Advanced troubleshooting

From Tech-Wiki
Revision as of 17:20, 11 July 2016 by Fabricio.Lima (Talk | contribs)


Packet flow debug - the equivalent of FW Monitor on Check Point; shows whether a packet is accepted, forwarded or denied, and by which policy:

diag debug flow show function enable
diag debug flow show console enable
diag debug flow filter addr 10.31.101.22
diag debug flow filter port 80
diag debug enable
diag debug flow trace start 100
diag debug disable
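The trace output is verbose, so here is an added Python example (not from this wiki page) that groups the lines by `trace_id` and pulls out the packet tuple and the final verdict/policy per packet. The sample lines are constructed to match the filter above (10.31.101.22, port 80) and the message wording is assumed from typical `diag debug flow` output, so adjust the patterns if your firmware phrases them differently.

```python
import re
from collections import defaultdict

# Constructed sample of "diag debug flow" trace output (not captured from a real unit);
# it follows the usual id=/trace_id=/func=/msg="..." layout.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=4393 msg="vd-root received a packet(proto=6, 10.31.101.22:51234->10.0.0.5:80) from port2. flag [S], seq 100, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=4551 msg="allocate a new session-00000abc"
id=20085 trace_id=1 func=fw_forward_handler line=655 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=4393 msg="vd-root received a packet(proto=6, 10.31.101.22:51235->10.0.0.6:80) from port2. flag [S], seq 200, ack 0, win 8192"
id=20085 trace_id=2 func=init_ip_session_common line=4551 msg="allocate a new session-00000abd"
id=20085 trace_id=2 func=fw_forward_handler line=655 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=4393 msg="vd-root received a packet(proto=6, 10.31.101.22:51236->10.0.0.7:80) from port2. flag [S], seq 300, ack 0, win 8192"
id=20085 trace_id=3 func=iprope_in_check line=300 msg="iprope_in_check() check failed, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+).*?func=(\S+).*?msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')

def parse_flow_trace(text):
    """Group trace lines by trace_id; record the packet tuple and the final verdict."""
    flows = defaultdict(lambda: {"packet": None, "verdict": "unknown", "policy": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        trace_id, _func, msg = m.groups()
        flow = flows[trace_id]
        pkt = PKT_RE.search(msg)
        if pkt:
            flow["packet"] = {"proto": int(pkt.group(1)), "src": pkt.group(2),
                              "dst": pkt.group(3), "iface": pkt.group(4)}
        # Verdict messages: "Allowed by Policy-N", "Denied by ... (policy N)", or a plain drop.
        allowed = re.search(r'Allowed by Policy-(\d+)', msg)
        denied = re.search(r'Denied by .*policy (\d+)', msg)
        if allowed:
            flow["verdict"], flow["policy"] = "allowed", int(allowed.group(1))
        elif denied:
            flow["verdict"], flow["policy"] = "denied", int(denied.group(1))
        elif "drop" in msg.lower():
            flow["verdict"] = "dropped"
    return dict(flows)

def verdict_summary(text):
    """One (trace_id, src, dst, verdict, policy) tuple per traced packet, ordered by trace_id."""
    rows = []
    for tid, f in sorted(parse_flow_trace(text).items(), key=lambda kv: int(kv[0])):
        pkt = f["packet"] or {}
        rows.append((tid, pkt.get("src"), pkt.get("dst"), f["verdict"], f["policy"]))
    return rows

if __name__ == "__main__":
    for row in verdict_summary(SAMPLE_TRACE):
        print(row)
```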

VPN debug commands:

diag vpn ike log filter name <phase1-name>
diag vpn ike log filter src-addr4 <peer>
diag debug application ike -1 (or 255)
diag debug enable
diag vpn tunnel list
diag vpn tunnel flush  <phase1-name>
diag vpn tunnel reset  <phase1-name>
diag debug enable (run diag debug disable once the negotiation has been captured)

IPS information and bypass mode

diag test application ipsmonitor <number>
  1-display engine information
  2-enable/disable IPS engine
  5-Toggle bypass status
  99-restart IPS engines/monitor

Restart IPS engine

diag test application ipsengine 99

Restart WebFilter

diag test application urlfilter 99

Test authentication

diag test auth ldap <server> <username> <password>
diag test auth radius <server> <chap|pap|mschap|mschap2> <username> <password>

Display diagnostic information for the web cache database daemon (wacs)

diag wacs clear
diag wacs recents
diag wacs restart
diag wacs stats

Debug WebUI activity

diag debug cli 8
diag debug enable

Clear the configuration (load factory defaults) but retain the network interface configuration

execute factoryreset2
exec reset all-except-ip (FortiManager/FortiAnalyzer)

It is possible to load new firmware without writing it to flash (to evaluate it only). Connect to the serial console, set up a TFTP server, reboot the unit and interrupt the boot within 3 sec, then fetch the new firmware over TFTP and choose to run it instead of saving it.