Troubleshooting Guide for FortiGate Firewalls

Here's a comprehensive list of troubleshooting commands for FortiGate firewalls, grouped by category, to help you quickly diagnose and resolve issues:

General System References:

Show FortiGate Details: Use this command to view the current firewall version, IPS/Virus/App-DB versions, serial number, and other system details.

FG-maattoos# get system status


Check CPU, Memory, and Load Usage: Monitor the system's resource utilization to ensure optimal performance.

FG-maattoos# get system performance status


Check Which Processes Are Using CPU and Memory: Identify the processes consuming the most CPU or memory.

FG-maattoos# diag sys top-all


Show Hardware Acceleration: Verify the hardware acceleration settings of your firewall.

FG-maattoos# get system npu

FG-maattoos# get system np6xlite


Check HA Status: Verify the high availability (HA) status of your FortiGate cluster.

FG-maattoos# get system ha status

FG-maattoos# diagnose sys ha status


Check Session Table: View the session table of the firewall to check the maximum sessions against used sessions.

FG-maattoos# diagnose sys session full-stat


Show Interface Details: Check the hardware, driver, link and counter information of a specific interface (port1 in this example).

FG-maattoos# diagnose hardware deviceinfo nic port1


Check IP Addresses: View all assigned IP addresses on the firewall.

FG-maattoos# diag ip address list


Show ARP Entries: Display ARP (Address Resolution Protocol) entries on the firewall.

FG-maattoos# get system arp


Get Routing Table: Check the routing table of the firewall.

FG-maattoos# get router info routing-table all


FortiGate VPN Troubleshoot Guide:

Get VPN Tunnel List: View a list of active VPN tunnels.

FG-maattoos# diagnose vpn tunnel list


Enable VPN Debugging for a Specific VPN: Debug and troubleshoot specific VPN tunnels.

diagnose debug enable

diagnose debug console timestamp enable

diagnose vpn ike log filter name <VPN-name>

diagnose debug application ike -1

diag vpn tunnel up <phase2-name> <phase1-name>


Authentication Debugging:

RADIUS: Test RADIUS authentication and connectivity.

#diagnose test authserver radius-direct <RADIUS_IP> <RADIUS_PORT> <RADIUS_PASSWORD>

#diagnose test authserver radius <RADIUS_NAME> <chap|pap|mschap|mschap2> <username> <password>


FSSO: Debug FSSO (Fortinet Single Sign-On) authentication.

#diag debug authd fsso summary

#diag debug enable

#diag debug authd fsso list

#diag debug authd fsso server-status


Restart FortiGate Daemons:

Restart IPS Monitor Daemon: Restart the IPS (Intrusion Prevention System) monitor daemon.

FG-maattoos# diag test application ipsmonitor 99


Packet Sniffing and Flow Monitor:

Sniffing Traffic: Capture and analyze network traffic for troubleshooting purposes. The arguments are the interface (any = all interfaces), a quoted filter expression, the verbosity level (6 prints headers and payload with the interface name), the packet count (0 = capture until stopped with Ctrl-C) and the timestamp format (a = absolute UTC).

#diag sniffer packet any <'filter'> 6 0 a
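As an added example (not part of the original post), a small Python converter that turns the output of the sniffer command above, run at verbosity 6 with the a timestamp option, into a pcap file that Wireshark can open. The embedded sample capture is constructed, and the header-line layout is assumed from the usual CLI output format.

```python
import re
import struct
from datetime import datetime, timezone

# Header line as printed at verbosity 6 with the 'a' (absolute UTC) timestamp option;
# verbosity 3 omits the interface name and direction, so that part is optional.
HDR_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
                    r"(?:(\S+) (in|out) )?(\S+) -> (\S+): (.*)$")
# Hex-dump line: offset, up to eight 16-bit groups, then the ASCII column.
HEX_RE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{2,4}[ \t]?){1,8})")

def parse_sniffer(text):
    """Parse sniffer output into dicts holding ts, ifname, dir, summary and raw bytes."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            cur = {"ts": ts.replace(tzinfo=timezone.utc), "ifname": m.group(2), "dir": m.group(3),
                   "summary": f"{m.group(4)} -> {m.group(5)}: {m.group(6)}", "data": bytearray()}
            packets.append(cur)
            continue
        m = HEX_RE.match(line)
        if m and cur is not None:  # hex rows belong to the most recent header line
            cur["data"] += bytes.fromhex(re.sub(r"\s", "", m.group(1)))
    return packets

def to_pcap(packets):
    """Serialise parsed packets as a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in packets:
        n = len(p["data"])
        out += struct.pack("<IIII", int(p["ts"].timestamp()), p["ts"].microsecond, n, n)
        out += bytes(p["data"])
    return out

# Constructed sample output (two packets, not a real capture), in the layout the CLI prints.
SAMPLE = """\
2024-05-01 10:15:30.123456 port1 in 10.0.0.5.40000 -> 10.0.0.1.443: syn 1001
0x0000\t 0050 5685 3b19 0050 5685 2f8d 0800 4500\t.PV.;..PV./...E.
0x0010\t 0028 1c46 4000 4006 0000 0a00 0005 0a00\t.(.F@.@.........
0x0020\t 0001 9c40 01bb 0000 03e9 0000 0000 5002\t...@............P.
0x0030\t faf0 0000 0000\t......
2024-05-01 10:15:30.223456 port1 out 10.0.0.5.54321 -> 8.8.8.8.53: udp 10
0x0000\t 0050 5685 2f8d 0050 5685 3b19 0800 4500\t.PV./..PV.;...E.
0x0010\t 001e 0001 0000 4011 0000 0a00 0005 0808\t......@.........
0x0020\t 0808 d431 0035 000a 0000 abcd\t...1.5......
2 packets received by filter
"""
PCAP_BYTES = to_pcap(parse_sniffer(SAMPLE))  # write these bytes to a .pcap file
```

Lines that are neither a packet header nor a hex row (filter banner, packet counts) are ignored, so the raw console paste can be fed in unchanged.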


Session Flows: Trace how the firewall handles individual sessions (routing, policy match, NAT). The filter narrows the trace, for example to a single address with "addr <ip>", and the trailing number is how many packets to trace.

#diag debug enable

#diag debug flow filter <filter>

#diag debug flow trace start 100


Use these commands carefully and refer to Fortinet documentation for more detailed information. Debug output is verbose and adds CPU load on a busy unit, so disable it when you are done (diagnose debug disable, then diagnose debug reset to clear the filters). Happy troubleshooting!
