Fortinet - Analysing Network Problems with a FortiGate
Fortinet
Networks keep getting more complex and harder to see through, so you need tools to localise and analyse problems.
A FortiGate firewall brings a whole set of such tools. Today I would like to introduce a few of them and explain how to use them.
The simplest tool is of course the classic ping, which you run on a FortiGate from the CLI with execute ping. The ping can also be used in a more targeted way: the command execute ping-options <parameter> sets one option per call, and the settings stay in effect for the CLI session until you reset them. The following parameters are available:
- adaptive-ping {enable | disable}: The FortiGate sends the next packet as soon as the previous reply has arrived instead of waiting a fixed interval.
- data-size <bytes>: Size of the datagram in bytes.
- df-bit {yes | no}: yes sets the DF bit so the ICMP packet must not be fragmented, no allows fragmentation.
- pattern <2-byte_hex>: Fills the optional data buffer at the end of the ICMP packet. The size of the buffer is set with data-size. Together the two let you send packets of different sizes and content to test the effect of packet size on the connection.
- repeat-count <repeats>: How many pings to send.
- source {auto | <source-intf_ip>}: The FortiGate interface address to send the ping from. With auto the FortiGate picks the source address and interface from the route to the destination. Giving the IP address of a FortiGate interface tests reachability of other network segments from exactly that interface.
- timeout <seconds>: How many seconds to wait for each reply before it counts as lost.
- tos <service_type>: Sets the ToS (Type of Service) field in the IP header to request a class of service:
  - lowdelay: minimise delay
  - throughput: maximise throughput
  - reliability: maximise reliability
  - lowcost: minimise cost
- ttl <hops>: The time to live, i.e. the number of hops the ping packet may traverse before it is discarded and an ICMP time-exceeded message is returned.
- validate-reply {yes | no}: yes checks that the reply data matches what was sent.
- view-settings: Shows the current ping option settings.
- reset: Resets all options to their defaults.
Of course you can combine options to get the result you want. Because each execute ping-options call sets a single option, the combination is entered as separate commands:
execute ping-options source 192.168.10.254
execute ping-options repeat-count 50
execute ping 10.10.10.234
This sends 50 ICMP echo requests from source address 192.168.10.254 to destination 10.10.10.234. Run execute ping-options view-settings before you interpret a result: options left over from an earlier test in the same session otherwise apply silently.
If you want to find out which firewall rule applies in a specific case, you can also find this out via the CLI. The following command is used for this:
diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <source_interface>
- <src_ip>: Source address
- <src_port>: Source port
- <dst_ip>: Destination address
- <dst_port>: Destination port
- <protocol>: The protocol to simulate, for example tcp or udp
- <source_interface>: The interface on which the simulated request arrives
Two example queries, DNS to 8.8.8.8 once over UDP and once over TCP, from the same host behind port2:
FortiGate # diag firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 udp port2
FortiGate # diag firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 tcp port2
The first query returns the firewall policy with ID 0. That is the implicit deny policy, which always sits at the bottom of the list and blocks all traffic that did not match one of the policies above it.
The second query returns the firewall policy with ID 2, so the TCP variant is matched by a configured policy. This confirms which policy is applied to a given connection. Note that the lookup is purely a policy-table match for the given addresses, ports, protocol and incoming interface: it creates no session and says nothing about what the policy's NAT settings or security profiles do with the traffic afterwards.
But what do you do if everything looks right and it still does not work cleanly?
Then you have to look at the network traffic itself. The FortiGate offers two ways to do that: the web GUI and the CLI.
Packet capture via WebGUI
Via Network --> Packet Capture in the FortiGate WebGUI you can quickly generate data for analysis with the help of a few options.
- Select the interface on which the FortiGate should collect the data.
- The number of packets to be collected, the maximum is 10,000.
If you enable filters, the following options are available:
- Host(s): Addresses whose traffic is to be captured. Several addresses are separated by commas. Example: 192.168.10.254, 10.10.10.234
- Port(s): Likewise several ports separated by commas. Example: 443, 80
- VLAN(s): If several VLANs run over one interface, restrict the capture to specific VLAN IDs. Example: 10, 20
- Protocol(s): The IP protocol numbers to capture, for example 6 for TCP, 17 for UDP and 1 for ICMP. The full list is in the official IANA documentation: IANA Protocol numbers
- Include IPv6 Packets: Captures IPv6 as well as IPv4 packets, should IPv6 be in use in your network.
- Include Non-IP Packets: Captures frames that are not IP at all, such as ARP. (DHCP itself is carried in UDP/IP and is matched by the IP filters.)
Save the filter. The capture then appears under Network -> Packet Capture and is started from its right-click menu.
When you download the capture, which is possible while it is still running, you get a PCAP file that you can open in an analysis tool such as Wireshark.
Packet sniffing via CLI
You can also quickly and conveniently observe targeted network traffic via the command line.
The command is structured as follows:
diag sniffer packet <interface> '<filter>' <verbose> <count> <timestamp-format>
- <interface>: The interface to listen on. The name is required and is case-sensitive: if a tunnel interface is called WLAN-Gaeste, wlan-gaeste will not work. Use any to listen on all interfaces at once.
- <filter>: Probably the most complex and powerful parameter. Enclose the expression in single quotes. The following elements can be combined with and, or and not:
  - src host <ip> | dst host <ip> | host <ip>: source address, destination address, or either.
  - arp | ip | gre | esp | udp | tcp: which protocol to capture.
  - port <number> (also src port / dst port): which port to capture.
- <verbose>: How much of each packet is printed:
  - 1: header of packets.
  - 2: header and data of IP packets.
  - 3: header and data of Ethernet frames.
  - 4: header of packets with interface name.
  - 5: header and data of IP packets with interface name.
  - 6: header and data of Ethernet frames with interface name.
- <count>: How many packets to capture. 0 captures until you stop it with Ctrl+C.
- <timestamp-format>: By default the timestamp is the time in seconds since the capture started. a prints the absolute date and time in UTC, l the absolute local time.
Example: diag sniffer packet internal 'host 192.168.0.130 and 192.168.0.1 and tcp port 80' 1
This captures only the traffic between the two hosts on TCP port 80 and, with verbose level 1, prints one summary line per packet. If you want to open the capture in Wireshark, use verbose 3 or 6 (Ethernet headers and data), give a packet count or stop with Ctrl+C, and log the terminal session to a file. Two caveats: the sniffer runs on the CPU, so packets of sessions that have been offloaded to an NP ASIC do not appear in it (set auto-asic-offload disable on the policy while troubleshooting and re-enable it afterwards), and on a busy interface a tight filter is essential because every captured packet is sent over your management session.
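To get the logged CLI sniffer output into Wireshark, the hex dump has to be converted into a PCAP file; Fortinet provides the fgt2eth tool for this. The following Python script is an added example, not the page's or Fortinet's code, that does the same conversion for the output layout described above (a timestamp line per packet, optionally with interface name and direction, followed by 0x0000-style hex lines). The embedded sample capture is constructed for this example from two hand-built TCP frames with zeroed checksums; the tab before the ASCII column and the output file name sample.pcap are assumptions.

```python
#!/usr/bin/env python3
"""Convert 'diagnose sniffer packet ... 3 <count> a' text output into a pcap file.

Added example (not Fortinet's fgt2eth). Assumed layout per packet:
  <timestamp> [<intf> in|out] <summary line>
  0x0000<tab> xxxx xxxx ... <tab><ascii column>
  0x0010<tab> ...
"""
import re
import struct
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1    # verbose 3 / 6: full Ethernet frames
LINKTYPE_RAW = 101       # verbose 2 / 5: IP packets without Ethernet header

# Absolute timestamp from the 'a' flag, or relative seconds without it;
# verbose 4-6 additionally insert the interface name and direction.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+|\d+\.\d+)\s+"
    r"(?:(?P<intf>\S+)\s+(?P<dir>in|out)\s+)?(?P<summary>.*)$"
)
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<rest>.*)$")
HEX_GROUP_RE = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")  # 2-byte groups, last may be 1 byte

# Constructed sample (not real device output): a SYN and its SYN-ACK,
# hand-built Ethernet/IPv4/TCP frames, checksums left at zero.
SAMPLE = "\n".join([
    "interfaces=[port2]",
    "filters=[host 10.10.10.234 and tcp port 80]",
    "2024-03-01 10:15:23.123456 192.168.10.10.51258 -> 10.10.10.234.80: syn 1",
    "0x0000\t 0009 0f09 0001 0050 56a1 2b3c 0800 4500\t.......PV.+<..E.",
    "0x0010\t 0028 1c46 4000 4006 0000 c0a8 0a0a 0a0a\t.(.F@.@.........",
    "0x0020\t 0aea c83a 0050 0000 0001 0000 0000 5002\t...:.P......P.",
    "0x0030\t 7210 0000 0000\tr.....",
    "2024-03-01 10:15:23.124789 10.10.10.234.80 -> 192.168.10.10.51258: syn 0 ack 2",
    "0x0000\t 0050 56a1 2b3c 0009 0f09 0001 0800 4500\t.PV.+<........E.",
    "0x0010\t 0028 0000 4000 3f06 0000 0a0a 0aea c0a8\t.(..@.?.........",
    "0x0020\t 0a0a 0050 c83a 0000 0000 0000 0002 5012\t...P.:......P.",
    "0x0030\t 7210 0000 0000\tr.....",
    "2 packets received by filter",
    "0 packets dropped by kernel",
])


def parse_timestamp(text):
    """Return (seconds, microseconds); absolute stamps from the 'a' flag are UTC."""
    if "-" in text:
        dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()), dt.microsecond
    whole, _, frac = text.partition(".")
    return int(whole), int((frac + "000000")[:6])


def parse_sniffer(text):
    """Return a list of (sec, usec, intf, direction, summary, frame) tuples."""
    packets = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line.rstrip("\r"))
        if m:
            sec, usec = parse_timestamp(m.group("ts"))
            current = [sec, usec, m.group("intf"), m.group("dir"), m.group("summary"), bytearray()]
            packets.append(current)
            continue
        h = HEX_RE.match(line)
        if h and current is not None:
            # Drop the ASCII column (after the tab); on tab-less dumps stop at the
            # first token that is not a hex group, which is where the ASCII begins.
            for tok in h.group("rest").split("\t")[0].split():
                if not HEX_GROUP_RE.fullmatch(tok):
                    break
                current[5] += bytes.fromhex(tok)
    return [tuple(p[:5]) + (bytes(p[5]),) for p in packets]


def guess_link_type(packets):
    """Ethernet if every frame carries a known EtherType at offset 12, else raw IP."""
    ethertypes = {0x0800, 0x0806, 0x86DD, 0x8100}
    for *_, frame in packets:
        if len(frame) < 14 or int.from_bytes(frame[12:14], "big") not in ethertypes:
            return LINKTYPE_RAW
    return LINKTYPE_ETHERNET


def pcap_bytes(packets, link_type=None):
    """Serialise packets as a classic little-endian pcap (magic 0xa1b2c3d4)."""
    if link_type is None:
        link_type = guess_link_type(packets)
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type))
    for sec, usec, _intf, _dir, _summary, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def convert(text, path):
    """Parse sniffer text and write it to 'path'; returns the packet count."""
    packets = parse_sniffer(text)
    with open(path, "wb") as f:
        f.write(pcap_bytes(packets))
    return len(packets)


if __name__ == "__main__":
    n = convert(SAMPLE, "sample.pcap")   # output file name is an assumption
    print(f"wrote {n} packets to sample.pcap")
```

Run it on a saved session instead of the sample with convert(open("sniffer.txt").read(), "out.pcap"). Verbose 2 and 5 output carries no Ethernet header, so guess_link_type falls back to the raw-IP link type, which Wireshark dissects starting at the IP header; the per-packet interface name and direction from verbose 4-6 are parsed but not stored, since classic pcap has no field for them.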
I hope I was able to give you a good first impression of the FortiGate's analysis methods.