
09/01/13

Fortigate troubleshooting commands itsecworks


Fortigate troubleshooting commands


Posted on July 18, 2011
itsecworks.wordpress.com/2011/07/18/fortigate-basic-troubleshooting-commands/

With my requirements for any networking layer 3 device I collected the basic commands that you have to know, or you will not be able to manage your FortiGate. Okay, okay, this is bullshit, I just updated this page since it is the number one post on my site.. :-)

1.0 Check the basic settings and firewall states
    Check the system status
    Check the hardware performance
    Check the High Availability state
    Check the session table of the firewall
2.0 Check the interface settings
    Check the state, speed, duplexity and IP of the interfaces
    Check the ARP Table
3.0 Check the Routing Table
    Check the matching route
4.0 VPN Troubleshooting
    Change the tunnel state
    Check the tunnel state
    Check packet counters for the tunnel
5.0 sniffertrace
6.0 View logging on cli
    Configure logging
    Viewing the logs
7.0 Backup and Restore

1.0 Check the basic settings and firewall states

Check the system status


to see the actual software version, operational mode, HA, etc. and the system time:

myfirewall1 # get sys status
Version: Fortigate-50B v4.0,build0535,120511 (MR3 Patch 7)
Virus-DB: 14.00000(2011-08-24 17:17)
Extended DB: 14.00000(2011-08-24 17:09)
IPS-DB: 3.00150(2012-02-15 23:15)
FortiClient application signature package: 1.529(2012-10-09 10:00)
Serial-Number: FGT50B1234567890
BIOS version: 04000010
Log hard disk: Not available
Hostname: myfirewall1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 234
Release Version Information: MR3 Patch 7
System time: Thu Nov 15 13:12:30 2012

to see what the firewall has seen so far, the traffic mix:


myfirewall1 # get system performance firewall statistics
getting traffic statistics...
Browsing: 544083 packets, 80679942 bytes
DNS: 19333 packets, 2400831 bytes
E-Mail: 52 packets, 3132 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 0 packets, 0 bytes
VoIP: 0 packets, 0 bytes
Generic TCP: 13460 packets, 1301879 bytes
Generic UDP: 7056 packets, 647156 bytes
Generic ICMP: 172 packets, 11804 bytes
Generic IP: 26 packets, 832 bytes

Check the hardware performance


to see what is the state of the cpu and the uptime:

myfirewall1 # get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
CPU0 states: 0% user 0% system 0% nice 100% idle
Memory states: 48% used
Average network usage: 1 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30
Average sessions: 0 sessions in 1 minute, 0 sessions in 10 minutes, 0 sessions
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 24 days, 11 hours, 25 minutes

to see the high cpu eaters, in case of high cpu usage:


myfirewall1 # get system performance top
Run Time: 24 days, 11 hours and 26 minutes
0U, 0S, 100I; 249T, 119F, 60KF
init               1   S    0.0   4.5
cmdbsvr           23   S    0.0   6.8
zebos_launcher    27   S    0.0   4.7
uploadd           28   S    0.0   4.6
miglogd           29   S    0.0   5.9
miglogd           30   S    0.0   4.6
httpsd            31   S    0.0   7.0
nsm               32   S    0.0   1.1
ripd              33   S    0.0   0.9
ripngd            34   S    0.0   0.9
ospfd             35   S    0.0   0.9
proxyd            36   S    0.0   4.6
wad_diskd         37   S    0.0   4.6
scanunitd         38   S<   0.0   4.9
ospf6d            39   S    0.0   0.9
bgpd              40   S    0.0   1.0
isisd             41   S    0.0   0.9
proxyacceptor     42   S    0.0   0.7
proxyworker       43   S    0.0   1.8
getty             44   S<   0.0   4.6

Check the High Availability state


to get the High Availability state info with the get command:

myfirewall1 # get sys ha status
Model: 311
Mode: a-p
Group: 0
Debug: 0
ses_pickup: enable
Master:254 myfirewall1 FG311B1111111111 0
Slave :128 myfirewall2 FG311B1111111112 1
number of vcluster: 1
vcluster 1: work 10.0.0.1
Master:0 FG311B1111111111
Slave :1 FG311B1111111112

with the show command the configuration (it is worth using show full-configuration to see all the default settings):

In the example I set the following: the heartbeat goes on port5, with backup on port6; stateful failover (session pickup) is enabled; the HA priority for this cluster unit (the FortiGate has a default setting for priority, so there will be only one master even if you do not set it on the cluster members. This is cool.); and the monitored ports: port4, port5, port6.

myfirewall1 # show full-configuration system ha
config system ha
    set group-id 0
    set group-name "FGTHA"
    set mode a-p
    set password ENC
    set hbdev "port5" 20 "port6" 10
    set route-ttl 10
    set route-wait 0
    set route-hold 10
    set sync-config enable
    set encryption disable
    set authentication disable
    set hb-interval 2
    set hb-lost-threshold 6
    set helo-holddown 20
    set arps 5
    set arps-interval 8
    set session-pickup enable
    set link-failed-signal disable
    set uninterruptable-upgrade enable
    set vcluster2 disable
    set override enable
    set priority 254
    set monitor "port4" "port5" "port6"
    unset pingserver-monitor-interface
    set pingserver-failover-threshold 0
    set pingserver-flip-timeout 60
end

with the diagnose command the state again:


myfirewall1 # diagnose sys ha status
HA information
Statistics
        traffic.local = s:2096712 p:2541238162 b:1972123729708
        traffic.total = s:9497465 p:2541238496 b:1972123977459
        activity.fdb  = c:0 q:0
Model=311, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1
HA group member information: is_manage_master=1.
FG311B1111111111, 0. Master:254 myfirewall1
FG311B1111111112, 1. Slave :128 myfirewall2
vcluster 1, state=work, master_ip=10.0.0.1, master_id=0:
FG311B1111111111, 0. Master:254 myfirewall1 (prio=0, rev=0)
FG311B1111111112, 1. Slave :128 myfirewall2 (prio=1, rev=1)

The secondary cluster unit is off:

myfirewall1 # diagnose sys ha status
HA information
Statistics
        traffic.local = s:286117 p:7759897825 b:3064522035872
        traffic.total = s:205341071 p:7759897825 b:3064522035872
        activity.fdb  = c:0 q:0
Model=300, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1
HA group member information: is_manage_master=1.
FG300A3907506630, 0. Master:254 myfirewall1
vcluster 1, state=work, master_ip=10.0.0.1, master_id=0:
FG300A3907506630, 0. Master:254 myfirewall1 (prio=0, rev=0)

Check the session table of the firewall


the values from the session table of the firewall (the max against the used):


myfirewall1 # diag sys session full-stat
session table:  table_size=65536 max_depth=1 used=2
expect session table:   table_size=1024 max_depth=0 used=0
misc info:      session_count=1 setup_rate=0 exp_count=0 clash=0
        memory_tension_drop=0 ephemeral=0/16368 removeable=0 ha_scan=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
        1 in ESTABLISHED state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000000
tcp reset stat:
        syncqf=0 acceptqf=0 no-listener=11025 data=0 ses=0 ips=0

Check the sessions

The following list has only one session, which may be a DNS request from 192.168.227.97 to the DNS server 65.39.139.53. Do not use this command on a live system with a lot of traffic: it lists all sessions, and that makes no sense.

myfirewall # diag sys session list
session info: proto=17 proto_state=01 duration=2214 expire=123 timeout=0 flags
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=28310
policy_dir=0 tunnel=/
state=local
statistic(bytes/packets/allow_err): org=5095/76/1 reply=8757/75/1 tuples=2
orgin->sink: org out->post, reply pre->in dev=10->12/12->10 gwy=0.0.0.0/192.16
hook=out dir=org act=noop 192.168.227.97:54223->65.39.139.53:53(0.0.0.0:0)
hook=in dir=reply act=noop 65.39.139.53:53->192.168.227.97:54223(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0047c5b4 tos=ff/f dd_type=0 dd_rule_id=0
total session 7

You can filter for the session that you are looking for (example):

myfirewall1 # diagnose sys session filter src 192.168.227.129
myfirewall1 # diag sys session list

2.0 Check the interface settings

Check the state, speed, duplexity and IP of the interfaces


myfirewall1 # get system interface physical
==[onboard]
==[internal]
        mode: static
        ip: 192.168.224.65 255.255.255.224
        ipv6: ::/0
        status: up
        speed: 100Mbps (Duplex: full)
==[wan1]
        mode: static
        ip: 3.3.3.3 255.255.254.0
        ipv6: ::/0
        status: up
        speed: 100Mbps (Duplex: full)
==[wan2]
        mode: static
        ip: 0.0.0.0 0.0.0.0
        ipv6: ::/0
        status: down
        speed: n/a
==[modem]
        mode: pppoe
        ip: 0.0.0.0 0.0.0.0
        ipv6: ::/0
        status: down
        speed: n/a

Check the MAC and the state of the interfaces. The name of the interface in the example below is internal.

Here you can see the following in the output:
- Interface name
- MAC
- Link state
- Speed
- Duplex
- MTU
- Packet and byte counters
- Errors

myfirewall1 # diagnose hardware deviceinfo nic internal
Description          ip175c vdev
Part_Number          N/A
Driver_Name          ip175c
Driver_Version       1.01
System_Device_Name   internal
Current_HWaddr       00:09:0f:d6:c0:ac
Permanent_HWaddr     00:09:0f:d6:c0:ac
Link                 up
Speed                100
Duplex               full
State                up(0x00001003)
Port_no              1
Port_Bits            0x7
Link_Bits            0x1
MTU_Size             1500
Rx_Packets           694
Tx_Packets           4
Rx_Bytes             80348
Tx_Bytes             214
Rx_Errors            0
Tx_Errors            0
Rx_Dropped           0
Tx_Dropped           0
Multicast            0
Collisions           0
Rx_Length_Errors     0
Rx_Over_Errors       0
Rx_CRC_Errors        0
Rx_Frame_Errors      0
Rx_FIFO_Errors       0
Rx_Missed_Errors     0
Tx_Aborted_Errors    0
Tx_Carrier_Errors    0
Tx_FIFO_Errors       0
Tx_Heartbeat_Errors  0
Tx_Window_Errors     0

Check the ARP Table


This contains the permanent and the dynamic ARP entries:

myfirewall1 # get system arp
Address           Age(min)   Hardware Addr       Interface
4.4.4.66          0          00:08:da:52:33:b6   port4
4.4.4.74          16         00:21:9b:94:38:44   port2
4.4.4.131         0          00:00:0c:07:ac:23   port6
4.4.4.150         1          00:09:0f:09:01:3b   port6
4.4.3.3           0          02:00:5e:47:c1:a3   port5

3.0 Check the Routing Table


In this example we route everything through a vpn tunnel, called fortigw-311b:

myfirewall1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter are
       * - candidate default

S*      0.0.0.0/0 [5/0] is directly connected, fortigw-311b
S       10.0.0.0/8 [10/0] via 3.3.3.1, wan1
C       3.3.3.0/23 is directly connected, wan1
S       4.4.3.48/32 [10/0] via 3.3.3.1, wan1
S       4.4.3.66/32 [10/0] via 3.3.3.1, wan1, [0/50]
C       192.168.223.17/32 is directly connected, gre1
C       192.168.223.18/32 is directly connected, gre1
C       192.168.224.64/27 is directly connected, internal

Check the matching route



Are you looking for a specific route in a big routing table? No problem, use the details keyword:

myfirewall1 # get router info routing-table details 10.20.100.10
Routing entry for 10.0.0.0/8
  Known via "static", distance 10, metric 0, best
  * 3.3.3.1, via wan1

4.0 VPN Troubleshooting


The most significant thing for a VPN is the time on the devices. To check the time use the following command:

myfirewall1 # get sys status
Version: Fortigate-50B v4.0,build0632,120705 (MR3 Patch 8)
Virus-DB: 14.00000(2011-08-24 17:17)
Extended DB: 14.00000(2011-08-24 17:09)
IPS-DB: 3.00150(2012-02-15 23:15)
FortiClient application signature package: 1.131(2012-07-05 20:54)
Serial-Number: FGT50B1234567891
BIOS version: 04000010
Log hard disk: Not available
Hostname: myfirewall1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 632
Release Version Information: MR3 Patch 8
System time: Fri Nov 16 17:31:03 2012

Change the tunnel state


Bring up a vpn tunnel manually. No traffic required.


myfirewall # diag vpn tunnel up phase2-name phase1-name

Shut down a vpn tunnel manually.

myfirewall # diag vpn tunnel down phase2-name phase1-name

Check the tunnel state


If there is no SA, the tunnel is down and does not work, so to see whether a tunnel is up we check whether any SA exists for it, using the diagnose vpn tunnel list name or diagnose vpn tunnel dumpsa command.

Tunnel state is down

The tunnel does not exist if there is no output from the commands below:

myfirewall1 # diagnose vpn tunnel list name myphase1
list ipsec tunnel by names in vd 0

with the dumpsa command:

myfirewall1 # diag vpn tunnel dumpsa

The output of the command below shows zero sa (no security association):

myfirewall3 # diagnose vpn tunnel stat
dev=1 tunnel=0 proxyid=1 sa=0 conc=0 up=0

Tunnel state is up

Information from the output of the command below:
- vpn peers
- encrypted traffic (source and destination)
- traffic counters for encrypted traffic
- SPI for encrypt and decrypt
- Encryption method

In the following output the second tunnel with the name fortigw-311b-wlan-ph2 is down.

myfirewall # diagnose vpn tunnel list name fortigw-311b
list ipsec tunnel by names in vd 0
name=fortigw-311b ver=1 serial=1 2.2.2.2:0->1.1.1.1:0 lgwy=dyn tun=intf mode=a
proxyid_num=2 child_num=0 refcnt=8 ilast=2 olast=2
stat: rxp=525048 txp=538908 rxb=276286832 txb=115110327
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=671422
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=fortigw-311b-ph2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 192.168.10.0/255.255.255.255:0
  dst: 0.0.0.0/0.0.0.0:0
  SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=1333 replaywin=102
  life: type=01 bytes=0/0 timeout=1750/1800
  dec: spi=5bafd6aa esp=3des key=24 8e4c7e9d5916fd00fc6f3fe4e7b35c40431735162c
       ah=sha1 key=20 2462eaec73cbfc473c9cc59c0b39d976dca8b15f
  enc: spi=2a05ad80 esp=3des key=24 83f2a4476675a7e810bb467ba0675222e6ad9f5db3
       ah=sha1 key=20 3fdd10286ff936c3608879315bc3958d8112994e
proxyid=fortigw-311b-wlan-ph2 proto=0 sa=0 ref=1 auto_negotiate=0 serial=2
  src: 192.168.20.0/255.255.255.0:0
  dst: 0.0.0.0/0.0.0.0:0

In the following output the second tunnel with the name MyIPSecTunnnel is up.

myfirewall1 # diagnose vpn tunnel list name "MyIPSecTunnnel"
list ipsec tunnel by names in vd 0
name=MyIPSecTunnnel ver=1 serial=1 3.3.3.3:0->4.4.3.48:0 lgwy=dyn tun=intf mod
proxyid_num=1 child_num=0 refcnt=11 ilast=0 olast=0
stat: rxp=196 txp=335 rxb=57600 txb=28419
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=352
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=MyIPSecTunnnel-ph2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 0:192.168.224.64/255.255.255.224:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=1657 replaywin=102
  life: type=01 bytes=0/0 timeout=1748/1800
  dec: spi=be8d94f1 esp=3des key=24 b7d4a72d2c79e1846d54133c4a198085cf22b6c500
       ah=sha1 key=20 0a6b3691b7a887d67b694935b813c7a0339e37d8
  enc: spi=9cc4bfdc esp=3des key=24 d77616bc3455f8acee018d5b9b572cbd087da9ff98
       ah=sha1 key=20 702f1d1572180f186fb169fef50d64f057281e7b

In this output both tunnels are up:



myfirewall1 # diag vpn tunnel dumpsa
vf=0 tun=fortigw-311b
proxyid=fortigw-311b-wlan-ph2 proto=0
  src: 192.168.20.0/255.255.255.0:0
  dst: 0.0.0.0/0.0.0.0:0
  life: type=01 bytes=0/0 timeout=1750/1800
  dec: spi=5bafd6ac esp=3des key=24 944c6e0a4e52d578ce4a3f78f6066eae53ade0bf3a
       ah=sha1 key=20 9c0ad72b08bf479e81d9109ac0f7f721c7040b46
  enc: spi=2a05ad97 esp=3des key=24 5c8141c750de92321c171b44c5473d82fbac47ae46
       ah=sha1 key=20 0724b6b197c0cd157aced122bb6482d2d665e1b2
vf=0 tun=fortigw-311b
proxyid=fortigw-311b-ph2 proto=0
  src: 192.168.10.0/255.255.255.0:0
  dst: 0.0.0.0/0.0.0.0:0
  life: type=01 bytes=0/0 timeout=1753/1800
  dec: spi=5bafd6ab esp=3des key=24 506055a1caf78cc42d645a94b226f37375eac8bb61
       ah=sha1 key=20 535c1f8ef20e8b7b6d011fdecfa955cef2085995
  enc: spi=2a05ad95 esp=3des key=24 1d710d27da29b773abdf3568200d3b4a2688fbc1fa
       ah=sha1 key=20 1d7d6b36084c715e8546369b621effaca60a5ee4

with the diagnose command:

myfirewall1 # diagnose vpn tunnel stat
dev=1 tunnel=0 proxyid=1 sa=1 conc=0 up=1

Check packet counters for the tunnel


To see whether encryption and decryption of the packets works, run diagnose vpn ipsec status or diagnose vpn tunnel list two or more times and compare the values. On the second and third outputs the counters should show larger numbers.


myfirewall1 # diagnose vpn ipsec status
All ipsec crypto devices in use:
CP6
        null:        0        0
        des:         0        0
        3des:      335      196
        aes:         0        0
        null:        0        0
        md5:         0        0
        sha1:      335      196
        sha256:      0        0
        sha384:      0        0
        sha512:      0        0
SOFTWARE:
        null:        0        0
        des:         0        0
        3des:        0        0
        aes:         0        0
        null:        0        0
        md5:         0        0
        sha1:        0        0
        sha256:      0        0
        sha384:      0        0
        sha512:      0        0

In the following output the firewall has 3 active vpn peers.


myfirewall1 # diag vpn tunnel list
list all ipsec tunnel in vd 0
name=sohofw1 1.1.1.1:0->3.3.3.3:0 lgwy=dyn tun=intf mode=auto bound_if=7
proxyid_num=1 child_num=0 refcnt=5 ilast=4 olast=1
stat: rxp=1806451 txp=1447091 rxb=234325504 txb=499316955
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=3908556
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=sohofw1-p2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 0.0.0.0/0.0.0.0:0
  dst: 192.168.40.0/255.255.255.0:0
  SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=366 replaywin=1024
  life: type=01 bytes=0/0 timeout=1774/1800
  dec: spi=2a02fcf2 esp=3des key=24 b3f265d52c68528f65e622ecda7500049d8dc4c3f4
       ah=sha1 key=20 846e4236a70d610c3848d8451d1423aa7a7a9b48
  enc: spi=bb50f13d esp=3des key=24 bb24fc093724e057e0de454f0be53554adcf8fb158
       ah=sha1 key=20 fdc777b8c11194e8245add02fbf402e4cac779fc
name=sohofw2 1.1.1.1:0->4.4.4.4:0 lgwy=dyn tun=intf mode=auto bound_if=7
proxyid_num=1 child_num=0 refcnt=5 ilast=4 olast=4
stat: rxp=17110169 txp=18532534 rxb=5951742192 txb=15247163397
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=3450372
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=sohofw2-p2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 0.0.0.0/0.0.0.0:0
  dst: 192.168.30.0/255.255.255.0:0
  SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=576 replaywin=1024
  life: type=01 bytes=0/0 timeout=1774/1800
  dec: spi=2a02fcf3 esp=3des key=24 44b0afaf4fcbf8dbff067e1d75fc7222387efb4f43
       ah=sha1 key=20 333e13671885e08177ea06df5ed88a941d60998c
  enc: spi=e5e804dc esp=3des key=24 f1bdc039431716a33761879a5b9ac0aca181ced2b3
       ah=sha1 key=20 57a12c61b17f3431b1f8895045558ad408f7d356
name=sohofw3 1.1.1.1:0->5.5.5.5:0 lgwy=dyn tun=intf mode=auto bound_if=7
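As an added example (not code from the original post), a small Python parser for the diagnose vpn tunnel list output shown above: it reports the phase2 selectors with sa=0, which is the "tunnel down" case from the Check the tunnel state section, and compares the rxp/txp counters between two runs, which is the packet-counter check. The sample output is constructed in the same layout, with the key material replaced by placeholders.

```python
"""Parse FortiOS "diagnose vpn tunnel list" output: find phase2 selectors without
an SA (tunnel down) and compare packet counters between two runs."""
import re

# Constructed sample in the layout of "diagnose vpn tunnel list"; it is not a real
# capture and the key material is replaced by PLACEHOLDER (the parser never reads it).
SNAPSHOT_1 = """\
list all ipsec tunnel in vd 0
name=sohofw1 1.1.1.1:0->3.3.3.3:0 lgwy=dyn tun=intf mode=auto bound_if=7
proxyid_num=1 child_num=0 refcnt=5 ilast=4 olast=1
stat: rxp=1806451 txp=1447091 rxb=234325504 txb=499316955
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=3908556
proxyid=sohofw1-p2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 0.0.0.0/0.0.0.0:0
  dst: 192.168.40.0/255.255.255.0:0
  SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=366 replaywin=1024
  life: type=01 bytes=0/0 timeout=1774/1800
  dec: spi=2a02fcf2 esp=3des key=24 PLACEHOLDER
  enc: spi=bb50f13d esp=3des key=24 PLACEHOLDER
name=fortigw-311b ver=1 serial=1 2.2.2.2:0->1.1.1.1:0 lgwy=dyn tun=intf mode=auto
proxyid_num=2 child_num=0 refcnt=8 ilast=2 olast=2
stat: rxp=525048 txp=538908 rxb=276286832 txb=115110327
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=671422
proxyid=fortigw-311b-ph2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 192.168.10.0/255.255.255.0:0
  dst: 0.0.0.0/0.0.0.0:0
  SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=1333 replaywin=1024
  life: type=01 bytes=0/0 timeout=1750/1800
  dec: spi=5bafd6aa esp=3des key=24 PLACEHOLDER
  enc: spi=2a05ad80 esp=3des key=24 PLACEHOLDER
proxyid=fortigw-311b-wlan-ph2 proto=0 sa=0 ref=1 auto_negotiate=0 serial=2
  src: 192.168.20.0/255.255.255.0:0
  dst: 0.0.0.0/0.0.0.0:0
"""

# Second run a few seconds later: the sohofw1 counters moved on, fortigw-311b did not.
SNAPSHOT_2 = SNAPSHOT_1.replace("rxp=1806451 txp=1447091", "rxp=1806500 txp=1447130")

# "name=<phase1> ... <local>:<port>-><remote>:<port>" opens each tunnel block.
NAME_RE = re.compile(r"^name=(\S+)\s.*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")
STAT_RE = re.compile(r"^stat:\s+rxp=(\d+)\s+txp=(\d+)\s+rxb=(\d+)\s+txb=(\d+)")
PROXY_RE = re.compile(r"^proxyid=(\S+)\s.*?\bsa=(\d+)")


def parse_tunnel_list(text):
    """Return {phase1 name: {local, remote, rxp, txp, rxb, txb, proxyids: {phase2: sa}}}."""
    tunnels, current = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = {"local": m.group(2), "remote": m.group(3), "proxyids": {}}
            tunnels[m.group(1)] = current
            continue
        if current is None:
            continue  # header lines before the first tunnel block
        m = STAT_RE.match(line)
        if m:
            current.update(zip(("rxp", "txp", "rxb", "txb"), map(int, m.groups())))
            continue
        m = PROXY_RE.match(line)
        if m:
            current["proxyids"][m.group(1)] = int(m.group(2))  # sa=0: selector is down
    return tunnels


def down_selectors(text):
    """Phase2 selectors that have no SA, i.e. the tunnels the post calls down."""
    return sorted(p2 for t in parse_tunnel_list(text).values()
                  for p2, sa in t["proxyids"].items() if sa == 0)


def counter_delta(before, after):
    """Per-tunnel change of (rxp, txp) between two runs. A zero delta means nothing
    was decrypted/encrypted in between, which is what the counter check looks for."""
    b, a = parse_tunnel_list(before), parse_tunnel_list(after)
    return {name: (a[name]["rxp"] - b[name]["rxp"], a[name]["txp"] - b[name]["txp"])
            for name in a if name in b and "rxp" in a[name] and "rxp" in b[name]}


if __name__ == "__main__":
    print("selectors without SA:", down_selectors(SNAPSHOT_1))
    for name, (drx, dtx) in counter_delta(SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"{name}: rxp +{drx} txp +{dtx}")
```

On a real unit, paste the output of two runs of diagnose vpn tunnel list into the two snapshot strings (or read them from files) and run the script.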

5.0 sniffertrace
The basic command is diagnose sniffer packet, after that you have to define the interface* (or the keyword any):

myfirewall1 # diagnose sniffer packet
    the network interface to sniff (or "any")

*It looks like you cannot filter explicitly on a tunnel interface; you have to use any in that case and define a filter string. Then comes the tcpdump-like filter string (or the keyword none):

myfirewall1 # diagnose sniffer packet any
    flexible logical filters for sniffer (or "none").
    For example: To print udp 1812 traffic between forti1 and either forti2 or fo
    'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'

And the output format you expect (I always use 4):

myfirewall1 # diagnose sniffer packet any none

    1: print header of packets
    2: print header and data from ip of packets
    3: print header and data from ethernet of packets (if available)
    4: print header of packets with interface name
    5: print header and data from ip of packets with interface name
    6: print header and data from ethernet of packets (if available) with intf nam

myfirewall1 # diagnose sniffer packet any none 4
    sniffer count

myfirewall1 # diagnose sniffer packet any none 4 4
interfaces=[any]
filters=[none]
0.914475 wan1 in 10.250.19.159.63929 -> 3.3.3.127.61784: 689103397 ack 6474530
0.915067 wan1 out 3.3.3.3.22 -> 10.20.100.10.57499: psh 3728577301 ack 1697425
0.915079 eth0 out 3.3.3.3.22 -> 10.20.100.10.57499: psh 3728577301 ack 1697425
0.915452 wan1 out 3.3.3.3.22 -> 10.20.100.10.57499: psh 3728577433 ack 1697425

The parameter after "port6 arp 1" (the 2 at the end) is the number of packets to be sniffed. In this example it is set to 2.

myfirewall # diagnose sniffer packet port6 arp 1 2
interfaces=[port6]
filters=[arp]
0.907592 arp who-has 3.3.3.3 tell 3.3.3.5
1.907597 arp who-has 3.3.3.3 tell 3.3.3.5
myfirewall #

If the sniffer output should be analysed with Wireshark, the following Perl script should be used:
fgt2eth.pl: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD30877
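If you do not have Perl at hand, the converter below does the same job as fgt2eth.pl for the hex-dump verbosity levels (3 and 6; for 2 and 5 pass the raw-IP link type). It is an added example, not code from the original post or from Fortinet: it collects each summary line and the `0x....` hex lines that follow it into a packet and writes a classic libpcap file that Wireshark opens directly. It assumes relative float timestamps (the sniffer's default, not the absolute-time option) and the `0x0010   0028 1234 ... 0a00        <ascii>` layout of the dump; the capture text embedded in it is constructed (two frames, checksums zeroed) rather than taken from a real device.

```python
"""Convert 'diagnose sniffer packet <intf> <filter> 3|6' output to pcap.

Added example (not part of the original post, not Fortinet's fgt2eth.pl).
Assumptions: relative float timestamps and hex-dump lines shaped like
'0x0010   0028 1234 ... 0a00        <ascii column>'.
The SAMPLE_CAPTURE below is constructed; its checksums are zero.
"""
import re
import struct
import sys
from dataclasses import dataclass
from typing import List

# Summary line: "<ts> [<intf> in|out] <src> -> <dst>: ..."  Verbosity 6 adds
# the interface and direction; verbosity 3 has only timestamp and summary.
HEADER_RE = re.compile(r"^(\d+\.\d+)\s+(?:(\S+)\s+(in|out)\s+)?(.+)$")
# Hex-dump line: offset, up to eight 16-bit groups, then an ASCII column.
# Groups are separated by a single whitespace char; the ASCII column is
# further away and is therefore not consumed.  (A dump with a single tab in
# front of ASCII text that happens to look like hex would confuse this.)
HEX_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{4}\s)*[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?)"
)

LINKTYPE_ETHERNET = 1    # verbosity 3/6: dump starts at the Ethernet header
LINKTYPE_RAW_IP = 101    # verbosity 2/5: dump starts at the IP header


@dataclass
class SniffedPacket:
    ts: float
    interface: str
    direction: str
    summary: str
    data: bytes = b""


def parse_sniffer(text: str) -> List[SniffedPacket]:
    """Group summary lines with their hex-dump lines; packets without a
    dump (verbosity 1/4 output) are dropped because there is nothing to
    write into the pcap."""
    packets: List[SniffedPacket] = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        m = HEX_RE.match(line)
        if m and cur is not None:
            cur.data += bytes.fromhex(re.sub(r"\s", "", m.group(1)))
            continue
        m = HEADER_RE.match(line)
        if m:
            if cur is not None and cur.data:
                packets.append(cur)
            ts, intf, direction, summary = m.groups()
            cur = SniffedPacket(float(ts), intf or "", direction or "", summary)
    if cur is not None and cur.data:
        packets.append(cur)
    return packets


def to_pcap(packets: List[SniffedPacket], link_type: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialise as a classic little-endian pcap (magic a1b2c3d4, v2.4)."""
    chunks = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)]
    for p in packets:
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1_000_000))
        chunks.append(struct.pack("<IIII", sec, usec, len(p.data), len(p.data)))
        chunks.append(p.data)
    return b"".join(chunks)


# Constructed verbosity-6 output: one TCP SYN and one ARP request.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[none]
0.914475 port1 in 10.0.0.2.12345 -> 10.0.0.1.80: syn 1
0x0000   0009 0f09 0001 0009 0f09 0002 0800 4500        ..............E.
0x0010   0028 1234 4000 4006 0000 0a00 0002 0a00        .(.4@.@.........
0x0020   0001 3039 0050 0000 0001 0000 0000 5002        ..09.P........P.
0x0030   7210 0000 0000                                 r.....
1.907597 port1 out arp who-has 10.0.0.1 tell 10.0.0.2
0x0000   ffff ffff ffff 0009 0f09 0002 0806 0001        ................
0x0010   0800 0604 0001 0009 0f09 0002 0a00 0002        ................
0x0020   0000 0000 0000 0a00 0001                       ..........
"""

if __name__ == "__main__":
    # python fgt2pcap.py sniffer_output.txt capture.pcap   (no args: sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_CAPTURE
    dst = sys.argv[2] if len(sys.argv) > 2 else "sample.pcap"
    with open(dst, "wb") as fh:
        fh.write(to_pcap(parse_sniffer(src)))
```

Paste the whole terminal output into a file, including the `interfaces=` and `filters=` lines; they are ignored. Because the sniffer prints what the CPU forwarded, a frame that appears with `in` on one interface and `out` on another is two records in the pcap, which is exactly what you want when checking whether NAT or a policy rewrote it.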

6.0 View logging on cli


Some log fields never show up in the web UI, because they cannot be selected in the column settings. An example is a wrong pre-shared key: the field that tells you what went wrong, error_reason, is only visible in the raw log on the CLI or on a syslog server. The memory log buffer is limited, and once it is full the oldest entries are overwritten. To check the buffer settings:

myfirewall # get log memory global-setting
full-final-warning-threshold: 95
full-first-warning-threshold: 75
full-second-warning-threshold: 90
max-size: 98304

Configure logging
To view the logs on the CLI, set a filter first (reading logs from memory on the CLI is slow, so for anything beyond a quick check use a syslog server):

myfirewall # execute log filter device memory
myfirewall # execute log filter start-line 1
myfirewall # execute log filter view-lines 10
myfirewall # execute log filter category event

Check that the filter is what you want:

myfirewall # execute log filter dump
category: event
device: memory
roll: 0
start-line: 1
view-lines: 10
Viewing the logs


In this example we can see a failed VPN negotiation because the pre-shared key is not identical on the two VPN peers. The logs are not always this talkative: when the encryption settings differ between the peers, for example, the logs say nothing useful. Logs for a pre-shared key failure:

myfirewall3 # execute log display
874 logs found.
10 logs returned.
1: 2011-08-31 17:02:33 log_id=0101037127 type=event subtype=i

Logs for mismatched encryption settings, as received by the syslog server:

Sep 01 10:18:40 3.3.3.3 date=2011-09-01 time=10:18:40 devname=myfirewall3 devi
Sep 01 10:19:36 3.3.3.3 date=2011-09-01 time=10:19:36 devname=myfirewall3 devi
Sep 01 10:19:38 3.3.3.3 date=2011-09-01 time=10:19:38 devname=myfirewall3 devi
Sep 01 10:19:42 3.3.3.3 date=2011-09-01 time=10:19:42 devname=myfirewall3 devi

The CLI reference is online: http://docs.fortinet.com/fgt/handbook/cli_html/wwhelp/wwhimpl/js/html/wwhelp.htm
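Once the logs reach a syslog server, the error_reason field that the web UI hides is easy to pull out. The script below is an added example, not part of the original post: it parses FortiGate's key=value log format (double-quoted values may contain spaces, and a syslog server prepends its own timestamp and the sender IP) and counts IPsec negotiation failures per remote peer, tunnel and error_reason, reporting failures that carry no error_reason at all under a separate bucket so the "not talkative" cases are not silently lost. The five log lines embedded in it are constructed: the field names follow the FortiOS 4.x event-log layout, but the log_id values, peers, tunnel names and the exact error_reason wording are illustrative and vary between FortiOS versions.

```python
"""Pull error_reason out of FortiGate IPsec event logs on a syslog server.

Added example, not from the original post.  The SAMPLE_SYSLOG lines are
constructed: field names follow the FortiOS 4.x layout, but log_id values,
peers, tunnel names and the error_reason wording are illustrative only.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# key=value or key="quoted value"; the syslog prefix has no '=' and is skipped.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

NO_REASON = "<no error_reason logged>"


def parse_fortilog(line: str) -> Dict[str, str]:
    """Return the key=value fields of one log line as a dict (quotes removed)."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def ipsec_failures(lines: Iterable[str]) -> Counter:
    """Count IPsec negotiation errors per (remote peer, tunnel, error_reason).

    Only event/ipsec records with status=negotiate_error are counted.  A
    failure without an error_reason is filed under NO_REASON: that is the
    mismatched-proposal case where the log tells you nothing useful."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_fortilog(line)
        if f.get("type") != "event" or f.get("subtype") != "ipsec":
            continue
        if f.get("status") != "negotiate_error":
            continue
        key: Tuple[str, str, str] = (f.get("rem_ip", "?"),
                                     f.get("vpntunnel", "?"),
                                     f.get("error_reason", NO_REASON))
        counts[key] += 1
    return counts


# Constructed syslog input: two PSK failures, one phase-2 failure without an
# error_reason, one successful negotiation and one unrelated traffic record.
SAMPLE_SYSLOG = """\
Sep 01 10:18:40 3.3.3.3 date=2011-09-01 time=10:18:40 devname=myfirewall3 devid=FGT50B1234567890 log_id=0101037127 type=event subtype=ipsec level=error vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=3.3.3.5 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" vpntunnel="to_branch" status=negotiate_error error_reason="probable pre-shared key mismatch"
Sep 01 10:19:36 3.3.3.3 date=2011-09-01 time=10:19:36 devname=myfirewall3 devid=FGT50B1234567890 log_id=0101037127 type=event subtype=ipsec level=error vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=3.3.3.5 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" vpntunnel="to_branch" status=negotiate_error error_reason="probable pre-shared key mismatch"
Sep 01 10:19:38 3.3.3.3 date=2011-09-01 time=10:19:38 devname=myfirewall3 devid=FGT50B1234567890 log_id=0101037128 type=event subtype=ipsec level=error vd="root" msg="IPsec phase 2 error" action="negotiate" rem_ip=3.3.3.7 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" vpntunnel="to_hq" status=negotiate_error
Sep 01 10:19:42 3.3.3.3 date=2011-09-01 time=10:19:42 devname=myfirewall3 devid=FGT50B1234567890 log_id=0101037129 type=event subtype=ipsec level=notice vd="root" msg="IPsec phase 1" action="negotiate" rem_ip=3.3.3.9 loc_ip=3.3.3.3 vpntunnel="to_dc" status=success
Sep 01 10:19:43 3.3.3.3 date=2011-09-01 time=10:19:43 devname=myfirewall3 devid=FGT50B1234567890 log_id=0000000013 type=traffic subtype=forward level=notice vd="root" srcip=10.20.100.10 dstip=3.3.3.3 action=accept
"""

if __name__ == "__main__":
    for (peer, tunnel, reason), n in ipsec_failures(SAMPLE_SYSLOG.splitlines()).most_common():
        print(f"{n:3d}  peer={peer} tunnel={tunnel} reason={reason}")
```

Feed it the syslog file instead of the sample (`ipsec_failures(open("fortigate.log"))`) and the peers that keep failing with the same reason float to the top; a burst of failures from an address that is not one of your peers is worth a second look for the same reason.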

7.0 Backup and Restore


Backup command with a TFTP server. Keep in mind that TFTP is neither authenticated nor encrypted, and the full configuration contains the admin password hashes and the ENC-encoded VPN pre-shared keys and certificates, so run this only over a trusted management network and protect the resulting file:

myfirewall # execute backup full-config tftp <full-config-filename> <tftp server ip>

With an example:

myfirewall1 # execute backup full-config tftp myfirewall1_full_config 192.168.1.1
Please wait...
Connect to tftp server 192.168.1.1 ...
#
Send config file to tftp server OK.
myfirewall1 #
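A backup is only useful if you know what is in it. The script below is an added example, not part of the original post or any Fortinet tool: it parses the config / edit / set / next / end syntax that `execute backup full-config` writes into a nested dictionary and diffs two such backups, so a backup taken before a change window can be compared with one taken after it (a new admin account or a policy whose logging was switched off shows up as a single line). The two configurations embedded in it are constructed, with placeholder ENC hashes, and the parser assumes the plain text format, not a password-encrypted backup.

```python
"""Parse FortiOS text backups into a tree and diff two of them.

Added example, not part of the original post.  Both configs below are
constructed; the ENC hashes are placeholders, not real password hashes.
"""
import shlex
from typing import Any, Dict, List, Optional, Tuple

Tree = Dict[str, Any]
Change = Tuple[str, Optional[str], Optional[str]]  # path, old value, new value


def parse_fortios_config(text: str) -> Tree:
    """'config <name>' / 'edit <name>' keys hold sub-trees; 'set' keys hold
    the value as one string with the quotes removed."""
    root: Tree = {}
    stack: List[Tree] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#config-version=...' header
            continue
        # shlex handles FortiOS' double-quoted values; it also interprets
        # backslash escapes, which can alter regex-style values.
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw in ("config", "edit"):
            key = kw + " " + " ".join(tokens[1:])
            stack.append(stack[-1].setdefault(key, {}))
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif kw == "set" and len(tokens) >= 2:
            stack[-1][tokens[1]] = " ".join(tokens[2:])
        elif kw == "unset" and len(tokens) >= 2:
            stack[-1].pop(tokens[1], None)
    return root


def flatten(tree: Tree, prefix: str = "") -> Dict[str, str]:
    """Map 'config system global/hostname'-style paths to their values."""
    flat: Dict[str, str] = {}
    for key, value in tree.items():
        path = f"{prefix}/{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def diff_configs(old: Tree, new: Tree) -> List[Change]:
    """Every path whose value differs; None marks the side where it is absent."""
    a, b = flatten(old), flatten(new)
    return [(p, a.get(p), b.get(p))
            for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)]


# Constructed backups, not real devices.
BACKUP_BEFORE = """\
#config-version=FGT50B-4.00-FW-build535-120511:opmode=0:vdom=0:user=admin
config system global
    set hostname "myfirewall1"
    set admintimeout 5
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC AK1placeholderhash
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set logtraffic enable
    next
end
"""

BACKUP_AFTER = """\
config system global
    set hostname "myfirewall1"
    set admintimeout 480
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC AK1placeholderhash
    next
    edit "support"
        set accprofile "super_admin"
        set password ENC AK1anotherplaceholder
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set logtraffic disable
    next
end
"""

if __name__ == "__main__":
    for path, old, new in diff_configs(parse_fortios_config(BACKUP_BEFORE),
                                       parse_fortios_config(BACKUP_AFTER)):
        print(f"{path}: {old!r} -> {new!r}")
```

Run it over the files the TFTP server received (`parse_fortios_config(open("myfirewall1_full_config").read())`) and keep the output with the change ticket; the same diff run against the backup you are about to restore tells you exactly which settings the restore will roll back.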

Restore command with tftp server:

myfirewall # execute restore config tftp <full-config-filename> <tftp server ip>

Example restore:

myfirewall1 # execute restore config tftp myfirewall1_full_config 192.168.1.1
This operation will overwrite the current settings!
Do you want to continue? (y/n)y
Please wait...
Connect to tftp server 192.168.1.1 ...
File check OK.
The system is going down NOW !!
Please stand by while rebooting

FGT200B (14:15-10.01.2008)
Ver:04000010
Serial number:FG200B1111111111
RAM activation
Total RAM: 256MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Enabling Interrupts...Done.
Boot up, boot device capacity: 64MB.
Press any key to display configuration menu...
........
Reading boot image 1319595 bytes.
Initializing firewall...
System is started.
The config file may contain errors,
Please see details by the command 'diagnose debug config-error-log read'
myfirewall1 #

Do run that last command after every restore: the lines it reports are the ones that failed to apply, and a firewall policy or admin setting that silently did not make it into the running configuration is easy to miss otherwise.

That's all folks!


Posted in: Fortigate (http://itsecworks.wordpress.com/category/security/fortigate/), Security (http://itsecworks.wordpress.com/category/security/), Troubleshooting (http://itsecworks.wordpress.com/category/security/fortigate/troubleshooting/)
