FortiGate traffic flow analysis with debug flow
1. Tool overview
In firewall deployments it is common for the firewall to receive a packet but not forward it. The diagnose debug flow command traces how such a packet is processed, showing clearly what happens to it in each functional module, so you can determine how it was forwarded or why it was dropped.
2. Commands
diagnose debug enable    Enable debug output
diagnose debug flow show console enable    Start printing flow output to the console
diagnose debug flow filter add 119.253.62.131    Define a filter; several filter types are supported and multiple filters can be combined
diagnose debug flow trace start 6    Set the number of packets to trace
diagnose debug flow filter    Show the filter configuration
3. Filter parameters
FGT# diagnose debug flow filter
addr IP address. // IP address
clear Clear filter. // clear the filter
daddr Destination IP address. // destination address
dport Destination port. // destination port
negate Inverse filter. // invert the filter
port port // interface, e.g. port1
proto Protocol number. // protocol number, e.g. 6 = TCP, 17 = UDP, 1 = ICMP
saddr Source IP address. // source address
sport Source port. // source port
vd Index of virtual domain. // VDOM
4. Analysis examples
1) Permitted session with SNAT
FGT# id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 192.168.1.110:51661->119.253.62.131:80) from internal."
id=36871 trace_id=1 msg="allocate a new session-00016920"
// packet received on the internal interface; a new session is allocated
id=36871 trace_id=1 msg="find a route: gw-192.168.118.1 via wan1" // route lookup succeeds
id=36871 trace_id=1 msg="find SNAT: IP-192.168.118.28, port-43333" // a NAT configuration is detected
id=36871 trace_id=1 msg="Allowed by Policy-1: SNAT" // matched policy ID 1
id=36871 trace_id=1 msg="SNAT 192.168.1.110->192.168.118.28:43333" // source NAT applied
id=36871 trace_id=3 msg="vd-root received a packet(proto=6, 119.253.62.131:80->192.168.118.28:43333) from wan1." // reply packet received on wan1
id=36871 trace_id=3 msg="Find an existing session, id-00016920, reply direction" // packet matches session id-00016920
id=36871 trace_id=3 msg="DNAT 192.168.118.28:43333->192.168.1.110:51661" // reverse (destination) NAT applied
id=36871 trace_id=3 msg="find a route: gw-192.168.1.110 via internal" // route lookup; sent out the internal interface
id=36871 trace_id=5 msg="vd-root received a packet(proto=6, 192.168.1.110:51661->119.253.62.131:80) from internal." // subsequent packet received on internal
id=36871 trace_id=5 msg="Find an existing session, id-00016920, original direction" // matches session id-00016920
id=36871 trace_id=5 msg="enter fast path" // forwarded directly
id=36871 trace_id=5 msg="SNAT 192.168.1.110->192.168.118.28:43333" // NAT
2) Access denied by policy
FGT# id=36871 trace_id=23 msg="vd-root received a packet(proto=6, 192.168.1.110:51768->119.253.62.131:80) from internal."
id=36871 trace_id=23 msg="allocate a new session-00017537"
id=36871 trace_id=23 msg="find a route: gw-192.168.118.1 via wan1"
id=36871 trace_id=23 msg="Denied by forward policy check" // rejected outright by policy; check the policy configuration
3) Common debug flow results
msg="iprope_in_check() check failed, drop"
No policy exists for this traffic, or no policy matches; the packet is dropped
msg="Denied by forward policy check"
The policy action is deny, or the implicit deny policy was hit; the packet is rejected
msg="reverse path check fail, drop"
The reverse path (source route) check failed; the packet is dropped
msg="run helper-ftp(dir=original)"
The session is handled by a session helper