Troubleshooting FortiGate Firewalls

“Troubleshooting FortiGate firewalls” covers the FortiGate CLI command families, a routing overview, the firewall session table and TCP states, and finally packet capture and how it differs from the live debug flow. Together these should help you resolve most day-to-day issues in a Fortinet security environment.

Troubleshooting FortiGate Firewalls – How to become a firewall Guru!

Fortinet CLI options

show | get | diagnose | execute

Show – Used to view configurations on the firewall

Get  – Used to check runtime values once the device is configured and operational

Diagnose – To gather diagnostic information, e.g. for debugging hardware, system and IP networking issues. The packet sniffer (diagnose sniffer packet) and the debug flow (diagnose debug flow) live here as well.

Execute – To run system management utilities such as backups and upgrades, and network diagnostic utilities such as nslookup, ping and traceroute. Note that there is no execute tcpdump; packet capture is done with the diagnose sniffer.

VDOMs

•VDOMs are virtual domains that divide a FortiGate firewall into two or more independent virtual devices. They can have separate firewall policies, routing, NAT and VPN settings for each network.

When VDOMs are enabled, most commands must be run inside the VDOM they apply to. To enter a VDOM, use the following commands (global settings such as admin accounts and HA are reached with config global instead):

config vdom
edit <vdom name>

Below are some useful troubleshooting commands on FortiGate firewalls

execute ping <IP address>
execute traceroute <IP address>
execute telnet <IP address> <port no.>

get system status – to view version, S/N, VDOMs, HA cluster, system time etc.
show full-configuration – to view the full running configuration, including default values that plain show hides
get router info routing-table <all | connected | static | ospf | bgp | database> – to view the routing table (database shows all candidate routes, including inactive ones)
get system ha status – to view HA cluster status and details

Note that execute ping and execute traceroute send from the egress interface address by default. To source them from a specific address, set execute ping-options source <IP address> (or execute traceroute-options source <IP address>) first, then run the ping or traceroute.

FortiGate Routing

It is a Stateful firewall – For any session, FortiGate performs a route lookup twice.

•For the first packet sent by the originator
•For the first reply packet coming from the responder

Routing information is written to the session table. Like most firewalls, FortiGate supports static routing, dynamic routing and policy-based routing (PBR); policy routes are consulted before the routing table. It also supports IPv6 and ECMP (equal-cost multi-path) routing, and can steer well-known Internet services (Google DNS, Apple DNS, etc.) out of specific WAN interfaces. Reverse Path Forwarding (RPF) checks, which drop packets whose source address is not reachable back through the interface they arrived on, help protect against IP spoofing.

The session table is the first place to verify open connections. For example, with a web browser open to Google or Facebook, you would expect a session entry from your computer's IP address to the website's IP address on destination port 80 or 443.

The session table stores the following information about each session:

Source and destination addresses, port numbers, protocol state and timeout
Source and destination interfaces
Source and destination NAT actions
The policy ID that allowed the session

Aggregate figures such as maximum concurrent sessions and new sessions per second are not per-session data; they come from diagnose sys session stat.

To display the session table: diagnose sys session list. On a busy firewall, narrow the output first with diagnose sys session filter (e.g. diagnose sys session filter dst <IP address>; src, sport, dport, proto and policy are also available), then run the list; diagnose sys session filter clear resets the filter.

TCP States

It is important to understand TCP states to troubleshoot FortiGate firewalls in depth. Every session entry carries a protocol and a protocol-dependent state:

proto – IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)
proto_state – state of the session, interpreted according to the protocol

proto_state is always a two-digit number because the FortiGate, as a stateful firewall, keeps track of both directions of the session. ICMP has no state and always shows 00. For TCP, the second digit is the TCP state: 0 NONE, 1 ESTABLISHED, 2 SYN_SENT, 3 SYN & SYN/ACK, 4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK, 9 LISTEN; a healthy established TCP session shows 01. For UDP, 00 means only the originator's packets have been seen and 01 means a reply has been seen, which is the quickest way to tell a one-way UDP flow (for example, DNS queries that never get answered) from a working one.

ICMP – proto = 1 | proto_state = 00
TCP  – proto = 6 | proto_state = 01 (established), 02 (SYN sent, no SYN/ACK yet), 05 (TIME_WAIT) etc.
UDP  – proto = 17 | proto_state = 00 (no reply seen) or 01 (reply seen)
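As an added example (not from the article, and not a Fortinet tool), the following Python decodes a saved diagnose sys session list capture into the fields discussed above: protocol, proto_state in words, policy ID, byte counters and the NAT rewrite taken from the hook lines, and flags one-way UDP sessions. The sample listing is constructed to mirror the real layout, trimmed to the lines the parser reads, and uses documentation/RFC 1918 addresses.

```python
"""Decode `diagnose sys session list` output (added example, not from the article).

SAMPLE_SESSION_LIST is constructed to mirror the layout of real FortiOS output,
trimmed to the lines this parser reads.
"""
import re

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# proto_state for TCP: the second digit carries the TCP state.
TCP_STATES = {
    0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_SYN_ACK", 4: "FIN_WAIT",
    5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT", 8: "LAST_ACK", 9: "LISTEN",
}
# proto_state for UDP: 00 = only the originator's packets seen, 01 = a reply seen.
UDP_STATES = {0: "reply not seen", 1: "reply seen"}

SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=44 expire=3555 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=1342/10/1 reply=5410/8/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=203.0.113.1/192.168.1.10
hook=post dir=org act=snat 192.168.1.10:52344->93.184.216.34:443(203.0.113.5:52344)
hook=pre dir=reply act=dnat 93.184.216.34:443->203.0.113.5:52344(192.168.1.10:52344)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=2 expire=178 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=71/1/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=203.0.113.1/192.168.1.10
hook=post dir=org act=snat 192.168.1.10:50642->8.8.8.8:53(203.0.113.5:50642)
hook=pre dir=reply act=dnat 8.8.8.8:53->203.0.113.5:50642(192.168.1.10:50642)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=1 proto_state=00 duration=1 expire=59 timeout=60 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=84/1/1 reply=84/1/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->4/4->5 gwy=10.0.2.1/192.168.1.20
hook=pre dir=org act=noop 192.168.1.20:1->10.0.2.1:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.2.1:1->192.168.1.20:0(0.0.0.0:0)
misc=0 policy_id=2 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

KV_RE = re.compile(r"([\w-]+)=(\S*)")
# hook=<pre|post> dir=<org|reply> act=<snat|dnat|noop> src:port->dst:port(nat_ip:port)
HOOK_RE = re.compile(
    r"hook=(\w+) dir=(\w+) act=(\w+) (\S+?):(\d+)->(\S+?):(\d+)\((\S+?):(\d+)\)"
)


def describe_state(proto: int, proto_state: str) -> str:
    """Turn the raw two-digit proto_state into words, per protocol."""
    digit = int(proto_state[-1])
    if proto == 6:
        return TCP_STATES.get(digit, "unknown")
    if proto == 17:
        return UDP_STATES.get(digit, "unknown")
    if proto == 1:
        return "stateless"  # ICMP is always 00
    return "n/a"


def parse_sessions(text: str) -> list[dict]:
    """Split the listing into per-session records and pull out the useful fields."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("session info:"):
            current = {"fields": {}, "hooks": []}
            records.append(current)
        if current is None or not line or line.startswith("total session"):
            continue
        m = HOOK_RE.match(line)
        if m:
            current["hooks"].append(m.groups())
        else:
            current["fields"].update(KV_RE.findall(line))

    sessions = []
    for rec in records:
        f = rec["fields"]
        proto = int(f["proto"])
        s = {
            "proto": proto,
            "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "proto_state": f["proto_state"],
            "state": describe_state(proto, f["proto_state"]),
            "policy_id": int(f.get("policy_id", -1)),
            "expire": int(f["expire"]),
            "bytes_org": int(f["org"].split("/")[0]),    # from the statistic line
            "bytes_reply": int(f["reply"].split("/")[0]),
        }
        # The dir=org hook line gives the original 5-tuple and the NAT applied to it.
        org = next((h for h in rec["hooks"] if h[1] == "org"), None)
        if org:
            _, _, act, sip, sport, dip, dport, nip, nport = org
            s.update(src=f"{sip}:{sport}", dst=f"{dip}:{dport}", nat=act,
                     snat=f"{nip}:{nport}" if act == "snat" else None)
        sessions.append(s)
    return sessions


def find_one_way_udp(sessions: list[dict]) -> list[dict]:
    """UDP sessions where no reply has ever been seen: the usual 'DNS is broken' signature."""
    return [s for s in sessions if s["proto"] == 17 and s["proto_state"] == "00"]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_SESSION_LIST):
        print(f'{s["proto_name"]:4} {s["proto_state"]} {s["state"]:15} policy={s["policy_id"]} '
              f'{s.get("src")} -> {s.get("dst")} nat={s.get("nat")} snat={s.get("snat")}')
```

Run it against the output of diagnose sys session list pasted into a file; the one-way UDP check is the thing to look at first when a client says "DNS is slow", since a pile of proto_state=00 entries to the resolver with bytes_reply=0 means the replies are not making it back to the firewall.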

Packet Capture

Packet capture, also known as sniffing, records some or all of the packets seen by a network interface and helps diagnose issues that cannot be seen otherwise. The built-in sniffer works like tcpdump:

diagnose sniffer packet <interface | any> '<filter>' <verbosity 1-6> <count> <a | l>

The filter uses tcpdump-style syntax (e.g. 'host 8.8.8.8 and port 53'). Verbosity 1 prints packet headers only, 2 adds the IP payload as a hex dump, 3 adds the whole Ethernet frame, and 4 to 6 repeat 1 to 3 with the interface name and direction added; the optional trailing a or l switches from relative to absolute (UTC or local) timestamps. The sniffer shows what arrived and what left on each interface, but nothing about why: unlike the debug flow, it does not show firewall policy decisions. When you need the policy, route and NAT decision for each packet, use the debug flow instead:

diagnose debug flow filter addr <IP address>
diagnose debug flow trace start <count>
diagnose debug enable
(generate the traffic in question)
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

Captures can be taken via CLI or GUI. A verbosity 3 or 6 CLI capture can be converted to pcap (Fortinet provides the fg2eth.pl script for this) and opened in a network analyzer such as Wireshark.
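As an added example, not code from the article or from Fortinet, the Python below does what Fortinet's fg2eth.pl script does: it parses the hex dump produced by diagnose sniffer packet at verbosity 3 or 6 and writes a classic pcap that Wireshark opens. The sniffer output embedded in it is constructed (one DNS query frame, with the Ethernet, IP and UDP fields filled in by hand, laid out as verbosity 6 with absolute timestamps would print it); absolute timestamps are assumed to be UTC.

```python
"""Convert `diagnose sniffer packet ... 3|6` hex output to a .pcap file.

Added example modelled on what Fortinet's fg2eth.pl does; not code from the
article or from Fortinet. SAMPLE_DUMP is constructed: one DNS query frame,
hand-built, as verbosity 6 with absolute ('a') timestamps would print it.
"""
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

SAMPLE_DUMP = """\
interfaces=[port1]
filters=[udp and port 53]
2024-03-05 10:15:42.118723 port1 out 192.168.1.10.50642 -> 8.8.8.8.53: udp 29
0x0000\t 0009 0f09 0001 0050 56ab cdef 0800 4500\t.......PV.....E.
0x0010\t 0039 1c46 4000 4011 4cac c0a8 010a 0808\t.9.F@.@.L.......
0x0020\t 0808 c5d2 0035 0025 0000 abcd 0100 0001\t.....5.%........
0x0030\t 0000 0000 0000 0765 7861 6d70 6c65 0363\t.......example.c
0x0040\t 6f6d 0000 0100 01\tom.....

1 packets received by filter
0 packets dropped by kernel
"""

HEX_LINE = re.compile(r"^0x([0-9a-f]{4})\s+(.*)$")
# "2024-03-05 10:15:42.118723 <rest>"  (absolute timestamps, 'a'/'l' option)
ABS_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.(\d{1,6})\s+(.*)$")
# "1.838245 <rest>"                     (default relative timestamps)
REL_TS = re.compile(r"^(\d+)\.(\d{1,6})\s+(.*)$")
HEX_TOKEN = re.compile(r"^[0-9a-f]{2}(?:[0-9a-f]{2})?$")   # 2-byte word, or 1 byte at the end


@dataclass
class Packet:
    ts_sec: int
    ts_usec: int
    summary: str   # rest of the header line: interface, direction, 5-tuple
    data: bytes


def _parse_header(line: str):
    m = ABS_TS.match(line)
    if m:
        dt = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()), int(m.group(2).ljust(6, "0")), m.group(3)
    m = REL_TS.match(line)
    if m:
        return int(m.group(1)), int(m.group(2).ljust(6, "0")), m.group(3)
    return None


def parse_sniffer(text: str) -> list[Packet]:
    """Group header lines with the hex lines that follow them; ignore banner/trailer."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m and current is not None:
            offset = int(m.group(1), 16)
            if offset != len(current.data):
                raise ValueError(f"hex dump discontinuity at offset {offset:#06x}")
            words = []
            for tok in m.group(2).split():
                # At most 8 words (16 bytes) per line; the first non-hex token is the
                # ASCII column. (A short final line whose ASCII happens to look like
                # hex, e.g. "dead", would be misread; real dumps rarely do this.)
                if len(words) == 8 or not HEX_TOKEN.match(tok):
                    break
                words.append(tok)
            current.data += bytes.fromhex("".join(words))
            continue
        hdr = _parse_header(line)
        if hdr:
            current = Packet(hdr[0], hdr[1], hdr[2], b"")
            packets.append(current)
        else:
            current = None   # interfaces=/filters= banner, blank lines, counters
    return packets


# Classic pcap: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET (1)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def to_pcap(packets: list[Packet]) -> bytes:
    out = bytearray(PCAP_GLOBAL)
    for p in packets:
        out += struct.pack("<IIII", p.ts_sec, p.ts_usec, len(p.data), len(p.data))
        out += p.data
    return bytes(out)


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE_DUMP)
    with open("sniffer.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
    print(f"wrote {len(pkts)} packet(s) to sniffer.pcap")
```

Copy the terminal output of a verbosity 3 or 6 capture into a file, point the script at it, and open the resulting pcap in Wireshark. Verbosity 6 is preferred over 3 because the interface name and in/out direction in the header line tell you on which side of the firewall each packet was seen, which is exactly what you need when deciding whether a packet was dropped by policy or never arrived.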


Haider Khalid

IP Network Engineer, CCIE# 52939
Haider Khalid is a Cisco Certified Network Engineer (CCIE# 52939) who has worked with several ISPs & Telecom vendors in Pakistan, Middle East and the UK. He is always keen to learn new technologies and likes to share them with his peers and other people. In case of any questions or feedback, please feel free to drop a comment below or connect with him on LinkedIn.
