
Debug Commands - New


Entering the correct vdom/global config

Remember to enter the correct vdom or global configuration tree before configuring anything:

config global

config vdom

edit <vdom-name>

To find a CLI command within the configuration, you can use the pipe sign "|" with "grep" (similar to
"include" on Cisco devices). Note the "-f" flag to show the whole config tree in which the keyword was
found, e.g.:
show | grep -f ipv6
show full-configuration | grep -f ipv6

General Information
The very basics:
get system interface physical #overview of hardware interfaces
get hardware nic <nic-name> #details of a single network interface, same as: diagnose hardware deviceinfo nic <nic-name>
fnsysctl ifconfig <nic-name> #kind of hidden command to see more interface stats such as errors
get system status #==show version
get system performance status #CPU and network usage
diagnose sys top #top with all forked processes
diagnose sys top-summary #top easier, incl. CPU and mem bars. Forks are displayed by [x13] or whatever
execute dhcp lease-list
diagnose ip arp list
diagnose ipv6 address list
diagnose ipv6 neighbor-cache list
diagnose sys ntp status
diagnose autoupdate versions #lists the attack definition versions, last update, etc.
diagnose log test #generates all possible log entries
diagnose test application dnsproxy 6 #shows the IP addresses of FQDN objects
diagnose debug crashlog read #shows crashlog, a status of 0 indicates a normal close of a process!

General Network Troubleshooting


These are basically ping and traceroute:
execute ping-options ?
execute ping-options source <ip-address-of-the-interface>
execute ping <hostname|ip>
execute ping6-options ?
execute ping6 <hostname|ip>
execute traceroute <hostname|ip>
execute tracert6 <hostname|ip>


Routing
get router info routing-table all #routing table
get router info6 routing-table #IPv6 without the "all" keyword
get router info kernel #Forwarding Information Base
get router info6 kernel
get router <routing-protocol> #basic information about the enabled routing protocol
diagnose firewall proute list #policy-based routing
diagnose firewall proute6 list
diagnose ip rtcache list #route cache = current sessions w/ routing information

DHCP
execute dhcp lease-list
execute dhcp lease-clear <ip address>
execute dhcp lease-clear all

diag sniffer packet any "port 67 or port 68" 6 0 a

diag deb reset
diag deb application dhcps -1
diag deb en
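The `6 0 a` sniffer captures used here and throughout this document (verbosity 6: full Ethernet frame plus interface name, count 0: run until Ctrl+C, `a`: absolute timestamps) are normally saved from the PuTTY session log and converted to pcap so they can be opened in Wireshark, which is what Fortinet's fgt2eth script does. The converter below is an added example written for this page, not code from the document or from Fortinet. The capture text it parses is constructed in the style of the sniffer's verbosity-6 output (a hypothetical ICMP echo exchange with private and test addresses), function names are mine, and `convert_file` assumes the PuTTY log was saved as plain text.

```python
import re
import struct
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed sample in the style of `diagnose sniffer packet any "host 4.2.2.2 and icmp" 6 0 a`
# output (one echo request and its reply); not captured from a real device.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 4.2.2.2 and icmp]
2019-05-07 10:23:45.123456 port2 in 192.168.1.10 -> 4.2.2.2: icmp: echo request
0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4500\t..............E.
0x0010\t 001c 0001 0000 4001 b32a c0a8 010a 0402\t......@..*......
0x0020\t 0202 0800 f7fd 0001 0001\t..........
2019-05-07 10:23:45.140000 port1 in 4.2.2.2 -> 192.168.1.10: icmp: echo reply
0x0000\t 0009 0f09 0001 0009 0f09 0002 0800 4500\t..............E.
0x0010\t 001c 0002 0000 3f01 b429 0402 0202 c0a8\t......?..)......
0x0020\t 010a 0000 fffd 0001 0001\t..........
"""

# Packet header: absolute ("a") or relative timestamp, then interface and direction
# (present at verbosity 4-6), then the one-line summary.
HEADER_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+|\d+\.\d+)\s+"
    r"(?:(\S+)\s+(in|out|--)\s+)?"
    r"(.+)$"
)
HEX_RE = re.compile(r"^0x[0-9a-fA-F]{4}\s")          # hex dump line: offset, bytes, ASCII
HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")  # 2-byte words, last one may be 1 byte


@dataclass
class Packet:
    ts_sec: int
    ts_usec: int
    iface: str
    direction: str
    summary: str
    data: bytearray = field(default_factory=bytearray)


def _timestamp(text: str) -> Tuple[int, int]:
    """Absolute sniffer timestamps are UTC; relative ones are seconds since capture start."""
    if "-" in text:
        dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()), dt.microsecond
    sec, frac = text.split(".")
    return int(sec), int(frac.ljust(6, "0")[:6])


def _hex_bytes(line: str) -> bytearray:
    """Take the hex column of a dump line; stop at the ASCII column or after 16 bytes."""
    body = line.split("\t")[1] if "\t" in line else line[6:]
    out = bytearray()
    for tok in body.split():
        if not HEX_TOKEN.match(tok) or len(out) >= 16:
            break
        out += bytes.fromhex(tok)
    return out


def parse_sniffer_output(text: str) -> List[Packet]:
    packets: List[Packet] = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sec, usec = _timestamp(m.group(1))
            cur = Packet(sec, usec, m.group(2) or "", m.group(3) or "", m.group(4))
            packets.append(cur)
        elif cur is not None and HEX_RE.match(line):
            cur.data += _hex_bytes(line)
    return packets


def to_pcap(packets: List[Packet]) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet), which matches verbosity-6 frames."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for p in packets:
        out += struct.pack("<IIII", p.ts_sec, p.ts_usec, len(p.data), len(p.data))
        out += p.data
    return bytes(out)


def convert_file(in_path: str, out_path: str) -> int:
    """Convert a saved session log to pcap; returns the number of packets written."""
    with open(in_path, encoding="utf-8", errors="replace") as f:
        packets = parse_sniffer_output(f.read())
    with open(out_path, "wb") as f:
        f.write(to_pcap(packets))
    return len(packets)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(f"wrote {convert_file(sys.argv[1], sys.argv[2])} packets to {sys.argv[2]}")
    else:
        for p in parse_sniffer_output(SAMPLE_CAPTURE):
            print(p.ts_sec, p.ts_usec, p.iface, p.direction, p.summary, len(p.data), "bytes")
```

Other text in the PuTTY log (prompts, the `interfaces=`/`filters=` lines, any debug output mixed in) is skipped because it matches neither the header nor the hex-dump pattern, so a log that interleaves sniffer and `diagnose debug flow` output still converts.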

Session Table
Display the current active sessions:
get system session list #rough view with NAT, only IPv4
diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter dport 53
diagnose sys session list #show the session table with the filter just set
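The list command prints one multi-line block per session. Parsing a saved dump offline lets you apply the same src/dst/port filters after the fact and pull out what matters when a session looks wrong: the original 5-tuple, whether and how it is NATed, the policy that matched, and the remaining lifetime (`expire`). The parser below is an added example for this page, not a Fortinet tool; its sample text is constructed in the style of `diagnose sys session list` output (not a real dump), the function names are mine, and the field names (`policy_id`, `expire`, `hook=`/`dir=`/`act=`) are the ones FortiOS prints.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the style of `diagnose sys session list` output (not captured
# from a device): a source-NATed DNS query and an internal HTTPS session without NAT.
SAMPLE_SESSION_LIST = """\
session info: proto=17 proto_state=01 duration=4 expire=175 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty
statistic(bytes/packets/allow_err): org=73/1/1 reply=89/1/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=203.0.113.1/192.168.1.10
hook=post dir=org act=snat 192.168.1.10:54321->8.8.8.8:53(203.0.113.5:54321)
hook=pre dir=reply act=dnat 8.8.8.8:53->203.0.113.5:54321(192.168.1.10:54321)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000abcd tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=120 expire=3480 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty
statistic(bytes/packets/allow_err): org=5120/12/1 reply=40960/30/1 tuples=2
hook=pre dir=org act=noop 10.0.0.5:40000->10.0.1.7:443(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.1.7:443->10.0.0.5:40000(0.0.0.0:0)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
serial=0000abce tos=ff/ff app_list=0 app=0 url_cat=0
total session 2
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
# hook=<pre|post> dir=<org|reply> act=<noop|snat|dnat> src:sport->dst:dport(translated:port)
HOOK_RE = re.compile(
    r"hook=(\w+) dir=(\w+) act=(\w+) "
    r"([\d.]+):(\d+)->([\d.]+):(\d+)\(([\d.]+):(\d+)\)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _kv(text: str) -> Dict[str, object]:
    # proto_state is a state code such as "01"; keep it as text, other digit-only values become ints
    return {k: (int(v) if v.isdigit() and k != "proto_state" else v) for k, v in KV_RE.findall(text)}


def parse_session_list(text: str) -> List[Dict]:
    sessions: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("session info:"):
            cur = {"org": None, "reply": None, "nat": None}
            cur.update(_kv(line[len("session info:"):]))
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("hook="):
            m = HOOK_RE.match(line)
            if not m:
                continue
            hook, direction, act, src, sport, dst, dport, naddr, nport = m.groups()
            cur[direction] = {"hook": hook, "act": act, "src": src, "sport": int(sport),
                              "dst": dst, "dport": int(dport)}
            # the value in parentheses is the translated address/port of a snat/dnat entry
            if direction == "org" and act in ("snat", "dnat"):
                cur["nat"] = {"act": act, "addr": naddr, "port": int(nport)}
        elif line.startswith("misc="):
            cur.update(_kv(line))  # policy_id and vd live on this line
    return sessions


def filter_sessions(sessions: List[Dict], **criteria) -> List[Dict]:
    """Offline counterpart of `diagnose sys session filter <src|dst|sport|dport|proto|policy>`;
    address and port criteria are matched against the original (client) direction."""
    def matches(s: Dict) -> bool:
        org = s.get("org") or {}
        for key, want in criteria.items():
            if key == "policy":
                key = "policy_id"
            have = org.get(key) if key in ("src", "dst", "sport", "dport") else s.get(key)
            if have != want:
                return False
        return True
    return [s for s in sessions if matches(s)]


def describe(session: Dict) -> str:
    """One-line summary: tuple, NAT, matching policy and remaining lifetime."""
    org, nat = session["org"], session["nat"]
    proto = PROTO_NAMES.get(session.get("proto"), str(session.get("proto")))
    line = f"{proto} {org['src']}:{org['sport']} -> {org['dst']}:{org['dport']}"
    if nat:
        line += f" ({nat['act']} {nat['addr']}:{nat['port']})"
    return line + f" policy={session.get('policy_id')} expire={session.get('expire')}s"


if __name__ == "__main__":
    for s in filter_sessions(parse_session_list(SAMPLE_SESSION_LIST), dst="8.8.8.8", dport=53):
        print(describe(s))
```

A session whose `expire` keeps resetting to `timeout` while no traffic is expected, or one whose `policy_id` is not the policy you thought applied, is usually the quickest way to spot a misordered policy from a dump.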
VPN
TO FLUSH THE TUNNELS

# diag vpn tunnel flush <phase1 name>

# diag vpn tunnel reset <phase1 name>

Scenario1: [If tunnel is not up]


----------------------------------------
>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, and execute the below commands simultaneously on all the 3 putty
sessions

Putty1:
------------------------------

diagnose debug reset


diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 x.x.x.x ------------where x.x.x.x is the remote gateway IP
diagnose debug app ike -1
diagnose debug enable

After 5-10sec, disable the logs by executing


diagnose debug disable

Putty2:
---------------------------
>>Simultaneously open another session of putty, start the logging and run the below command

diagnose sniffer packet any "host b.b.b.b " 6 0 a

Where b.b.b.b is the remote gateway address

Putty3:
--------------------
get vpn ike gateway <name>
get vpn ipsec tunnel name <name>

get vpn ipsec tunnel details

diagnose vpn tunnel list

diagnose vpn ipsec status

get vpn ipsec stats tunnel

get vpn ipsec tunnel summary

get router info routing-table database

Scenario2: [If the tunnel is up and traffic is not passing through it]
------------------------------------------------------------------------
>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, run the below commands and initiate a ping from source to destination

Putty1:
---------------------

diagnose debug reset


diagnose debug disable
diagnose debug console timestamp enabled
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter saddr b.b.b.b -------------where b.b.b.b is the source IP address from which you
are initiating the ping
diagnose debug flow filter daddr y.y.y.y --------------where y.y.y.y is the destination IP address to which
you are initiating the ping
diagnose debug flow filter proto 1
diagnose debug flow trace start 100
diagnose debug enable

After 5-10sec, disable the logs by executing


diagnose debug disable
diagnose debug flow trace stop

Putty2:
---------------------
>>Simultaneously open another session of putty, start the logging and run the below command
diagnose sniffer packet any "host <remote-gw> and esp" 6 0 a

Putty3:
--------------------
get vpn ike gateway <name>

get vpn ipsec tunnel name <name>

get vpn ipsec tunnel details

diagnose vpn tunnel list

diagnose vpn ike gateway list

diagnose vpn ipsec status

get vpn ipsec stats tunnel

get vpn ipsec tunnel summary

get router info routing-table database

Log
For investigating the log entries (similar to the GUI), use the following filters, etc.:
execute log filter reset
execute log filter category event
execute log filter field #press enter for options
execute log filter field dstport 8001
execute log filter view-lines 1000
execute log filter start-line 1
execute log display
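`execute log display` prints each entry as a numbered line of key=value pairs, with quoted values that may contain spaces and parentheses. The filter commands above only narrow what the device prints; once the output is in a session log, the same category/field/start-line/view-lines selection can be reproduced offline, which is useful when a ticket needs the entries around an event rather than the whole dump. The parser below is an added example for this page, not a Fortinet tool; the log lines are constructed in the style of FortiOS event and traffic records (placeholder addresses, not from a device), and the function names are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of `execute log display` output: an admin login,
# two traffic records to dstport 8001 (one accepted, one denied) and a failed login.
SAMPLE_LOG_DISPLAY = """\
1: date=2019-05-07 time=10:23:45 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(192.168.1.5)" method="https" srcip=192.168.1.5 dstip=192.168.1.99 action="login" status="success" msg="Administrator admin logged in successfully from https(192.168.1.5)"
2: date=2019-05-07 time=10:24:02 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.10 srcport=54321 srcintf="port2" dstip=203.0.113.20 dstport=8001 dstintf="port1" policyid=4 sessionid=1234 proto=6 action="accept" service="tcp/8001" sentbyte=512 rcvdbyte=2048
3: date=2019-05-07 time=10:24:09 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.11 srcport=40001 srcintf="port2" dstip=203.0.113.20 dstport=8001 dstintf="port1" policyid=0 sessionid=1235 proto=6 action="deny" service="tcp/8001" sentbyte=0 rcvdbyte=0
4: date=2019-05-07 time=10:25:30 logid="0100032003" type="event" subtype="system" level="warning" vd="root" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 dstip=203.0.113.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.7) because of invalid password"
"""

# key=value where value is either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
LINE_RE = re.compile(r"^\s*(\d+):\s*(.*)$")


def parse_log_display(text: str) -> List[Dict]:
    records: List[Dict] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # prompts or wrapped fragments without a line number
        rec: Dict = {"_line": int(m.group(1))}
        for key, val in KV_RE.findall(m.group(2)):
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
            elif val.isdigit():
                val = int(val)
            rec[key] = val
        records.append(rec)
    return records


def filter_records(records: List[Dict], category: str = None, start_line: int = 1,
                   view_lines: int = 1000, **fields) -> List[Dict]:
    """Offline counterpart of `execute log filter category/field/start-line/view-lines`.
    Field values are compared as text so dstport=8001 matches whether it was parsed as int or str."""
    selected = []
    for rec in records:
        if category and rec.get("type") != category:
            continue
        if any(str(rec.get(k)) != str(v) for k, v in fields.items()):
            continue
        selected.append(rec)
    return selected[start_line - 1:start_line - 1 + view_lines]


def failed_logins(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """(user, source IP, reason) for every failed administrative login in the dump."""
    return [(r.get("user"), r.get("srcip"), r.get("reason")) for r in records
            if r.get("type") == "event" and r.get("action") == "login" and r.get("status") == "failed"]


if __name__ == "__main__":
    recs = parse_log_display(SAMPLE_LOG_DISPLAY)
    for r in filter_records(recs, dstport=8001):
        print(r["_line"], r["srcip"], "->", r["dstip"], r["action"], "policy", r["policyid"])
    print("failed logins:", failed_logins(recs))
```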

HIGH CPU

1. Is this issue occurring after a firmware upgrade or configuration change?


2. Are you seeing a high CPU on the unit all the time or intermittently during peak hours?
3. Kindly confirm the number of users for this unit
4. Capture the screenshot of the 24 hour utilization history from the resource utilization widget
5. Configuration file

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, and execute the below commands

#diag sys flash list


#get system status
#get hardware status
#get system performance status (run this command 5 times in interval of 1 minutes)
#diag sys top 1 40 (Run for 30 Sec and CTRL C to stop)
#diag sys top-summary (Run for 30 Sec and CTRL C to stop)
#diagnose autoupdate versions
#diagnose hardware sys shm
#diag hard sys mem
#diag hard sys cpu
#diag hard sys slab
#diag sys session stat
#diag debug crashlog read
# diagnose hardware deviceinfo disk
# get log gui-display
# get log disk setting
# get log memory setting
#diagnose debug report

If vdom

config vdom

edit <vdom name>

#diag sys top 1 40 (Run for 30 Sec and CTRL C to stop)


#diag sys top-summary (Run for 30 Sec and CTRL C to stop)
#get log memory setting
#get log disk setting
#diagnose debug report
#diag debug crashlog read
If multiple cores are involved

diagnose sys profile cpumask <core-id>


diagnose sys profile start
<wait for few seconds>
diagnose sys profile stop
diagnose sys profile show order

MEMORY USAGE

Below are some of the recommended actions that will help to save memory resource:

(1) lower AV threshold


please go to Firewall > Protocol options > Edit the one which is being used in the Firewall policy, lower
the oversize threshold to 1 MB for all protocols.
It has to be done on the CLI:

config firewall profile-protocol-options


edit <profile>
config http
set oversize-limit 1
end
config ftp
set oversize-limit 1
end
config imap
set oversize-limit 1
end
config mapi
set oversize-limit 1
end
config pop3
set oversize-limit 1
end
config smtp
set oversize-limit 1
end
config nntp
set oversize-limit 1
end
next
end

(2) Using the 'all_default' IPS sensor in your firewall policy is not recommended.
Please configure the profile to scan for specific OS, applications and protocols of the appropriate severity.
For example, if you have only Windows PCs and servers in your environment, you can select OS = Windows and
select only the relevant applications. If you do not want to scan for low and medium severity, you can specify
the correct severity options as high and critical. By doing this you will reduce the number of predefined
IPS signatures the unit has to match the flow against.

(3) change default session TTL:


config system session-ttl
set default 300
end

If you would like to set session ttl for a particular port, please follow the following KB article:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30171

(4) Reducing some of the global timers can also reduce load; please run the following commands:
config system global
set tcp-halfclose-timer 30
set tcp-halfopen-timer 10
set tcp-timewait-timer 1
end

(5) If you are using the extended database for virus scanning, please change it to normal:
config antivirus settings
set default-db normal
end

get sys stat


get sys perf stat
diag sys top - and press "m" to sort it by memory usage

diag debug report

SSL-VPN

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands and then initiate the connection via
Forticlient
diag debug reset
diag debug application fnbamd -1
diag debug appl sslvpn -1
diag debug enable

Wait until you observe the disconnection. Once the connection is disconnected, disable the logs by
using

diag debug disable

And also enable logging in the FortiClient by following the below path:

File --> Settings --> Logging --> select Log Level as debug from the dropdown

Click on clear logs, and then click on ok.

Click on Close at the bottom.

Once the connection is terminated, go to file-->Settings-->Logging--> click on export logs

Save the file and attach it to the ticket.

To check the connected users:

get vpn ssl monitor


execute vpn sslvpn list

L2TP
>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, and execute the below commands

diag deb reset


diag deb en
diag deb application ike -1
diag deb application l2tp -1
diag deb application ppp -1
After executing the above commands, connect to the VPN on the Android device.

Wait till you get the unsuccessful message, and execute the below command to stop the logs

diag deb dis

VIP

--the latest config file


--the VIP name which is having the issue
--the policy-id related to it

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands and ping the VIP external IP

diagnose debug reset


diagnose debug disable
diagnose debug flow show console en
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x ----where x.x.x.x is the public IP address of the external PC
diagnose debug flow filter proto 1
diagnose debug flow trace start 100
diagnose debug enable

After 5-10sec, disable the logs by executing

diagnose debug disable


diagnose debug flow trace stop

>>Simultaneously open another session of putty, start the logging and execute the below command

diagnose sniffer packet any "host x.x.x.x and icmp" 6 0 a ------------where x.x.x.x is the public IP address of
the external PC

After 5-10sec, disable the sniffer by pressing ctrl+c


HTTPSD

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36043

>>connect to your fortigate, execute the below commands and try to open the Dashboard section in the
GUI

Putty1:

diag debug reset


diagnose debug console timestamp enable
diag web-ui debug enable
diagnose debug application httpsd -1
diag debug enable

Wait till the page opens and disable the logs by executing
diagnose debug application httpsd 0
diagnose web-ui debug disable

WAD (5.6)

diag wad debug enable level <choose your level>


diag wad debug enable category <choose your category like ssl or ALL>
diag debug en

wait for 5-10 sec and then stop the logs by using

diag deb dis

Debug and sniffer

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, and execute the below commands

diagnose debug reset


diagnose debug disable
diagnose debug flow show console en
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter addr 4.2.2.2
diagnose debug flow filter proto 1
diagnose debug flow trace start 1000
diagnose debug enable

After 5-10sec, disable the logs by executing


diagnose debug disable
diagnose debug flow trace stop

>>Simultaneously open another session of putty, start the logging and execute the below command

diagnose sniffer packet any "host 4.2.2.2 and icmp" 6 0 a

After 5-10sec, disable the sniffer by pressing ctrl+c
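The `diagnose debug flow` procedures in this document (this section, Scenario 2 of the VPN section and the VIP section) all produce the same kind of output: one `id=... trace_id=N func=... msg="..."` line per processing step, with every packet's steps sharing a `trace_id`. Reading a long trace is easier once it is grouped per packet and reduced to the facts that decide the case: ingress interface, route lookup result, the `fw_forward_handler` verdict (`Allowed by Policy-N` or `Denied by forward policy check (policy 0)`, i.e. the implicit deny), any NAT applied, and reverse-path failures, which occur before any policy lookup and so show up as traces with no policy line at all. The summariser below is an added example for this page, not a Fortinet tool; the trace text is constructed in the style of FortiOS flow output (placeholder addresses), the function names are mine, and the parser tolerates the timestamp prefix that `diagnose debug console timestamp enable` adds.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the style of `diagnose debug flow` output (not from a device):
# trace 1: allowed by policy 1 and source-NATed; trace 2: hits the implicit deny;
# trace 3: fails the reverse-path check before any policy is evaluated.
SAMPLE_FLOW_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.1.10:1->4.2.2.2:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2574 msg="find a route: flag=04000000 gw-203.0.113.1 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2807 msg="SNAT 192.168.1.10->203.0.113.5:1"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.0.0.5:1->10.0.1.7:2048) from port2. type=8, code=0, id=2, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-00001235"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-10.0.1.7 via port3"
id=20085 trace_id=2 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.99.0.8:1->4.2.2.2:2048) from port1. type=8, code=0, id=3, seq=1."
id=20085 trace_id=3 func=init_ip_session_common line=5519 msg="allocate a new session-00001236"
id=20085 trace_id=3 func=ip_route_input_slow line=1273 msg="reverse path check fail, drop"
id=20085 trace_id=3 func=ip_session_handle_no_dstv4 line=5864 msg="trace"
"""

# Not anchored at line start so a console timestamp before "id=" does not break matching.
LINE_RE = re.compile(r'id=(\d+)\s+trace_id=(\d+)\s+func=(\S+)\s+line=(\d+)\s+msg="(.*)"')
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.")
ROUTE_RE = re.compile(r"find a route: .*\bvia (\S+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
NAT_RE = re.compile(r"^(SNAT|DNAT) ([\d.]+)->([\d.]+):(\d+)")


def _new_trace(trace_id: int) -> Dict:
    return {"trace_id": trace_id, "proto": None, "src": None, "dst": None, "in_if": None,
            "out_if": None, "policy": None, "verdict": "incomplete", "reason": None, "nat": None}


def summarize_flow_trace(text: str) -> List[Dict]:
    traces: Dict[int, Dict] = {}  # dict keeps first-seen order of trace ids
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        trace_id, func, msg = int(m.group(2)), m.group(3), m.group(5)
        t = traces.setdefault(trace_id, _new_trace(trace_id))
        pkt, route = PKT_RE.search(msg), ROUTE_RE.search(msg)
        allow, deny, nat = ALLOW_RE.search(msg), DENY_RE.search(msg), NAT_RE.match(msg)
        if pkt:
            t["proto"] = int(pkt.group(1))
            t["src"] = f"{pkt.group(2)}:{pkt.group(3)}"
            t["dst"] = f"{pkt.group(4)}:{pkt.group(5)}"
            t["in_if"] = pkt.group(6)
        elif route:
            t["out_if"] = route.group(1)
        elif allow:
            t["verdict"], t["policy"] = "allowed", int(allow.group(1))
        elif deny:
            t["verdict"], t["policy"] = "denied", int(deny.group(1))
            t["reason"] = "implicit deny (no matching policy)" if deny.group(1) == "0" else "deny policy"
        elif "reverse path check fail" in msg:
            t["verdict"], t["reason"] = "denied", f"RPF failure ({func})"
        elif nat:
            t["nat"] = f"{nat.group(1)} {nat.group(2)}->{nat.group(3)}:{nat.group(4)}"
    return list(traces.values())


def verdict_counts(traces: List[Dict]) -> Dict[str, int]:
    return dict(Counter(t["verdict"] for t in traces))


def format_trace(t: Dict) -> str:
    out = (f"trace {t['trace_id']}: proto={t['proto']} {t['src']} -> {t['dst']} "
           f"in={t['in_if']} out={t['out_if']} {t['verdict']}")
    if t["policy"] is not None:
        out += f" policy={t['policy']}"
    if t["reason"]:
        out += f" ({t['reason']})"
    if t["nat"]:
        out += f" {t['nat']}"
    return out


if __name__ == "__main__":
    traces = summarize_flow_trace(SAMPLE_FLOW_TRACE)
    for t in traces:
        print(format_trace(t))
    print(verdict_counts(traces))
```

For the VIP case the interesting line is a `DNAT` message in the trace, which the summariser records in `nat`; its absence on a packet that arrived for the VIP's external address is the usual sign that the VIP or its policy is not matching.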

TRAFFIC SHAPING

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, and execute the below commands

diagnose system tos-based-priority


diagnose firewall shaper traffic-shaper
diagnose firewall shaper per-ip-shaper

CONSOLE LOGS

#diag debug reset


#diag debug kernel level 7
#diag debug cli 8
#diag debug console timestamp enable
#diag debug enable

#diag debug comlog enable


#diag debug comlog info
#diag debug comlog read
DEVICE DETECTION

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, and execute the below commands

diag user device list


diag debug reset
diag debug console timestamp enable
diag debug appl src-vis -1
diag debug appl netscan 31
diag debug enable

You can copy-paste the commands directly into putty. Please run them for a few minutes

before you connect the device that has the issue; the user should browse too.

Please provide me with an IP address and MAC address of the user.

To disable debug:

diag debug disable (can be typed even when interrupted by printed text)
diag debug reset

diag user device list

MODEM ISSUES

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, and execute the below commands

(1)
For troubleshooting we will need:
- the PIN code (if it is required)
- the APN name
- provider name
- name of service or its description
- authentication data (username, password)
- used authentication method (pap, chap, ms-chap ...)
- serial number of modem (or version of used firmware)

(2)
# Is it detected on the USB as a modem?
fnsysctl cat /proc/bus/usb/devices
show system modem
show system 3g-modem custom

(3)
# Is it detected correctly?
diagnose sys modem detect
diag sys modem external-modem
diag sys modem query
diag sys modem cmd ati

(4)
# Is it a supported model?
fnsysctl cat /etc/modem_list.conf
# Alternatively check the list version only
diagnose autoupdate versions | grep -A 3 Modem
###

(5)
# If the modem is detected as a modem.
# It has to respond on at least one serial console.
# Unfortunately we don't know on which one.
# One by one, check ALL of them to see whether the modem is responding

# For the first one please type

diagnose sys modem com /dev/ttyusb0
# The console should open the dialog and it should be possible to write a command
ATI
# The command should tell us the name of the modem
# To close the console please press Ctrl+w
# And repeat for the other consoles

diagnose sys modem com /dev/ttyusb1
ATI
# Press Ctrl+w to terminate the dialog

diagnose sys modem com /dev/ttyusb2
ATI
# Press Ctrl+w to terminate the dialog

diagnose sys modem com /dev/ttyusb3
ATI
# Press Ctrl+w to terminate the dialog

diagnose sys modem com /dev/ttyusb4
ATI
# Press Ctrl+w to terminate the dialog

# If one port is selected (responded to the ATI command), it can be set as the port for communication

config system modem
set wireless-port 2 #fill in the number of the port: ttyusb1 (+1)
end

(6)
### Dialling process debug
diag debug reset
diagnose debug console timestamp enable
diagnose debug app ppp -1
diagnose debug app modem -1
diagnose debug app lted -1
diag debug enable

# and
execute modem dial

# To finish

execute modem hangup
diag debug disable

(7) Config file and details requested above


Please check and update us further.

HA

Debugzone: debugzone is where the config changes are first stored before applying them to the running
config.
Checksum: It contains the checksum of the configuration that is actually running in the device

For 5.2
>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36043

>>connect to your fortigate, and capture the output of the below commands from both the devices
(Slave and Master):

get system status


get system ha
diag sys ha status
diag sys flash list
diag sys ha cluster-csum
diag sys ha showcsum
diag sys ha showcsum 1
diag sys ha showcsum 2
diag sys ha showcsum 3
diag sys ha showcsum 4
diagnose sys ha cached-csum <vdom name>
diag debug crashlog read

To connect to the slave unit, execute the below command from the CLI of the master unit.

exec ha manage ?
exec ha manage <slave_id> : for example, if the slave_id is 1:
exec ha manage 1

Manual HA synchronization

execute ha synchronize start

If checksum is not calculated properly


# diagnose sys ha csum-recalculate

5.4/5.6

>>open putty client, start the session logging

You can start the logging, by following the below document


http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36043

>>connect to your fortigate, and capture the output of the below commands from both the devices
(Slave and Master):

get system status


get system ha
diag sys ha status
diag sys ha checksum show
diag sys ha checksum cluster
diag sys ha checksum show global
diag sys ha checksum show root
diag sys ha checksum show <vdomname> --------------if vdoms are present, the command would be "diag sys ha checksum show vdom-test" if the vdom configured is "vdom-test"
diag sys ha checksum cached root
diag sys ha checksum cached <vdomname> --------------if vdoms are present, the command would be "diag sys ha checksum cached vdom-test" if the vdom configured is "vdom-test"
diag sys ha checksum cached global
diag debug crashlog read
diag sys flash list

To connect to the slave unit, execute the below command from the CLI of the master unit.

exec ha manage ?
exec ha manage <slave_id> : for example, if the slave_id is 1:
exec ha manage 1

Manual synchronization
execute ha synchronize start

If checksum is not calculated properly


# diagnose sys ha checksum recalculate
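The debugzone/checksum distinction explained at the start of this HA section is what the checksum commands are for: a cluster is out of sync when the running-config checksum of a zone (global, a vdom, or all) differs between members, and a member has received but not yet applied a change when its own debugzone value differs from its checksum value. Comparing the per-member output by eye across several vdoms is error-prone, so the script below does it: it parses the cluster checksum listing and reports both conditions. It is an added example for this page, not a Fortinet tool; the listing is constructed in the style of `diag sys ha checksum cluster` output with placeholder member names in place of serial numbers, and the function names are mine.

```python
import re
from typing import Dict, List

# Constructed sample in the style of `diag sys ha checksum cluster` (placeholder member
# names, made-up checksums). Member B has received the new root config in its debugzone
# but its running checksum for root (and hence "all") still differs from member A.
SAMPLE_CHECKSUM_CLUSTER = """\
================== FGT-A-PLACEHOLDER ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: 0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9
all: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00

checksum
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: 0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9
all: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00

================== FGT-B-PLACEHOLDER ==================
is_manage_master()=0, is_root_master()=0
debugzone
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: 0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9
all: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00

checksum
global: 1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
root: ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00
all: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0
"""

MEMBER_RE = re.compile(r"^=+\s*(\S+)\s*=+$")                 # "===== <serial> ====="
MASTER_RE = re.compile(r"is_root_master\(\)=(\d)")
ZONE_RE = re.compile(r"^(\w[\w-]*):\s*((?:[0-9a-fA-F]{2}\s*)+)$")  # "<zone>: xx xx xx ..."


def parse_checksum_cluster(text: str) -> Dict[str, Dict]:
    members: Dict[str, Dict] = {}
    member = section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMBER_RE.match(line)
        if m:
            member = members.setdefault(m.group(1), {"debugzone": {}, "checksum": {}, "root_master": False})
            section = None
        elif member is None:
            continue
        elif MASTER_RE.search(line):
            member["root_master"] = MASTER_RE.search(line).group(1) == "1"
        elif line in ("debugzone", "checksum"):
            section = line
        elif section is not None:
            z = ZONE_RE.match(line)
            if z:
                member[section][z.group(1)] = z.group(2).replace(" ", "").lower()
    return members


def out_of_sync_zones(members: Dict[str, Dict]) -> List[str]:
    """Zones whose running-config checksum is not identical on every member."""
    zones = sorted({z for m in members.values() for z in m["checksum"]})
    return [z for z in zones if len({m["checksum"].get(z) for m in members.values()}) > 1]


def pending_zones(members: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Per member, zones where the received config (debugzone) is not yet the running config."""
    return {name: sorted(z for z, v in m["debugzone"].items() if v != m["checksum"].get(z))
            for name, m in members.items()}


def report(text: str) -> List[str]:
    members = parse_checksum_cluster(text)
    lines = [f"{n}: {'master' if m['root_master'] else 'slave'}" for n, m in members.items()]
    lines.append(f"out of sync: {out_of_sync_zones(members) or 'none'}")
    for name, zones in pending_zones(members).items():
        if zones:
            lines.append(f"{name}: debugzone differs from checksum for {zones}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CHECKSUM_CLUSTER)))
```

When `out_of_sync_zones` names a vdom but `pending_zones` is empty on every member, the members genuinely run different configs (manual synchronize or checksum recalculate, as listed above, is the next step); when a member shows pending zones, it has the new config but has not applied it yet, which is a different problem.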

HASYNC/HATALK
>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36043

>>connect to your fortigate, and capture the output of the below commands from both the devices
(Slave and Master):

diagnose debug reset


diagnose debug console timestamp enable
diagnose debug application hatalk -1
diagnose debug application hasync -1
diagnose debug enable

wait for couple of minutes, and then disable the logs by executing

diagnose debug disable

SNMP

Putty1:
-----------------

diagnose debug reset


diagnose debug application snmpd -1
diagnose debug console timestamp enable
diagnose debug enable

wait for 2-3min, and then disable the debug by executing the below command

diagnose debug disable

Putty2:
------------------

diagnose sniffer packet any "port 161 or port 162" 6 0 a

wait for 2-3min, and then stop the sniffer by pressing ctrl+c

FSSO

#diag debug authd fsso filter


#diag debug authd fsso list
#diag deb authd fsso server-status
#diag deb authd fsso clear-logons
#diag deb authd fsso refresh-logons
#diag deb authd fsso refresh-groups

#diag sniffer packet internal "port 8000 and host <collector agent ip>" 4 0 a

#diag debug application authd -1


#diag firewall iprope authserver

FSSO TROUBLESHOOTING

> Are you using agent based or fortigate polling mode?

> Run the following commands on the affected client


ipconfig /all
echo %logonserver%
echo %username%
net use
time /T
date /T

> Run the following commands on DC.


dsquery user -name <value>
netstat -a -o -n

> Collector Agent


- FSSO Version
- Collector Agent mode:- dc agent or polling.
- Check that the username & password are configured the same in both the fortigate and the Collector Agent settings.
- How are groups configured on the Group Filter settings of Collector Agent as well as on the fortigate?
- Which mode is selected for groups in Directory Access settings of the collector agent i.e. Standard or
Advanced.
- Collector Agent Logs by setting the log level to Debugging level and log size to 200 MB on all Collector
Agents.
Location:- C:\Program Files\Fortinet\FSAE\
- Copy of exported config or FSSO registry from all DCs (dc agent mode)
32 bit:- [HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE]
64 bit:- [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE]

> Run the following commands on the fortigate.


- To Check FGT Connectivity status with collector agent
# diagnose debug enable
# diagnose debug authd fsso server-status

- If the server is not in Connected State


# diag debug application authd -1
# diag debug enable

- If FGT connectivity is not getting established with collector agent


# diag sniffer packet internal 'port 8000 and host <collector agent ip>' 3

- To List current logons


# diag debug authd fsso filter source <IP_Address_Having_Issue>
# diag debug authd fsso list
# diag debug application authd 8256
# diag debug enable

- Request CA to send logged-on users list to FGT


# diagnose debug authd fsso refresh-logons

- Clear logon info in FGT. Users must logoff/logon


# diagnose debug authd fsso clear-logons

- Request CA to send monitored groups to FGT


# diagnose debug authd fsso refresh-groups

Polling Mode : - Type - Poll Active Directory Server


------------------------------------------------------------------------------------------

- Show FSSO AD Server Detail


# diagnose debug fsso-polling detail

- Show FSSO AD Server Summary.


# diagnose debug fsso-polling summary

- Connected users (IP, groups, last logon time)


# diagnose debug fsso-polling user

- Clear all logons. Users must relogon


# diagnose debug fsso-polling refresh-user 0

# diagnose sniffer packet any 'host <server ip> and tcp port 445' 3

#diagnose debug application fssod -1


diagnose debug application authd -1
diagnose debug application fnbamd -1

LDAP

get sys status


diag sys flash list
diag firewall auth list
diag test authserver ldap <server_name> <username> <password>

for ex: if the ldap server is "Ldap123" with username "test" and password "test123", the above
command will be as below

diag test authserver ldap Ldap123 test test123


>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands and then try to authenticate

diag deb reset


diag deb console timestamp enable
diag deb application fnbamd -1
diag deb en

Once the issue is observed, wait for some time and then disable the logs by executing

diag deb dis

TACACS+

get sys status


diag sys flash list
diag firewall auth list
diag test authserver tacacs+ <server_name> <username> <password>

for ex: if the tacacs+ server is "tacacs123" with username "test" and password "test123", the above
command will be as below

diag test authserver tacacs+ tacacs123 test test123

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands and then try to authenticate

Putty1:
-------------------

diag deb reset


diag deb console timestamp enable
diag deb application fnbamd -1
diag deb en

Once the issue is observed, wait for some time and then disable the logs by executing

diag deb dis

Putty2:
------------------

diagnose sniffer packet any "host x.x.x.x" 6 0 a ----------where x.x.x.x is the tacacs+ server IP

Wait for some time and then stop the sniffer by pressing ctrl+c

https://blog.synack.co.uk/2017/10/15/pcap-tacacs-pcap-file/

RADIUS

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands and then try to authenticate

Putty1:
--------------------

diagnose sniffer packet any "port 1812 or port 1813" 6 0 a

after executing the command reproduce the issue

press ctrl+c to stop the sniffer

Putty2:
---------------------------

diagnose debug reset


diagnose debug application fnbamd -1
diag debug enable

diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username>
<password>

for ex: if the radius server is "radius123", using “mschap” with username "test" and password "test123",
the above command will be as below
diag test authserver radius radius123 mschap test test123

after executing the above, execute the below command to disable the debug

diagnose debug disable

URL FILTER

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands and then try to access the URL

# diagnose debug application urlfilter -1


# diagnose debug urlfilter src-addr x.x.x.x or test-url
# diagnose debug enable

Wait until the page throws a message , and then stop the debug by executing

diagnose debug disable

IPS

diag test application ipsmonitor 1


diag test application ipsmonitor 3
diag test application ipsmonitor 14
diag test application ipsmonitor 15
diag ips memory status
diag ips memory pool
diag ips session status
diag ips session performance
diag ips session list
diag ips signature status
diag ips urlfilter status
diag hardware sysinfo interrupts
diag ips raw status
diag ips dissector status
diag ips packet status
PPPOE ISSUES

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands simultaneously on all the putty sessions
during the time of the issue

Putty1:
-------------------
diagnose debug reset
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application ppp -1

wait for some time and the disable the logs by executing

diagnose debug disable

Putty2:
-------------
diagnose sniffer packet wan1 "none" 6 0 a

to stop the sniffer press ctrl+c

Putty3:
-------

diag sniffer packet any "ether[0x0c:2] == 0x8863 or ether[0x0c:2] == 0x8864" 6 0 a

DDNS

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043
>>connect to your fortigate, and execute the below commands

diagnose test application ddnscd 3


#diagnose debug reset
#diagnose debug application ddnscd -1
#diagnose debug console timestamp enable
#diagnose debug enable

To stop the debug, type:

#diag debug disable


#diag debug reset

DLP

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands

diag debug reset


diag debug app scanunit -1
diag debug app dlp -1
diag debug enable

Once the file is uploaded, stop the debug by executing the below commands

diag deb dis


diag deb reset

INTERNET SLOWNESS

--the latest config file


--from when are you observing this issue?
--the policy-id the issue is concerned with?
--was there any config change or firmware upgrade done recently?
--What is the speed setting from the ISP, like 100Mbps or 1000Mbps?
--What is the speed setting on FGT?
--What speed do you get when do a speedtest on the speedtest websites?
Please also provide the output of the following.
--Make a separate policy for the test PC and then try to access the website, check the speed
--if it is still slow, disable all the UTM profiles and then check
--Make sure the speed is the same on the interface and at the ISP; if there is a difference, make it the same
--try to change the ISP and then check
--connect a PC directly to the fortigate and check; if it works fine, it's not an issue with the fortigate
--if it still does not, then bypass the fortigate and check
--if it works, check the interface drops on both the lan and wan port
--disable offloading in the policy
--try to change the mss value in the policy

>>open putty client, start the session logging

You can start the logging, by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands during the time of the issue:

Assume wan1 is connected to your ISP, you can find wan1 speed setting by running following CLI:

config system interface


edit wan1
get

#diag hardware deviceinfo nic wan1


#diag sys flash list
#get system status
#get system performance status (run this command 5 times in interval of 1 minutes)
#diag sys top 1 40 (Run for 30 Sec and CTRL C to stop)
#diag sys top-summary (Run for 30 Sec and CTRL C to stop)
#diagnose autoupdate versions
#diagnose hardware sys shm
#diagnose hardware sys cpu
#diag hard sys mem
#diag hard sys slab
#diag sys session stat
#diag firewall statistic show
#diag debug crashlog read
#diagnose debug report

Putty-2

Execute the below command and try to access any website


diag sniffer packet any "host x.x.x.x" 6 0 a --------where x.x.x.x is the website IP address

You can see the IP by executing the below commands in the command prompt

nslookup <website name>

Once the page is loaded, stop the sniffer by pressing ctrl+c

NETSCAN

Netscan process is the network vulnerability scanner. The Network Vulnerability Scan helps you to
protect your network assets by scanning them for security weaknesses.
(more info here: http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-managing-devices-52/Devices_vscan.htm )
We tried to stop the process using the following commands, but these commands don't exist altogether:
execute netscan import
execute netscan list
execute netscan start scan
execute netscan status
#execute netscan stop

WEBCACHE

# diag wacs stats
# diag sys top
# diagnose wad webcache list 10m
(if VDOMs are configured, run inside the VDOM)
# diag debug reset
# diag deb app wa_cs -1 ///not available in 6.0
# diag debug app waocs -1
# diag deb app wabcs -1
# diag deb en

ISSUES WITH VOIP

--the latest config file
--policy-id related to the issue
--Are you making an outbound or inbound call?
--Was this working previously or is this a new configuration?
--What is the port used for communication?
--What is the protocol used? H.323 or SIP?
--Where is the location of the PBX?
--Is the communication over VPN or over the internet?
--Are you able to get the phones registered? Or is it an issue with voice traffic?
--Is SDP payload NAT required in your setup?
--How is the RTP flow? Please provide a network diagram with the call flow information.

Please provide the output of the following by opening multiple SSH sessions to the firewall:

>>open putty client, start the session logging

You can start the logging by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands and try to make a call

Putty1:
-------------------

diag debug reset
diag debug flow filter clear
diag debug flow filter addr x.x.x.x -----where x.x.x.x is the source IP of the phone you are making a call from
diag debug console timestamp en
diag debug flow show console en
diag debug flow show function-name en
diag debug flow trace start 10000
diag debug enable

You can stop the debug by using:

diag debug dis
diag debug reset

Putty2:
--------------------

diag sniffer packet any 'host x.x.x.x' 6 0 a x -----where x.x.x.x is the source IP of the phone you are making a call from

Stop the sniffer by pressing Ctrl+C.


VIDEO CONFERENCING CALL

--the latest config file
--the policy-id involved
--What is your video conference device IP address, and what public IP is it being NATed to?
--Are you making an outbound or inbound call?
--What is the IP of the destination VC device (the remote VC device's public IP)?
--Is the SDP NAT or ALG functionality on the firewall needed, or does it need to be turned off?
--Is the connection over the internet, or over a VPN or MPLS network?

>>open putty client, start the session logging

You can start the logging by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, and execute the below commands

Putty1:
----------------------------

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow filter addr x.x.x.x -------where x.x.x.x is the remote VC device
diagnose debug flow trace start 9999999
diagnose debug enable

Wait for some time and then disable the logs by executing

diagnose debug disable

Putty2:
--------------------

diag sniffer packet any "host x.x.x.x" 6 0 a -------where x.x.x.x is the remote VC device

Wait for some time and then stop the sniffer by pressing Ctrl+C

ALERT EMAIL

>>open putty client, start the session logging

You can start the logging by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, execute the below commands during the time of the issue:

diag deb reset
diag deb application alertemail -1
diag deb console timestamp enable
diag deb enable

Wait for some time and then stop the logs by executing

diag deb dis

To test alert emails, you can send a test mail by executing

diag log alertmail test

DISK ISSUES

#get log disk setting
#get log memory setting
# exe disk list
# diag hard dev disk
# diagnose sys logdisk quota
# diagnose sys logdisk usage
# diagnose hardware sys shm
# diag hardware sys mem
# fnsysctl df -h
# fnsysctl ls /var/log/<vdom-name> -l -----------execute for all VDOMs
# print dir /var/log/<vdom-name> ----------------execute for all VDOMs
# diag hard smartctl -a /dev/sdb ----for 200D

POWER SUPPLY/FAN PROBLEM

>>open putty client, start the session logging

You can start the logging by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, and execute the below commands

execute sensor detail
execute sensor list
diag alertconsole list
diagnose debug reset
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application ipmc -1

Once the output is collected, please turn off debug using the below commands:

diagnose debug disable
diagnose debug reset

Note: If you do not get the output immediately, please let the command run until there is any output.

SSD UPGRADE
- Kindly run the below command and check whether the FGT's current SSD disk firmware version is SFPS918A or SFPS925C.
Note: If the FortiGate has any VDOMs configured, the below commands must be performed in the
global context (meaning typing "config global <enter>" before)

# diag hard smartctl -a /dev/sda ----for 100D
# diag hard smartctl -a /dev/sdb ----for 200D

CLI output extract may look like below:

=== START OF INFORMATION SECTION ===
Device Model: xxGB SATA Flash Drive
Serial Number: XXXXXXXXXXXXXXXXXX
Firmware Version: SFPS918A or SFPS925C

- If yes, an SSD disk firmware update is needed. Please find the special firmware enclosed. Follow these steps to apply it:
- Verify the MD5 checksum (d02f295754a1c29e05ede549d8a6c8d1 FGT_100D-v5-build9134-FORTINET.out)
- Back up the running configuration.
- Back up the logs stored on the SSD if they need to be retained. The CLI command to back up the logs is:
# exec backup memory alllogs ftp <ip address> <user> <password>

- Upload this firmware from the System Information widget the same way as a normal firmware update
- It will reboot 2 times!
- After that, the FortiGate will boot up to the same firmware as it is currently running
- The attached file is compatible only with 5.2.x firmware!! If you use another version, please let me know and I will send you a compatible image.
- After you finish the upgrade, please run the following commands to verify:
# diag hard smartctl -a /dev/sda (the SSD firmware version should now be SFPS928G instead of the current SFPS918A or SFPS925C)
# diag hard deviceinfo disk

Please schedule a maintenance window, as the SSD firmware upgrade will result in a 5 - 10 minute outage. I will wait for your feedback.

Thank you for the time on the call!
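The pre- and post-upgrade checks from the SSD procedure above as a script (an added example, not part of the original notes): it parses the smartctl output extract for the Firmware Version line, decides whether the SSD update is needed or has been applied, and verifies the image MD5 against the value given above. The smartctl text below is a constructed sample in the shape of the CLI extract; the function names are this example's own.

```python
import hashlib
import re
from typing import Optional

# Versions that need the SSD update, and the expected post-upgrade version (from the notes above)
AFFECTED_SSD_FIRMWARE = {"SFPS918A", "SFPS925C"}
FIXED_SSD_FIRMWARE = "SFPS928G"

# Published checksum of the special image, as given in the notes above
EXPECTED_MD5 = "d02f295754a1c29e05ede549d8a6c8d1"
IMAGE_NAME = "FGT_100D-v5-build9134-FORTINET.out"

# Constructed sample of the 'diag hard smartctl -a /dev/sda' output extract
SAMPLE_SMARTCTL = """\
=== START OF INFORMATION SECTION ===
Device Model:     32GB SATA Flash Drive
Serial Number:    XXXXXXXXXXXXXXXXXX
Firmware Version: SFPS918A
"""


def ssd_firmware_version(smartctl_output: str) -> Optional[str]:
    """Return the 'Firmware Version' value from smartctl output, or None if the line is absent."""
    m = re.search(r"^Firmware Version:\s*(\S+)", smartctl_output, re.MULTILINE)
    return m.group(1) if m else None


def ssd_update_needed(smartctl_output: str) -> bool:
    """True when the disk runs one of the affected firmware versions."""
    return ssd_firmware_version(smartctl_output) in AFFECTED_SSD_FIRMWARE


def ssd_update_applied(smartctl_output: str) -> bool:
    """Post-upgrade verification: the firmware must now read SFPS928G."""
    return ssd_firmware_version(smartctl_output) == FIXED_SSD_FIRMWARE


def image_checksum_ok(image_bytes: bytes, expected_md5: str = EXPECTED_MD5) -> bool:
    """Compare the image MD5 with the published value before uploading it to the unit."""
    return hashlib.md5(image_bytes).hexdigest() == expected_md5.lower()


if __name__ == "__main__":
    ver = ssd_firmware_version(SAMPLE_SMARTCTL)
    print(f"SSD firmware: {ver}, update needed: {ssd_update_needed(SAMPLE_SMARTCTL)}")
    # Real usage, with the image file on disk:
    # image_checksum_ok(open(IMAGE_NAME, "rb").read())
```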

>> From the logs I can see that multiple processes are in "D" state.

>> Processes can get stuck in D state if they are waiting for a disk I/O operation. If there is some problem with the file system or disk, this can result in multiple processes getting stuck.

>> Kindly provide the output of the below mentioned command for further troubleshooting.

Note: If the FortiGate has any VDOMs configured, the below command must be performed in the
global context (meaning typing "config global <enter>" before)

#diagnose hardware smartctl -a /dev/sda

FORTICLOUD

>>open putty client, start the session logging

You can start the logging by following the below document

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

>>connect to your fortigate, and execute the below commands

Putty1:
-------------------

show full log fortiguard setting
show full system fortiguard
show full system central-management

diagnose test application forticldd 1
diagnose test application forticldd 2
diagnose test application forticldd 3
diagnose test application forticldd 4
diagnose test application forticldd 5
diagnose test application forticldd 8
diagnose test application miglogd 20
show full-configuration log setting

execute log fortiguard test-connectivity
diagnose log kernel-stats

Putty2:
-----------------------

diagnose debug reset
diag debug application miglogd -1
diag debug enable

After 5-10 sec, stop the debug by executing

diagnose debug disable

Putty3:
----------------------------

diag sniffer packet any "port 514" 4 0 a

After 5-10 sec, stop the sniffer by pressing Ctrl+C

VULNERABILITIES

Based on the description, I understand that you have the following vulnerabilities discovered and want to fix them.

1. May I know to which IP the scan was initiated? Was the scan done for the FortiGate public IP?

2. Is there any HTTPS, SSH or SSL VPN enabled on the FortiGate public IP? If yes, may I know the corresponding port numbers?

3. Could you please send us the IP where the scan was done and the ports for which the scan was done?

4. Also please attach the latest config file.

NOTE: Assuming the scan was run against the FortiGate public IP

FORTITOKEN

# diag fortitoken info
# show user fortitoken
# show full | grep -f FTK
http://kb.fortinet.com/kb/documentLink.do?externalId=FD36637

Could you please remove the FortiTokens from the users if already assigned?

Next, delete the existing tokens; once done, execute the below command in the command line

execute fortitoken-mobile import 0000-0000-0000-0000-0000

After that, you will see your FortiTokens appear again.

execute fortitoken-mobile renew <serial number>

INT-FTG1-DC2 # diag firewall iprope lookup 161.71.6.8 64428 194.170.244.55 44300 tcp port17
diag firewall iprope list
<No.> Number, hexadecimal.

INT-FTG1-DC2 # diag firewall iprope list 394

diag firewall iprope state

diag debug flow sh ip en

Kindly provide the below mentioned details during the time of the issue for further troubleshooting.

> Run the following commands on the affected client

ipconfig /all
echo %logonserver%
echo %username%
net use
time /T
date /T

On the FortiGate

Putty 1:

# diag debug authd fsso filter source x.x.x.x
# diag debug authd fsso list
# diag debug application authd -1
# diag debug enable

Here x.x.x.x is the source IP of the workstation that you are using.

Once this is set, initiate the traffic.
Once the debug output has been captured, stop the debug using:
diag debug dis
diag debug reset

On the CA (Collector Agent) / FSAE
-------------

Immediately take a copy of the collectoragent.log file from C:\Program Files\Fortinet\FSAE\

Screen capture of "Show logon user", marking the IP and user entry having the issue if present.
Screen capture of "Show Service Status"
Collector Agent logon event logs.
