Log messages

Log messages often contain clues that can aid you in determining the cause of a problem. FortiMail units can record log messages when errors occur that cause failures, upon significant changes, and upon processing events.

Depending on the type, log messages may appear in either the history, event, antivirus, or antispam logs. For example:

• To determine when and why an email was quarantined, you might examine the Classifier and Disposition fields in the history log.
• To determine if an antiSpam scan query was able to reach the FDN, you might examine the Message field in the antispam log.

During troubleshooting, you may find it useful to reduce the logging severity threshold for more verbose logs, to include more information on less severe events.

For example, when the FortiMail unit cannot reach the FDN or override server for FortiGuard

Antispam queries, the associated log message in the antispam log has a severity level of Notification. If your severity threshold is currently greater than Notification (such as Warning or Error), the FortiMail unit will not record that log message, and you will not be notified of the error. Often this error might occur due to temporary connectivity problems, and is not critical. However, if you are frequently encountering this issue, you may want to lower the severity threshold to determine how often the issue is occurring and whether the cause of the problem is persistent.

Similar to how the FortiMail unit will not record log messages below the severity threshold, if the FortiMail unit is not enabled to record event, history, antivirus, and antispam log messages, you will not be able to analyze the log messages for events of that type. During troubleshooting, be sure that log messages are enabled for the type of event that you want to analyze.

To configure the severity threshold, go to Log and Report > Log Setting and set the logging level on one or both of the tabs. To enable logging of different types of events, select applicable options under Logging Policy Configuration on either or both tabs.

Greylist and sender reputation displays

If an SMTP client is unable to send email despite being able to initiate SMTP connections to or through the FortiMail unit, and is receiving SMTP error codes that indicate temporary failure or permanent rejection, verify that the SMTP client has not been temporarily blocked by the greylist or sender reputation features.

To view the lists of SMTP clients and their statuses with those features, go to Monitor > Greylist > Display and Monitor > Sender Reputation > Display, respectively.

Mail queues and quarantines

If email has not successfully passed to or through the FortiMail unit, but you have been able to successfully initiate the SMTP connection and send the email and have not received any SMTP error codes, verify that delivery has not been delayed and that the email message has not been quarantined.

To view the mail queues, go to Monitor> Mail Queue, then select a mail queue tab. To view the per-recipient or system quarantine, go to Monitor > Quarantine, then select either the Personal Quarantine or System Quarantine tab.

Packet capture

Packet capture, also known as sniffing, records some or all of the packets seen by a network interface. By recording packets, you can trace connection states to the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to detect.

FortiMail units have a built-in sniffer. Packet capture on FortiMail units is similar to that of

FortiGate units. To use the built-in sniffer, connect to the CLI and enter the following command: diagnose sniffer packet <interface_str> ‘<filter_str>’

<verbosity_level_int> <packet_count_int> where:

• <interface_str> is the name of a network interface, such as port1,or enter any for all interfaces.
• ‘<filter_str>’ is the sniffer filter that specifies which protocols and port numbers that you do or do not want to capture, such as ‘tcp port 25’,or enter none for no filters.
• <verbosity_level_int> is an integer indicating the depth of packet headers and payloads to display.
• <packet_count_int> is the number of packets the sniffer reads before stopping. Packet capture output is printed to your CLI display until you stop it by pressing Ctrl + C, or until it reaches the number of packets that you have specified to capture.

Packet capture can be very resource intensive. To minimize the performance impact on your

FortiMail unit, use packet capture only during periods of minimal traffic, with a serial console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.

For example, you might selectively capture packets for FortiGuard Antispam queries occurring through port1 (commands that you would type are highlighted in bold; responses from the FortiMail unit are not bolded):

FortiMail-400 # diag sniffer packet port1 ‘udp port 8889’ 3

2.685841 172.16.1.10.47319 -> 212.95.252.120.8889: udp 64 0x0000 0009 0f84 27fe 0009 0f15 02e8 0800 4500….’………E.

0x0010 005c 0000 4000 4011 44ff ac14 78a5 d45f.\..@.@.D…x.._ 0x0020 fc78 b8d7 22b9 0048 9232 6968 726a b3c5.x..”..H.2ihrj..

0x0030 776c 2d2f 5a5f 545e 4555 5b5f 425b 545fwl-/Z_T^EU[_B[T_

0x0040 4559 6b6a 776b 646e 776c 6b6a 772b 646eEYkjwkdnwlkjw+dn 0x0050 776c 6b6a 776b 646e 776c 6b6a 776b 86a9wlkjwkdnwlkjwk..

0x0060 db73 21e1 5622 c618 7d6c               .s!.V”..}l

Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain text file using your CLI client. Saving the output provides several advantages. Packets can arrive more rapidly than you may be able to read them in the buffer of your CLI display, and many protocols transfer data using encodings other than US-ASCII. It is usually preferable to analyze the output by loading it into in a network protocol analyzer application such as Wireshark (http://www.wireshark.org/).

For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output. Methods may vary. See the documentation for your CLI client.

Requirements

• terminal emulation software such as PuTTY
• a plain text editor such as Notepad
• a Perl interpreter
• network protocol analyzer software such as Wireshark

To view packet capture output using PuTTY and Wireshark

1. On your management computer, start PuTTY.
2. Use PuTTY to connect to the FortiMail appliance using either a local serial console, SSH, or Telnet connection. For details, see the FortiMail CLI Reference.
3. Type the packet capture command, such as:

diag sniffer packet port1 ‘tcp port 25’ 3

but do not press Enter yet.

4. In the upper left corner of the window, click the PuTTY icon to open its drop-down menu, then select Change Settings.

A dialog appears where you can configure PuTTY to save output to a plain text file.

5. In the Category tree on the left, go to Session > Logging.
6. In Session logging, select Printable output.
7. In Log file name, click the Browse button, then choose a directory path and file name such as C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. (You do not need to save it with the .log file extension.)
8. Click Apply.
9. Press Enter to send the CLI command to the FortiMail unit, beginning packet capture.

10.If you have not specified a number of packets to capture, when you have captured all packets that you want to analyze, press Ctrl + C to stop the capture.

11.Close the PuTTY window.

12.Open the packet capture file using a plain text editor such as Notepad.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=

FortiMail-2000 #

These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you do not delete them, they could interfere with the script in the next step.

14.Convert the plain text file to a format recognizable by your network protocol analyzer application.

You can convert the plain text file to a format (.pcap) recognizable by Wireshark (formerly called Ethereal) using the fgt2eth.pl Perl script. To download fgt2eth.pl, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.

To use fgt2eth.pl, open a command prompt, then enter a command such as the following:

fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap

where:

• pl is the name of the conversion script; include the path relative to the current directory, which is indicated by the command prompt
• txt is the name of the packet capture’s output file; include the directory path relative to your current directory
• pcap is the name of the conversion script’s output file; include the directory path relative to your current directory where you want the converted output to be saved

Figure 63:Converting sniffer output to .pcap format

15.Open the converted file in your network protocol analyzer application. For further instructions, see the documentation for that application.

Figure 64:Viewing sniffer output in Wireshark

For additional information on packet capture, see the Fortinet Knowledge Center article Using the FortiOS built-in packet sniffer.

For more information on CLI commands, see the FortiMail CLI Reference.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!