How To Troubleshoot FortiGate Firewalls With CLI Commands

This is a list of commands I am using on the FortiGate CLI. It is not complete nor very detailed, but it provides the basic commands for troubleshooting network-related issues that cannot be resolved via the GUI.

Coming from Cisco, everything is “show”. With Fortinet, you have the choice between show | get | diagnose | execute. Not that easy to remember. Likewise the sys | system keyword: it is always “diagnose sys” but “execute system”.

Entering the correct vdom/global config

Remember to enter the correct vdom or global configuration tree before configuring anything:

config global

config vdom
edit <vdom-name>

To show the running configuration (such as “show run”), simply type in:

show

To show the entire running configuration with default values, use:

show full-configuration

To omit the “--More--” stops when displaying many lines, set the terminal output as follows, which displays all lines at once. This is similar to “terminal length 0” on Cisco. Be careful with it, because this setting is persistent (it is stored in the configuration, not just for the current session). Set it back to the default after use!

config system console
set output standard
end

To find a CLI command within the configuration, use the pipe sign “|” with “grep” (similar to “include” on Cisco devices). Note the “-f” flag, which shows the whole config tree in which the keyword was found, e.g.:

show | grep -f ipv6
show full-configuration | grep -f ipv6

General Information

The very basics:

get system interface physical #overview of hardware interfaces
get hardware nic <nic-name> #details of a single network interface, same as: diagnose hardware deviceinfo nic <nic-name>
fnsysctl ifconfig <nic-name> #kind of hidden command to see more interface stats such as errors
get system status #equivalent of "show version"
get system performance status #CPU and network usage
diagnose sys top #top with all forked processes
diagnose sys top-summary #easier-to-read top, incl. CPU and memory bars; forked processes are displayed as [x13] or similar
execute dhcp lease-list
diagnose ip arp list
diagnose ipv6 address list
diagnose ipv6 neighbor-cache list
diagnose sys ntp status
diagnose autoupdate versions #lists the attack definition versions, last update, etc.
diagnose log test #generates all possible log entries
diagnose test application dnsproxy 6 #shows the IP addresses of FQDN objects
diagnose debug crashlog read #shows crashlog, a status of 0 indicates a normal close of a process!

After rebooting a fresh device that is already licensed, it takes some time until it is “green” on the dashboard. The following commands can troubleshoot and kick off the “get license” process. Use the first three to enable debugging and start the process, while the last one disables the debugging again:


General Network Troubleshooting

Which is basically ping and traceroute:

execute ping-options ?
execute ping-options source <ip-address-of-the-interface>
execute ping <hostname|ip>
execute ping6-options ?
execute ping6 <hostname|ip>
execute traceroute <hostname|ip>
execute tracert6 <hostname|ip>

Routing

get router info routing-table all #routing table
get router info6 routing-table #IPv6 without the "all" keyword
get router info kernel #Forwarding Information Base
get router info6 kernel
get router <routing-protocol> #basic information about the enabled routing protocol
diagnose firewall proute list #policy-based routing
diagnose firewall proute6 list
diagnose ip rtcache list #route cache = current sessions w/ routing information

High Availability

diagnose sys ha status
execute ha manage ? #switch to the CLI of a secondary unit
execute ha manage <device-index>
diagnose sys ha showcsum #verify the checksum of all synchronized peers

Session Table

Display the current active sessions:

get system session list #rough view with NAT, only IPv4

diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter dport 53
diagnose sys session list #show the session table with the filter just set

Sniffer

Sniff packets like tcpdump does. This can be used for investigating connection problems between two hosts. It shows no details of the firewall policy decisions; use the debug flow (next section) to analyse firewall policies, etc.

diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbose> <count> <time-format>

with:

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time

Examples:

diagnose sniffer packet any 'host 8.8.8.8' 4 4 l
diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 a
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l
diagnose sniffer packet any 'net 2001:db8::/32' 6 1000 l

Here are two more examples of how to capture LLDP or CDP packets in order to reveal which layer 2 switch ports the firewall interfaces are connected to.

LLDP:
diagnose sniffer packet port1 'ether proto 0x88cc' 4 1 a

CDP:
diagnose sniffer packet port1 'ether[20:2] == 0x2000' 6 1 a
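
The sniffer prints hex dumps at verbose levels 3 and 6, which are easier to analyse in Wireshark than on the console. The following converter is an added example, not code from the original post or from Fortinet (Fortinet ships its own Perl script, fgt2eth.pl, for this job). It assumes the layout FortiOS prints at those verbose levels: one summary line per packet that starts with a timestamp (relative seconds, or "YYYY-MM-DD HH:MM:SS.us" with time-format a or l), followed by "0x0010   0044 ... 4500        ..ascii.." lines whose hex and ASCII columns are separated by a tab or at least two spaces. Absolute timestamps are treated as UTC (time-format a). The sample output embedded below is constructed, not a real capture.

```python
"""Convert 'diagnose sniffer packet ... 3|6' hex-dump output into a pcap file.

Added example; assumptions: FortiOS hex-dump layout as described in the
lead-in, and absolute timestamps in UTC. SAMPLE_OUTPUT is constructed.
"""
import re
import struct
from datetime import datetime, timezone

_HEX_LINE_RE = re.compile(r'^0x[0-9a-fA-F]{4}\s+(.*)$')
_REL_TS_RE = re.compile(r'^(\d+)\.(\d+)\s')
_ABS_TS_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.(\d+)\s')

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1  # verbose 3/6 dumps start at the Ethernet header

# constructed sample: one DNS query and one (truncated) reply on port1
SAMPLE_OUTPUT = """\
interfaces=[port1]
filters=[host 8.8.8.8]
2024-01-15 10:22:33.123456 port1 out 192.168.160.10.55843 -> 8.8.8.8.53: udp 4
0x0000   0009 0f89 0ea3 0050 56a6 1f3a 0800 4500        .......PV..:..E.
0x0010   0020 0001 0000 4011 0000 c0a8 a00a 0808        . ....@.........
0x0020   0808 da23 0035 000c 0000 dead beef             ...#.5..........
2024-01-15 10:22:33.654321 port1 in 8.8.8.8.53 -> 192.168.160.10.55843: udp 4
0x0000   0050 56a6 1f3a 0009 0f89 0ea3 0800 4500        .PV..:........E.
"""


def _parse_timestamp(summary):
    """Return (sec, usec) from a packet summary line; (0, 0) if unparseable."""
    m = _ABS_TS_RE.match(summary)
    if m:
        dt = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        sec = int(dt.replace(tzinfo=timezone.utc).timestamp())  # assumes UTC
        return sec, int(m.group(2).ljust(6, "0")[:6])
    m = _REL_TS_RE.match(summary)
    if m:
        return int(m.group(1)), int(m.group(2).ljust(6, "0")[:6])
    return 0, 0


def parse_sniffer_output(text):
    """Return a list of (summary_line, packet_bytes) for each packet found."""
    packets = []
    summary, chunks = None, []
    for line in text.splitlines():
        m = _HEX_LINE_RE.match(line)
        if m:
            # keep the hex column, drop the ASCII column after the tab / wide gap
            hex_part = re.split(r'\t|\s{2,}', m.group(1).strip(), maxsplit=1)[0]
            chunks.append(bytes.fromhex(hex_part.replace(" ", "")))
        elif line.strip():
            # any other non-empty line starts a new packet; header lines such
            # as "interfaces=[...]" are dropped because no hex follows them
            if summary is not None and chunks:
                packets.append((summary, b"".join(chunks)))
            summary, chunks = line.strip(), []
    if summary is not None and chunks:
        packets.append((summary, b"".join(chunks)))
    return packets


def packet_timestamps(packets):
    """(sec, usec) per packet, in capture order."""
    return [_parse_timestamp(summary) for summary, _ in packets]


def to_pcap(packets):
    """Serialize (summary, bytes) pairs into a classic little-endian pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for summary, data in packets:
        sec, usec = _parse_timestamp(summary)
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    with open("capture.pcap", "wb") as f:
        f.write(to_pcap(parse_sniffer_output(text)))
```

Save the console output of a verbose 3 or 6 capture to a file, run the script on it, and open capture.pcap in Wireshark. With verbose 1, 2, 4 or 5 there is either no hex dump or no Ethernet header, so the link type assumed here would not match.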

Flow

If you want to see the FortiGate's own view of a connection, use the debug flow. It shows, for example, the routing decision and the policy that allowed the connection.


diagnose debug reset
diagnose debug flow filter ?
diagnose debug flow filter saddr 172.16.27.148
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 10  #display the next 10 packets, after that, disable the flow:
diagnose debug disable

Example:

fd-wv-fw04 # diagnose debug reset
fd-wv-fw04 # diagnose debug flow filter daddr 8.8.8.8
fd-wv-fw04 # diagnose debug flow show console enable
show trace messages on console

fd-wv-fw04 # diagnose debug enable
fd-wv-fw04 # diagnose debug flow trace start 20
id=20085 trace_id=11 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=17, 192.168.160.10:55859->8.8.8.8:53) from fg-trust. "
id=20085 trace_id=11 func=init_ip_session_common line=4569 msg="allocate a new session-0001f004"
id=20085 trace_id=11 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=11 func=fw_forward_handler line=671 msg="Allowed by Policy-16:"
id=20085 trace_id=11 func=__ip_session_run_tuple line=2601 msg="run helper-dns-udp(dir=original)"
id=20085 trace_id=12 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=17, 192.168.160.10:63624->8.8.8.8:53) from fg-trust. "
id=20085 trace_id=12 func=init_ip_session_common line=4569 msg="allocate a new session-0001f005"
id=20085 trace_id=12 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=12 func=fw_forward_handler line=671 msg="Allowed by Policy-16:"
id=20085 trace_id=12 func=__ip_session_run_tuple line=2601 msg="run helper-dns-udp(dir=original)"

fd-wv-fw04 # diagnose debug disable
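
With a busy firewall the trace quickly grows to hundreds of lines, and what you usually want is one row per session: who talked to whom, which route was chosen and which policy matched. The following parser is an added example, not code from the original post or from Fortinet. It assumes the key=value line format shown in the trace above (id=... trace_id=... func=... line=... msg="...") and the message wording from that output; the "Denied by forward policy check (policy 0)" line in the embedded sample is constructed to exercise the deny path, and other FortiOS releases may word these messages differently. The key=value tokenizer is the same convention "execute log display" uses, so it is reusable for log lines.

```python
"""Summarize FortiGate 'diagnose debug flow' trace output per session.

Added example; assumes the key=value trace format and message wording shown
in the post. SAMPLE_TRACE is built from that output plus one constructed
denied session.
"""
import re

# key=value pairs; values are either bare tokens or double-quoted strings
_KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')

# message fragments taken from the trace output above (deny wording assumed)
_PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
_ROUTE_RE = re.compile(r'find a route: flags=\S+ gw-(\S+) via (\S+)')
_POLICY_RE = re.compile(r'(Allowed|Denied) by .*?[Pp]olicy[- (]+(\d+)')

SAMPLE_TRACE = """\
fd-wv-fw04 # diagnose debug flow trace start 20
id=20085 trace_id=11 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=17, 192.168.160.10:55859->8.8.8.8:53) from fg-trust. "
id=20085 trace_id=11 func=init_ip_session_common line=4569 msg="allocate a new session-0001f004"
id=20085 trace_id=11 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=11 func=fw_forward_handler line=671 msg="Allowed by Policy-16:"
id=20085 trace_id=11 func=__ip_session_run_tuple line=2601 msg="run helper-dns-udp(dir=original)"
id=20085 trace_id=12 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 192.168.160.10:40512->203.0.113.7:23) from fg-trust. "
id=20085 trace_id=12 func=init_ip_session_common line=4569 msg="allocate a new session-0001f005"
id=20085 trace_id=12 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=12 func=fw_forward_handler line=671 msg="Denied by forward policy check (policy 0)"
"""


def parse_kv_line(line):
    """Tokenize one FortiGate key=value line into a dict.

    Quoted values may contain spaces and '=' (e.g. msg="... flags=00000000 ...");
    the regex consumes the whole quoted string so inner '=' are not split.
    """
    fields = {}
    for m in _KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def summarize_flow_trace(lines):
    """Group trace lines by trace_id and extract 5-tuple, ingress interface,
    gateway/egress interface and the policy verdict for each session."""
    traces = {}
    for line in lines:
        kv = parse_kv_line(line)
        tid, msg = kv.get("trace_id"), kv.get("msg")
        if tid is None or msg is None:
            continue  # prompt echo, blank line or unrelated debug output
        t = traces.setdefault(tid, {"verdict": None, "policy": None})
        m = _PKT_RE.search(msg)
        if m:
            t.update(proto=int(m.group(1)), src=m.group(2),
                     dst=m.group(3), ingress=m.group(4))
            continue
        m = _ROUTE_RE.search(msg)
        if m:
            t.update(gateway=m.group(1), egress=m.group(2))
            continue
        m = _POLICY_RE.search(msg)
        if m:
            t.update(verdict=m.group(1).lower(), policy=int(m.group(2)))
    return traces


def denied_flows(traces):
    """(src, dst, policy) for every session that did not get an allow verdict."""
    return [(t.get("src"), t.get("dst"), t.get("policy"))
            for t in traces.values() if t["verdict"] != "allowed"]


if __name__ == "__main__":
    traces = summarize_flow_trace(SAMPLE_TRACE.splitlines())
    for tid, t in traces.items():
        print(tid, t)
    print("denied:", denied_flows(traces))
```

Paste the console output into a file and feed its lines to summarize_flow_trace; a session with no verdict at all usually means the trace ended before the packet reached the policy check, which is itself worth a look.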

VPN

To show details about IKE/IPsec connections, use these commands:

get vpn ike gateway <name>
get vpn ipsec tunnel name <name>
get vpn ipsec tunnel details
diagnose vpn tunnel list
diagnose vpn ipsec status           #shows all crypto devices with counters that are used by the VPN
get router info routing-table all

To debug IKE/IPsec sessions, use the VPN debug:

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter ?
diagnose vpn ike log-filter dst-addr4 1.2.3.4
diagnose debug app ike 255          #shows phase 1 and phase 2 output
diagnose debug enable               #after enough output, disable the debug:
diagnose debug disable

To reset a certain VPN connection, use this:

diag vpn tunnel reset <phase1 name>

Log

For investigating the log entries (similar to the GUI), use the following filters, etc.:

execute log filter reset
execute log filter category event
execute log filter field            #press enter for options
execute log filter field dstport 8001
execute log filter view-lines 1000
execute log filter start-line 1
execute log display


Defaults

Just a reminder for myself:

IP: 192.168.1.99

Login: admin

Password: <blank>

To change the IP address of the mgmt interface (or any other) via the CLI, these commands can be used:

config system interface
edit mgmt
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh
next
end