Fortigate Packet Flow Troubleshooting: Common Issues

Troubleshooting Fortigate Packet Flow issues can be complex. Here’s an overview of common Fortigate Packet Flow troubleshooting issues and steps to resolve them.

Fortigate Packet Flow Troubleshooting Issues

1. Incorrect Firewall Policies

• Issue: Traffic is dropped due to misconfigured firewall policies.
• Troubleshooting:
  • Verify that policies are correctly configured for source, destination, and services.
  • Check policy order and make sure no unintended policy is overriding the expected rule.
  • Use the command diagnose firewall proute list to check the routing of packets through policies.

2. NAT Misconfigurations

• Issue: Traffic fails due to incorrect or missing NAT configurations.
• Troubleshooting:
  • Check NAT rules with diagnose firewall iprope lookup.
  • Confirm source and destination NAT configurations.
  • Use packet capture (diagnose sniffer packet any) to confirm whether traffic is being translated correctly.

3. Routing Issues

• Issue: Traffic doesn’t reach the destination due to routing misconfigurations.
• Troubleshooting:
  • Verify the routing table with get router info routing-table all.
  • Use traceroute or ping to confirm reachability to the destination.
  • Check static and dynamic routing configurations (OSPF, BGP).

4. Session Handling

• Issue: Sessions may fail due to timeouts or not being properly cleared.
• Troubleshooting:
  • List sessions using diagnose sys session list.
  • Clear specific sessions using diagnose sys session clear.
  • Ensure session TTL (time-to-live) values are correctly set and not too aggressive.

5. Zone and Interface Mismatch

• Issue: Traffic dropped due to incorrect interface or zone configurations.
• Troubleshooting:
  • Verify interface assignments and zone configuration.
  • Use the command diagnose netlink brctl name list to check zone interface mappings.

6. SSL/TLS Decryption Issues

• Issue: Misconfigured SSL/TLS decryption profiles leading to traffic drop.
• Troubleshooting:
  • Check SSL/SSH inspection profile and confirm if traffic is being inspected as expected.
  • Analyze logs and packet captures to verify if decrypted traffic is handled correctly.
  • Review the certificate configuration for any mismatches or invalid certificates.

7. DNS Misconfigurations

• Issue: Incorrect DNS settings can prevent the firewall from resolving domain names.
• Troubleshooting:
  • Verify DNS server settings using get system dns.
  • Ensure that DNS servers are reachable and properly configured.
  • Check logs for DNS query failures.

8. High Availability (HA) Failover Issues

• Issue: Traffic disruption during HA failover or improper HA synchronization.
• Troubleshooting:
  • Verify HA status using get system ha status.
  • Check HA synchronization logs and event history for any failover issues.
  • Monitor traffic during failover events with packet captures.

9. IPS Blocking Legitimate Traffic

• Issue: False positives in IPS (Intrusion Prevention System) may block legitimate traffic.
• Troubleshooting:
  • Review IPS logs for blocked traffic patterns.
  • Create exceptions for legitimate traffic in the IPS profile.
  • Tune IPS signatures to reduce false positives.

10. Session Helpers (VoIP, FTP, etc.)

• Issue: Incorrect session helper configuration can cause issues with specific protocols (e.g., VoIP, FTP).
• Troubleshooting:
  • Check session helper configuration with show system session-helper.
  • Disable session helpers if causing issues and configure specific policies instead.
  • Review logs for protocol-specific traffic drops.

11. VLAN Misconfigurations

• Issue: Traffic dropped due to incorrect VLAN tagging or trunk configuration.
• Troubleshooting:
  • Verify VLAN settings with diagnose netlink vlan.
  • Ensure proper tagging on both FortiGate and connected switches.
  • Use packet captures to see if traffic is being tagged or dropped.

12. Licensing and Feature Restrictions

• Issue: Traffic blocked due to expired licenses or disabled features (e.g., antivirus, web filtering).
• Troubleshooting:
  • Verify license status using get system status.
  • Ensure all necessary features (web filtering, antivirus, etc.) are licensed and active.
  • Review logs for license-related blocking events.

13. IPSec VPN Issues

• Issue: IPSec tunnels may not establish or drop traffic due to misconfigurations.
• Troubleshooting:
  • Verify VPN settings and phase 1/phase 2 configuration.
  • Use diagnose vpn tunnel list to check the status of VPN tunnels.
  • Check logs for any negotiation or key exchange failures.

14. Traffic Shaping or Bandwidth Management Issues

• Issue: Traffic might be limited or dropped due to traffic shaping rules.
• Troubleshooting:
  • Verify traffic shaping policies with diagnose firewall shaper traffic-log.
  • Adjust bandwidth limits or create new shaping policies for critical traffic.

15. Multicast/Unicast Forwarding Issues

• Issue: FortiGate might drop multicast or broadcast traffic if not configured correctly.
• Troubleshooting:
  • Verify multicast routing configuration using get router info multicast.
  • Ensure proper multicast forwarding or IGMP settings.
  • Use packet captures to analyze multicast traffic flow.

Each of these issues can be diagnosed using FortiGate’s packet capture tools, session monitoring, and log analysis. Knowing where to look in the FortiGate system is key to efficiently troubleshooting packet flow problems.