Lab 15

The document describes troubleshooting a network connectivity issue between a local client and a Linux server. The steps include using diagnostic commands on FortiGate to check traffic, CPU usage, and interfaces. A sniffer shows ICMP packets arriving but not being routed. The debug flow tool reveals the implicit default policy is dropping traffic. Editing the firewall policy to allow all services fixes the issue.

Uploaded by manuteoihu

Exercise 1: Determining What Is Happening Now
In this exercise, you will use CLI commands to get information about FortiGate, such as
traffic volume, CPU usage, memory usage, and the ARP table.

Run Diagnostic Commands


You will run some diagnostic commands and make a note of some of the information
displayed.

To run diagnostic commands


1. On the Local-FortiGate CLI, log in with the username admin and
password password.

2. Find the following information and write down your answers in the space provided—
refer to the list of commands that follows to get the answers:

Field                                                  Value

Firmware branch point
Current HA mode
Host name
CPU utilization
Memory utilization
Average network usage
Average session setup rate
Negotiated speed and duplex mode for interface port1
MTU for port1
MAC address for the IP address 10.200.1.254
Name of the process consuming the most CPU (if any)
Name of the process consuming the most memory
Enter the following CLI commands to find the information requested above:

get system status

get system performance status

get hardware nic port1

get system arp

diagnose sys top 1

(Press Shift+P to order the processes by CPU usage, Shift+M to order them by memory usage, or Q to stop.)

3. Close the Local-FortiGate CLI session.

Exercise 2: Troubleshooting a Connectivity Problem
In this exercise, you will use the sniffer and debug flow tool to troubleshoot a network
connectivity problem.

Identify the Problem

As you will see in this procedure, there is a network connectivity problem between the
Local-Client VM and the Linux server.

To identify the problem


1. On the Local-Client VM, open a terminal window.

2. Enter the following command to start a continuous ping to the Linux server (IP
address 10.200.1.254):

ping 10.200.1.254

The ping is failing. You will use the sniffer and debug flow tool on Local-FortiGate to find
out why.

3. Do not close the terminal window—keep the ping running.

Use the Sniffer

Take the Expert Challenge!

Now that you understand what the problem is, try to fix it without looking at the FortiGate
configuration. Use the built-in sniffer and debug flow tool to troubleshoot the problem.

If you require assistance, or to verify your work, use the step-by-step instructions that
follow.

After you complete the challenge, see Test the Fix on page 1.

You will start troubleshooting by sniffing the ICMP traffic going to the Linux server.

To use the sniffer


1. On the Local-FortiGate CLI, log in with the username admin and
password password.

2. Enter the following command to sniff the ICMP traffic to 10.200.1.254:

diagnose sniffer packet any "icmp and host 10.200.1.254" 4

3. Observe the output.

interfaces=[any]

filters=[icmp and host 10.200.1.254]

5.439019 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request

10.442347 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request

15.444343 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request

20.545397 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request

Every packet is shown arriving in on port3, and none is shown leaving out on port1: the packets are reaching FortiGate, but FortiGate is not forwarding them.

4. Press Ctrl+C to stop the sniffer.
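The reading of the sniffer output above can be made mechanical. The following Python script is an added example, not part of the lab or of FortiOS: it parses verbosity-4 `diagnose sniffer packet` lines, groups packets by their description, and reports whether each kind of packet was only seen entering (dropped) or also seen leaving (forwarded). Both captures are constructed: the first copies the four echo-request lines shown above, the second is an assumed capture of what the same filter would show after the fix, with source NAT rewriting the source address on port1.

```python
import re
from collections import defaultdict

# Constructed sample 1: the four lines the lab's sniffer run shows (echo requests only).
BEFORE_FIX = """\
interfaces=[any]
filters=[icmp and host 10.200.1.254]
5.439019 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
10.442347 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
15.444343 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
20.545397 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
"""

# Constructed sample 2 (assumed, not from the lab): what the same filter would show
# once a policy allows the traffic. Note the source NAT on port1: the request leaves
# as 10.200.1.1 and the reply is translated back before it goes out on port3.
AFTER_FIX = """\
interfaces=[any]
filters=[icmp and host 10.200.1.254]
1.001234 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
1.001301 port1 out 10.200.1.1 -> 10.200.1.254: icmp: echo request
1.002090 port1 in 10.200.1.254 -> 10.200.1.1: icmp: echo reply
1.002144 port3 out 10.200.1.254 -> 10.0.1.10: icmp: echo reply
"""

# One verbosity-4 packet line: "<seconds> <interface> <in|out> <src> -> <dst>: <description>".
PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):\s*(?P<desc>.*)$"
)


def parse_sniffer(text):
    """Return one dict per packet line; the interfaces=/filters= header is skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def summarize(packets):
    """Group packets by description (e.g. 'icmp: echo request'), not by address pair:
    source NAT rewrites the source on the way out, so grouping by addresses would
    split one forwarded packet into two unrelated flows."""
    groups = defaultdict(lambda: {"in": set(), "out": set(), "count": 0})
    for p in packets:
        g = groups[p["desc"]]
        g[p["dir"]].add(p["iface"])
        g["count"] += 1
    return dict(groups)


def diagnose(groups):
    """Map each packet description to a verdict, following the lab's reasoning:
    seen only entering -> FortiGate is dropping it (go to the debug flow tool);
    seen entering and leaving -> forwarded; seen only leaving -> locally generated."""
    verdicts = {}
    for desc, g in groups.items():
        if g["in"] and not g["out"]:
            verdicts[desc] = "dropped"
        elif g["in"] and g["out"]:
            verdicts[desc] = "forwarded"
        else:
            verdicts[desc] = "locally-generated"
    return verdicts


def report(text):
    """Print a one-line summary per packet type and return the verdict map."""
    groups = summarize(parse_sniffer(text))
    verdicts = diagnose(groups)
    for desc, g in groups.items():
        print("%-22s in=%-8s out=%-8s count=%d -> %s" % (
            desc, ",".join(sorted(g["in"])) or "-", ",".join(sorted(g["out"])) or "-",
            g["count"], verdicts[desc]))
    return verdicts


if __name__ == "__main__":
    print("before the fix:")
    report(BEFORE_FIX)
    print("after the fix:")
    report(AFTER_FIX)
```

Run it with the first sample and every echo request is "dropped": arrived on port3, never left. A "dropped" verdict is exactly the point at which the lab moves on to the debug flow tool, which is the only one of the two that says why.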

Use the GUI Debug Flow Tool


You will run the GUI debug flow tool to get information about why FortiGate is dropping the
packets.

To use the GUI debug flow tool


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and
password password.

2. Click Network > Diagnostics, and then click the Debug Flow tab.

3. In the Number of packets field, change the value to 3 packets.

4. Enable Filters, and then configure the following settings:

Field Value

IP address 10.200.1.254

Protocol ICMP

5. Click Start debug flow.

The output should be similar to the following example:

FortiGate receives the ICMP packet from 10.0.1.10 to 10.200.1.254 from port3.

vd-root:0 received a packet(proto=1, 10.0.1.10:6->10.200.1.254:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=6, seq=34033.

It creates a new session.

allocate a new session-0000fc20, tun_id=0.0.0.0

It finds a route for the destination 10.200.1.254 through port1.

find a route: flag=00000000 gw-0.0.0.0 via port1


It drops the packet. The debug flow shows the error message.

Denied by forward policy check (policy 0)

The Denied by forward policy check message indicates that a firewall policy denied the
traffic. It could be either a denied policy that the administrator explicitly configured, or the
implicit denied policy for traffic that does not match a configured policy.

The policy 0 indicates that the default implicit policy denied the traffic. If an explicitly
configured policy blocked the traffic, its policy ID number would be indicated in this output,
instead of 0.

Fix the Problem


Now that you have found the cause of the problem, you will fix it.

To fix the problem


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Look at the firewall policies.

The Full_Access firewall policy does not allow ICMP traffic (only HTTP)—this is why
FortiGate is dropping the ping packets.

3. Edit the Full_Access firewall policy.

4. Change the service from HTTP to ALL.

5. Click OK.

Test the Fix


You will test to confirm that the configuration change fixed the problem.

To test the fix


1. On the Local-Client VM, check the terminal window to see if the continuous ping is
working now.

2. Press Ctrl+C to stop the ping, but leave the terminal open.

3. On the Local-FortiGate CLI session where you are running debug commands, clear
all the ICMP sessions from the session table, using the following commands:

diagnose sys session filter clear


diagnose sys session filter proto 1

diagnose sys session clear

4. Continuing on the Local-FortiGate GUI, click Network > Diagnostics, and then
click the Debug Flow tab.

5. In the Number of packets field, change the value to 3 packets.

6. Enable Filters, and then configure the following settings:

Field Value

IP address 10.200.1.254

Protocol ICMP

7. Click Start debug flow.

There should not be any output yet, because the ping is not running.

8. Return to the terminal window, and then start the ping again.

ping 10.200.1.254

9. Check the debug flow output.


It is a bit different now. The error message is not displayed and you can see a few new
logs.

The firewall policy with the ID 1 is allowing traffic.

Allowed by Policy-1: SNAT

FortiGate applies source NAT (SNAT).

SNAT 10.0.1.10->10.200.1.1:60424

Additionally, you can see the debug flow logs from the return (ping reply) packets.

vd-root:0 received a packet(proto=1, 10.200.1.254:60424->10.200.1.1:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=60424, seq=1.

Find an existing session, id-00010feb, reply direction

DNAT 10.200.1.1:0->10.0.1.10:7

find a route: flag=00000000 gw-0.0.0.0 via port3


The procedure in this exercise describes what you should usually do when troubleshooting
connectivity problems on FortiGate. Sniff the traffic first to check that the packets are
arriving on FortiGate and that FortiGate is routing them correctly. If the sniffer shows that
FortiGate is dropping the traffic, use the debug flow tool to find out why.
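As an added example that is not part of the lab or of FortiOS, the following Python script turns the debug flow output from both runs above (the Denied by forward policy check (policy 0) output before the fix, and the Allowed by Policy-1: SNAT output with its reply-direction packet after the fix) into one record per packet: ingress and egress interface, session, policy decision and NAT events. It distinguishes the implicit policy 0 deny from an explicit deny policy and from an allow. Both samples are assembled from the lab's own lines; the request packet's id and seq and the session id in the after-fix sample are assumed so that they match the reply the lab shows.

```python
import re

# Constructed sample 1: the debug flow lines the lab shows before the fix.
BEFORE_FIX = """\
vd-root:0 received a packet(proto=1, 10.0.1.10:6->10.200.1.254:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=6, seq=34033.
allocate a new session-0000fc20, tun_id=0.0.0.0
find a route: flag=00000000 gw-0.0.0.0 via port1
Denied by forward policy check (policy 0)
"""

# Constructed sample 2: assembled from the lab's after-fix lines; the request packet's
# id/seq and the session id are assumed so that they match the reply the lab shows.
AFTER_FIX = """\
vd-root:0 received a packet(proto=1, 10.0.1.10:7->10.200.1.254:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=7, seq=1.
allocate a new session-00010feb, tun_id=0.0.0.0
find a route: flag=00000000 gw-0.0.0.0 via port1
Allowed by Policy-1: SNAT
SNAT 10.0.1.10->10.200.1.1:60424
vd-root:0 received a packet(proto=1, 10.200.1.254:60424->10.200.1.1:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=60424, seq=1.
Find an existing session, id-00010feb, reply direction
DNAT 10.200.1.1:0->10.0.1.10:7
find a route: flag=00000000 gw-0.0.0.0 via port3
"""

# Each pattern names the debug flow message it recognises (formats as shown in the lab).
PATTERNS = {
    "received": re.compile(r"received a packet\(proto=(?P<proto>\d+), (?P<src>\S+?)->(?P<dst>[^)]+)\).*?\bfrom (?P<iface>\w+)\."),
    "new_session": re.compile(r"allocate a new session-(?P<sid>\w+)"),
    "existing_session": re.compile(r"Find an existing session, id-(?P<sid>\w+), (?P<direction>\w+) direction"),
    "route": re.compile(r"find a route: .*\bvia (?P<iface>\w+)"),
    "denied": re.compile(r"Denied by forward policy check \(policy (?P<pid>\d+)\)"),
    "allowed": re.compile(r"Allowed by Policy-(?P<pid>\d+)"),
    "nat": re.compile(r"^(?P<kind>SNAT|DNAT) (?P<before>\S+)->(?P<after>\S+)"),
}


def analyze_debug_flow(text):
    """Split the output at each 'received a packet' line and build one record per packet."""
    packets = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PATTERNS["received"].search(line)
        if m:
            current = {"proto": int(m["proto"]), "src": m["src"], "dst": m["dst"],
                       "ingress": m["iface"], "egress": None, "session": None,
                       "direction": "original", "decision": None, "policy_id": None,
                       "nat": []}
            packets.append(current)
            continue
        if current is None:
            continue  # text before the first packet line
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if name == "new_session":
                current["session"] = m["sid"]
            elif name == "existing_session":
                current["session"], current["direction"] = m["sid"], m["direction"]
            elif name == "route":
                current["egress"] = m["iface"]
            elif name == "denied":
                current["decision"], current["policy_id"] = "denied", int(m["pid"])
            elif name == "allowed":
                current["decision"], current["policy_id"] = "allowed", int(m["pid"])
            elif name == "nat":
                current["nat"].append((m["kind"], m["before"], m["after"]))
            break
    return packets


def verdict_kind(p):
    """Classify the record: policy 0 is FortiGate's implicit deny (no configured policy
    matched); any other denying policy id is one an administrator configured."""
    if p["decision"] == "denied":
        return "implicit-deny" if p["policy_id"] == 0 else "explicit-deny"
    if p["decision"] == "allowed":
        return "allow"
    if p["direction"] == "reply":
        return "reply"  # matched an existing session, so no policy lookup is logged
    return "unknown"


def explain(p):
    """One-line human explanation of the record, in the terms the lab uses."""
    path = "%s -> %s from %s via %s" % (p["src"], p["dst"], p["ingress"], p["egress"] or "?")
    kind = verdict_kind(p)
    if kind == "implicit-deny":
        return "DROPPED %s: no configured policy matches (implicit deny); check that a policy covers this source, destination and service" % path
    if kind == "explicit-deny":
        return "DROPPED %s: deny policy %d matched" % (path, p["policy_id"])
    if kind == "allow":
        nat = ", ".join("%s %s->%s" % n for n in p["nat"]) or "no NAT"
        return "ALLOWED %s by policy %d (%s)" % (path, p["policy_id"], nat)
    if kind == "reply":
        return "REPLY %s matched session %s" % (path, p["session"])
    return "NO DECISION LOGGED for %s" % path


if __name__ == "__main__":
    for label, sample in (("before the fix", BEFORE_FIX), ("after the fix", AFTER_FIX)):
        print(label + ":")
        for p in analyze_debug_flow(sample):
            print("  " + explain(p))
```

The useful part is the policy id: a deny with any id other than 0 points at a specific configured policy to review, while policy 0 means the lookup fell through to the implicit deny, which in this lab was because the Full_Access policy only listed HTTP.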
