Wednesday, September 25, 2013

diagnose debug flow

FGT # diagnose debug flow filter daddr <dst_server_ip>
FGT # diagnose debug flow show console enable
FGT # diagnose debug enable
FGT # diagnose debug flow trace start 1000


id=36870 trace_id=400 msg="vd-root received a packet(proto=17, 192.168.3.20:1470-><dns_server_ip>:53) from to_client."
id=36870 trace_id=400 msg="allocate a new session-00002a55"
id=36870 trace_id=400 msg="find a route: gw-172.16.0.254 via to_server"
id=36870 trace_id=400 msg="find SNAT: IP-172.16.0.100, port-36150"
id=36870 trace_id=400 msg="Denied by end point ip filter check"


Once the test is complete, the debug outputs should be disabled by using the commands:

   # diag debug flow trace stop
   # diag debug reset
   # diag debug disable
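
When a trace of 1000 packets has been saved to a file, the per-packet verdict is easier to read once the lines are grouped by trace_id. The following Python parser is an added example, not part of the original post: it handles only the message shapes visible in the trace above, and the field names and the 192.0.2.53 placeholder for <dns_server_ip> are assumptions of this example.

```python
import re

# Constructed sample in the format of the trace above; 192.0.2.53 is a
# documentation address standing in for <dns_server_ip>.
SAMPLE = '''\
id=36870 trace_id=400 msg="vd-root received a packet(proto=17, 192.168.3.20:1470->192.0.2.53:53) from to_client."
id=36870 trace_id=400 msg="allocate a new session-00002a55"
id=36870 trace_id=400 msg="find a route: gw-172.16.0.254 via to_server"
id=36870 trace_id=400 msg="find SNAT: IP-172.16.0.100, port-36150"
id=36870 trace_id=400 msg="Denied by end point ip filter check"
'''

LINE = re.compile(r'trace_id=(\d+)\s+msg="(.*)"\s*$')
# Only the message shapes that appear in the trace above (assumed wording);
# any other message is kept verbatim under "other".
PATTERNS = [
    ("packet", re.compile(r'(?P<vdom>\S+) received a packet\(proto=(?P<proto>\d+), '
                          r'(?P<src>[^>]+?)->(?P<dst>[^)]+)\) from (?P<in_if>\S+?)\.?$')),
    ("session", re.compile(r'allocate a new session-(?P<session>[0-9a-fA-F]+)')),
    ("route", re.compile(r'find a route: gw-(?P<gw>\S+) via (?P<out_if>\S+)')),
    ("snat", re.compile(r'find SNAT: IP-(?P<snat_ip>[^,]+), port-(?P<snat_port>\d+)')),
    ("denied", re.compile(r'(?P<deny_reason>Denied by .+)')),
]

def parse_flow_trace(text):
    """Group trace lines by trace_id and return one summary dict per packet."""
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # console prompts, blank lines, unrelated output
        trace_id, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(trace_id, {"trace_id": trace_id, "verdict": "no deny logged", "other": []})
        for name, pat in PATTERNS:
            hit = pat.search(msg)
            if hit:
                t.update(hit.groupdict())
                if name == "denied":
                    t["verdict"] = "denied"
                break
        else:
            t["other"].append(msg)
    return list(traces.values())

if __name__ == "__main__":
    for t in parse_flow_trace(SAMPLE):
        print(t["trace_id"], t.get("src"), "->", t.get("dst"), t["verdict"], t.get("deny_reason", ""))
```

A verdict of "no deny logged" only means no "Denied by" message was captured for that trace_id; it is not proof the packet was forwarded.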

1 comment:

  1. It is very helpful for everyone.. thanks for sharing this information Kalyx transcanding connections
