Fortigate Firewall Troubleshooting : Become Expert in 30 minutes.

Captions
Hi guys, I'm Emma. I welcome you to my YouTube channel, hope you all are doing well. Today's video is on troubleshooting: how you can do the troubleshooting in your FortiGate firewall. It is a very detailed video, so it is a very long video, but if you want to be an expert then obviously you should watch this video from the very start to the end. If you are just coming here to see how the video is, then I would say don't watch it; watch it only when you want to learn it properly.

In this video I've used three things: diagnose sniffer, diagnose debug and diagnose sys session. You can get these commands easily on my website or on Google, but I think there is no website which will explain to you how effectively you can use these commands, so I have told you in my complete video how you can use these commands to do any kind of troubleshooting. You need three things: source IP, destination IP and the port number. If you have these three things you will come to know from where the packet is coming inside the firewall and from where it is going outside, what policy should be hit, what should be the routing. So you should get these three things, and you will watch my video and you will become an expert, and you can do any kind of troubleshooting in your FortiGate firewall, because if you see, any kind of scenario is involved with these three things.

So I would request you to also comment if you liked my video. If you don't like my video then also please comment and let me know why you don't like my video; maybe I would like to improve that. It gives me happiness if it is really helpful for you. It is a free video, and I made it because before making it I saw there is no video on YouTube which explains in detail how to use these commands. So before moving into the screen I will request you to go to my website, and there also you will get these commands which I am going to use, and in a couple of days we'll also put another video which will help you to know what the best ways to do the troubleshooting are. It's not that you should always doubt your firewall; there are other ways as well.

So let's move to my desktop. Today I will be explaining to you how you can do the troubleshooting; the detailed configuration part I have explained in my other video (the latest video I have created), you can get the link in the description or on the top. In this video I will explain to you what the difference is between the diagnose sniffer command and the diagnose debug command, and when you should use each of these commands.

So this is our topology where I will explain how things work in our lab. In our lab I will create this one area, where our system is directly connected to our FortiGate firewall, and the FortiGate firewall is having this configuration: on the LAN port it has the 10.10.10.10 IP, on the WAN port this is the IP address, and on the management this is the IP address. How to configure these things I have explained in my video; that link I have shared with you in the description, and you can go there and see the configuration part. This video is just to understand the difference between the different diagnose methods.

Suppose this is your actual topology in your office, and obviously there would be switches and routers coming in between. The first thing is that you should be aware whether the traffic is reaching your FortiGate or not. Suppose this person is saying "I am not able to access the internet", or this person wants to go to the DMZ and is saying "I am not able to access the DNS server". The first question is: is its traffic coming to the firewall or not? To see if the traffic is coming up to our firewall or not, we can easily check that with logs. If you have FortiAnalyzer it's very easy, you can just check the logs with the source IP address. Suppose you have not created a policy; then also you will get the logs, but you need to enable logging on the implicit policy. I'll show you how to check the implicit policy.

So you need to log into your firewall. This is the IP. It is not working; let's see why it is not working. Let's check the IP address of our firewall and the interface in VMware, and the address is set. Now let's check the connectivity from VMware; that's good, the ping to 192.168 is coming, and in our configuration HTTPS and SSH are also configured. So why is this not working? Well, let me check. You should never use HTTPS here; it should work with HTTP. On FortiGate it will always work with HTTP, and on Palo Alto it will work with HTTPS. This is in the lab, not in an actual environment; if you are in the lab, that's the only scenario.

Let's go to Policy, IPv4, and here is your implicit policy. You can double-click the implicit policy to edit it; it's already enabled. You need to log violation traffic. If you do not enable this, you can never see the traffic in the logs and you will always think that the traffic is not reaching your firewall, and if you think like that then your troubleshooting will never be successful. Suppose in the implicit policy the logging is not enabled; you will look at the traffic logs, you will see the traffic is not reaching the firewall, and you will tell that guy "traffic is not coming up to my firewall, I cannot resolve your issue". That happens many times, so be careful and enable it.

The next thing: even though you have enabled logging, suppose you are not receiving the traffic. What is the method? The method is you apply the sniffer command. FortiGate has the sniffer inbuilt, and I will show you how you can use it. The thing is where you can apply it. Suppose this is not working, this is not working, all these things are not working, or any one of them is not working (it cannot be that all things stop working suddenly; maybe any one thing is not working). If you got the issue on the LAN port, or suppose you want to capture the traffic on the WAN port, you can apply the capture on the WAN port, or you want to apply the capture only for a specific IP, 10.10.10.100, and also for this destination IP address, or only for the WAN port. You can do these things with the sniffer. You can come to know whether the traffic is coming or not, whether the traffic is coming here but the packet is not going outside, and whether we are receiving the return packet; you can check all those things with this sniffer. So this is really very helpful. You cannot come to know these things from the logs. If you want to specifically see that the traffic is hitting this port and it is hitting this port, we need to apply the diagnose sniffer; we cannot see it in the logs. So it is for detailed troubleshooting, deep troubleshooting.

So let me show you this thing. As I told you, we can capture the traffic anywhere. So what I will do is show you my interfaces. How do you check the interfaces? If you run this command from here you will come to know about your interfaces and their configuration. So port1, this is our management interface; I am not giving it a name, but you should give it a name so that you can come to know what it is. Port2 is my LAN port; here you can see the alias is LAN. So what I will do is apply the ping and try to see the traffic on port number 2.

This is my system, and this is connected to the LAN side. Let's try to initiate the ping, and here what you need to do is diagnose sniffer packet. Now if I put "any" here it means I want to see the traffic for any interface, and if I hit enter you can see a lot of traffic. You should never use this. This is my lab environment, I can do that, but you should not do it in your running environment because there is a lot of traffic going on; you can see how many packets have been captured, and it would be very difficult for you to do the troubleshooting.

So the first step to do the troubleshooting is: open PuTTY, log in to your firewall, right-click here, Change Settings, go to Logging, choose "All session output", browse and save your file somewhere. I will give it some name; maybe you can give something like the application name with the date. If you are troubleshooting daily it's good that you give a good name and you are able to identify which file is for what purpose. So now you have saved your output. Why do you have to save it? Because if you don't save it and you scroll up, PuTTY has some limitation; from there I cannot see what has gone up. Maybe there is some setting in PuTTY where you can see the scrollback also, but I never checked it; it's good for me, I always save the file.

So you should be aware of your interfaces, and you can apply the command diagnose sniffer packet with, instead of "any", port2. I would not recommend you to apply it directly on the port this way. Why? Because obviously the LAN port would be getting the traffic from a lot of PCs. But suppose you have configured a new port, this is your new scenario, you are just configuring it and it's having very little traffic; then you can apply the capture on port number 2. Suppose you have created a new DMZ, you have placed one test machine there and you are trying to check the traffic; in that case you can apply it on the whole port. So in some troubleshooting scenarios you can do that, you have that option.

The next thing is you can also further specify the IP address as host. Suppose on port number 2 there is a lot of traffic and we do not want to see all the traffic, because it will become very difficult for you to do the troubleshooting; so you can apply the capture only for that particular host, and you will see the traffic, requests and replies. There is another thing: you can also apply the capture to another host, if you know that this is the destination. You can apply it to the destination also, but you need to put "host" here, and you will now start getting the request and reply only specifically for that. There is another filter: you can also filter the traffic by proto; ICMP is protocol 1. One more thing: you need to put this filter inside quotes; you need to put this sign before the start and at the end, and then hit the enter button. So you can hit enter and you will start getting it by protocol. Suppose you forgot the protocol number but you remember the port number; then you can also type "port" and just mention the port number. Suppose your traffic is going to port 80. It will not work; see, I have not closed it with the quote. So you need to type this, and you will start getting the traffic for that.

Let me initiate the traffic from here. Telnet might not be working. It's not working. How to enable it: just go to the Control Panel, Programs and Features, "Turn Windows features on or off", and here you have Telnet. Why am I showing you this? Because you should have knowledge of that; we have to do the troubleshooting and we should be aware from where we can enable telnet. If you don't know how to enable it you should check it from somewhere, or from my video you now already know that, but it is important for you. So let's do telnet on 80. Now it's trying to connect, but I know there is nothing there, this doesn't exist, but we have applied our filter and we should see the SYNs. So what does it tell you? Traffic is coming up to my firewall. I am receiving the traffic; it doesn't matter if there is anything on that side, that is part of the application; maybe there is no server, then how will it work? But our purpose is whether we are receiving the traffic or not. So this is how you can apply the sniffer.

If I have to tell you how I use this sniffer: what I do, I do not even apply the port, because it wastes my time to search for the port. I just say "any". Why do I put "any" and not the port? Because your firewall is like a router, it does not like broadcasts, and every port will be having a different IP address, so if you specify host 10.10.10.100 here, the firewall will automatically come to know on which side this host is, because obviously the traffic would be coming from one of the FortiGate ports. So let's go back here; it will start getting the traffic. So it is the easiest way for me. Sometimes I need to put another IP, and there is the option of "or" also. You can put "or": always put host, and you are saying give me the traffic for this or this, any of these IPs. For this what you need to do is put host with the other IP address, and let's go back here; now you start seeing the traffic for both. Control-C, I just interrupted it; so it's a beauty, you can interrupt it any time.

Suppose you want to see only ten packets. There is further more detailed explanation on that. This is verbose: 1, 2, 3, 4. Suppose I put 4, and after that I say I only want ten packets; so it will give me ten packets, that's it. If you count, these are ten packets. You want count 2; so these are two packets. So this is the packet count. You can see there is no timing in between; we want absolute timing. This is the time, but this is not a good time, we cannot read this time. Let me try this. Yes, this is the filter for the timing: 4, 0, a. You need to put 0 and then you need to put "a"; "a" is for absolute timing. There is another thing: whenever Fortinet support asks you to provide the sniffer, because they want to see the traffic in Wireshark, they will say just apply this filter and put 6 and 0, and it will give you the packet in a very detailed format (I think this is hexadecimal format), and they can convert this packet in Wireshark and you can see each and everything: TCP header, IP header, everything a packet contains. So these are different levels of verbose; 6 verbose gives you the packet with more information, there is 5 verbose, you will get some more information with 4 verbose, and from 3 you don't get much information. By default it is 1; with 1 you will not get much information, simply you do not see good information here. Let me apply it and connect telnet again; obviously it should not work. Run the capture and let's see the traffic. Yes, that's what I want to show you: you will see the sequence number here. Now let's see what we see if you don't put anything and apply again, because the earlier one would have expired; let's try, it's connecting. Let's see the traffic now. So you can compare: this is the same when I press 1 or I do not type the verbose level; this is the default that you will see.

So this is how you can use this sniffer in more detail. What you can do is, you should only use "any" and then you should put the host. Maybe there are some scenarios where you think that from another interface the same IP is coming which is coming from the LAN; it doesn't make any sense to me, it should not happen, but if your network is designed in any such way then you can apply the interface. But I never apply the interface, because it wastes time to check from which interface; in companies the interface names are very big, maybe they have VLANs, long VLAN names, and you need to type them in. So it's better to always just type "any" and put "or" or "and", and you can see the traffic.

One more thing before I forget: you can also put src, src 10.10.10.x. Let's try to do that. The disadvantage of applying src is that you will never see the reply, and you will be thinking "I'm not getting the reply, maybe there is some issue". But if you only put host, then you will see the traffic, request and reply both. So this is the thing. But in some cases you have to apply it; suppose you are not getting the reply back. We will do the telnet, you're not getting the reply back in our current case, and you want to see if you're getting any reply from the other interface or not. So let's put it first on port number 2; we applied the capture on port number 2, let's see if you are receiving. All right, so we have received the SYN on port number 2, and now let's apply it on port 3; I think 3 is my outgoing port, let me check: Network, Interfaces, port3 is my WAN interface. Let's apply the same capture again and go back here and see. You can see here you do not receive the traffic on the WAN. Why do you not receive the traffic on the WAN? Maybe there is no policy for this to go outside; that's one thing. There are so many things, the reason can be so many, I'll explain everything one by one. Let's just try 8.8.8.8 to make it simple, and you see here on the WAN interface you are receiving the request, and the request is coming from this IP, and this is your NATted IP, and this is the destination. But if you apply it only on port 2, then let's compare: here you do not see 192.x, which is our WAN interface IP, because here you receive only traffic from the LAN, and on the LAN it has this source and this destination because it is not NATted. But when the traffic reaches the WAN interface it should be NATted and the traffic should be sent with the public IP (in our case obviously this is a private IP, but in your case it should be a public IP), and the traffic will go from the public IP, the NATted IP, to the destination. This should be the expected behaviour.

So how some people do the troubleshooting: one person is saying "I am not able to connect"; okay, great. Any IP from this host will obviously always go to the firewall, because this is having the firewall as its default gateway. We will apply the destination, so we will apply it as 10.10.10.100 and let's see whether we see the packet here or not. You're seeing the packet, and you just say "okay, I'm not getting a SYN-ACK back"; you can see that. Then apply it here. Why? Because as per you, the firewall will take this in and it will send out the SYN; now the SYN-ACK has to be sent back by the destination host. You will say that, but have you ever applied the capture on port number 3 as well, just to check if you are getting the traffic back from there or not, or that you have got the traffic up to port 3 from your LAN side? Let's go back to the diagram: traffic came from here, it has done a telnet request here and we have seen the SYN here. Have you seen it going outside with the NATted IP? If you have not seen that, then your troubleshooting is incomplete; you have not done the proper troubleshooting.

So this is how you can see the traffic on the port. If you want to see that the traffic is coming from port 1 and whether it is exiting out or not, in this case you need to use the diagnose debug command. This debug flow command will help you to know if there is any policy or routing or NATting available for this traffic for which you are putting a filter, the telnet traffic. If there is any policy then the packet will be sent to the WAN port; if there is no policy, the packet will be in the firewall but it will never go to port number 3; it will be received here and dropped here. And you will say "the SYN is going, the SYN-ACK is not coming, it's not my problem", but if you don't check whether there is any policy or something, or whether the traffic is reaching port 3, your troubleshooting is incomplete. So after doing the sniffer and after doing port 3, here you came to know that the traffic itself is not being sent by the firewall to the WAN interface. So what you need to do is check if there is a policy or not, if there is routing or not. You can also check the policy with the logs, it's very easy, but to compare whether that policy is having the proper route to both sides, diagnose debug is a good thing; you check it, but it has two or three commands that you need to put. In other firewalls like Palo Alto or Cisco they have packet tracer, which generates a dummy packet, and that is really very helpful: with one command you will come to know everything, if it is having NATting, if it is having policy, if it is having routing. That's really useful; FortiGate doesn't have anything like that. So this is a kind of comparison I told you.

So let's see if it has a policy: diagnose debug. The first thing that you need to do is disable: diagnose debug disable, because maybe it is already running. Then you do diagnose debug reset; why? Maybe somebody has already set a filter, so you reset the existing filter. Now you start your filter: diagnose debug flow. Up to here two or three commands are the same. Then diagnose debug flow filter; then you have multiple options. You need to type a question mark and you will see the multiple options. I never use source address, I have told you above, because you will never see the reply packet. I always use addr; this is the best for doing the troubleshooting. Use addr and then type your address, .100. Then you can apply diagnose debug flow filter port, port number 80. Now you need diagnose debug flow show. In the previous version there was a console command, console enable, but that command is not in the newer version; newer means version 5.6+ are not having that console command. Then you need to press enter, but that command doesn't work on the new FortiGates, so it is diagnose debug flow show function-name enable. There is another command, diagnose debug flow show iprope enable; if you run this command you get additional information. And finally you need to run another command, diagnose debug flow trace start; you need to start the trace and you need to tell the firewall how many packets you want, because when you start the trace it will not stop with control-C. So it's better to put a number here, like I put 100: 100 packets, and after that it will automatically stop. Then diagnose debug enable. Before enabling, let me see: nothing is going on here. Now I'll go to my CLI, I will just enable it and I'll go back here, I need to generate the traffic, because this is real-time capturing.

In real time we are capturing the thing. So the traffic is coming to my firewall; now let's understand what it is saying. Control-C, we have stopped it. It will not stop with control-C; I can show you, because it has dropped as well. You press control-C, it will not stop; you need to do diagnose debug disable, when you press this then it will be stopped. Now let's see our packets, what we have seen so far. vd-root received the packet, proto 6, it means it is TCP; this is the source, this is the destination on port number 80, from port number 2, and this is the same pattern. So this is "allocate a new session", that's the second message, and the packet came from port number 2; we don't have the out port, the firewall is saying I don't have the out port. So to check the out port it needs to do the routing: find a route. So it has given the message "find a route", and then it says yes, I have a route, I have a gateway, that's why I put port number 3, I can send the packet outside. Now let's go on here: so you'll see policy matched, match accept, matched. Then try to get NAT; now it has to get NATting to send outside. There are two types of NATting, one is destination and another is source NAT. Source NAT happens after policy in FortiGate, and when it has to send the traffic outside, that happens before even routing the traffic. I have explained this in my other video in detail. Find SNAT, and it has found the source NAT. What is left? Everything is okay, it got everything it needs, only three things it needs: a gateway to go outside; once it is having the gateway then it will check for the policy; when it is having policy, inside the policy there is NAT also that we enable and forget, if your FortiGate is not configured as central NAT. So you have source NAT also; you have everything. Then go back: in the next it says policy matched; this is nothing, there are some unimportant messages you will see. Now the message says the in port is port 2 and the out port is port 3. So everything is allowed by policy 1, source NAT, and the NATted IP will be added to this one. Everything is okay, but per packet our packet is going outside and our packet is never getting the reply. From here you will be confirmed that there is no issue in the firewall. There were only three things which you can see, which are there, but you cannot see the return traffic. So these kinds of things happen.

In these kinds of cases you can never see the traffic on your WAN. Let me show you again: diagnose sniffer packet port3, host 10.10.10.100, and you will never see the traffic. Why will you not see the traffic? Because this IP that you have applied is the private IP, your LAN side IP. If you want to see traffic on the WAN, the NATted traffic, what do you need to put? You need to put your public IP, this IP, because now you have seen everything is aligned, everything is allowed; why am I not able to see the traffic? Another thing is maybe you can put the actual destination here, or you just put your NATted IP. See here, you can now receive the packet at the destination, sorry, at the outgoing interface. Control-C. The public IP is sending a packet outside. I don't know from where this IP came; this is something different. We should initiate the traffic again: 10.2.4.1, see here 10.2.4.1. Well the best thing is just apply the destination, host 10.2.4.1. Why should you always apply the destination on the WAN interface? Because there will be a lot of packets that are getting NATted from the same IP address; you would be having your destination, so there will be a lot of packets that will be getting NATted, like in our case you can see there is a lot of communication happening. So it's not good troubleshooting; troubleshooting is always when you specify things properly: host this and host another, you define it. Now let's try to initiate the traffic again. You can see the same, now we are getting the traffic, as we should. That's fine. Now I think you are more confident, you can understand how you have to apply the sniffer, where you will apply the sniffer and what will happen.

Just to recap, let me go back to the diagram. When the traffic is coming here and you are applying the capture only on the LAN port, then you need to specify this IP address, the source IP address, with host, and the destination host also, but do not specify src or dst, because you will not get the reply packet back, so that's not good troubleshooting. When you want to see if your FortiGate is sending the SYN outside, then what you need to do is apply the capture with the outside interface IP address. Earlier I applied the wrong IP on the outside interface also because I wanted to show you the diagnose command, but in the real scenario you will definitely not receive the packet here; it will not get NATted because there would not be any policy. So just to create the scenario in front of you: in your scenario, in your firewall in your office, there will be very specific policies. In my case the policy says allow anything here, services are any. If I allow only ping here, then let's go back to our sniffer and I will try to put 80. Let's see what we see. So here you don't see any traffic, because the traffic is coming on port number 2. I will show you it's coming on port number 2; obviously it takes some time. Now we will see here: you can see the SYN packet on port number 2, on the LAN side, but that packet is not going to the WAN interface, because there is no policy. To check if there is any policy or not, what we will do is run diagnose debug; because we already have a filter applied it should work, and if it does not work I will show you again how to apply it. So I interrupted it; no, it will not stop, I need to do diagnose debug disable, control-C will not work here. So here policy 0 is matched, action drop. From here you came to know there is no policy. You want to see if there is any route from port 2 to port 3: there is a route, but there is no policy. If there is no policy then obviously there is no source NATting. So from here, this is how you can do the troubleshooting; you can come to know where actually the issue is.

80% of your problems are related to one source not being able to access another destination, from one to another the traffic is not working. The things that you need to ask from that person are source IP, destination IP and destination port; all the rest of the things you will come to know by yourself if you have the credentials of the firewall: from where to where it is getting NATted and how it's getting NATted, everything. Another good command is diagnose sys session list, and then grep, and then you can put your destination. That's a very good command, I really like it. Obviously you don't have any session; just create the session. See, you don't have any session, because if you don't have any policy you cannot have any session. Obviously there is no policy and you are getting the traffic, but you don't have any policy, so you will not get any session; a session gets created only if it matches the policy. Let's do something else, and now we can see the session because there is a policy and it matched. What is the benefit of this command? From this command, if you quickly want to come to know which IP this IP is getting NATted to, what is the proper NAT for that, you can come to know from here: see the source IP, this is the destination IP, and this is the NATted IP, meaning your public IP in your case. From here you will come to know, and you would like to see what the reverse NAT is: when the reply comes back it will come back from this source, and the reply will be on this destination, and it will finally get converted to this IP.

I hope your concept of troubleshooting is now clear; it will resolve 80% of your issues. There is IPsec troubleshooting and furthermore troubleshooting on different topics; maybe I'll create a video on that. If you like my video please press the like button; if you don't like my video please press the dislike button and also put a comment why you don't like the video. If you liked the video then also please put a comment. Okay, bye.
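The LAN-versus-WAN sniffer comparison the video walks through can be mechanised: parse verbosity-4 `diagnose sniffer packet` output captured on the LAN and WAN ports and report which of the three checks failed (SYN reached the LAN port, NATted SYN left the WAN port, SYN-ACK came back). This is an added example, not code from the video or from Fortinet; the capture lines, interface names (port2/port3), client IP, NAT IP and destination are constructed for the example, and the line layout is assumed to follow the usual `<time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> <seq>` shape.

```python
"""Triage FortiGate 'diagnose sniffer packet ... 4' captures from the LAN and WAN ports
for one source IP / destination IP / destination port. Added example; sample data is
constructed and interface names, IPs and ports are assumptions."""
import re
from dataclasses import dataclass

# One TCP line of verbosity-4 sniffer output (assumed layout), e.g.
#   2.123456 port2 in 10.10.10.100.51234 -> 10.2.4.1.80: syn 1234567890
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg"}


@dataclass(frozen=True)
class Packet:
    ts: float
    intf: str
    direction: str   # "in" = entered the FortiGate on intf, "out" = left on intf
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def parse_sniffer(text):
    """Parse TCP lines; the 'interfaces=[...]'/'filters=[...]' header and non-TCP lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = frozenset(tok for tok in m["rest"].split() if tok in TCP_FLAGS)
        packets.append(Packet(float(m["ts"]), m["intf"], m["dir"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), flags))
    return packets


def is_syn(p):
    return "syn" in p.flags and "ack" not in p.flags


def is_synack(p):
    return {"syn", "ack"} <= p.flags


def triage(lan_pkts, wan_pkts, client_ip, dst_ip, dst_port):
    """Return (verdict, nat_ip). Checks run in the order the video uses them:
    SYN on the LAN port -> NATted SYN out of the WAN port -> SYN-ACK back on the WAN port."""
    lan_syn = [p for p in lan_pkts if p.direction == "in" and is_syn(p)
               and p.src == client_ip and p.dst == dst_ip and p.dport == dst_port]
    if not lan_syn:
        return "no SYN from the client on the LAN port: traffic is not reaching the firewall", None
    wan_syn = [p for p in wan_pkts if p.direction == "out" and is_syn(p)
               and p.dst == dst_ip and p.dport == dst_port]
    if not wan_syn:
        return ("SYN seen on LAN but not on WAN: check policy, route and SNAT with "
                "'diagnose debug flow'"), None
    nat_ip = wan_syn[0].src          # the post-SNAT source address seen on the WAN side
    synack = [p for p in wan_pkts if p.direction == "in" and is_synack(p)
              and p.src == dst_ip and p.sport == dst_port and p.dst == nat_ip]
    if not synack:
        return f"SYN left WAN as {nat_ip} but no SYN-ACK returned: firewall is fine, look upstream", nat_ip
    return f"SYN-ACK returned to {nat_ip}: session established through the firewall", nat_ip


# Constructed captures, as if from 'diagnose sniffer packet port2 "host 10.10.10.100" 4'
# and 'diagnose sniffer packet port3 "host 10.2.4.1" 4'. The header lines are skipped by the parser.
LAN_CAPTURE = """interfaces=[port2]
filters=[host 10.10.10.100]
2.123456 port2 in 10.10.10.100.51234 -> 10.2.4.1.80: syn 1234567890
5.123800 port2 in 10.10.10.100.51234 -> 10.2.4.1.80: syn 1234567890
"""
WAN_CAPTURE_NO_POLICY = """interfaces=[port3]
filters=[host 10.2.4.1]
"""
WAN_CAPTURE_NO_REPLY = """interfaces=[port3]
filters=[host 10.2.4.1]
2.123500 port3 out 192.168.1.110.51234 -> 10.2.4.1.80: syn 1234567890
5.123850 port3 out 192.168.1.110.51234 -> 10.2.4.1.80: syn 1234567890
"""
WAN_CAPTURE_OK = WAN_CAPTURE_NO_REPLY + \
    "2.130000 port3 in 10.2.4.1.80 -> 192.168.1.110.51234: syn 987654321 ack 1234567891\n"


def run_cases():
    """Run the three scenarios from the video against the constructed captures."""
    lan = parse_sniffer(LAN_CAPTURE)
    args = ("10.10.10.100", "10.2.4.1", 80)
    return {
        "no_policy": triage(lan, parse_sniffer(WAN_CAPTURE_NO_POLICY), *args),
        "no_reply": triage(lan, parse_sniffer(WAN_CAPTURE_NO_REPLY), *args),
        "ok": triage(lan, parse_sniffer(WAN_CAPTURE_OK), *args),
    }


if __name__ == "__main__":
    for name, (verdict, nat_ip) in run_cases().items():
        print(f"{name}: {verdict}")
```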
Info
Channel: Technical_Scoop
Views: 48,964
Keywords: Fortigate Firewall troubleshooting, Fortigate Troubleshoot, fortigate debug commands, fortigate snifer commands, fortigate session
Id: rDlhMJ9EKkE
Length: 44min 44sec (2684 seconds)
Published: Sat Feb 29 2020