Saturday, November 4, 2023

Perform Packet Capture in FortiGate Firewall

Here's a link in using the packet capture tool or sniffer in a FortiGate firewall.

To perform packet capture in FortiGate, select a VDOM: internet > Network > Diagnostics > select Interface: Internet (wan) > Packet Capture.

 

You can optionally enable/toggle Filters to narrow down Host, Port and Protocol  number.


I've used the switch SVI to perform ping test from the "inside" LAN.

 

SW01#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

Vlan1                  unassigned      YES NVRAM  up                    up     

Vlan300                172.x.x.5    YES manual up                    up     

FastEthernet0/1        unassigned      YES unset  up                    up     

<OUTPUT TRUNCATED>

SW01#ping 8.8.8.8 source 172.x.x.5

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 172.x.x.5

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

 

Enable/toggle Filters > select Filtering syntax: Basic (default) > type Host: 172.x.x.5 > click Start Capture.

 

You can observe the Packet Capture in FortiGate web GUI or click Save as pcap for offline analysis.

 

The .pcap file will be saved under Downloads folder (in Windows).

To view the current FortiGate IP sessions (5-tuple), go to Dashboard > FortiView Sessions.

To view in CLI, you can use the get system session list command. Use grep to filter the command output.

 

FG-FW01_PRI # config vdom

 

FG-FW01_PRI (vdom) # edit internet

current vf=internet:4

FG-FW01_PRI (internet) # get system session list | grep 172.x.x.5

tcp     3576   172.x.x.5:49269 202.x.x.30:49269 54.151.118.105:443 -      

tcp     3599   172.x.x..5:43013 202.x.x.30:43013 104.82.75.211:80 -        

icmp    29     172.x.x.5:10  202.x.x.30:60426 8.8.8.8:8        -          

tcp     3564   172.x.x.5:29031 202.x.x.30:29031 54.151.118.105:443

 

Here's a link in using the debug flow tool in a FortiGate firewall.

There's no equivalent packet-tracer command in FortiGate which generates a virtual packet to verify routing, ACL and NAT similar to Cisco ASA firewall. To find the matching Firewall Policy rule, use Debug Flow or diagnose debug flow CLI command:

 

Go to VDOM: internet > Network > Diagnostics > Debug flow tab.

 

Type the number of packets (count): 100 (default) > enable/toggle Filters > select Filter type: Basic (default) > select IP type: IPv4 (default) > type IP address: 8.8.8.8 > select Protocol: ICMP.

Click Start debug flow.

Generate packets to capture. Click Stop debug flow when finished.

 

SW01#ping 8.8.8.8 source 172.x.x.5 repeat 100

 

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 172.x.x.5

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/9 ms

 

You can view offline or save as CSV file.

Notice policy-2 is matched and SNAT (Source NAT) is used.


Below are the diagnose debug CLI commands:

 

diagnose debug reset   // CLEAR ALL DIAGNOSE SETTINGS

 

diagnose debug flow filter addr <SOURCE OR DESTINATION IP>   // BY DEFAULT THERE'S NO FILTER, DEFINE OR NARROW DOWN SPECIFIC IP

 

diagnose flow trace start <PACKET COUNT>

 

diagnose debug enable   // TURN ON DEBUG

 

diagnose debug disable   // TURN OFF DEBUG, SIMILAR TO CISCO'S undebug all

 

 

 

FG-FW01_PRI # config vdom   // GO TO A VDOM

 

FW01_PRI (vdom) # edit internet

current vf=internet:4

 

FW01_PRI (internet) # diagnose debug reset

 

FW01_PRI (internet) # diagnose debug flow

filter     Trace packet with filter.

filter6    Trace packet with IPv6 filter.

trace      Start/stop trace.

show       Enable/disable display of trace on console.

 

FW01_PRI (internet) # diagnose debug flow filter

clear      Clear filter.

vd         Index of virtual domain.

vd-name    Name of virtual domain.

proto      Protocol number.

addr       IP address.

saddr      Source IP address.

daddr      Destination IP address.

port       port

sport      Source port.

dport      Destination port.

negate     Inverse filter.

 

FW01_PRI (internet) # diagnose debug flow filter addr

<xxx.xxx.xxx.xxx>    Host IP (ip1/from).

 

FW01_PRI (internet) # diagnose debug flow filter addr 8.8.8.8

 

FW01_PRI (internet) # diagnose debug flow trace

start     Start trace.

stop      Stop trace.

start6    Start IPv6 trace.

stop6     Stop IPv6 trace.

 

FW01_PRI (internet) # diagnose debug flow trace start

<xxx>    Repeat number.

 

FW01_PRI (internet) # diagnose debug flow trace start 100

 

FW01_PRI (internet) # diagnose debug enable

 

FW01_PRI (internet) # id=65308 trace_id=5 func=print_pkt_detail line=5868 msg="vd-internet:0 received a packet(proto=1, 172.x.x.5:13->8.8.8.8:2048) tun_id=0.0.0.0 from LAG1-INSIDE. type=8, code=0, id=13, seq=0."

id=65308 trace_id=5 func=init_ip_session_common line=6049 msg="allocate a new session-0026c30d, tun_id=0.0.0.0"

id=65308 trace_id=5 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-202.x.x.1 via wan"

id=65308 trace_id=5 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=53, len=3"

id=65308 trace_id=5 func=get_new_addr line=1228 msg="find SNAT: IP-202.x.x.30(from IPPOOL), port-60429"

id=65308 trace_id=5 func=fw_forward_handler line=922 msg="Allowed by Policy-2: SNAT"

id=65308 trace_id=5 func=ids_receive line=428 msg="send to ips"

id=65308 trace_id=5 func=__ip_session_run_tuple line=3485 msg="SNAT 172.x.x.5->202.x.x.30:60429"

id=65308 trace_id=6 func=print_pkt_detail line=5868 msg="vd-internet:0 received a packet(proto=1, 8.8.8.8:60429->202.x.x.30:0) tun_id=0.0.0.0 from wan. type=0, code=0, id=60429, seq=0."

id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-0026c30d, reply direction"

id=65308 trace_id=6 func=__ip_session_run_tuple line=3498 msg="DNAT 202.x.x.30:0->172.x.x.5:13"

id=65308 trace_id=6 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-172.x.x.5 via LAG1-INSIDE"

id=65308 trace_id=6 func=npu_handle_session44 line=1199 msg="Trying to offloading session from wan to LAG1-INSIDE, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x04001008"

id=65308 trace_id=6 func=fw_forward_dirty_handler line=414 msg="state=00010204, state2=00000001, npu_state=04001008"

id=65308 trace_id=7 func=print_pkt_detail line=5868 msg="vd-internet:0 received a packet(proto=1, 172.x.x.5:13->8.8.8.8:2048) tun_id=0.0.0.0 from LAG1-INSIDE. type=8, code=0, id=13, seq=1."

id=65308 trace_id=7 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-0026c30d, original direction"

id=65308 trace_id=7 func=npu_handle_session44 line=1199 msg="Trying to offloading session from LAG1-INSIDE to wan, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x04001008"

id=65308 trace_id=7 func=ip_session_install_npu_session line=358 msg="npu session installation succeeded"

id=65308 trace_id=7 func=fw_forward_dirty_handler line=414 msg="state=00010204, state2=00000001, npu_state=04001408"

id=65308 trace_id=7 func=__ip_session_run_tuple line=3485 msg="SNAT 172.x.x.5->202.x.x.30:60429"

id=65308 trace_id=8 func=print_pkt_detail line=5868 msg="vd-internet:0 received a packet(proto=1, 8.8.8.8:60429->202.x.x.30:0) tun_id=0.0.0.0 from wan. type=0, code=0, id=60429, seq=1."

id=65308 trace_id=8 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-0026c30d, reply direction"

id=65308 trace_id=8 func=__ip_session_run_tuple line=3498 msg="DNAT 202.x.x.30:0->172.x.x.5:13"

id=65308 trace_id=8 func=npu_handle_session44 line=1199 msg="Trying to offloading session from wan to LAG1-INSIDE, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x04001408"

id=65308 trace_id=8 func=ip_session_install_npu_session line=358 msg="npu session installation succeeded"

id=65308 trace_id=8 func=fw_forward_dirty_handler line=414 msg="state=00010204, state2=00000001, npu_state=04001c08"

 

FW01_PRI (internet) # diagnose debug disable

 

 

You can use the Policy lookup tool (with magnifying glass icon) under Firewall Policy.

 

Select Incoming Interface: LAG1-INSIDE > select IP Version (IPv4 by default) > select Protocol: TCP (default) > type Source: 172.x.x.5 > type Destination: 8.8.8.8 > type Destination Port: 8 (ICMP request) > click Search.

The matching Firewall Policy will be selected/highlighted in red.