Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

Configuring WAN optimization

Configuring WAN optimization

This chapter describes FortiGate WAN optimization client server architecture and other concepts you need to understand to be able to configure FortiGate WAN optimization.

 

Client/server architecture

Traffic across a WAN typically consists of clients on a client network communicating across a WAN with a remote server network. The clients do this by starting communication sessions from the client network to the server network. These communication sessions can be open text over the WAN or they can be encrypted by SSL VPN or IPsec VPN.

To optimize these sessions, you can add WAN optimization security policies to the client-side FortiGate unit to accept sessions from the client network that are destined for the server network. The client-side FortiGate unit is located between the client network and the WAN. WAN optimization security policies include WAN optimization profiles that control how the traffic is optimized.

The client-side FortiGate unit must also include the IP address of the server-side FortiGate unit in its WAN optimization peer configuration. The server-side FortiGate unit is located between the server network and the WAN, The peer configuration allows the client-side FortiGate unit to find the server-side FortiGate unit and attempt to establish a WAN optimization tunnel with it.

For the server-side FortiGate unit you must add a security policy with wanopt as the Incoming Interface. This security policy allows the FortiGate unit to accept WAN optimization sessions from the client-side FortiGate unit. For the server-side FortiGate unit to accept a WAN optimization connection it must have the client-side FortiGate unit in its WAN optimization peer configuration.

WAN optimization profiles are only added to the client-side WAN optimization security policy. The server-side FortiGate unit employs the WAN optimization settings set in the WAN optimization profile on the client-side FortiGate unit.

 

Client/server architecture

When both peers are identified the FortiGate units attempt to establish a WAN optimization tunnel between them. WAN optimization tunnels use port 7810. All optimized data flowing across the WAN between the client- side and server-side FortiGate units use this tunnel. WAN optimization tunnels can be encrypted use SSL encryption to keep the data in the tunnel secure.

Any traffic can be sent through a WAN optimization tunnel. This includes SSL and IPsec VPN traffic. However, instead of configuring SSL or IPsec VPN for this communication you can add SSL encryption using the WAN optimization tunnel.

In addition to basic identification by peer host ID and IP address you can configure WAN optimization authentication using certificates and pre-shared keys to improve security. You can also configure FortiGate units involved in WAN optimization to accept connections from any identified peer or restrict connections to specific peers.

The FortiClient application can act in the same manner as a client-side FortiGate unit to optimize traffic between a computer running FortiClient and a FortiGate unit.

Web caching topologies

Web caching topologies

FortiGate web caching can be added to any security policy and any HTTP or HTTPS traffic accepted by that security policy can be cached on the FortiGate unit hard disk. This includes WAN optimization and explicit web proxy traffic. The network topologies for these scenarios are very similar. They involved a FortiGate unit installed between users and web servers with web caching enabled.

A typical web-caching topology includes one FortiGate unit that acts as a web cache server. Web caching is enabled in a security policy and the FortiGate unit intercepts web page requests accepted by the security policy, requests web pages from the web servers, caches the web page contents, and returns the web page contents to the users. When the FortiGate unit intercepts subsequent requests for cached web pages, the FortiGate unit contacts the destination web server just to check for changes.

 

Web caching topology

You can also configure reverse proxy web-caching. In this configuration, users on the Internet browse to a web server installed behind a FortiGate unit. The FortiGate unit intercepts the web traffic (HTTP and HTTPS) and caches pages from the web server. Reverse proxy web caching on the FortiGate unit reduces the number of requests that the web server must handle, leaving it free to process new requests that it has not serviced before.

 

Reverse proxy web caching topology

WCCP topologies

You can operate a FortiGate unit as a Web Cache Communication Protocol (WCCP) router or cache engine. As a router, the FortiGate unit intercepts web browsing requests from client web browsers and forwards them to a WCCP cache engine. The cache engine returns the required cached content to the client web browser. If the cache server does not have the required content it accesses the content, caches it and returns the content to the client web browser.

 

WCCP topology

Example network topologies

Example network topologies

FortiGate WAN optimization consists of a number of techniques that you can apply to improve the efficiency of communication across your WAN. These techniques include protocol optimization, byte caching, web caching, SSL offloading, and secure tunneling. Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI protocol, as well as general TCP traffic. Byte caching caches files and other data on FortiGate units to reduce the amount of data transmitted across the WAN. Web caching stores web pages on FortiGate units to reduce latency and delays between the WAN and web servers. SSL offloading offloads SSL decryption and encryption from web servers onto FortiGate SSL acceleration hardware. Secure tunneling secures traffic as it crosses the WAN.

You can apply different combinations of these WAN optimization techniques to a single traffic stream depending on the traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP and HTTPS traffic, you can also apply protocol optimization and web caching.

You can configure a FortiGate unit to be an explicit web proxy server for both IPv4 and IPv6 traffic and an explicit FTP proxy server. Users on your internal network can browse the Internet through the explicit web proxy server or connect to FTP servers through the explicit FTP proxy server. You can also configure these proxies to protect access to web or FTP servers behind the FortiGate unit using a reverse proxy configuration.

Web caching can be applied to any HTTP or HTTPS traffic, this includes normal traffic accepted by a security policy, explicit web proxy traffic, and WAN optimization traffic.

You can also configure a FortiGate unit to operate as a Web Cache Communication Protocol (WCCP) client or server. WCCP provides the ability to offload web caching to one or more redundant web caching servers.

FortiGate units can also apply security profiles to traffic as part of a WAN optimization, explicit web proxy, explicit FTP proxy, web cache and WCCP configuration. Security policies that include any of these options can also include settings to apply all forms of security profiles supported by your FortiGate unit.

 

Basic WAN optimization topology

The basic FortiGate WAN optimization topology consists of two FortiGate units operating as WAN optimization peers intercepting and optimizing traffic crossing the WAN between the private networks.

 

Security device and WAN optimization topology

 

FortiGate units can be deployed as security devices that protect private networks connected to the WAN and also perform WAN optimization. In this configuration, the FortiGate units are configured as typical security devices for the private networks and are also configured for WAN optimization. The WAN optimization configuration intercepts traffic to be optimized as it passes through the FortiGate unit and uses a WAN optimization tunnel with another FortiGate unit to optimize the traffic that crosses the WAN.

You can also deploy WAN optimization on single-purpose FortiGate units that only perform WAN optimization. In the out of path WAN optimization topology shown below, FortiGate units are located on the WAN outside of the private networks. You can also install the WAN optimization FortiGate units behind the security devices on the private networks.

The WAN optimization configuration is the same for FortiGate units deployed as security devices and for single- purpose WAN optimization FortiGate units. The only differences would result from the different network topologies.

Other new explicit proxy features

Other new explicit proxy features

 

New explicit proxy firewall address types (284753)

New explicit proxy firewall address types improve granularity over header matching for explicit web proxy policies. You can enable this option using the Show in Address List button on the Address and Address Group New/Edit forms under Policy & Objects > Addresses.

 

The following new address types have been added:

  • URL Pattern – destination address
  • Host Regex Match – destination address
  • URL Category – destination address (URL filtering)
  • HTTP Method – source address
  • User Agent – source address
  • HTTP Header – source address
  • Advanced (Source) – source address (combines User Agent, HTTP Method, and HTTP Header)
  • Advanced (Destination) – destination address (combines Host Regex Match and URL Category)

 

Disclaimer messages can be added to explicit proxy policies (273208)

Disclaimer options are now available for each explicit proxy policy or split policy of ID-based policy. This feature allows you to create user exceptions for specific URL categories (including warning messages) based on user groups.

The Disclaimer Options are configured under Policy & Objects > Explicit Proxy Policy. You can also configure a disclaimer for each Authentication Rule by setting Action to Authenticate.

 

Disclaimer explanations

  • Disable: No disclaimer (default setting).
  • By Domain: The disclaimer will be displayed on different domains. The explicit web proxy will check the referring header to mitigate the javascript/css/images/video/etc page.
  • By Policy: The disclaimer will be displayed ifa the HTTP request matches a different explicit firewall policy.
  • By User: The disclaimer will be displayed when a new user logs on.

 

Firewall virtual IPs (VIPs) can be used with Explicit Proxy policies (234974)

The explicit web-proxy will now accept VIP addresses for destination address. If an external IP matches a VIP policy, the IP is changed to the mapped-IP of the VIP.

 

Implement Botnet features for explicit policy (259580)

The option scan-botnet-connections has been added to the firewall explicit proxy policy.

 

Syntax:

config firewall explicit-proxy-policy edit <policyid>

set scan-botnet-connections [disable/block/monitor]

end

 

where:

disable means do not scan connections to botnet servers. block means block connections to botnet servers. monitor means log connections to botnet servers.

 

Add HTTP.REFERRER URL to web filter logs (260538)

Added support for the referrer field in the HTTP header on webfilter log, this field along with others in the HTTP header are very useful in heuristic analysis /search for malware infested hosts.

 

Adding guest management to explicit web proxy (247566)

Allow user group with type Guest to be referenced in explicit-proxy-policy.

Wan Optimization

Wan Optimization

The FortiOS Handbook chapter contains the following sections:

  • Example network topologies provides an overview of FortiGate WAN optimization best practices and technologies and some of the concepts and rules for using them. We recommend that you begin with this chapter before attempting to configure your FortiGate unit to use WAN optimization.
  • Configuring WAN optimization provides basic configuration for WAN optimization rules, including adding rules, organizing rules in the rule list and using WAN optimization addresses. This chapter also explains how WAN optimization accepts sessions, as well as how and when you can apply security profiles to WAN optimization traffic.
  • Peers and authentication groups describes how to use WAN optimization peers and authentication groups to control access to WAN optimization tunnels.
  • Configuration examples describes basic active-passive and peer-to-peer WAN optimization configuration examples.

This chapter is a good place to start learning how to put an actual WAN optimization network together.

  • Web caching and SSL offloading describes how web caching works to cache HTTP and HTTPS, how to use SSL offloading to improved performance of HTTPS websites, and includes web caching configuration examples.
  • FortiClient WAN optimization describes how FortiGate and FortiClient WAN optimization work together and includes an example configuration.
  • The FortiGate explicit web proxy describes how to configure the FortiGate explicit web proxy, how users connect to the explicit web proxy, and how to add web caching to the explicit web proxy.
  • The FortiGate explicit FTP proxy describes how to configure the FortiGate explicit FTP proxy and how users connect to the explicit FTP proxy.
  • FortiGate WCCP describes FortiGate WCCP and how to configure WCCP and the WCCP client.
  • Diagnose commands describes get and diagnose commands available for troubleshooting WAN optimization, web cache, and WCCP.

 

 

Whats new in FortiOS 5.4

 

Toggle Disk Usage for logging or wan-opt (290892)

Both logging and WAN Optimization use hard disk space to save data. For FortiOS 5.4 you cannot use the same hard disk for WAN Optimization and logging.

  • If the FortiGate has one hard disk, then it can be used for either disk logging or WAN optimization, but not both. By default, the hard disk is used for disk logging.
  • If the FortiGate has two hard disks, then one disk is always used for disk logging and the other disk is always used for WAN optimization.

On the FortiGate, go to System > Advanced > Disk Settings to switch between Local Log and WAN Optimization.

 

You can also change disk usage from the CLI using the following command:

configure system global

set disk-usage {log | wanopt}

end

 

The Toggle Disk Usage feature is supported on all new “E” Series models, while sup- port for “D” Series models may vary.

Please refer to the Feature Platform Matrix for more information.

Changing the disk setting formats the disk, erases current data stored on the disk and disables either disk logging or WAN Optimization.

You can configure WAN Optimization from the CLI or the GUI. To configure WAN Optimization from the GUI you must go to System > Feature Select and turn on WAN Optimization.

Remote logging (including logging to FortiAnalyzer and remote Syslog servers) is not affected by using the single local hard disk for WAN Optimization.

 

Enabling WAN Optimization affects more than just disk logging

In addition to affecting WAN Optimization, the following table shows other features affected by the FortiGate disk configuration.

 

Features affected by Disk Usage as per the number of internal hard disks on the FortiGate

Feature Logging Only

(1 hard disk)

WAN Opt. Only

(1 hard disk)

Logging & WAN Opt. (2 hard disks)
 

Logging

 

Supported

 

Not supported

 

Supported

 

Report/Historical

FortiView

 

Supported

 

Not supported

 

Supported

 

Firewall Packet Capture (Policy Capture and Inter- face Capture)

 

Supported

 

Not supported

 

Supported

 

AV Quarantine

 

Supported

 

Not supported

 

Supported

 

IPS Packet Cap- ture

 

Supported.

 

Not supported

 

Supported

 

DLP Archive

 

Supported

 

Not supported

 

Supported

Feature                    Logging Only

(1 hard disk)

WAN Opt. Only

(1 hard disk)

Logging & WAN Opt. (2 hard disks)

 

SandboDB & Results

FortiSandbox database and results are also stored on disk, but will not be affected by this feature.

 

MAPI AV scanning is supported over WAN Optimization (267975)

AV works on MAPI when WAN Optimization is used.

Distributing WAN optimization, explicit proxy, and web caching to multiple CPU Cores

Distributing WAN optimization, explicit proxy, and web caching to multiple CPU Cores

By default WAN optimization, explicit proxy and web caching is handled by half of the CPU cores in a FortiGate unit. For example, if your FortiGate unit has 4 CPU cores, by default two will be used for WAN optimization, explicit proxy and web caching. You can use the following command to change the number of CPU cores that are used.

config system global

set wad-worker-count <number>

end

 

The value for <number> can be between 1 and the total number of CPU cores in your FortiGate unit. Adding more cores may enhance WAN optimization, explicit proxy and web caching performance and reduce the performance of other FortiGate systems.

Chapter 30 – WAN Optimization, Web Cache, Explicit

Chapter 30 – WAN Optimization, Web Cache, Explicit Proxy, and WCCP

 

Toggling Disk Usage for logging or wan-opt

Both logging and WAN Optimization use hard disk space to save data. For FortiOS 5.4 you cannot use the same hard disk for WAN Optimization and logging.

  • If the FortiGate has one hard disk, then it can be used for either disk logging or WAN optimization, but not both. By default, the hard disk is used for disk logging.
  • If the FortiGate has two hard disks, then one disk is always used for disk logging and the other disk is always used for WAN optimization.

On the FortiGate, go to System > Advanced > Disk Settings to switch between Local Log and WAN Optimization.

 

You can also change disk usage from the CLI using the following command:

configure system global

set disk-usage {log | wanopt}

end

 

The Toggle Disk Usage feature is supported on all new “E” Series models, while sup- port for “D” Series models may vary.

Please refer to the Feature Platform Matrix for more information.

Changing the disk setting formats the disk, erases current data stored on the disk and disables either disk logging or WAN Optimization.

You can configure WAN Optimization from the CLI or the GUI. To configure WAN Optimization from the GUI you must go to System > Feature Select and turn on WAN Optimization.

Remote logging (including logging to FortiAnalyzer and remote Syslog servers) is not affected by using the single local hard disk for WAN Optimization.

 

Enabling WAN Optimization affects more than just disk logging

In addition to affecting WAN Optimization, the following table shows other features affected by the FortiGate disk configuration.

to multiple CPU Cores Proxy, and WCCP

 

 

Features affected by Disk Usage as per the number of internal hard disks on the FortiGate

Feature Logging Only

(1 hard disk)

WAN Opt. Only

(1 hard disk)

Logging & WAN Opt. (2 hard disks)
 

Logging

 

Supported

 

Not supported

 

Supported

 

Report/Historical

FortiView

 

Supported

 

Not supported

 

Supported

 

Firewall Packet Capture (Policy Capture and Inter- face Capture)

 

Supported

 

Not supported

 

Supported

 

AV Quarantine

 

Supported

 

Not supported

 

Supported

 

IPS Packet Cap- ture

 

Supported.

 

Not supported

 

Supported

 

DLP Archive

 

Supported

 

Not supported

 

Supported

Sandbox

DB & Results

FortiSandbox database and results are also stored on disk, but will not be affected by this feature.

SIP debugging

SIP debugging

SIP debug log format

Assuming that diagnose debug console timestamp is enabled then the following shows the debug that is generated for an INVITE if diag debug appl sip -1 is enabled:

2010-01-04 21:39:59 sip port 26 locate session for 192.168.2.134:5061 -> 172.16.67.192:5060

2010-01-04 21:39:59 sip sess 0x979df38 found for 192.168.2.134:5061 -> 172.16.67.192:5060

2010-01-04 21:39:59 sip port 26 192.168.2.134:5061 -> 172.16.67.192:5060

2010-01-04 21:39:59 sip port 26 read [(0,515) (494e56495445207369703a73657276696365403139322e3136382e322e3130303a35303630205349502f322e300d0a5669613a2

05349502f322e302f554450203132372e302e312e313a353036313b6272616e63683d7a39684734624b2d363832372d3632302d3

00d0a46726f6d3a2073697070203c7369703a73697070403132372e302e312e313a353036313e3b7461673d36383237534950705

4616730303632300d0a546f3a20737574203c7369703a73657276696365403139322e3136382e322e3130303a353036303e0d0a4

3616c6c2d49443a203632302d36383237403132372e302e312e310d0a435365713a203120494e564954450d0a436f6e746163743 a207369703a73697070403132372e302e312e313a353036310d0a4d61782d466f7277617264733a2037300d0a5375626a6563743 a20506572666f726d616e636520546573740d0a436f6e74656e742d547970653a206170706c69636174696f6e2f7364700d0a436 f6e74656e742d4c656e6774683a20203132390d0a0d0a763d300d0a6f3d757365723120353336353537363520323335333638373

6333720494e20495034203132372e302e312e310d0a733d2d0d0a633d494e20495034203132372e302e312e310d0a743d3020300 d0a6d3d617564696f2036303031205254502f41565020300d0a613d7274706d61703a302050434d552f383030300d0a)(INVITE sip:service@192.168.2.100:5060 SIP/2.0..Via: SIP/2.0/UDP

127.0.1.1:5061;branch=z9hG4bK-6827-620-0..From: sipp

%lt;sip:sipp@127.0.1.1:5061>;tag=6827SIPpTag00620..To: sut

%lt;sip:service@192.168.2.100:5060>..Call-ID: 620-6827@127.0.1.1..CSeq: 1

INVITE..Contact: sip:sipp@127.0.1.1:5061..Max-Forwards: 70..Subject: Performance

Test..Content-Type: application/sdp..Content-Length: 129….v=0..o=user1 53655765

2353687637 IN IP4 127.0.1.1..s=-..c=IN IP4 127.0.1.1..t=0 0..m=audio 6001 RTP/AVP

0..a=rtpmap:0 PCMU/8000..)]

2010-01-04 21:39:59 sip port 26 len 515

2010-01-04 21:39:59 sip port 26 INVITE ‘192.168.2.100:5060’ addr 192.168.2.100:5060

2010-01-04 21:39:59 sip port 26 CSeq: 1 INVITE

2010-01-04 21:39:59 sip port 26 Via: UDP 127.0.1.1:5061 len 14 received 0 rport 0 0 branch ‘z9hG4bK-

6827-620-0’

2010-01-04 21:39:59 sip port 26 From: ‘sipp ;tag=6827SIPpTag00620’ URI ‘sip:sipp@127.0.1.1:5061‘ tag

‘6827SIPpTag00620’

2010-01-04 21:39:59 sip port 26 To: ‘sut ‘ URI ‘sip:service@192.168.2.100:5060‘ tag ”

2010-01-04 21:39:59 sip port 26 Call-ID: ‘620-6827@127.0.1.1

2010-01-04 21:39:59 sip port 26 Contact: ‘127.0.1.1:5061’ addr 127.0.1.1:5061 expires 0

2010-01-04 21:39:59 sip port 26 Content-Length: 129 len 3

2010-01-04 21:39:59 sip port 26 sdp o=127.0.1.1 len=9

2010-01-04 21:39:59 sip port 26 sdp c=127.0.1.1 len=9

2010-01-04 21:39:59 sip port 26 sdp m=6001 len=4

2010-01-04 21:39:59 sip port 26 find call 0 ‘620-6827@127.0.1.1

2010-01-04 21:39:59 sip port 26 not found

2010-01-04 21:39:59 sip port 26 call 0x97a47c0 open (collision (nil))

2010-01-04 21:39:59 sip port 26 call 0x97a47c0 open txn 0x979f7f8 INVITE dir 0

2010-01-04 21:39:59 sip port 26 sdp i: 127.0.1.1:6001

2010-01-04 21:39:59 sip port 26 policy id 1 is_client_vs_policy 1 policy_dir_rev 0

2010-01-04 21:39:59 sip port 26 policy 1 not RTP policy

2010-01-04 21:39:59 sip port 26 learn sdp from stream address

2010-01-04 21:39:59 sip port 26 call 0x97a47c0 sdp 172.16.67.198:43722

2010-01-04 21:39:59 sip port 26 call 0x97a47c0 txn 0x979f7f8 127.0.1.1:5061 find new address and port

2010-01-04 21:39:59 sip port 26 call 0x97a47c0 txn 0x979f7f8 127.0.1.1:5061 find new address and port

2010-01-04 21:39:59 sip port 26 call 0x97a47c0 txn 0x979f7f8 127.0.1.1:5061 find new address and port

2010-01-04 21:39:59 sip port 30 write 192.168.2.134:5061 -> 172.16.67.192:5060 (13,539)

2010-01-04 21:39:59 sip port 30 write [(13,539)

50d0a436f6e746163743a207369703a73697070403137322e31362e36372e3139383a34333732350d0a4d61782d466f727761726

4733a2037300d0a5375626a6563743a20506572666f726d616e636520546573740d0a436f6e74656e742d547970653a206170706 c69636174696f6e2f7364700d0a436f6e74656e742d4c656e6774683a20203133380d0a0d0a763d300d0a6f3d757365723120353

3363535373635203233353336383736333720494e20495034203137322e31362e36372e3139380d0a733d2d0d0a633d494e20495

034203137322e31362e36372e3139380d0a743d3020300d0a6d3d617564696f203433373232205254502f41565020300d0a613d7

274706d61703a302050434d552f383030300d0a)(INVITE sip:service@172.16.67.192:5060 SIP/2.0..Via: SIP/2.0/UDP

172.16.67.198:52065;branch=z9hG4bK-6827-620-0..From: sipp ;tag=6827SIPpTag00620..To: sut ..Call-ID: 620-

6827@127.0.1.1..CSeq: 1 INVITE..Contact: sip:sipp@172.16.67.198:43725..Max-Forwards: 70..Subject: Performance Test..Content-Type: application/sdp..Content-Length: 138….v=0..o=user1 53655765 2353687637

IN IP4 172.16.67.198..s=-..c=IN IP4 172.16.67.198..t=0 0..m=audio 43722 RTP/AVP 0..a=rtpmap:0

PCMU/8000..)]

 

SIPproxy filter per VDOM

You can use the diagnose sys sip-proxy xxx command in a VDOM to get info about how SIP is operating in each VDOM.

 

SIPproxy filter command

Use the diagnose system sip-proxy filter to filter diagnose information for the SIP ALG. The following filters are available:

 

diag sys sip-proxy filter vd

diag sys sip-proxy filter dst-addr4 diag sys sip-proxy filter dst-addr6 diag sys sip-proxy filter dst-port

diag sys sip-proxy filter identity-policy diag sys sip-proxy filter negate

diag sys sip-proxy filter policy

diag sys sip-proxy filter policy-type diag sys sip-proxy filter profile-group diag sys sip-proxy filter src-addr4

diag sys sip-proxy filter src-addr6 diag sys sip-proxy filter src-port diag sys sip-proxy filter vd

diag sys sip-proxy filter voip-profile

You can clear, view and negate/invert the sense of a filter using these commands:

 

diag sys sip-proxy filter clear diag sys sip-proxy filter list diag sys sip-proxy filter negate

 

SIP debug log filtering

You can filter by VDOM/IP/PORT and by policy and VoIP profile. The filtering can be controlled by:

diagnose system sip-proxy log-filter

 

The list of filters is:

diag sys sip-proxy log-filter vd

diag sys sip-proxy log-filter dst-addr4 diag sys sip-proxy log-filter dst-addr6 diag sys sip-proxy log-filter dst-port

diag sys sip-proxy log-filter identity-policy diag sys sip-proxy log-filter policy

diag sys sip-proxy log-filter policy-type diag sys sip-proxy log-filter profile-group diag sys sip-proxy log-filter src-addr4

diag sys sip-proxy log-filter src-addr6

diag sys sip-proxy log-filter src-port diag sys sip-proxy log-filter vd

diag sys sip-proxy log-filter voip-profile

 

You can clear, view and negate/invert the sense of a filter using these commands:

diag sys sip-proxy log-filter clear diag sys sip-proxy log-filter list diag sys sip-proxy log-filter negate

 

SIP debug setting

Control of the SIP debug output is governed by the following command

diagnose debug application sip <debug_level_int>

Where the <debug_level_int> is a bitmask and the individual values determine whether the listed items are logged or not. The <debug_level_int> can be:

1                                 Configuration changes, mainly addition/deletion/modification of virtual domains.

2                                 TCP connection accepts or connects, redirect creation.

4                                 Create or delete a session.

16                               Any IO read or write.

32                               An ASCII dump of all data read or written.

64                               Include HEX dump in the above output.

128                             Any activity related to the use of the FortiCarrier dynamic profile feature to determine the correct profile-group to use.

256                             Log summary of interesting fields in a SIP call.

1024                           Any activity related to SIP geo-redundancy.

2048                           Any activity related to HA syncing of SIP calls.

 

Display SIP rate-limit data

You can use the diagnose sys sip-proxy meters command to display SIP rate limiting data. For the following command output rate 1 shows that the current (over last second) measured rate for INVITE/ACK and BYTE was 1 per second, the peak 1 shows that the peak rate recorded is 1 per second, the max 0 shows that there is no maximum limit set, the count 18 indicates that 18 messages were received and drop 0 indicates that none were dropped due to being over the limit.

diag sys sip-proxy meters sip

sip vd: 0

sip policy: 1

sip identity-policy: 0 sip policy-type: IPv4

sip profile-group:

sip dialogs: 18

sip dialog-limit: 0

sip UNKNOWN: rate 0 peak 0 max 0 count 0 drop 0 sip ACK: rate 1 peak 1 max 0 count 18 drop 0

sip BYE: rate 1 peak 1 max 0 count 18 drop 0 sip CANCEL: rate 0 peak 0 max 0 count 0 drop 0 sip INFO: rate 0 peak 0 max 0 count 0 drop 0

sip INVITE: rate 1 peak 1 max 0 count 18 drop 0 sip MESSAGE: rate 0 peak 0 max 0 count 0 drop 0 sip NOTIFY: rate 0 peak 0 max 0 count 0 drop 0 sip OPTIONS: rate 0 peak 0 max 0 count 0 drop 0 sip PRACK: rate 0 peak 0 max 0 count 0 drop 0 sip PUBLISH: rate 0 peak 0 max 0 count 0 drop 0 sip REFER: rate 0 peak 0 max 0 count 0 drop 0

sip REGISTER: rate 0 peak 0 max 0 count 0 drop 0 sip SUBSCRIBE: rate 0 peak 0 max 0 count 0 drop 0 sip UPDATE: rate 0 peak 0 max 0 count 0 drop 0

sip PING: rate 0 peak 0 max 0 count 0 drop 0

sip YAHOOREF: rate 0 peak 0 max 0 count 0 drop 0