Difference between revisions of "Advanced troubleshooting"
From Tech-Wiki
Line 27: | Line 27: | ||
diag vpn tunnel reset <phase1-name> | diag vpn tunnel reset <phase1-name> | ||
diag debug disable | diag debug disable | ||
+ | |||
+ | Reset/Clear VPN Tunnels | ||
+ | diag vpn ike restart | ||
+ | diag vpn ike gateway clear | ||
IPS information and bypass mode | IPS information and bypass mode |
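Review bot: the two new entries under "Reset/Clear VPN Tunnels" do not state their scope, while the neighbouring tunnel commands in the context lines (`diag vpn tunnel flush <phase1-name>`, `diag vpn tunnel reset <phase1-name>`) are explicitly limited to one phase 1. Since `diag vpn ike restart` and `diag vpn ike gateway clear` are listed without a `<phase1-name>` argument, add a short note saying whether they act on all IKE gateways, so a reader does not reach for them expecting the same per-tunnel effect as the lines above.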
Revision as of 16:27, 3 October 2017
Doing a packet capture (sniffer)
diag sniffer packet any '!port 22' 4 10 <tsformat>
interfaces=[any] (an interface name can be specified)
filters=[!port 22] (none can be used as well)
level=4 (print interface name and header)
count=10 (packets to dump)
tsformat=l (if none is specified, relative time; l = local time)
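A small parser for the level-4 sniffer output described above, added here as an example (not code from the wiki page). It assumes the level-4 line layout `<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <rest>`; the capture below is constructed, not a real one. With `any` as the interface, a forwarded packet shows up twice (in on ingress, out on egress), so a flow that is only ever seen `in` is a candidate for a drop and worth a follow-up with the flow debug.

```python
"""Summarise 'diag sniffer packet any ... 4 ...' (verbosity level 4) output.

Added example, not part of the wiki page. Assumed line layout:
'<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <rest>'.
"""
import re
from collections import defaultdict

# Constructed sample capture in the assumed level-4 layout.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[!port 22]
1.497436 port1 in 192.168.1.10.51234 -> 10.0.0.5.80: syn 3485689101
1.497512 port2 out 192.168.1.10.51234 -> 10.0.0.5.80: syn 3485689101
1.498901 port2 in 10.0.0.5.80 -> 192.168.1.10.51234: syn 2211 ack 3485689102
1.498955 port1 out 10.0.0.5.80 -> 192.168.1.10.51234: syn 2211 ack 3485689102
2.101200 port1 in 192.168.1.77.40000 -> 10.0.0.9.443: syn 99
2.301200 port1 in 192.168.1.77.40000 -> 10.0.0.9.443: syn 99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


def parse_sniffer(text):
    """Return one dict per packet line; the interfaces=/filters= header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or something we do not understand
        d = m.groupdict()
        d["ts"] = float(d["ts"])
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        packets.append(d)
    return packets


def flow_key(p):
    """Unidirectional flow identity: (src, sport, dst, dport)."""
    return (p["src"], p["sport"], p["dst"], p["dport"])


def unforwarded_flows(packets):
    """Flows seen 'in' on some interface but never 'out' on any interface.

    Returns {flow_key: [ingress interfaces]} for flows that entered the
    firewall but were never forwarded, i.e. likely dropped or locally handled.
    """
    seen_in, seen_out = defaultdict(set), defaultdict(set)
    for p in packets:
        target = seen_in if p["dir"] == "in" else seen_out
        target[flow_key(p)].add(p["iface"])
    return {k: sorted(v) for k, v in seen_in.items() if k not in seen_out}


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE_CAPTURE)
    print(f"{len(pkts)} packets parsed")
    for key, ifaces in unforwarded_flows(pkts).items():
        print("never forwarded:", key, "entered on", ifaces)
```

Feed it the saved output of the sniffer command (after `diag debug disable`) and check the "never forwarded" list before moving on to the flow trace below.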
Packet flow debug - equivalent to FW Monitor in Check Point, to see whether a packet is accepted, forwarded or denied:
diag debug flow show function enable
diag debug flow show console enable
diag debug flow filter addr 10.31.101.22
diag debug flow filter port 80
diag debug enable
diag debug flow trace start 100
diag debug disable
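Flow-trace output is easier to read when grouped per trace_id with the final verdict pulled out. The script below is an added example (not from the wiki page): it assumes the `id=... trace_id=N func=... line=... msg="..."` key=value layout and the verdict wording `Allowed by Policy-<n>` / `Denied by forward policy check (policy <n>)`; the sample trace is constructed.

```python
"""Group 'diag debug flow' trace lines by trace_id and extract the verdict.

Added example, not part of the wiki page. Assumptions: key=value lines with a
quoted msg, 'Allowed by Policy-<n>' and 'Denied by forward policy check
(policy <n>)' verdict wording, and 'find a route: ... via <iface>' for egress.
"""
import re

# Constructed sample trace: trace 1 is forwarded, trace 2 hits the implicit deny.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.31.101.22:54321->10.0.0.5:80) from port1. flag [S], seq 1, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0000abcd"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-10.0.0.1 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.31.101.22:54322->10.0.0.9:80) from port1. flag [S], seq 1, ack 0, win 8192"
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-0000abce"
id=20085 trace_id=2 func=fw_forward_handler line=771 msg="Denied by forward policy check (policy 0)"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PKT_RE = re.compile(r"proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.")
ROUTE_RE = re.compile(r"find a route:.*\bvia (\S+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


def parse_line(line):
    """Split one trace line into a dict; the quoted msg is kept as one value."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def summarize_traces(text):
    """Return {trace_id: summary} with 5-tuple, ingress/egress interface,
    verdict ('allow', 'deny' or 'unknown') and the matching policy id."""
    traces = {}
    for raw in text.splitlines():
        fields = parse_line(raw)
        tid = fields.get("trace_id")
        if tid is None:
            continue  # not a flow trace line
        t = traces.setdefault(tid, {"verdict": "unknown", "policy": None})
        msg = fields.get("msg", "")
        m = PKT_RE.search(msg)
        if m:
            t.update(proto=int(m[1]), src=m[2], sport=int(m[3]),
                     dst=m[4], dport=int(m[5]), ingress=m[6])
        m = ROUTE_RE.search(msg)
        if m:
            t["egress"] = m[1]
        m = ALLOW_RE.search(msg)
        if m:
            t.update(verdict="allow", policy=int(m[1]))
        m = DENY_RE.search(msg)
        if m:
            t.update(verdict="deny", policy=int(m[1]))
    return traces


if __name__ == "__main__":
    for tid, t in summarize_traces(SAMPLE_TRACE).items():
        print(f"trace {tid}: {t.get('src')}:{t.get('sport')} -> "
              f"{t.get('dst')}:{t.get('dport')} in {t.get('ingress')} "
              f"out {t.get('egress', '-')} => {t['verdict']} (policy {t['policy']})")
```

A `deny` with policy 0 is the implicit deny, so the packet matched no explicit rule; a trace with no route line and no verdict usually means the filter caught a packet the device handled locally.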
VPN debug commands:
diag vpn tunnel list
diag vpn ike log filter name <phase1-name>
diag vpn ike log filter src-addr4 <peer>
diag debug application ike -1 (or 255)
diag debug enable
diag vpn tunnel flush <phase1-name>
diag vpn tunnel reset <phase1-name>
diag debug disable
Reset/Clear VPN Tunnels
diag vpn ike restart
diag vpn ike gateway clear
IPS information and bypass mode
diag test application ipsmonitor <number>
1 - display engine information
2 - enable/disable IPS engine
5 - toggle bypass status
99 - restart IPS engines/monitor
Restart IPS engine
diag test application ipsengine 99
Restart WebFilter
diag test application urlfilter 99
Test authentication
diag test auth ldap <server> <username> <password>
diag test auth radius <server> <chap|pap|mschap|mschap2> <username> <password>
Display diagnostic information for the web cache database daemon (wacs).
diag wacs clear
diag wacs recents
diag wacs restart
diag wacs stats
Debug WebUI activity
diag debug cli 8
diag debug enable
Clear configuration (load factory defaults) but retain the network interface configuration
execute factoryreset2
exec reset all-except-ip (FortiManager/FortiAnalyzer)
It is possible to load new firmware without writing it to flash (just to evaluate it): connect to the serial console, set up a TFTP server, boot the unit, interrupt the boot within 3 seconds, then fetch the new firmware from the TFTP server and choose to run it rather than save it.