Debug flow will help you troubleshoot the logic process the FortiGate takes when forwarding traffic. We will go over some specifics on reading debug flow: - Traffic direction - Interfaces - Routing - Policy Matching - Trace ID - Session matching - "No matching IPsec selector, drop" message - "Allowed by Policy" message - "reverse path check fail, drop" message - "Denied by forward policy check (policy 0)" message Debug Flow Command Review: diag debug flow filter #view the current filter diag debug flow filter clear #clear the debug flow filter diag debug flow filter proto 1 #filter for protocol 1 diag debug flow filter addr diag debug console timestamp enable #enable timestamp in outputs diag debug flow trace start x #how many packets to trace/debug diag debug enable #enable the debug diag debug disable #disable the debug diag debug reset #reset all debug parameters (includes debug flow filter clear) 0:00 Overview 0:38 Debug Flow Filter 2:07 Example #1 - working example 4:45 Example #2 - non-working example 6:49 Example #3 - another non-working example