
Posts Tagged ‘Fortinet’

Tools for Troubleshooting Fortigate IPSEC Tunnels

March 5th, 2010

In FortiOS 3.0, IPsec can be debugged with the following commands:

FGT_FRW01# diagnose debug app ike -1 X.X.X.X
FGT_FRW01# diag debug enable

where X.X.X.X is the Remote Gateway IP.

In FortiOS 4.0 the filter must be configured separately:

FGT_FRW01# diagnose vpn ike log-filter ?
clear	erase the current filter
dst-addr4	the IPv4 destination address range to filter by
dst-addr6	the IPv6 destination address range to filter by
dst-port	the destination port range to filter by
interface	interface that IKE connection is negotiated over
list	display the current filter
name	the phase1 name to filter by
negate	negate the specified filter parameter
src-addr4	the IPv4 source address range to filter by
src-addr6	the IPv6 source address range to filter by
src-port	the source port range to filter by
vd	index of virtual domain. 0 matches all

Once the filter has been set, IKE debugs can be started using the commands:

FGT_FRW01# diag debug application ike -1
FGT_FRW01# diag debug enable

Other useful commands list the IKE and IPsec security associations:

List IKE security associations (phase 1):

FGT_FRW01# diag vpn gateway list

List IPsec security associations (phase 2):

FGT_FRW01# diag vpn tunnel list
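A complete filtered IKE debug session on FortiOS 4.0, added here as an example and not taken from the post: the filter is set to a single remote gateway, timestamps are enabled, and debugging is switched off and reset afterwards so it does not stay running on the gateway. The peer address 203.0.113.10 is a constructed placeholder, and lines beginning with a bare `#` are annotations, not commands.

```fortios
# Start from a clean filter, then restrict IKE logging to one remote gateway
FGT_FRW01# diagnose vpn ike log-filter clear
FGT_FRW01# diagnose vpn ike log-filter dst-addr4 203.0.113.10
# Confirm what the filter currently matches before generating output
FGT_FRW01# diagnose vpn ike log-filter list
# Timestamps make it easier to correlate with the peer's logs and retransmit intervals
FGT_FRW01# diagnose debug console timestamp enable
FGT_FRW01# diagnose debug application ike -1
FGT_FRW01# diagnose debug enable
# ... reproduce the problem (bring the tunnel up, send traffic) and watch the
#     phase 1 / phase 2 negotiation; `diag vpn gateway list` and
#     `diag vpn tunnel list` show whether the SAs were actually established ...
# Always turn debugging off again: unfiltered IKE debug on a busy gateway is
# noisy and costs CPU, and a forgotten filter confuses the next troubleshooter
FGT_FRW01# diagnose debug disable
FGT_FRW01# diagnose debug reset
FGT_FRW01# diagnose vpn ike log-filter clear
```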

david, Technical Knowledge Base

The Impact of Unified Threat Management

March 21st, 2009

I recall 5 years ago when we first started installing Fortigate firewalls. A large source of revenue was virus and malware program removal and rebuilding machines after hopeless infections.

It was really no fun providing these reactive services. Sure the money was good, but was it really the best way for our clients to be spending their hard-earned money?

david, Professional Development

Traffic Monitoring on the Fortigate

February 20th, 2009

One of the most useful diagnostic tools I use in network security is the ability to “sniff” the network traffic as it passes through the Internet gateway.

david, Technical Knowledge Base