Deconn Technical Services

How to filter IKE & IPSec negotiation output in FortiOS 4.0

It is possible to debug IPSec in FortiOS 3.0 using the command:

# diagnose debug app ike -1 X.X.X.X

where X.X.X.X is the Remote Gateway IP.

a. In FortiOS 4.0 the filter must be configured separately:

# diagnose vpn ike log-filter?
clear erase the current filter
dst-addr4 the IPv4 destination address range to filter by
dst-addr6 the IPv6 destination address range to filter by
dst-port the destination port range to filter by
interface interface that IKE connection is negotiated over
list display the current filter
name the phase1 name to filter by
negate negate the specified filter parameter
src-addr4 the IPv4 source address range to filter by
src-addr6 the IPv6 source address range to filter by
src-port the source port range to filter by
vd index of virtual domain. 0 matches all

b. Once the filter has been set, IKE debugs can be started using the commands:

# diag debug application ike -1
# diag debug enable

Other useful commands to list ike and ipsec SA:

List ike security associations (phase1):
# diag vpn gateway list

List IPSEC security associations (phase2):
# diag vpn tunnel list

david Technical Knowledge Base

In short:  “Any defined set of proactive services that are remotely delivered and prepaid on a recurring basis.”  This is the definition given by Erick Simpson, the CIO of Intelligent Enterprise during an interview with Robin Robins, a prominent technology marketing professional.
Read more…

david Professional Development

I recall 5 years ago when we first started installing Fortigate firewalls. A large source of revenue was virus and malware program removal and rebuilding machine after hopeless infections.

It was really no fun providing these reactive services. Sure the money was good, but was it really the best way for our clients to be spending their hard-earned money?
Read more…

david Professional Development Fortinet

One of the most useful diagnostic tools I use in network security is the ability to “sniff” the network traffic as it passes through the Internet gateway.
Read more…

david Technical Knowledge Base Fortinet

In January 2004, we had about 120 fairly regular clients who called for technical support, project management and technical consulting. After the housing market slump began in 2006 we saw several of our customers go bankrupt, reorganize, or just disappear.
Read more…

david Professional Development