Tuesday, September 3, 2013

Fortigate VPN Debug log filter for IKE

When debugging a VPN on a Fortigate you will also see IKE debug output from every other active VPN on the box. If the firewall runs in an MSP environment with multiple hosted customers, each with their own VPNs, the output quickly becomes unreadable.

Use the filters below to narrow the IKE debug output to the tunnel you actually care about:

diag vpn ike log-filter ?
clear        erase the current filter
dst-addr4    the IPv4 destination address range to filter by
dst-addr6    the IPv6 destination address range to filter by
dst-port     the destination port range to filter by
interface    interface that IKE connection is negotiated over
list         display the current filter
name         the phase1 name to filter by
negate       negate the specified filter parameter
src-addr4    the IPv4 source address range to filter by
src-addr6    the IPv6 source address range to filter by
src-port     the source port range to filter by
vd           index of virtual domain. -1 matches all


Once the filter is in place, run the IKE debug with the command below (debug output only appears once diagnostic output is enabled with diag debug enable):

diag debug application ike -3
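The full session as it would be typed on the Fortigate CLI, as an added example and not part of the original post. The peer address 203.0.113.10 and the phase1 name customerA-p1 are constructed placeholders; everything else is standard FortiOS 5.x syntax from the help output above.

```fortios
# Start from a clean filter so nothing left over from a previous session narrows the output unexpectedly
diag vpn ike log-filter clear

# Restrict IKE debug output to one peer (the remote gateway address of the tunnel being debugged).
# dst-addr4 matches the IPv4 destination of our outbound IKE packets, i.e. the peer; use src-addr4 for the inbound side.
diag vpn ike log-filter dst-addr4 203.0.113.10

# Alternatively (or in addition) filter on the phase1 name configured under "config vpn ipsec phase1-interface"
diag vpn ike log-filter name customerA-p1

# In a multi-VDOM MSP box, limit to the customer's VDOM; -1 (the default) matches all VDOMs
diag vpn ike log-filter vd -1

# Confirm what is currently set before generating any output
diag vpn ike log-filter list

# Enable IKE debugging at the page's verbosity, add timestamps, then turn diagnostic output on
diag debug application ike -3
diag debug console timestamp enable
diag debug enable

# ... bring the tunnel up / let the peer retry, read the filtered negotiation ...

# Always switch debugging off and reset when done: a forgotten debug level keeps consuming CPU on a production firewall
diag debug disable
diag debug reset
diag vpn ike log-filter clear
```

The negate keyword inverts a single parameter, so "diag vpn ike log-filter negate dst-addr4" after setting an address shows every tunnel except that peer, which is handy when a noisy tunnel is drowning out the one under investigation.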
