How can I verify that traffic is being accepted by (or hitting) a security policy?
You can use the diagnose debug flow command to show packet flow through the FortiGate unit. As packets are received you can view debug messages to show how the FortiGate unit processes them. The following command sequence displays packet flow for packets with IP address 10.10.20.30.
The command output shows what happens after one packet is received:
• a new session is allocated,
• a route is found for the packet,
• its source NAT IP and port number are selected,
• it is matched with a policy (in this case policy ID 5),
• source NAT is performed and the packet is forwarded.
    diagnose debug enable
    diagnose debug flow show console enable    (show trace messages on console)
    diagnose debug flow filter add 10.10.20.30
    diagnose debug flow trace start 100
We can use the following filters:

| Option | Description |
|--------|-------------|
| addr   | IP address |
| clear  | Clear filter |
| daddr  | Destination IP address |
| dport  | Destination port |
| negate | Inverse filter |
| port   | Port |
| proto  | Protocol number |
| saddr  | Source IP address |
| sport  | Source port |
| vd     | Index of virtual domain |
The number after trace start indicates how many lines to show in the console output.