Here's a comprehensive list of troubleshooting commands for FortiGate firewalls, grouped by category, to help you quickly diagnose and resolve issues:
General System References:
Show FortiGate Details: Use this command to view the current firewall version, IPS/Virus/App-DB versions, serial number, and other system details.
FG-maattoos# get system status
Check CPU, Memory, and Load Usage: Monitor the system's resource utilization to ensure optimal performance.
FG-maattoos# get system performance status
Check Which Processes Are Using CPU and Memory: Identify the processes consuming the most CPU or memory.
FG-maattoos# diag sys top-all
Show Hardware Acceleration: Verify the hardware acceleration settings of your firewall.
FG-maattoos# get system npu
FG-maattoos# get system np6xlite
Check HA Status: Verify the high availability (HA) status of your FortiGate cluster.
FG-maattoos# get system ha status
FG-maattoos# diagnose sys ha status
Check Session Table: View the session table of the firewall to check the maximum sessions against used sessions.
FG-maattoos# diagnose sys session full-stat
Show Interface Details: Check the NIC-level details of a specific interface (port1 in this example) for issues.
FG-maattoos# diagnose hardware deviceinfo nic port1
Check IP Addresses: View all assigned IP addresses on the firewall.
FG-maattoos# diag ip address list
Show ARP Entries: Display ARP (Address Resolution Protocol) entries on the firewall.
FG-maattoos# get system arp
Get Routing Table: Check the routing table of the firewall.
FG-maattoos# get router info routing-table all
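The resource commands above (get system performance status, diagnose sys session full-stat) produce plain text that is easy to eyeball once but tedious to trend. The following Python is an added example, not code from the original page or from Fortinet: it parses that text and flags CPU, memory and session-table pressure. The two samples are constructed to resemble FortiOS output rather than captured from a real device, the field layout varies slightly between FortiOS releases (hence the loose regexes), the function names are the example's own, and the thresholds are illustrative assumptions rather than Fortinet defaults.

```python
"""Health check over captured FortiGate CLI output (added example, not from the
original page). Parses `get system performance status` and
`diagnose sys session full-stat` text and reports resource pressure."""
import re

# Constructed sample of `get system performance status` (not captured from a real unit).
PERF_SAMPLE = """\
CPU states: 12% user 7% system 0% nice 80% idle 0% iowait 1% irq 0% softirq
CPU0 states: 15% user 9% system 0% nice 75% idle 0% iowait 1% irq 0% softirq
CPU1 states: 9% user 5% system 0% nice 85% idle 0% iowait 1% irq 0% softirq
Memory: 4056456k total, 3497654k used (86.2%), 558802k free (13.8%)
Average network usage: 2048 / 1024 kbps in 1 minute, 1800 / 900 kbps in 10 minutes, 1500 / 700 kbps in 30 minutes
Average sessions: 1200 sessions in 1 minute, 1100 sessions in 10 minutes, 1000 sessions in 30 minutes
Average session setup rate: 40 sessions per second in last 1 minute, 35 sessions per second in last 10 minutes, 30 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 3 total in 1 minute
Uptime: 12 days,  4 hours,  31 minutes
"""

# Constructed sample of `diagnose sys session full-stat` (not captured from a real unit).
SESSION_SAMPLE = """\
session table:  table_size=262144 max_depth=1 used=251000
misc info:      session_count=251000 setup_rate=40 exp_count=0 clash=0
        memory_tension_drop=0 ephemeral=0/32768 removeable=0 extreme_low_mem=0
delete=0, flush=0, dev_down=0/0 ses_walkers=0
TCP sessions:
         18 in NONE state
     240000 in ESTABLISHED state
       2000 in SYN_SENT state
        100 in TIME_WAIT state
"""


def parse_performance(text: str) -> dict:
    """Pull aggregate CPU idle %, memory used % and the 1-minute session figures
    out of `get system performance status` output. Missing fields are simply absent."""
    patterns = {
        "cpu_idle_pct": r"^CPU states:.*?(\d+)% idle",
        "mem_used_pct": r"^Memory:.*?used \((\d+(?:\.\d+)?)%\)",
        "avg_sessions_1m": r"^Average sessions:\s*(\d+) sessions in 1 minute",
        "setup_rate_1m": r"^Average session setup rate:\s*(\d+) sessions per second in last 1 minute",
    }
    fields = {}
    for key, pat in patterns.items():
        m = re.search(pat, text, re.MULTILINE)
        if m:
            fields[key] = float(m.group(1))
    return fields


def parse_session_stat(text: str) -> dict:
    """Pull the key=value counters out of `diagnose sys session full-stat` output."""
    fields = {}
    for key in ("table_size", "session_count", "setup_rate", "clash"):
        m = re.search(rf"\b{key}=(\d+)", text)
        if m:
            fields[key] = int(m.group(1))
    return fields


def check_health(perf: dict, sess: dict, cpu_busy_max: float = 80.0,
                 mem_max: float = 80.0, table_max: float = 90.0) -> list:
    """Return human-readable findings; an empty list means nothing to worry about.
    The threshold defaults are illustrative assumptions, not Fortinet's own limits."""
    findings = []
    if "cpu_idle_pct" in perf:
        busy = 100.0 - perf["cpu_idle_pct"]
        if busy > cpu_busy_max:
            findings.append(f"CPU {busy:.0f}% busy (limit {cpu_busy_max:.0f}%): "
                            "run 'diag sys top-all' to find the consumer")
    if perf.get("mem_used_pct", 0.0) > mem_max:
        findings.append(f"memory {perf['mem_used_pct']:.1f}% used (limit {mem_max:.0f}%): "
                        "unit is approaching conserve mode")
    if sess.get("table_size"):
        util = 100.0 * sess.get("session_count", 0) / sess["table_size"]
        if util > table_max:
            findings.append(f"session table {util:.1f}% full "
                            f"({sess['session_count']}/{sess['table_size']})")
    if sess.get("clash", 0) > 0:
        findings.append(f"{sess['clash']} session clashes reported")
    return findings


def run_sample() -> list:
    """Run the check over the constructed samples."""
    return check_health(parse_performance(PERF_SAMPLE), parse_session_stat(SESSION_SAMPLE))


if __name__ == "__main__":
    for line in run_sample() or ["no resource concerns"]:
        print(line)
```

Feed it the text of the two commands captured over SSH or from a console log; on the constructed samples it reports the memory and session-table pressure and stays quiet about CPU, which is the behaviour you want from a check that runs on a schedule.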
FortiGate VPN Troubleshoot Guide:
Get VPN Tunnel List: View a list of active VPN tunnels.
FG-maattoos# diagnose vpn tunnel list
Enable VPN Debugging for a Specific VPN: Debug and troubleshoot a specific VPN tunnel. Replace <VPN-name> with the phase 1 name; the last command brings up a tunnel by its phase 2 and phase 1 names.
FG-maattoos# diagnose debug enable
FG-maattoos# diagnose debug console timestamp enable
FG-maattoos# diagnose vpn ike log filter name <VPN-name>
FG-maattoos# diagnose debug application ike -1
FG-maattoos# diagnose vpn tunnel up <phase2-name> <phase1-name>
Disable Debugging When Done: Turn IKE debugging off and clear the filters after collecting the output, otherwise the debug keeps running.
FG-maattoos# diagnose debug disable
FG-maattoos# diagnose debug reset
Authentication Debugging:
RADIUS: Test RADIUS connectivity directly by server address and shared secret, or test a user login against a configured RADIUS server with the chosen authentication protocol.
FG-maattoos# diagnose test authserver radius-direct <RADIUS_IP> <RADIUS_PORT> <RADIUS_SECRET>
FG-maattoos# diagnose test authserver radius <RADIUS_NAME> <chap|pap|mschap|mschap2> <username> <password>
FSSO: Debug FSSO (Fortinet Single Sign-On) authentication.
FG-maattoos# diag debug authd fsso summary
FG-maattoos# diag debug enable
FG-maattoos# diag debug authd fsso list
FG-maattoos# diag debug authd fsso server-status
Restart FortiGate Daemons:
Restart IPS Monitor Daemon: Restart the IPS (Intrusion Prevention System) monitor daemon.
FG-maattoos# diag test application ipsmonitor 99
Packet Sniffing and Flow Monitor:
Sniffing Traffic: Capture network traffic for troubleshooting. The arguments after the filter are the verbosity level (6 prints headers, interface names and packet payload), the packet count (0 = capture until interrupted with Ctrl+C) and the timestamp format (a = absolute UTC time).
FG-maattoos# diag sniffer packet any '<filter>' 6 0 a
Session Flows: Monitor and analyze how the firewall handles matching packets (route lookup, policy match, NAT). Filter the traffic of interest (for example, addr <ip>), then trace up to 100 matching packets.
FG-maattoos# diag debug enable
FG-maattoos# diag debug flow filter <filter>
FG-maattoos# diag debug flow trace start 100
Stop the trace, clear the filter and disable debugging when finished:
FG-maattoos# diag debug flow trace stop
FG-maattoos# diag debug flow filter clear
FG-maattoos# diag debug disable
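A flow trace of 100 packets is several hundred lines, and the answer you need is usually one line per packet: which policy allowed or denied it, or why it was dropped before policy lookup. The Python below is an added example, not code from the original page or from Fortinet: it groups flow-debug lines by trace_id and extracts the 5-tuple, the chosen egress interface and the verdict. The sample lines are constructed to resemble FortiOS flow output rather than captured from a real unit; message wording differs between FortiOS versions, so the verdict matching is deliberately narrow and anything unrecognised is reported as "unknown". The function names are the example's own.

```python
"""Summarise `diagnose debug flow trace` output per traced packet (added example,
not from the original page)."""
import re
from collections import OrderedDict

# Constructed sample of flow debug output (not captured from a real unit).
FLOW_SAMPLE = """\
id=20085 trace_id=7 func=print_pkt_detail line=5852 msg="vd-root:0 received a packet(proto=6, 10.10.1.20:51234->203.0.113.10:443) tun_id=0.0.0.0 from port1. flag [S], seq 123456789, ack 0, win 64240"
id=20085 trace_id=7 func=init_ip_session_common line=6030 msg="allocate a new session-0000a1b2, tun_id=0.0.0.0"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-198.51.100.1 via port2"
id=20085 trace_id=7 func=fw_forward_handler line=858 msg="Allowed by Policy-12: SNAT"
id=20085 trace_id=7 func=__ip_session_run_tuple line=3484 msg="SNAT 10.10.1.20->198.51.100.2:51234"
id=20085 trace_id=8 func=print_pkt_detail line=5852 msg="vd-root:0 received a packet(proto=17, 10.10.1.33:40000->192.0.2.5:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=8 func=init_ip_session_common line=6030 msg="allocate a new session-0000a1b3, tun_id=0.0.0.0"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-198.51.100.1 via port2"
id=20085 trace_id=8 func=fw_forward_handler line=836 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=9 func=print_pkt_detail line=5852 msg="vd-root:0 received a packet(proto=6, 10.10.1.50:50000->10.20.0.7:445) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=9 func=init_ip_session_common line=6030 msg="allocate a new session-0000a1b4, tun_id=0.0.0.0"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2605 msg="reverse path check fail, drop"
"""

FLOW_LINE = re.compile(r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"$')
PKT = re.compile(r"received a packet\(proto=(?P<proto>\d+), "
                 r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)")
ROUTE = re.compile(r"find a route: .* via (\S+)")
ALLOW = re.compile(r"Allowed by Policy-(\d+)")
# Policy 0 in this message is the implicit deny at the bottom of the policy table.
DENY = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


def parse_flow_trace(text: str) -> list:
    """Return one dict per trace_id, in first-seen order, with the 5-tuple,
    egress interface ('route'), verdict and policy id where the trace shows them."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = FLOW_LINE.search(raw.strip())
        if not m:
            continue  # console noise or a line in a format we do not understand
        t = traces.setdefault(m["trace"], {
            "trace_id": int(m["trace"]), "proto": None, "src": None, "dst": None,
            "route": None, "verdict": "unknown", "policy": None, "funcs": [],
        })
        t["funcs"].append(m["func"])
        msg = m["msg"]
        if (p := PKT.search(msg)):
            t["proto"] = int(p["proto"])
            t["src"] = f"{p['src']}:{p['sport']}"
            t["dst"] = f"{p['dst']}:{p['dport']}"
        if (r := ROUTE.search(msg)):
            t["route"] = r.group(1)
        if (a := ALLOW.search(msg)):
            t["verdict"], t["policy"] = "allowed", int(a.group(1))
        elif (d := DENY.search(msg)):
            t["verdict"], t["policy"] = "denied", int(d.group(1))
        elif "reverse path check fail" in msg:
            t["verdict"] = "dropped:rpf"  # dropped before any policy lookup
    return list(traces.values())


def not_allowed(traces: list) -> list:
    """The traces worth reading in full: everything that was not allowed by a policy."""
    return [t for t in traces if t["verdict"] != "allowed"]


def summarize(text: str) -> list:
    """One line per traced packet, suitable for a quick scan of a long trace."""
    lines = []
    for t in parse_flow_trace(text):
        policy = f" policy={t['policy']}" if t["policy"] is not None else ""
        lines.append(f"trace {t['trace_id']}: proto={t['proto']} {t['src']} -> {t['dst']} "
                     f"via {t['route']} verdict={t['verdict']}{policy}")
    return lines


if __name__ == "__main__":
    for line in summarize(FLOW_SAMPLE):
        print(line)
```

Paste the captured trace into FLOW_SAMPLE's place (or read it from a file) and look at the not_allowed() entries first: a denied verdict with policy 0 means no policy matched at all, while an rpf drop means the packet arrived on an interface the routing table does not expect for its source, which is a routing or asymmetric-path problem rather than a policy problem.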
Use these commands carefully and refer to Fortinet documentation for more detailed information. Happy troubleshooting!