How to Diagnose a Traffic Issue between 2 Hosts with a Fortigate Firewall?

Context of a real-life scenario:

For one of my customers, I needed to configure strict firewall rules between VLANs. VLAN A had an Exchange server and VLAN B a Veeam server that needed to back up the Exchange server VM.

Each time I tried to run a backup of the Exchange server, Veeam returned a network error (RPC Unavailable). Even though I authorized the predefined RPC service in the firewall policy rule, it didn't work.

The best way to understand what is going wrong is to use the built-in sniffer of the Fortigate unit. Depending on the Fortigate model you have, the sniffer utility is available in the GUI, via the CLI, or both. The closer your unit is to an entry-level model, the more you will need to run the advanced tools from the CLI.

In all cases, my preferred way to troubleshoot is the CLI. Let's begin with it.

Run the Fortigate Sniffer utility from the CLI:

  1. How to access the CLI on the Fortigate unit?

You have 2 options:

  • in the GUI interface (Yes Yes!!! from the GUI 🙂 )
  • run an SSH session from any SSH client (PuTTY remains the most common and most widely used)

For more information on PuTTY, please go to the official website (PuTTY Website).

If you want to keep a log of what you have done and be able to display a large quantity of information, I strongly recommend using PuTTY instead of the CLI widget integrated by default in the GUI interface.

From the GUI

  1. Open the URL of your firewall
  2. Log in to the web interface
  3. Click on the CLI widget as shown here
[Figure: the CLI widget in the Fortigate web interface]

From the SSH client

Prerequisite: enable the SSH server on the Fortigate interface that the SSH client will connect to.

Example: the server where PuTTY is installed has IP 10.0.0.23 and your Fortigate unit has IP 10.0.0.1. Make sure, via the GUI, that SSH is enabled on the interface that carries the Fortigate's IP 10.0.0.1.

[Figure: enabling SSH on the Fortigate interface in the GUI]

Procedure:

  1. Run PuTTY or any other SSH client from your server
  2. Connect to the Fortigate by entering its IP
  3. Type your credentials
  4. Launch a sniffer session by typing the following command:

diag sniffer packet <interface_name> '<filter>' <verbose> <count>

In a real-case scenario, here is what you would type to see the traffic between host A 192.168.0.229 and host B 172.17.0.35:

diag sniffer packet any 'host 192.168.0.229 and host 172.17.0.35' 1

Command explanation:

diag sniffer packet: runs the sniffer
any: is the interface on which the sniffer listens for the traffic to monitor. In my case I chose ANY, as the hosts are located on 2 different interfaces.
'host 192.168.0.229 and host 172.17.0.35': is the filter. I want to see only the traffic between host A & B with no protocol filtering. Note that this filter matches both directions; a filter written as 'src host B and dst host A' would only show packets going from B to A.
1: is the verbose level of the sniffer

Note: the sniffer has 6 verbose levels. Choose the appropriate one depending on the issue you need to resolve.

Verbosity levels:

1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

Output:

144.718932 192.168.0.229.64314 -> 172.17.0.35.135: psh 3914262130 ack 63685806
144.718952 192.168.0.229.64314 -> 172.17.0.35.135: psh 3914262130 ack 63685806
144.720622 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
144.755747 192.168.0.229.64314 -> 172.17.0.35.135: ack 63685886
144.755805 192.168.0.229.64314 -> 172.17.0.35.135: ack 63685886
144.755825 192.168.0.229.64314 -> 172.17.0.35.135: ack 63685886
147.708245 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
153.708268 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
174.760978 192.168.0.229.64314 -> 172.17.0.35.135: rst 3914262210 ack 63685886
174.761066 192.168.0.229.64314 -> 172.17.0.35.135: rst 3914262210 ack 63685886
174.761090 192.168.0.229.64314 -> 172.17.0.35.135: rst 3914262210 ack 63685886
174.761393 192.168.0.229.64315 -> 172.17.0.35.20553: rst 780143497 ack 3214492343
174.761460 192.168.0.229.64315 -> 172.17.0.35.20553: rst 780143497 ack 3214492343
174.761481 192.168.0.229.64315 -> 172.17.0.35.20553: rst 780143497 ack 3214492343
188.353298 192.168.0.229.64313 -> 172.17.0.35.445: rst 2393120380 ack 3596781657
188.353391 192.168.0.229.64313 -> 172.17.0.35.445: rst 2393120380 ack 3596781657
188.353414 192.168.0.229.64313 -> 172.17.0.35.445: rst 2393120380 ack 3596781657

In my case, I could determine that some RPC ports and CIFS ports were blocked, as the firewall returned some rst (reset from source commands).
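To make this reading of the output reproducible, here is an added example (not part of the original post) that parses verbose-level-1 sniffer lines like the ones above and gives each TCP flow a one-line verdict: repeated SYNs with no packet coming back point to a silent drop, while RSTs mean the connection was reset. The sample lines are a subset copied from the capture above; the verdict wording is my own.

```python
# Summarise FortiGate "diag sniffer packet ... 1" output per TCP flow.
# Each verbose-level-1 line looks like:
#   <ts> <src_ip>.<sport> -> <dst_ip>.<dport>: <flag> <seq> [ack <num>]
from collections import defaultdict
# Sample lines copied from the capture in the post (representative subset).
SAMPLE = """\
144.718932 192.168.0.229.64314 -> 172.17.0.35.135: psh 3914262130 ack 63685806
144.720622 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
144.755747 192.168.0.229.64314 -> 172.17.0.35.135: ack 63685886
147.708245 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
153.708268 192.168.0.229.64316 -> 172.17.0.35.11500: syn 2197328095
174.760978 192.168.0.229.64314 -> 172.17.0.35.135: rst 3914262210 ack 63685886
174.761393 192.168.0.229.64315 -> 172.17.0.35.20553: rst 780143497 ack 3214492343
188.353298 192.168.0.229.64313 -> 172.17.0.35.445: rst 2393120380 ack 3596781657
"""

def parse_line(line):
    """Return (ts, src_ip, sport, dst_ip, dport, flags), or None if not a packet line."""
    parts = line.split()
    if len(parts) < 5 or parts[2] != "->":
        return None
    src_ip, sport = parts[1].rsplit(".", 1)          # IP and port share the '.' separator
    dst_ip, dport = parts[3].rstrip(":").rsplit(".", 1)
    flags = frozenset(p for p in parts[4:] if p.isalpha())  # e.g. {'psh', 'ack'}
    return float(parts[0]), src_ip, int(sport), dst_ip, int(dport), flags

def summarise(text):
    """Map each (src_ip, sport, dst_ip, dport) flow to a one-line verdict."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            flows[rec[1:5]].append(rec)
    verdicts = {}
    for (src_ip, sport, dst_ip, dport), pkts in flows.items():
        syns = [p for p in pkts if "syn" in p[5] and "ack" not in p[5]]
        reverse = flows.get((dst_ip, dport, src_ip, sport), [])
        if syns and not reverse:
            # repeated SYNs with nothing coming back: a policy drop or a dead host
            verdicts[(src_ip, sport, dst_ip, dport)] = "%d SYN(s), no reply: likely dropped" % len(syns)
        elif any("rst" in p[5] for p in pkts):
            verdicts[(src_ip, sport, dst_ip, dport)] = "connection reset (RST seen)"
        else:
            verdicts[(src_ip, sport, dst_ip, dport)] = "traffic flowing"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in sorted(summarise(SAMPLE).items(), key=lambda kv: kv[0][3]):
        print("%s:%d -> %s:%d  %s" % (flow + (verdict,)))
```

An RST may come from the destination host as well as from a firewall, so confirm a "dropped" or "reset" verdict against the Fortigate policy and traffic logs before changing a rule.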