FortiPAM HTTP filter
Turning on the HTTP category debug can generate a lot of traces from the GUI. When GUI traffic is not needed, the FortiPAM HTTP filter helps filter out the traces that are not required.
You must have system administrator and CLI permissions to use the FortiPAM HTTP filter.
To use the FortiPAM trace filter feature:
- In the CLI console, enter the following command to set the debug category to http:
diagnose wad debug enable category http
- Optionally, enter the following command to set the debug level:
diagnose wad debug enable level <level>
- Use the following CLI command to set up a filter for the FortiPAM traffic:
diagnose wad filter pam
| Variable | Description |
| --- | --- |
| none | Reset FortiPAM filter setting. All the HTTP traffic traces are displayed. |
| internal | Internal FortiPAM trace. HTTP traffic with /pam api-gateway is displayed, e.g., FortiClient and secret launcher traffic. |
| tcp-forward | TCP-forward trace. Traffic trace with /tcp api-gateway is displayed, e.g., TCP tunneling information when starting a launcher. |
| both | Internal FortiPAM and TCP-forward trace. HTTP traffic with /tcp and /pam api-gateway is displayed. |

For most cases, the both option is recommended for the filter.
The FortiPAM filter can be used with diagnose wad filter drop-unknown-session 1 to ignore more information during session initialization.
Examples
- Turning on drop-unknown-session with the internal option (diagnose wad filter pam internal) and launching a secret shows the following trace:
PAM # [I][p:1070][s:930509823][r:2694] wad_http_req_proc_policy: 10453 ses_ctx:ct|Pvx|M|H|C|A1 fwd_srv=<nil>
[I][p:1070][s:930509823][r:2694] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 309
[I][p:1070][s:930509826][r:2701] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Proxy-Agent: FortiPAM/1.0
X-Range: bytes=773458-
Content-Length: 0
- Turning on drop-unknown-session with the tcp-forward option (diagnose wad filter pam tcp-forward) and launching a secret shows the following trace:
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5182 Check redir PROXY port=22((null))
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5190 TCP tunnel detected without type.
[I][p:1070][s:930509852][r:2799] wad_dump_fwd_http_resp :2663 hreq=0x7f34b46a41f8 Forward response from Internal:
HTTP/1.1 101 Switching Protocols
Upgrade: tcp-forwarding/1.0
Connection: Upgrade
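The following Python parser is an added example, not part of the FortiPAM documentation. It reads captured trace output in the format shown in the examples above, collects each dumped HTTP response under its s: value, and lists the values whose response was the 101 upgrade to tcp-forwarding. The function names are hypothetical, the sample lines are constructed from the examples above, and treating the s: field as a session identifier is an assumption, since the page does not define the bracketed fields.

```python
import re
from collections import defaultdict

# Constructed sample: trace lines copied in shape from the examples above.
SAMPLE = """\
PAM # [I][p:1070][s:930509823][r:2694] wad_http_req_proc_policy: 10453 ses_ctx:ct|Pvx|M|H|C|A1 fwd_srv=<nil>
[I][p:1070][s:930509823][r:2694] wad_dump_fwd_http_resp: 2663 hreq=0x7f34b46a2e58 Forward response from Internal:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 309
[I][p:1070][s:930509852][r:2799] wad_http_req_check_vs_tunnel_type :5190 TCP tunnel detected without type.
[I][p:1070][s:930509852][r:2799] wad_dump_fwd_http_resp :2663 hreq=0x7f34b46a41f8 Forward response from Internal:
HTTP/1.1 101 Switching Protocols
Upgrade: tcp-forwarding/1.0
Connection: Upgrade
"""

# "[I][p:..][s:..][r:..] func :line message"; the colon may sit on either side of the space,
# and the first line of a capture may carry the CLI prompt.
TRACE = re.compile(r"^(?:\S+ # )?\[(?P<lvl>\w)\]\[p:(?P<p>\d+)\]\[s:(?P<s>\d+)\]\[r:(?P<r>\d+)\]\s+"
                   r"(?P<func>\w+)\s*:\s*(?P<line>\d+)\s*(?P<msg>.*)$")
STATUS = re.compile(r"^HTTP/\d\.\d (?P<code>\d{3}) ")

def parse_trace(text):
    """Return {s value (assumed session id): [response dict, ...]} for each dumped response."""
    sessions = defaultdict(list)
    current = None  # response being filled by the continuation lines, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        m = TRACE.match(line)
        if m:
            current = None
            if m["func"] == "wad_dump_fwd_http_resp":
                current = {"r": m["r"], "status": None, "headers": {}}
                sessions[m["s"]].append(current)
            continue
        if current is None or not line:
            continue  # continuation of a trace line we do not collect
        st = STATUS.match(line)
        if st:
            current["status"] = int(st["code"])
        elif ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    return dict(sessions)

def tcp_forward_sessions(sessions):
    """s values that received a 101 upgrade to tcp-forwarding, as in the tcp-forward example."""
    return sorted({s for s, resps in sessions.items() for r in resps if r["status"] == 101
                   and r["headers"].get("upgrade", "").startswith("tcp-forwarding")})
```
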