Advanced troubleshooting

From Tech-Wiki
Latest revision as of 17:45, 21 October 2020


Doing a packet capture (sniffer)

diag sniffer packet any '!port 22' 4 10 <tsformat>
interfaces=[any]  (interface name can be specified)
filters=[udp and !port 22 and port 1812 and host 10.1.1.1]  (none can be used as well)
level=4 (print interface name and header)
count=10 (packets to dump)
tsformat=l (if omitted, timestamps are relative; l = local time)

Packet flow debug (the equivalent of fw monitor in Check Point): shows whether a packet is accepted, forwarded or denied:

diag debug flow show function enable
diag debug flow show console enable
diag debug flow filter addr 10.31.101.22
diag debug flow filter port 80
diag debug enable
diag debug flow trace start 100
diag debug disable
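As an added example (not part of the wiki page), a small Python parser for the output the debug flow commands above produce: it groups lines by trace_id and reports, per packet, the addresses, the ingress/egress interface and whether the packet was allowed or denied. The sample lines are constructed to resemble FortiOS debug flow output; field wording differs between versions, so the regexes are assumptions to adjust to your own unit's output.

```python
import re

# Constructed sample lines modelled on "diag debug flow trace start" output
# (exact wording differs between FortiOS versions; patterns below are assumptions).
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 10.31.101.22:51234->93.184.216.34:80) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5760 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-10.31.100.1 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=17, 10.31.101.22:40000->10.10.10.10:1812) from port1. "
id=20085 trace_id=2 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-10.31.100.1 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=771 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"\s*$')
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'via (\S+)$')
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def summarize_flow_trace(text):
    """Group debug flow lines by trace_id and pull out the packet addresses,
    ingress/egress interface and the final verdict (allowed/denied/dropped)."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # prompt, blank line or other debug output, not a flow line
        tid, msg = m.groups()
        t = traces.setdefault(tid, {"verdict": "no verdict seen"})
        p = PKT_RE.search(msg)
        if p:
            t.update(proto=PROTO.get(int(p.group(1)), p.group(1)),
                     src=p.group(2), dst=p.group(3), in_if=p.group(4))
        r = ROUTE_RE.search(msg)
        if r:
            t["out_if"] = r.group(1)
        if msg.startswith(("Allowed by", "Denied by")) or msg.endswith(", drop"):
            t["verdict"] = msg.split(":")[0]  # keep e.g. "Allowed by Policy-3"
    return traces

if __name__ == "__main__":
    for tid, t in summarize_flow_trace(SAMPLE).items():
        print(f"trace {tid}: {t.get('proto')} {t.get('src')} -> {t.get('dst')} "
              f"in {t.get('in_if')} out {t.get('out_if', '-')}: {t['verdict']}")
```

Paste the console output captured between "diag debug enable" and "diag debug disable" into SAMPLE (or read it from a file) to get one line per traced packet instead of scrolling through the raw trace.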

VPN debug commands:

diag vpn tunnel list (alternatively: get ipsec tunnel list, or get vpn ipsec tunnel summary)
diag vpn ike log filter name <phase1-name>
diag vpn ike log filter src-addr4 <peer>
diag debug application ike -1 (or 255)
diag debug enable
diag vpn tunnel flush <phase1-name>
diag vpn tunnel reset <phase1-name>
diag debug disable

Reset/Clear VPN Tunnels

diag vpn ike restart
diag vpn ike gateway clear name <name_P1>
diag vpn ike gateway flush name <name_P1>

IPS information and bypass mode

diag test application ipsmonitor <number>
  1-display engine information
  2-enable/disable IPS engine
  5-Toggle bypass status
  99-restart IPS engines/monitor

Restart IPS engine

diag test application ipsengine 99

Restart WebFilter

diag test application urlfilter 99

Test authentication

diag test auth ldap <server> <username> <password>
diag test auth radius <server> <chap|pap|mschap|mschap2> <username> <password>

Display diagnostic information for the web cache database daemon (wacs).

diag wacs clear
diag wacs recents
diag wacs restart
diag wacs stats

Debug WebUI activity

diag debug cli 8
diag debug enable

Contract and License check

exec log fortiguard test-connectivity
get system fortiguard-service status

Initialize the Log disk

exec formatlogdisk

Troubleshooting FSSO

diagnose debug authd fsso filter ?
diagnose debug authd fsso list
diagnose debug authd fsso refresh-logons
diagnose debug authd fsso refresh-groups
get user adgrp

Clear the configuration (load factory defaults) but retain the network interface configuration

execute factoryreset2
exec reset all-except-ip (FortiManager/FortiAnalyzer)

It is possible to load new firmware without writing it to flash (just to evaluate it): connect to the serial console, set up a TFTP server, boot the unit, interrupt the boot within 3 seconds, fetch the new firmware over TFTP and choose to run it instead of saving it.