
Traffic should come in and leave the FortiGate unit. If you have determined that network traffic is not entering and leaving the FortiGate unit as expected, debug the packet flow.

Debugging can only be performed using CLI commands. Debugging the packet flow requires a number of debug commands to be entered, as each one configures part of the debug action, with the final command starting the debug.

If your FortiGate unit has FortiASIC NP4 interface pairs that are offloading traffic, this will change the packet flow. Before performing the debug on any NP4 interfaces, you should disable offloading on those interfaces.

The following configuration assumes that PC1 is connected to the internal interface of the FortiGate unit and has an IP address of 10.11.101.200.

To debug the packet flow in the CLI, enter the following commands:

FGT# diag debug enable
FGT# diag debug flow filter add 10.11.101.200
FGT# diag debug flow show console enable
FGT# diag debug flow show function-name enable
FGT# diag debug flow trace start 100

The start 100 argument in the above list of commands will limit the output to 100 packets from the flow. This is useful for looking at the flow without flooding your log or displaying too much information.

To stop all other debug activities, enter the command:

FGT# diag debug flow trace stop

The following is an example of debug flow output for traffic that has no matching security policy, and is in turn blocked by the FortiGate unit. The denied message indicates that the traffic was blocked.
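Reading a 100-packet trace by eye is slow, so the following added example (not part of the Fortinet documentation) groups debug flow lines by trace_id and pulls out the verdict each trace reached. The sample output is constructed for this example in the key=value style that diag debug flow prints; the exact message strings ("Denied by forward policy check", "Allowed by Policy-3") and function names are illustrative and will vary by FortiOS release.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value style of FortiOS "diag debug flow" output.
# They are illustrative for this example, not captured from a real unit.
SAMPLE_OUTPUT = """\
id=20085 trace_id=319 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.11.101.200:51234->203.0.113.10:443) from internal."
id=20085 trace_id=319 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b2"
id=20085 trace_id=319 func=vf_ip4_route_input line=1597 msg="find a route: gw-192.168.0.1 via wan1"
id=20085 trace_id=319 func=fw_forward_handler line=317 msg="Denied by forward policy check"
id=20085 trace_id=320 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.11.101.200:51240->203.0.113.20:80) from internal."
id=20085 trace_id=320 func=fw_forward_handler line=380 msg="Allowed by Policy-3"
"""

# key=value pairs; the value is either a double-quoted string (may contain spaces,
# parentheses and commas) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_flow_line(line):
    """Split one debug flow line into a dict of key -> value (quotes stripped)."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def summarize_traces(output):
    """Group lines by trace_id and record the packet summary and final verdict of each trace."""
    traces = defaultdict(lambda: {"packet": None, "verdict": None, "func": None})
    for line in output.splitlines():
        fields = parse_flow_line(line)
        trace_id = fields.get("trace_id")
        if trace_id is None:
            continue  # blank or non-flow line
        entry = traces[trace_id]
        msg = fields.get("msg", "")
        if fields.get("func") == "print_pkt_detail":
            entry["packet"] = msg
        # Assumed convention for this example: verdict messages begin with
        # "Denied by" or "Allowed by" followed by the reason or policy name.
        if msg.startswith("Denied by") or msg.startswith("Allowed by"):
            entry["verdict"] = msg
            entry["func"] = fields.get("func")
    return dict(traces)


def denied_traces(output):
    """Return {trace_id: reason} for every trace whose verdict was a denial."""
    return {
        trace_id: trace["verdict"]
        for trace_id, trace in summarize_traces(output).items()
        if trace["verdict"] and trace["verdict"].startswith("Denied by")
    }


if __name__ == "__main__":
    for trace_id, reason in denied_traces(SAMPLE_OUTPUT).items():
        print(f"trace {trace_id}: {reason}")
```

Paste the captured trace into SAMPLE_OUTPUT (or read it from a file) and the script lists only the traces that ended in a denial, which is usually the first thing to check when traffic from PC1 is not leaving the unit.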
