Friday, June 25, 2010

VPN Debug Enhancements

In newer versions of FortiOS (such as 4.0 MR1 and MR2) Fortinet has enhanced the capability of debugging individual VPN connections terminating on FortiGate firewalls.
Previously, when debugging connections, you could only filter IKE traffic by destination IP. The new "diag vpn ike log-filter" command adds several more filter criteria that you can use for troubleshooting VPN connections. This is extremely helpful when you have several active VPN sessions on your firewall, since the console would otherwise be flooded with log messages from tunnels you are not interested in. To filter VPN connections, use the following syntax:

diag vpn ike log-filter

Available options are:
  clear       erase the current filter
  dst-addr4   the IPv4 destination address range to filter by
  dst-addr6   the IPv6 destination address range to filter by
  dst-port    the destination port range to filter by
  interface   interface that the IKE connection is negotiated over
  list        display the current filter
  name        the phase1 name to filter by
  negate      negate the specified filter parameter
  src-addr4   the IPv4 source address range to filter by
  src-addr6   the IPv6 source address range to filter by
  src-port    the source port range to filter by
  vd          index of virtual domain; -1 matches all

For example, if you have a VPN tunnel from your firewall to a remote gateway with IP you would use the following commands:
  • diag vpn ike log-filter dst-addr4
  • diag debug enable
  • diag debug console
  • diag debug app ike 200
Now only log messages matching a destination address of will be displayed.

Also, don't forget to reset your debug level when you are done, to conserve system resources:
  • diag debug disable
  • diag debug reset
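As an added example (not from the original post), the same workflow using the phase1 name as the filter criterion instead of the peer address, with a check of the active filter before enabling output; "branch-office" and 203.0.113.10 are placeholder values, not values from the post:

```fortios
# Added example: filter IKE debug output by phase1 name instead of peer IP.
# "branch-office" is a placeholder phase1 name; 203.0.113.10 is a placeholder peer address.
diag vpn ike log-filter clear                  # start from an empty filter
diag vpn ike log-filter name branch-office     # only show IKE messages for this phase1
diag vpn ike log-filter dst-addr4 203.0.113.10 # optionally narrow further by peer address
diag vpn ike log-filter list                   # verify the filter before turning on debug
diag debug enable
diag debug console
diag debug app ike 200
# ... bring the tunnel up / reproduce the problem and read the output ...
diag debug disable
diag debug reset
diag vpn ike log-filter clear                  # drop the filter so later sessions start clean
```

Combining "name" with "dst-addr4" keeps the output to a single tunnel even when several phase1s terminate on the same peer address.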
