.1.0. 1:57028 d:50.1.2.3:80 conn->flags:80140 conn->refcnt:2
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [S...]
[03-15 12:56:56] TCP input [S...] 50.1.0.1:57028->50.1.2.3:80 state: NONE->SYN_ RECV conn->refcnt:2
[03-15 12:56:56] After DNAT: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] NAT xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [S.A.]
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:2]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] TCP input [..A.] 50.1.0.1:57028->50.1.2.3:80 state: SYN_RECV-> ESTABLISHED conn->refcnt:2
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:3]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [..A.]
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [..A.]
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:4]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:5]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [.FA.]
[03-15 12:56:56] TCP input [.FA.] 50.1.0.1:57028->50.1.2.3:80 state: ESTABLISHE D->CLOSE_WAIT conn->refcnt:2
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [.FA.]
[03-15 12:56:56] TCP output [.FA.] 50.1.0.1:57028->50.1.2.3:80 state: CLOSE_WAI T->TIME_WAIT conn->refcnt:2
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:6]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:59] Expire session TCP c:50.1.0.1:57028 v:50.1.0.100:80 d:50.1.2.3: 80 fwd:M s:5 conn->flags:80100 conn->refcnt:0 dest->refcnt:2
FortiADC-docs # diagnose debug flow stop