Advanced FortiGate installation and setup : Quick reference to common diagnose commands
Quick reference to common diagnose commands
FortiOS diagnose commands, commonly called diag commands, are powerful CLI commands that allow you to see what is happening at a low level. You can find more information about diag and get commands in the Troubleshooting chapter of the FortiOS Handbook.
To find out more information about diagnose command options, enter the command followed by a ?, for example, diagnose debug application ?
debug application
Display detailed debugging information for FortiGate software systems. For example:
diagnose debug application ike -1
For debugging IPsec VPN.
diagnose debug application sslvpn -1
For debugging SSL VPN, see “Debugging FortiGate configurations”.
diagnose debug application urlfilter -1
For debugging URL filtering, see “Debugging FortiGate configurations”.
debug flow
Show packet flow through the FortiGate unit. As packets are received you can view debug messages showing how the FortiGate unit processes them. The following commands send the packet-flow debug output for the next 100 packets that match the filter (here, a single IP address) to the console:
diagnose debug enable
diagnose debug flow show console enable
diagnose debug flow filter addr <ip_address>
diagnose debug flow trace start 100
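The trace prints one line per processing step, each carrying the same trace_id for one packet, and the useful information is usually the last message of a trace that ends in a deny or drop. As an added example (not code from the FortiOS Handbook or from Fortinet), the script below groups the trace lines by trace_id, extracts the packet tuple from the "received a packet" line, and lists every traced packet that was denied or dropped together with the message that explains why. The sample output is constructed to resemble the real trace format and the verdict messages are assumed to follow the "Allowed by ..." / "Denied by ..." / "... drop" wording; it was not captured from a unit.

```python
import re
import sys
from collections import defaultdict

# Constructed sample output in the shape of 'diagnose debug flow' trace lines
# (id=... trace_id=... func=... line=... msg="..."). Not captured from a real unit.
SAMPLE_FLOW_OUTPUT = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.0.1.25:51234->203.0.113.10:80) from port1. flag [S], seq 100, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5523 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-198.51.100.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.0.1.26:44010->203.0.113.10:80) from port1. flag [S], seq 200, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5523 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-198.51.100.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=17, 10.0.1.27:40001->203.0.113.10:80) from port1."
id=20085 trace_id=3 func=iprope_in_check line=331 msg="iprope_in_check() check failed on policy 0, drop"
"""

# One trace line: trace_id, the kernel function that logged it, and the quoted message.
TRACE_RE = re.compile(r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$')
# The packet tuple inside the "received a packet(...)" message.
PACKET_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+?)\.')
# Policy verdicts; the two wordings are assumptions based on common trace output.
VERDICT_RE = re.compile(r'\b(Allowed|Denied) by (?:forward policy check \(policy (\d+)\)|Policy-(\d+))')


def parse_flow(text):
    """Group trace lines by trace_id; record the packet tuple, the final verdict and every step."""
    traces = defaultdict(lambda: {"packet": None, "verdict": None, "policy": None, "steps": []})
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue  # prompts, banners, anything that is not a trace line
        entry = traces[int(m["trace"])]
        msg = m["msg"]
        entry["steps"].append((m["func"], msg))
        pkt = PACKET_RE.search(msg)
        if pkt:
            entry["packet"] = {k: (int(v) if k in ("proto", "sport", "dport") else v)
                               for k, v in pkt.groupdict().items()}
        verdict = VERDICT_RE.search(msg)
        if verdict:
            entry["verdict"] = verdict.group(1).lower()          # "allowed" or "denied"
            entry["policy"] = int(verdict.group(2) or verdict.group(3))
        elif msg.rstrip().endswith("drop") or "check failed" in msg:
            entry["verdict"] = "dropped"                          # dropped before a policy decision
    return dict(traces)


def blocked_flows(text):
    """Return (trace_id, 'src:port', 'dst:port', last message) for each denied or dropped packet."""
    out = []
    for tid, entry in sorted(parse_flow(text).items()):
        if entry["verdict"] in ("denied", "dropped") and entry["packet"]:
            p = entry["packet"]
            out.append((tid, f'{p["src"]}:{p["sport"]}', f'{p["dst"]}:{p["dport"]}', entry["steps"][-1][1]))
    return out


if __name__ == "__main__":
    # Paste a saved console capture on stdin, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FLOW_OUTPUT
    for tid, src, dst, reason in blocked_flows(text):
        print(f"trace {tid}: {src} -> {dst}: {reason}")
```

When the trace has delivered its 100 packets, stop it and remove the filter so the unit does not keep writing to the console: diagnose debug flow trace stop, then diagnose debug flow filter clear, then diagnose debug disable.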
debug info
Display information about how debug is currently configured on your FortiGate unit. Run this before doing a series of diag debug commands, so you know what filters are in place. Otherwise, your output may not be what you expected. See “Debugging FortiGate configurations”.
firewall statistic show
Display throughput information for the firewall, broken down by both packets and bytes. Categories include common applications such as DNS, FTP, IM, P2P, and VoIP, and also the lower-level protocols TCP, UDP, ICMP, and IP.
fortitoken drift
Display the drift for each configured FortiToken registered on the FortiGate unit.
hardware certificate
Verify all FortiGate unit certificates. For each certificate the name, test performed and the results are listed.
hardware deviceinfo disk
Display all disks in the FortiGate unit. This includes hard disks, and SSD disks. The information includes partitions, size, type, and available space.
hardware deviceinfo nic eth0
Display information about the network card attached to the interface. The information displayed varies by the type of NIC. It includes the VLAN ID, state, link, speed, and counts for received and transmitted packets and bytes. The MAC address for this NIC is shown as Current_HWaddr and Permanent_HWaddr; this is the only place you can see both the original and the new MAC address when it has been changed.
ips urlfilter status
Display statistics for URL filters. This includes number of requests, responses, pending responses, errors, timeouts, blocked, and allowed.
netlink brctl list
Display the information from the bridging table in the FortiGate unit. This is useful when troubleshooting transparent mode. Once you have the bridge names, you can check their forwarding domain using diag netlink brctl domain <bridge_name>.
sniffer packet any "port 80" 4
Capture packets on any FortiGate interface that are on port 80, commonly used by HTTP. Verbosity level 4 displays packet header information and interface names. You can use this information to test security policies, network connections, or find where missing packets are going. See “Troubleshooting by sniffing packets (packet capture)”.
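Because verbosity 4 prints the interface name and direction for every packet, a capture on "any" lets you pair each packet entering the unit with the copy leaving it on another interface, and a packet with no egress copy is one the unit dropped. As an added example (not code from the FortiOS Handbook or from Fortinet), the script below parses verbosity-4 sniffer lines and reports ingress packets that were never seen leaving within a short window, matching on TCP flags and sequence numbers plus one unchanged endpoint so the pairing survives source or destination NAT. The sample capture is constructed, not taken from a unit, and the line layout it assumes is "timestamp interface in|out src.port -> dst.port: flags".

```python
import re
import sys

# Constructed sample output modelled on 'diagnose sniffer packet any "port 80" 4'.
# Not captured from a real unit. The 10.0.1.26 client's SYNs enter port1 but never leave.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[port 80]
2.347382 port1 in 10.0.1.25.51234 -> 203.0.113.10.80: syn 1234567890
2.347400 wan1 out 198.51.100.2.51234 -> 203.0.113.10.80: syn 1234567890
2.355000 wan1 in 203.0.113.10.80 -> 198.51.100.2.51234: syn 987654321 ack 1234567891
2.355010 port1 out 203.0.113.10.80 -> 10.0.1.25.51234: syn 987654321 ack 1234567891
2.401000 port1 in 10.0.1.26.44010 -> 203.0.113.10.80: syn 2222222222
3.401000 port1 in 10.0.1.26.44010 -> 203.0.113.10.80: syn 2222222222
"""

# One verbosity-4 packet line; hex dump lines and the banner do not match and are skipped.
PACKET_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+'
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<info>.*)$')


def parse_sniffer(text):
    """Return one dict per packet line with typed timestamp and ports."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["ts"] = float(p["ts"])
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        packets.append(p)
    return packets


def unmatched_ingress(text, window=0.5):
    """Ingress packets with no egress copy within `window` seconds.

    An egress copy is an 'out' packet on any interface with the same flags/sequence
    text and either the same source endpoint (destination NAT changed the dst) or the
    same destination endpoint (source NAT changed the src)."""
    packets = parse_sniffer(text)
    egress = [p for p in packets if p["dir"] == "out"]

    def same_endpoint(a, b):
        return ((a["src"], a["sport"]) == (b["src"], b["sport"])
                or (a["dst"], a["dport"]) == (b["dst"], b["dport"]))

    missing = []
    for pkt in (p for p in packets if p["dir"] == "in"):
        seen_leaving = any(pkt["ts"] <= e["ts"] <= pkt["ts"] + window
                           and e["info"] == pkt["info"]
                           and same_endpoint(pkt, e)
                           for e in egress)
        if not seen_leaving:
            missing.append(pkt)
    return missing


if __name__ == "__main__":
    # Paste a saved sniffer capture on stdin, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SNIFFER_OUTPUT
    for p in unmatched_ingress(text):
        print(f'{p["ts"]:.6f} {p["iface"]} in {p["src"]}.{p["sport"]} -> '
              f'{p["dst"]}.{p["dport"]} never left the unit ({p["info"]})')
```

Packets the script reports are the ones to look up with debug flow, filtered on that source address, to see which policy or check dropped them.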
sys session full-stat
Display details about the session table including its size, the sessions in each state, errors, and other statistics.
test log
Generate default log messages. This allows you to test logging features such as remote log server connections. See “Creating a backup log solution”.
test update info
Display information about the update daemon including the last set of messages from the update daemon, the current object versions, the next scheduled updates, and counters for various updates for pass, fail, and retry.
vpn tunnel list
Display all configured IPsec VPN tunnels in the current VDOM. This is useful to compare settings on both ends of a tunnel that is having problems.