I would like to know if there is an equivalent on Fortigates of the packet-tracer command that we can find on the ASA.
Here is an example of execution for those who don't know it:
NAT and pass:
lev5505# packet-tracer input inside tcp 192.168.3.20 9876 8.8.8.8 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit tcp any any eq www
access-list inside-in remark Allows DNS
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-network
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.3.20/9876 to 81.56.15.183/9876
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 94755, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Blocked by ACL:
lev5505# packet-tracer input inside tcp 192.168.3.20 9876 8.8.8.8 81
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Is there any equivalent on the Fortigates?
On the Fortigate you actually don't have a command with the capability to generate a dummy packet like on your Cisco ASA, but the closest utility will be the "diagnose debug flow" commands. The difference is that with a Fortigate you need real traffic traversing the firewall.
Below are the complete commands that you need to execute:
I do believe the closest thing you will find to that on Fortinet devices is the sniffer utility (can be accessed with: diagnose sniffer ?). I forget the exact options after this point, but it should be what you're looking for.
It is named "diagnose debug flow trace" on Fortigate.
https://blog.webernetz.net/2015/12/21/cli-commands-for-troubleshooting-fortigate-firewalls/
Before implementing any rule/policy in Cisco ASA we have an option to check whether a similar rule is already present in the firewall rule base by using the packet-tracer command, or during troubleshooting we can check by using the packet-tracer command if the connection is allowed or denied without initiating any actual traffic. This is one of the good features I like of Cisco ASA, but the same is not available in Fortigate firewalls.
To fulfill a similar kind of requirement in a Fortigate firewall, the best we can do is by diagnose debug commands, which will require someone to initiate traffic.
An example, in order to show the output for a packet, can be:
diagnose firewall iprope lookup "source IP" "source port" "destination IP" "destination port" "protocol" "interface"
Example:
It is a test to Google DNS from the SSL VPN; the result of this is below:
It doesn't match any policy, so it takes the default deny rule 0.
I hope this can help you
@Thabo has the best answer, but I'll add another useful one:
Where filter can be the usual
host 1.2.3.4 and udp
you desire (see the man page for tcpdump if you're not familiar with the filter syntax). It'll show the matching packet at every interface and show you the interface it matches on. (If the packet is forwarded, it can show as many as 6 matches as it passes through vlan -> port aggregate -> physical port, then the same going back out.)
Ref: https://kb.fortinet.com/kb/documentLink.do?externalID=11186
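The FortiOS commands behind the three approaches named in this thread (iprope lookup, debug flow trace, sniffer), as an added example that is not part of the original posts; it reuses the question's 192.168.3.20:9876 -> 8.8.8.8:80 TCP tuple. The ingress interface name port1 is an assumption, and lines starting with # are comments.

```text
# Added example, not from the thread. Interface name "port1" is assumed;
# use the real ingress interface of your unit.

# 1. Policy lookup without sending any traffic (closest to packet-tracer).
#    Arguments: src-ip src-port dst-ip dst-port protocol src-interface
#    The output names the matching policy ID, or policy 0 (implicit deny).
diagnose firewall iprope lookup 192.168.3.20 9876 8.8.8.8 80 tcp port1

# 2. Flow trace: shows route lookup, policy match and NAT for real traffic.
#    Set the 5-tuple filter first so the trace does not flood the console.
diagnose debug reset
diagnose debug flow filter saddr 192.168.3.20
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow filter dport 80
diagnose debug flow filter proto 6
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20
diagnose debug enable
# ... now open the TCP connection from 192.168.3.20, then stop the trace:
diagnose debug disable
diagnose debug reset

# 3. Sniffer with verbosity 4, which prints the interface each packet is
#    seen on; the trailing 10 limits the capture to ten packets.
diagnose sniffer packet any "host 8.8.8.8 and tcp port 80" 4 10
```

Always finish a debug session with "diagnose debug disable" and "diagnose debug reset", otherwise the filters and trace stay active on the unit.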