Tools for Troubleshooting Fortigate IPSEC Tunnels
March 5th, 2010
It is possible to debug IPSec in FortiOS 3.0 using the commands:
FGT_FRW01# diagnose debug app ike -1 X.X.X.X
FGT_FRW01# diag debug enable
where X.X.X.X is the Remote Gateway IP.
In FortiOS 4.0 the filter must be configured separately:
FGT_FRW01# diagnose vpn ike log-filter ?
clear        erase the current filter
dst-addr4    the IPv4 destination address range to filter by
dst-addr6    the IPv6 destination address range to filter by
dst-port     the destination port range to filter by
interface    interface that IKE connection is negotiated over
list         display the current filter
name         the phase1 name to filter by
negate       negate the specified filter parameter
src-addr4    the IPv4 source address range to filter by
src-addr6    the IPv6 source address range to filter by
src-port     the source port range to filter by
vd           index of virtual domain. 0 matches all
Once the filter has been set, IKE debugs can be started using the commands:
FGT_FRW01# diag debug application ike -1
FGT_FRW01# diag debug enable
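As an added example that is not part of the original post, the POSIX shell helper below assembles the command sequences above for both FortiOS 3.0 and 4.0, checks that the remote gateway is a well-formed IPv4 address before emitting the unfiltered-capable -1 debug level, and also emits the standard FortiOS "diagnose debug disable" and "diagnose debug reset" cleanup that the post does not mention. The host and user names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: builds the FortiOS CLI sequences for a filtered IKE debug
# session (3.0 and 4.0 syntaxes) and the matching cleanup, so verbose IKE
# debugging is never left running on the firewall. Device name/user in the
# usage comment at the bottom are illustrative only.

# Return 0 when $1 is a dotted quad with every octet in the range 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands that start IKE debugging on FortiOS $1 ("3.0" or "4.0")
# for remote gateway $2. A bad address or version fails instead of emitting
# a half-built sequence.
ike_debug_start() {
    version=$1; gateway=$2
    valid_ipv4 "$gateway" || { echo "invalid gateway address: $gateway" >&2; return 1; }
    case "$version" in
        3.0) echo "diagnose debug application ike -1 $gateway" ;;
        4.0) echo "diagnose vpn ike log-filter clear"
             echo "diagnose vpn ike log-filter dst-addr4 $gateway"
             echo "diagnose debug application ike -1" ;;
        *)   echo "unsupported FortiOS version: $version" >&2; return 1 ;;
    esac
    echo "diagnose debug enable"
}

# Print the commands that stop debugging and, on 4.0, clear the IKE filter.
ike_debug_stop() {
    echo "diagnose debug disable"
    echo "diagnose debug reset"
    [ "$1" = "4.0" ] && echo "diagnose vpn ike log-filter clear"
    return 0
}

# Usage (assumed host/user):
#   ike_debug_start 4.0 192.0.2.1 | ssh admin@fgt-frw01
#   ... reproduce the tunnel problem and collect the output, then ...
#   ike_debug_stop 4.0 | ssh admin@fgt-frw01
```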
Other useful commands list the IKE and IPsec security associations:
List ike security associations (phase1):
FGT_FRW01# diag vpn gateway list
List IPSEC security associations (phase2):
FGT_FRW01# diag vpn tunnel list