When troubleshooting on a FortiGate firewall, two commands, diagnose sniffer and diagnose debug, are enough to work through most problems.
The usual order is: first use the sniffer to confirm whether the packets actually reach the firewall at all, then use debug flow to see how the firewall processes them once they have arrived.
Sniffer command format:

Fortigate # diagnose sniffer packet <interface> '<filter>' <verbosity> <count>

<interface> is a port or zone name, or any for all interfaces; the filter is written in tcpdump-style syntax inside quotes; <count> stops the capture after that many packets (0 or omitted means run until Ctrl-C).

Example: capture all DNS traffic between 10.2.22.21 and 202.103.24.68:

FG200D3915807028 # diagnose sniffer packet any 'port 53 and host 10.2.22.21 and 202.103.24.68'

Example output:

interfaces=[any] filters=[port 53 and host 10.2.22.21 and 202.103.24.68]
23.015563 10.2.22.21.53751 -> 202.103.24.68.53: udp 48
23.043507 202.103.24.68.53 -> 10.2.22.21.53751: udp 64
23.044743 10.2.22.21.53752 -> 202.103.24.68.53: udp 48

The sniffer supports several verbosity levels. Typing a question mark after the filter lists them:

FG200D3915807028 # diagnose sniffer packet any 'port 53 and host 10.2.22.21 and 202.103.24.68' ?
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

Or append the level directly, as a space followed by a digit 1-6, for example:

FG200D3915807028 # diagnose sniffer packet any 'port 53 and host 10.2.22.21 and 202.103.24.68' 6

Example output:

interfaces=[any] filters=[port 53 and host 10.2.22.21 and 202.103.24.68]
21.327456 OA-Zone in 10.2.22.21.61158 -> 202.103.24.68.53: udp 47
0x0000 0000 0000 0001 18c5 8a1b 3cdc 0800 4500 ..........<...E.
0x0010 004b 05d0 0000 7f11 3310 0a02 1615 ca67 .K......3......g
0x0020 1844 eee6 0035 0037 daef 0003 0100 0001 .D...5.7........
0x0030 0000 0000 0000 0377 7777 0473 6f68 7503 .......www.sohu.
0x0040 636f 6d0c 6d69 6372 6f70 6174 7465 726e com.
0x0050 0363 6f6d 0000 0100 01 .....
21.349692 OA-Zone out 202.103.24.68.53 -> 10.2.22.21.61158: udp 63
0x0000 0000 0000 0000 906c ac02 5579 0800 4500 .......l..Uy..E.
0x0010 005b 0000 4000 3b11 3cd0 ca67 1844 0a02 .[..@.;.<..g.D..
0x0020 1615 0035 eee6 0047 82d7 0003 8180 0001 ...5...G........
0x0030 0001 0000 0000 0377 7777 0473 6f68 7503 .......www.sohu.
0x0040 636f 6d0c 6d69 6372 6f70 6174 7465 726e com
0x0050 0363 6f6d 0000 0100 01c0 0c00 0100 0100 ............
0x0060 0002 5800 0471 5043 1c ..X..qPC.
21.350943 OA-Zone in 10.2.22.21.61159 -> 202.103.24.68.53: udp 47
0x0000 0000 0000 0001 18c5 8a1b 3cdc 0800 4500 ..........<...E.
0x0010 004b 05d3 0000 7f11 330d 0a02 1615 ca67 .K......3......g
0x0020 1844 eee7 0035 0037 bfed 0004 0100 0001 .D...5.7........
0x0030 0000 0000 0000 0377 7777 0473 6f68 7503 .......www.sohu.
0x0040 636f 6d0c 6d69 6372 6f70 6174 7465 726e com
0x0050 0363 6f6d 0000 1c00 01 .....
21.371071 OA-Zone out 202.103.24.68.53 -> 10.2.22.21.61159: udp 90
0x0000 0000 0000 0000 906c ac02 5579 0800 4500 .......l..Uy..E.
0x0010 0076 0000 4000 3b11 3cb5 ca67 1844 0a02 .v..@.;.<..g.D..
0x0020 1615 0035 eee7 0062 f73e 0004 8180 0001 ...5...b.>......
0x0030 0000 0001 0000 0377 7777 0473 6f68 7503 .......www.sohu.
0x0040 636f 6d0c 6d69 6372 6f70 6174 7465 726e com
0x0050 0363 6f6d 0000 1c00 01c0 1900 0600 0100 ............
0x0060 0000 3c00 1f07 6465 6661 756c 7400 c03b ..<...default..;
0x0070 0000 0007 0000 0384 0000 0258 0001 5180 ...........X..Q.
0x0080 0000 003c ...<
4 packets received by filter

Two things to keep in mind when reading this output. Levels 3 and 6 dump the frame from the Ethernet header onward (levels 2 and 5 start at the IP header), so a level-3 or level-6 dump carries everything needed to rebuild a pcap and open it in Wireshark; the timestamp column is seconds relative to the start of the capture unless an absolute timestamp format is requested. And the sniffer, like debug flow below, only sees packets handled by the CPU: sessions that have been offloaded to an NP ASIC will not appear, so for a policy under test disable offload temporarily (set auto-asic-offload disable in the firewall policy) or the capture will look as if the traffic never arrived.

Debug flow is used to observe how the firewall handles a flow and to see the outcome of that processing. Enter the following commands on the CLI to start monitoring, generate the triggering traffic from the client, then return to the FortiGate terminal and read the output:

Fortigate # diagnose debug enable                       # turn on debug output
Fortigate # diagnose debug flow show console enable     # send trace messages to the console (the CLI echoes "show trace messages on console")
Fortigate # diagnose debug flow filter <saddr|daddr|port|proto|...> <value>   # narrow the trace to the flow of interest
Fortigate # diagnose debug flow trace start <n>         # number of packets to trace

Example: trace how the firewall processes client 10.2.22.21 resolving names against DNS server 202.103.24.68:

FG200D3915807028 # diagnose debug enable
FG200D3915807028 # diagnose debug flow show console enable
show trace messages on console
FG200D3915807028 # diagnose debug flow filter port 53
FG200D3915807028 # diagnose debug flow filter saddr 10.2.22.21
FG200D3915807028 # diagnose debug flow filter daddr 202.103.24.68
FG200D3915807028 # diagnose debug flow trace start 10

After the traffic is generated, the output looks like this:

FG200D3915807028 # id=20085 trace_id=1 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=17, 10.2.22.21:65401->202.103.24.68:53) from OA-Zone."
id=20085 trace_id=1 func=init_ip_session_common line=4527 msg="allocate a new session-006eacf3"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-**.**.**.yx, via wan2"
id=20085 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-26: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2523 msg="SNAT 10.2.22.21->**.**.**.yy:65401"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2574 msg="run helper-dns-udp(dir=original)"

Read top to bottom, one trace_id is one packet's path through the box: the UDP packet arrived on OA-Zone in VDOM root, a new session was created, a route out of wan2 was found, firewall policy 26 matched and allowed it with source NAT, the source address was translated to the wan2 address (masked here), and the DNS UDP session helper was attached. When a flow is blocked, the fw_forward_handler line is where you will see the deny and the policy ID (policy 0 is the implicit deny), so that line is the first one to look at.

When you are done, stop the trace and clear the debug state, otherwise the console keeps filling with trace output:

Fortigate # diagnose debug flow trace stop
Fortigate # diagnose debug flow filter clear
Fortigate # diagnose debug disable      # or: diagnose debug reset, which clears all debug settings

Other commonly used troubleshooting commands:

diagnose ip rtcache list                     # list the kernel route cache
show router policy                           # show policy routes
get router info routing-table all            # show the active routing table
execute ping-options source 192.168.1.1      # set the source address for the following execute ping
get router info kernel                       # show the kernel forwarding table (FIB)
diag ip address list                         # list interface IP addresses
diag ip arp list                             # show the ARP table
get router info protocols                    # show routing protocol status