A FortiGate administrator notices that traffic from a specific subnet is being dropped unexpectedly. The security policy allows the traffic, and there are no firewall policies blocking it. What is the most efficient first step to identify the cause of the drops?
- A: Use the 'diag sniffer packet any "host 10.0.1.0/24" 4' command to capture packets and analyze where they are dropped.
  Why correct: Packet sniffer with filter can capture the actual packets and show the drop reason in the output.
- B: Run 'diagnose debug flow' with the source IP and look for 'no matching policy' or 'dropped' messages.
  Why wrong: Debug flow is useful but may not show drops that occur before policy matching, such as route issues.
- C: Enable 'deny-log' on all policies and check logs for the subnet.
  Why wrong: If traffic is not matched by any policy, deny-log won't capture it.
- D: Enable global traffic logging and review logs after some traffic passes.
  Why wrong: Global logging may generate excessive logs and not pinpoint the issue quickly.