Wednesday, March 20, 2013

Flow Diagnostic (fortigate)

In this next series of posts, I will go over some basic diagnostic methods for NetScreen, FortiGate and Cisco ASA. As firewall admins, we need to know how to aid in troubleshooting. Blindly changing rules, rebooting, and a host of other steps are typically a hail mary and accomplish nothing.


1st up,

Flow diagnostics on the FortiGate series are simple.


Why we do this is mainly to troubleshoot L3/L4 firewall policy rules: to validate which policy is being hit and the policy ID involved, whether any NAT is applied, and whether the traffic is being encrypted (sent into a tunnel).



First, check the debug options to see if anyone left something running, and to clear any previous debug session;


SomeFWFGT01 # diag debug info
debug output:                  disable
console timestamp:             disable
console no user log message:   disable
CLI debug level:               3


If anything is set, you might want to clear it;


diag debug reset



2nd, we want to enable debug output before we start;



SomeFWFGT01 # diag debug enable



SomeFWFGT01 #


Third, we want to set up the flow diagnostic. Similar to my flow diag with NetScreens, we have filter options in FortiOS;



SomeFWFGT01 # diag debug flow
filter     trace packet with filter
filter6    trace packet with ipv6 filter
show       whether to display trace on console
trace      start/stop trace



SomeFWFGT01 # diag debug flow filter
addr      ip address
clear     clear filter
daddr     dest ip address
dport     destination port
negate    inverse filter
port      port
proto     protocol number
saddr     source ip address
sport     source port
vd        index of virtual domain



Note: filter6 is for IPv6 filters.

Here I'm going to be very specific, and place a flow filter for the Google DNS server
8.8.8.8 and port 53. Each filter field narrows the match, so both conditions have to be true for a packet to be traced:

diag debug flow filter daddr 8.8.8.8
diag debug flow filter dport 53


Fourth, now that we have the flow filter set, we need to tell the firewall to display the traces on the console;




SomeFWFGT01 # diag debug flow show console enable

show trace messages on console

And lastly, we start the trace;



SomeFWFGT01 # diag debug flow trace start 1000


NOTE: The above starts the trace and displays the first 1000 matching packets; the trace stops on its own once that count is reached, which is why you should always give it a bounded count rather than leave it open-ended.
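The whole procedure above (check, enable, filter, show, bounded start) plus the teardown most people forget, as an added example that is not part of the original post and not FortiGate code: a small Python helper that builds the FortiOS command list from validated filter values and guarantees the cleanup runs even if the operator's script is interrupted. The `send` callable is an assumption (anything that runs one CLI line over SSH, e.g. netmiko's `send_command`); the commands themselves are the ones shown on this page plus their obvious `stop`/`clear`/`disable` counterparts from the same FortiOS help tree.

```python
import ipaddress
from contextlib import contextmanager

# Filter keys listed under "diag debug flow filter" (and filter6) in the
# help output above, in the order we emit them. addr/port match either direction.
FILTER_KEYS = ("addr", "saddr", "daddr", "port", "sport", "dport", "proto")


def _check(key, value):
    """Validate one filter value so a typo raises here instead of producing
    a filter that quietly matches nothing."""
    if key in ("addr", "saddr", "daddr"):
        return ipaddress.ip_address(value)          # ValueError on junk
    if key in ("port", "sport", "dport"):
        port = int(value)
        if not 0 < port <= 65535:
            raise ValueError(f"{key}={value}: port must be 1-65535")
        return port
    if key == "proto":
        proto = int(value)
        if not 0 <= proto <= 255:
            raise ValueError(f"{key}={value}: protocol must be 0-255")
        return proto
    raise ValueError(f"unknown filter key {key!r}")


def flow_trace_commands(count=1000, **filt):
    """Return (setup, cleanup) command lists for one bounded flow trace.

    An IPv6 address switches the whole filter to "filter6"; mixing address
    families in one filter is rejected. The cleanup list is the part that is
    easy to forget: stop the trace and clear the filter, not just "diag debug reset".
    """
    values = {k: _check(k, v) for k, v in filt.items() if v is not None}
    families = {v.version for k, v in values.items() if k.endswith("addr")}
    if len(families) > 1:
        raise ValueError("cannot mix IPv4 and IPv6 addresses in one filter")
    if count <= 0:
        raise ValueError("count must be positive so the trace stops on its own")
    fam = "filter6" if families == {6} else "filter"

    setup = ["diag debug reset", "diag debug enable", f"diag debug flow {fam} clear"]
    setup += [f"diag debug flow {fam} {k} {values[k]}" for k in FILTER_KEYS if k in values]
    setup += ["diag debug flow show console enable", f"diag debug flow trace start {count}"]

    cleanup = [
        "diag debug flow trace stop",
        f"diag debug flow {fam} clear",
        "diag debug flow show console disable",
        "diag debug disable",
        "diag debug reset",
    ]
    return setup, cleanup


@contextmanager
def flow_trace(send, count=1000, **filt):
    """Run the setup, hand control back while the trace runs, and ALWAYS run
    the cleanup, even if the caller raises or the operator hits Ctrl-C.

    `send` is assumed to be any callable that executes one CLI line on the
    FortiGate (e.g. netmiko's ConnectHandler.send_command). If the SSH session
    itself dies the cleanup cannot run; the bounded count on "trace start" is
    what stops the trace in that case.
    """
    setup, cleanup = flow_trace_commands(count, **filt)
    for cmd in setup:
        send(cmd)
    try:
        yield
    finally:
        for cmd in cleanup:
            send(cmd)


if __name__ == "__main__":
    # Offline demo: record what would be sent instead of talking to a firewall.
    sent = []
    with flow_trace(sent.append, 1000, daddr="8.8.8.8", dport=53):
        pass  # real use: generate the DNS traffic here, then read the console
    print("\n".join(sent))
```

Run it as-is and it prints the exact command sequence from this post followed by the teardown; swap `sent.append` for a real SSH `send` and the same `with` block drives the firewall.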


Now, when interesting traffic matches our filter, we get a trace;

SomeFWFGT01 # id=36871 trace_id=217 msg="vd-root received a packet(proto=17, 10.10.100.9:46883->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=217 msg="allocate a new session-301981cb"
id=36871 trace_id=217 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=217 msg="find SNAT: IP-192.0.2.2, port-30639"
id=36871 trace_id=217 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=217 msg="SNAT 10.10.100.9->192.0.2.2:30639"
id=36871 trace_id=217 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=218 msg="vd-root received a packet(proto=17, 10.10.100.9:52631->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=218 msg="allocate a new session-30198221"
id=36871 trace_id=218 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=218 msg="find SNAT: IP-192.0.2.2, port-40219"
id=36871 trace_id=218 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=218 msg="SNAT 10.10.100.9->192.0.2.2:40219"
id=36871 trace_id=218 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=219 msg="vd-root received a packet(proto=17, 10.10.100.9:51360->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=219 msg="allocate a new session-3019827d"
id=36871 trace_id=219 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=219 msg="find SNAT: IP-192.0.2.2, port-26668"
id=36871 trace_id=219 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=219 msg="SNAT 10.10.100.9->192.0.2.2:26668"
id=36871 trace_id=219 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=220 msg="vd-root received a packet(proto=17, 10.10.100.9:45227->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=220 msg="allocate a new session-3019ab4d"
id=36871 trace_id=220 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=220 msg="find SNAT: IP-192.0.2.2, port-45095"
id=36871 trace_id=220 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=220 msg="SNAT 10.10.100.9->192.0.2.2:45095"
id=36871 trace_id=220 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=221 msg="vd-root received a packet(proto=17, 10.10.100.9:59618->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=221 msg="allocate a new session-3019ab63"
id=36871 trace_id=221 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=221 msg="find SNAT: IP-192.0.2.2, port-47214"
id=36871 trace_id=221 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=221 msg="SNAT 10.10.100.9->192.0.2.2:47214"
id=36871 trace_id=221 msg="run helper-dns-udp(dir=original)"



Each trace is marked with a trace_id, and the key takeaways are the following;
  
    
  • Interface src/dst (directionality)
  • Firewall policy ID
  • Session allocation
  • Whether SNAT/DNAT is applied (NAT)
  • Allowed or Denied (action)
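Pulling those takeaways out by hand gets old once a trace has hundreds of packets in it. The parser below is an added example, not code from the original post: it groups debug flow lines by trace_id and extracts ingress/egress interface, 5-tuple, session ID, NAT and the policy verdict. The sample input is constructed from two of the traces shown above plus one constructed TCP trace that is denied (modelled on the FortiOS "Denied by forward policy check (policy N)" message, where policy 0 is the implicit deny); the `SomeFWFGT01 #` prompt echo on the first line is left in deliberately, since that is what you get when you paste from the console.

```python
import re
from collections import Counter

# Constructed sample input: traces 217 and 218 from the post, plus a constructed
# trace 230 (TCP/53, denied) so the parser shows both outcomes.
SAMPLE_TRACE = """\
SomeFWFGT01 # id=36871 trace_id=217 msg="vd-root received a packet(proto=17, 10.10.100.9:46883->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=217 msg="allocate a new session-301981cb"
id=36871 trace_id=217 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=217 msg="find SNAT: IP-192.0.2.2, port-30639"
id=36871 trace_id=217 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=217 msg="SNAT 10.10.100.9->192.0.2.2:30639"
id=36871 trace_id=217 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=218 msg="vd-root received a packet(proto=17, 10.10.100.9:52631->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=218 msg="allocate a new session-30198221"
id=36871 trace_id=218 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=218 msg="find SNAT: IP-192.0.2.2, port-40219"
id=36871 trace_id=218 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=218 msg="SNAT 10.10.100.9->192.0.2.2:40219"
id=36871 trace_id=218 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=230 msg="vd-root received a packet(proto=6, 10.10.100.9:40000->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=230 msg="allocate a new session-3019ac00"
id=36871 trace_id=230 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=230 msg="Denied by forward policy check (policy 0)"
"""

# Key only on trace_id= and msg="..." so prompt echoes and extra fields that
# newer FortiOS builds add (func=, line=) do not break the parse.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+).*?msg="(?P<msg>.*)"\s*$')
RECV_RE = re.compile(
    r'vd-(?P<vd>\S+) received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>\S+?):(?P<sport>\d+)->(?P<dst>\S+?):(?P<dport>\d+)\) from (?P<iface>\S+)\.')
SESSION_RE = re.compile(r'allocate a new session-(?P<sid>[0-9a-f]+)')
ROUTE_RE = re.compile(r'find a route: gw-(?P<gw>\S+) via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<pid>\d+)\)')


def parse_flow_trace(text):
    """Group debug flow lines by trace_id and pull out the key facts:
    ingress interface, 5-tuple, session id, egress route, NAT, policy, verdict."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # blank lines, prompts, unrelated debug output
        tid, msg = int(m["tid"]), m["msg"]
        t = traces.setdefault(tid, {"trace_id": tid, "nat": [], "action": None, "policy": None})
        if r := RECV_RE.search(msg):
            t.update(vdom=r["vd"], proto=int(r["proto"]), src=r["src"], sport=int(r["sport"]),
                     dst=r["dst"], dport=int(r["dport"]), in_iface=r["iface"])
        elif r := SESSION_RE.search(msg):
            t["session"] = r["sid"]
        elif r := ROUTE_RE.search(msg):
            t.update(gateway=r["gw"], out_iface=r["iface"])
        elif msg.startswith(("SNAT ", "DNAT ")):   # "find SNAT: ..." is only the lookup
            t["nat"].append(msg)
        elif r := ALLOW_RE.search(msg):
            t.update(action="allow", policy=int(r["pid"]))
        elif r := DENY_RE.search(msg):
            t.update(action="deny", policy=int(r["pid"]))  # policy 0 = implicit deny
    return traces


def summarize(traces):
    """One line per trace, in the order the firewall emitted them."""
    return [
        f"trace {t['trace_id']}: {t.get('in_iface', '?')} -> {t.get('out_iface', '?')} "
        f"proto {t.get('proto', '?')} {t.get('src', '?')}:{t.get('sport', '?')} -> "
        f"{t.get('dst', '?')}:{t.get('dport', '?')} session {t.get('session', '-')} "
        f"nat [{', '.join(t['nat']) or 'none'}] {t['action'] or 'no verdict'} policy {t['policy']}"
        for t in traces.values()
    ]


def policy_hits(traces):
    """Count (action, policy) pairs: the quick answer to 'which rule is this hitting?'"""
    return Counter((t["action"], t["policy"]) for t in traces.values() if t["action"])


if __name__ == "__main__":
    parsed = parse_flow_trace(SAMPLE_TRACE)
    print("\n".join(summarize(parsed)))
    print(dict(policy_hits(parsed)))
```

A trace with no verdict at all (a packet that was received but never reached a policy decision within the traced lines) shows up as "no verdict", which is itself a finding: it usually means the trace count ran out or the packet was dropped before policy lookup.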

As with the NetScreen, we need to remind ourselves to reset the diag debug function when we are done, so the firewall is not left spending resources on a trace nobody is reading.

 diag debug reset

The next post will be on the Cisco ASA, and then I will wrap up with a Palo Alto series. With these last three, we also have the means to capture data and run pcaps for export; I will cover that in a separate post.

Ken Felix Freelance Network/Security Engineer
Kfelix at hyperfeed  <d-o-t> com
