Tuesday, September 3, 2013

Fortigate VPN Debug log filter for IKE

During debugging VPN on Fortigate you may see logs from other active VPN's as well and if you running your firewall in MSP environment and have multiple customers hosted and they have VPN's then its not your good day...!!

Use below filters to make your life easy when debugging VPN IKE on Fortigates

diag  vpn ike  log-filter ?
clear        erase the current filter
dst-addr4    the IPv4 destination address range to filter by
dst-addr6    the IPv6 destination address range to filter by
dst-port     the destination port range to filter by
interface    interface that IKE connection is negotiated over
list         display the current filter
name         the phase1 name to filter by
negate       negate the specified filter parameter
src-addr4    the IPv4 source address range to filter by
src-addr6    the IPv6 source address range to filter by
src-port     the source port range to filter by
vd           index of virtual domain. -1 matches all


Once the filter is in place, you can then run debug using below command;

diag debug application ike -3


1 comment:

  1. Wow, cool post. I'd like to write like this too - taking time and real hard work to make a great article... but I put things off too much and never seem to get started. Thanks though. Check it out

    ReplyDelete

Restrict SSH access to Management IP address ranges - Juniper EX Switches

People from Cisco world would always wonder that how to restrict ssh access to a Juniper EX switch to fewer hosts or ranges Here is how y...