debug flow trace
Use this command to trace the flow of packets through the FortiWeb appliance’s processing modules and network stack.
Before you can see any debug logs, you must first enable debug log output using the command
diagnose debug.
To use this command, your administrator account’s access control profile requires only r permission in any profile area.
Syntax
Variable | Description | Default |
trace {start | stop} | Select whether to enable (start) or disable (stop) the recording of packet flow trace debug log messages. | No default. |
Example
This example configures a filter based on the packet destination IP 172.120.20.48, enables messages from each packet processing module, enables packet flow traces, then finally begins generating the debug logs that are enabled for output (in this case, only packet trace debug logs).
Because the filters are configured before debug logging is enabled, the administrator can type the filter without being interrupted by debug log output to the CLI.
diagnose debug flow filter server-ip 172.20.120.48
diagnose debug flow flow module-detail on
diagnose debug flow trace start
diagnose debug enable
Output:
FortiWeb # session_id=251 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.225:49428"
session_id=251 packet_id=0 msg="HTTP parsing client packet success"
session_id=251 packet_id=0 policy_name="policy1" msg="
Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GEO_BLOCK_LIST, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PROTECTED_SERVER_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_ALLOW_METHOD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_HTTP_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_LAYER4_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_AUTHENTICATION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GLOBAL_WHITE_LIST, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_URL_ACCESS_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_BRUCE_FORCE_LOGIN, Execution:3, Process error:0, Action:ACCEPT
Module name:HTTP_CONSTRAINTS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_COOKIE_POISON, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_START_PAGES, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PAGE_ACCESS_RULE, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_UPLOAD_RESTRICTION_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:ROBOT_CONTROL_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PARAMETWER_VALIDATION_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT
Module name:WAF_FILE_UNCOMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_SIG_DETECT_PROCESS, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_HIDDEN_FIELD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_URL_REWRITING, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_COMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_CERTIFICATE_FORWARD, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_AUTOLEARN, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_STATISTIC, Execution:3, Process error:0, Action:ACCEPT
"
session_id=502 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.225:49429"
session_id=502 packet_id=0 msg="HTTP parsing client packet success"
session_id=502 packet_id=0 policy_name="policy1" msg="
Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GEO_BLOCK_LIST, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PROTECTED_SERVER_CHECK, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_ALLOW_METHOD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_HTTP_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_LAYER4_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_AUTHENTICATION, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_GLOBAL_WHITE_LIST, Execution:4, Process error:1, Action:ACCEPT
Module name:WAF_URL_ACCESS_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_BRUCE_FORCE_LOGIN, Execution:1, Process error:0, Action:ACCEPT
Module name:HTTP_CONSTRAINTS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_COOKIE_POISON, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_START_PAGES, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_PAGE_ACCESS_RULE, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_UPLOAD_RESTRICTION_POLICY, Execution:3, Process error:0, Action:ACCEPT
Module name:ROBOT_CONTROL_PROCESS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_PARAMETWER_VALIDATION_PROCESS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT
Module name:WAF_FILE_UNCOMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_SIG_DETECT_PROCESS, Execution:1, Process error:0, Action:ACCEPT
Module name:WAF_HIDDEN_FIELD_PROCESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_URL_REWRITING, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_FILE_COMPRESS, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_CERTIFICATE_FORWARD, Execution:3, Process error:0, Action:ACCEPT
Module name:WAF_AUTOLEARN, Execution:4, Process error:0, Action:ACCEPT
Module name:WAF_HTTP_STATISTIC, Execution:3, Process error:0, Action:ACCEPT
"
session_id=0 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.48:47368"
session_id=1 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.48:59682"
session_id=252 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.48:47376"
session_id=503 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.48:59687"
session_id=754 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.48:47382"
session_id=2 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.48:47385"
session_id=253 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.48:47387"
diag debug disable
FortiWeb #
Session lines contain the name of the matching server policy (policy_name), the packet identifier (packet_ID), and TCP session ID (session_id), as well as a log message (msg) indicating one or more of the following:
• the source IP address and port number of the packet (e.g. Receive packet from client 172.20.120.225:49428)
• the success or failure of FortiWeb’s HTTP parser’s attempt to analyze the HTTP headers and payload of the packet into pieces that can be scanned or modified by modules (e.g. HTTP parsing client packet success or Packet dropped by detection module,and module number=11)
| If the debug logs indicate that the HTTP protocol parser may be encountering an error condition, you can temporarily disable it and allow packets to bypass it to verify if this is the case. See noparse {enable | disable} in “server-policy policy”. |
If enabled, module lines contain messages from each FortiWeb feature module as it processes the packet (e.g.
Module name:WAF_PROTECTED_SERVER_CHECK for the feature that tests for an allowed
Host: name in the request). The module logs are displayed in their order of execution (for details, see the
FortiWeb Administration Guide). These messages indicate:
• whether or not the module executed, and if not, the reason (e.g. Execution:1)
• processing errors, if any (e.g. Process error:0)
• whether a module has allowed or blocked the packet (e.g. Action:ACCEPT or Action:FOLLOWUP_ACCEP)
For non-execution reasons, possible status codes are:
• Execution:1 — The module is disabled, and therefore is being skipped.
• Execution:2 — The module is not supported in the current deployment mode, and therefore is being skipped.
• Execution:3 — The client IP address is whitelisted, and therefore the module is being skipped.
• Execution:4 — URL access policy has caused the module to be skipped.
Related topics