FortiGate:Diagnose-Command-Guide

From Fortinet Wiki

Preface

This article shows the complete "diagnose tree" for FortiOS 5.0 and 5.2. Where possible, the individual sections include some examples for the commands shown. An FG-60D was available as the test device. The FortiOS version given for a command does not state whether the command is available in that FortiOS version; it indicates when the command was added to FortiOS.


Data protection

        *********************************************************************
        *                                                                   *
        *  THIS FILE MAY CONTAIN CONFIDENTIAL, PRIVILEGED OR OTHER LEGALLY  *
        *      PROTECTED INFORMATION. YOU ARE PROHIBITED FROM COPYING,      *
        *    DISTRIBUTING OR OTHERWISE USING IT WITHOUT PERMISSION FROM     *
        *                  ALSO SCHWEIZ AG SWITZERLAND.                     *
        *                                                                   *
        *********************************************************************

"The information contained in these articles is confidential and may not be disclosed
  to third-party companies without the written consent of ALSO Schweiz AG"

diagnose

antivirus

antivirus avquery

FortiGuard - AV Query statistics and reporting

       # diagnose antivirus avquery statistics flush                          Flush daemon and cache statistics.                                             [5.0][5.2]
       # diagnose antivirus avquery statistics list                           Display cache and daemon statistics.                                           [5.0][5.2]
       
       DNS failures                     :          0
       DNS lookups                      :          0
       Data send failures               :          0
       Data read failures               :          0
       Incorrect CRCs in responses      :          0
       Proxy request failures           :          0
       Requests timed out               :          0
       Total Requests                   :          0
       Requests to rating servers       :          0
       Server error responses           :          0
       Relayed requests                 :          0
       Jobs passed on daemon shutdown   :          0
       Server error, files passed       :          0
       Bad license, files passed        :          0
       Request queue full, files passed :          0
       Daemon not started; files passed :          0
       No server, files passed          :          0
       No resources, files passed       :          0
       Bad query format, files passed   :          0
       Cache mem allowed                :          0
       Cache mem used                   :          0
       Number of cache entries          :          0
       Cache queries                    :          0
       Cache hits                       :          0
       
       # diagnose antivirus avquery status                                    FortiGuard - AV Query service status                                           [5.0][5.2]
       
       FortiGuard - AV Query service is disabled.
       Server status unknown

antivirus bypass

       # diagnose antivirus bypass on|off                                     On/Off for bypassing AV checking.                                              [5.0][5.2]

antivirus heuristic

       # diagnose antivirus heuristic showrules                               Display heuristic rule overrides.                                              [5.0][5.2]
       # diagnose antivirus heuristic showthreshold                           Display heuristic threshold.                                                   [5.0][5.2]
       Threshold: 0

antivirus quarantine

       # diagnose antivirus quarantine delete [checksum of file]              Delete a file in quarantine.                                                   [5.0][5.2]
       # diagnose antivirus quarantine list                                   List the files in quarantine.                                                  [5.0][5.2]
       
       Quarantine List (Count = 0)
       -----------------------------
       CHECKSUM SIZE     FIRST-TIMESTAMP  LAST-TIMESTAMP   SERVICE STATUS     DC    TTL   FILENAME DESCRIPTION
       
       # diagnose antivirus quarantine list service {http|https|ftp|smtp|smtps|pop3|pop3s|imap|imaps|im|nntp} 
       
       # diagnose antivirus quarantine list status {infected|heuristic|blocked} 
       # diagnose antivirus quarantine purge                                  Delete all quarantined files.                                                  [5.0][5.2]

antivirus virus

       # diagnose antivirus virus list                                        List detected virus                                                            [5.0][5.2]
       
       Virus List
       ==========
         ACM/Bursted.AN
         ACM/Medre.A@mm
         ACM/Pasdoc.A
         Akuku.889.A
         ALS/Medre.A!tr
         Android/Agent.BY!tr
         Android/Agent.FS!tr
         Android/Basebridge.B!tr
         Android/DrdDream.A!exploit.CVE2010EASY
         Android/DroidRooter.A
         Android/DroidRooter.C
         Android/DroidRt.B
         Android/DrSheep.A
         Android/FakeInst.C!tr
         Android/Fakelash.A!tr.spy
         Android/FkToken.A

autoupdate

autoupdate downgrade

       # diagnose autoupdate downgrade enable | disable                       Update object downgrade status.                                                [5.0][5.2]
       # diagnose autoupdate downgrade enable
       Update downgrade enabled
       # diagnose autoupdate downgrade disable
       Update downgrade disabled

autoupdate status

       # diagnose autoupdate status                                           Status of automatic updates.                                                   [5.0][5.2]
       
       FDN availability:  unavailable at Mon Nov 16 19:29:33 2015
       
       Push update: disable
       Scheduled update: enable
               Update every:   6 hours at 0 minutes after the hour
       Virus definitions update: enable
       IPS definitions update: enable
       Push address override: disable
       Web proxy tunneling: disable
       
       Description:
       
       FDN availability:                Shows the availability status and the last access time (the access time corresponds to the scheduled update settings).
                                        Possible values are: available/unavailable.
       Push update:                     Shows whether the push update method is enabled or disabled. Possible values are: enable/disable.
       Scheduled update:                Shows whether scheduled update is enabled or disabled. Possible values are: enable/disable.
       Update every:                    If scheduled update is enabled, shows the time defined to launch the update.
       Virus definitions update:        Shows whether the virus definitions update is enabled or disabled. Possible values are: enable/disable.
       IPS definitions update:          Shows whether the IPS definitions update is enabled or disabled. Possible values are: enable/disable.
       Server override:                 Shows whether the use of another FDS server is enabled or disabled. Possible values are: enable/disable.
                                        If enabled, a new line is displayed showing the FDS IP address defined in the configuration.
       Push address override:           If push update is enabled, shows whether the FortiGate override address feature is enabled or disabled.
                                        Possible values are: enable/disable. If enabled, a new line is displayed showing the FDS IP address and the
                                        TCP port (a.b.c.d:port) defined in the configuration.
       Web proxy tunneling:             Shows whether the FortiGate device is using a proxy to retrieve AV and IPS definitions updates. Possible values
                                        are: enable/disable. If enabled, additional lines are displayed showing the proxy settings.

autoupdate versions

       # diagnose autoupdate versions                                         Update object versions.                                                        [5.0][5.2]
       
       AV Engine
       ---------
       Version: 5.00171
       Contract Expiry Date: n/a
       Last Updated using manual update on Fri Jun 26 15:14:00 2015
       Last Update Attempt: Mon Nov 16 18:31:29 2015
       Result: Connectivity failure
       
       Virus Definitions
       ---------
       Version: 16.00560
       Contract Expiry Date: n/a
       Last Updated using manual update on Fri Oct 19 08:31:00 2012
       Last Update Attempt: Mon Nov 16 18:31:29 2015
       Result: Connectivity failure
       ............................
       ............................

central-mgmt

central-mgmt script-history

       # diagnose central-mgmt script-history clear                           Clear script execution history.                                                [5.0][5.2]
       Script execution history has been cleared.
       # diagnose central-mgmt script-history del [id Record ID]              Delete one script execution record.                                            [5.0][5.2]
       # diagnose central-mgmt script-history list                            List script execution history.                                                 [5.0][5.2]
       There is 0 script execution log:
        ID          Time        Type   Status  Name
       ----------------------------------------------------
       ----------------------------------------------------
       # diagnose central-mgmt script-history test                            Generate sample script execution records.                                      [5.0][5.2]
       One new script execution record has been created.
       One new script execution record has been created.
       One new script execution record has been created.

client-reputation

NOTE Not Available on Model(s) "FortiGate 60C"

client-reputation convert-timestamp

       # diagnose client-reputation convert-timestamp                        Convert a client reputation database timestamp to date and time.                [5.0][5.2]

client-reputation test-all

       # diagnose client-reputation test-all                                 Adds log messages from multiple sources to the client reputation db for testing.[5.0][5.2]

client-reputation test-app

       # diagnose client-reputation test-app                                 Adds application control log messages to the client reputation db for testing.  [5.0][5.2]

client-reputation test-ips

       # diagnose client-reputation test-ips                                 Adds ips log messages to the client reputation db for testing.                  [5.0][5.2]

client-reputation test-webfilter

       # diagnose client-reputation test-webfilter                           Adds webfilter log messages to the client reputation db for testing.            [5.0][5.2]

cp

NOTE Not Available on Model(s) "FortiGate 60C"

cp cp8

       # diagnose cp cp8                                                     Co-processor version 8.                                                         [5.2]

debug

       # diagnose debug [disable | enable]                                                 Disable/enable debug output.                                      [5.0][5.2]
       
       NOTE Use this command to enable/disable debugging messages to the CLI display. 

debug admin

       # diagnose debug admin error-log                                                Last failed admin user login details.                                 [5.2]

debug application

       # diagnose debug application [application option] [Debug Level/Integer]         application
       
       NOTE For all of the following commands, use this "Integer" to set the "Debug Level":
            
            Integer:
            
            -1  Display all messages.
             0  Do not display messages.
       # diagnose debug application alarmd                                             Alarmd daemon                                                         [5.0][5.2] 
       # diagnose debug application alertmail                                          Alert mail daemon                                                     [5.0][5.2] 
       # diagnose debug application authd                                              Auth daemon.                                                          [5.0][5.2] 
       # diagnose debug application chassis                                            Chassis daemon.                                                       [5.0][5.2] 
       # diagnose debug application crl-update                                         CRL update daemon.                                                    [5.0][5.2] 
       # diagnose debug application cw_acd                                             Capwap AC daemon.                                                     [5.0][5.2] 
       # diagnose debug application ddnscd                                             DDNS client daemon.                                                   [5.0][5.2] 
       # diagnose debug application dhcp6c                                             DHCPv6 client.                                                        [5.0][5.2] 
       # diagnose debug application dhcp6r                                             DHCPv6 relay.                                                         [5.0][5.2] 
       # diagnose debug application dhcp6s                                             DHCPv6 server.                                                        [5.0][5.2] 
       # diagnose debug application dhcpc                                              DHCP client module.                                                   [5.0][5.2] 
       # diagnose debug application dhcprelay                                          DHCP relay daemon.                                                    [5.0][5.2] 
       # diagnose debug application dhcps                                              DHCP server.                                                          [5.0][5.2] 
       # diagnose debug application dialinsvr                                          Dial-in-server daemon.                                                [5.0][5.2] 
       # diagnose debug application dlp                                                DLP                                                                   [5.0][5.2] 
       # diagnose debug application dlpfingerprint                                     DLP fingerprint daemon.                                               [5.0][5.2] 
       # diagnose debug application dnsproxy                                           DNS proxy module.                                                     [5.0][5.2] 
       # diagnose debug application dsd                                                DLP Stat Daemon                                                       [5.0][5.2] 
       # diagnose debug application extenderd                                          Extender Wan daemon.                                                  [5.2] 
       # diagnose debug application fcnacd                                             FortiClient NAC daemon.                                               [5.0][5.2] 
       # diagnose debug application fgd_alert                                          FortiGuard alert message.                                             [5.0][5.2] 
       # diagnose debug application fgfmd                                              FortiGate/FortiManager communication daemon.                          [5.0][5.2] 
       # diagnose debug application fnbamb                                             Fortigate non-blocking auth daemon.                                   [5.0][5.2] 
       # diagnose debug application forticldd                                          FortiCloud daemon.                                                    [5.0][5.2] 
       # diagnose debug application forticron                                          Forticron daemon.                                                     [5.0][5.2] 
       # diagnose debug application fsd                                                Forti-start daemon.                                                   [5.0][5.2] 
       # diagnose debug application fssod                                              FSSO daemon.                                                          [5.0][5.2] 
       # diagnose debug application ftpd                                               FTP proxy.                                                            [5.0][5.2] 
       # diagnose debug application garpd                                              VIP gratuitous ARP daemon.                                            [5.0][5.2] 
       # diagnose debug application harelay                                            HA relay module.                                                      [5.0][5.2] 
       # diagnose debug application hasync                                             HA synchronization module.                                            [5.0][5.2] 
       # diagnose debug application hatalk                                             HA protocol module.                                                   [5.0][5.2] 
       # diagnose debug application http                                               HTTP proxy.                                                           [5.0][5.2] 
       # diagnose debug application httpsd                                             HTTPSd daemon.                                                        [5.0][5.2] 
       # diagnose debug application ike                                                IKE daemon.                                                           [5.0][5.2] 
       # diagnose debug application im                                                 IM proxy.                                                             [5.0][5.2] 
       # diagnose debug application imap                                               IMAP proxy.                                                           [5.0][5.2] 
       # diagnose debug application info-sslvpn                                        SSL-VPN info daemon for Fortinet top bar.                             [5.0][5.2] 
       # diagnose debug application init                                               System init process.                                                  [5.2] 
       # diagnose debug application ipldbd                                             Ipldbd daemon.                                                        [5.0][5.2] 
       # diagnose debug application ipsengine                                          ips sensor                                                            [5.0][5.2] 
       # diagnose debug application ipsmonitor                                         ips monitor                                                           [5.0][5.2] 
       # diagnose debug application ipsufd                                             IPS URL filter resolver daemon.                                       [5.0][5.2] 
       # diagnose debug application l2tp                                               L2TP daemon.                                                          [5.0][5.2] 
       # diagnose debug application l2tpcd                                             L2tpcd daemon.                                                        [5.0][5.2] 
       # diagnose debug application link-monitor                                       Link monitor daemon.                                                  [5.2] 
       # diagnose debug application lldptx                                             Link Layer Discovery Protocol (LLDP) Transmitter                      [5.2] 
       # diagnose debug application lted                                               USB LTE daemon.                                                       [5.0][5.2] 
       # diagnose debug application miglogd                                            Log daemon.                                                           [5.0][5.2] 
       # diagnose debug application modemd                                             MODEM daemon.                                                         [5.0][5.2] 
       # diagnose debug application netscan                                            Netscan                                                               [5.0][5.2] 
       # diagnose debug application nntp                                               NNTP proxy.                                                           [5.0][5.2] 
       # diagnose debug application nq                                                 NAC quarantine daemon.                                                [5.0] 
       # diagnose debug application ntpd                                               NTPd daemon.                                                          [5.0][5.2] 
       # diagnose debug application ovrd                                               Override daemon.                                                      [5.2] 
       # diagnose debug application pop3                                               POP3 proxy.                                                           [5.0][5.2] 
       # diagnose debug application ppp                                                PPP daemon.                                                           [5.0][5.2] 
       # diagnose debug application pppoed                                             PPPoE client Daemon.                                                  [5.0][5.2] 
       # diagnose debug application pptp                                               PPTP daemon.                                                          [5.0][5.2] 
       # diagnose debug application pptpc                                              PPTP client.                                                          [5.0][5.2] 
       # diagnose debug application proxy                                              Proxy acceptor.                                                       [5.0] 
       # diagnose debug application proxyacceptor                                      Proxy acceptor.                                                       [5.2] 
       # diagnose debug application proxydaemon                                        Proxy daemon.                                                         [5.0][5.2] 
       # diagnose debug application proxyworker                                        Proxy worker.                                                         [5.0][5.2] 
       # diagnose debug application quarantine                                         Quarantine daemon.                                                    [5.0][5.2] 
       # diagnose debug application radiusd                                            RADIUS daemon.                                                        [5.0][5.2] 
       # diagnose debug application radvd                                              Router adv daemon.                                                    [5.0][5.2] 
       # diagnose debug application rsyslogd                                           Rsyslogd daemon.                                                      [5.0][5.2] 
       # diagnose debug application rtmon                                              PING server.                                                          [5.0] 
       # diagnose debug application scanunit                                           Scanunit daemon.                                                      [5.0][5.2] 
       # diagnose debug application sccp                                               SCCP ALG.                                                             [5.0][5.2] 
       # diagnose debug application scep                                               SCEP                                                                  [5.0][5.2] 
       # diagnose debug application server-probe                                       Server probe daemon.                                                  [5.0][5.2] 
       # diagnose debug application sessionsync                                        Session sync daemon.                                                  [5.0][5.2] 
       # diagnose debug application sflowd                                             sFlow protocol module.                                                [5.0][5.2] 
       # diagnose debug application sip                                                SIP ALG.                                                              [5.0][5.2] 
       # diagnose debug application smbcd                                              SMB client daemon.                                                    [5.0][5.2] 
       # diagnose debug application smtp                                               SMTP proxy.                                                           [5.0][5.2] 
       # diagnose debug application snmpd                                              SNMP daemon.                                                          [5.0][5.2] 
       # diagnose debug application spamfilter                                         Spam filter module.                                                   [5.0][5.2] 
       # diagnose debug application spareblock                                         Set debug spare block count.                                          [5.0][5.2] 
       # diagnose debug application src-vis                                            Source Visibility daemon.                                             [5.0][5.2] 
       # diagnose debug application sshd                                               Sshd daemon.                                                          [5.0][5.2] 
       # diagnose debug application ssl                                                SSL daemon.                                                           [5.0][5.2] 
       # diagnose debug application sslvpn                                             sslvpn                                                                [5.0][5.2] 
       # diagnose debug application stp                                                Spanning Tree Protocol daemon.                                        [5.0][5.2] 
       # diagnose debug application update                                             Update daemon.                                                        [5.0][5.2] 
       # diagnose debug application uploadd                                            Upload daemon.                                                        [5.0][5.2] 
       # diagnose debug application urlfilter                                          Urlfilter daemon.                                                     [5.0][5.2] 
       # diagnose debug application vpd                                                VPN policy daemon.                                                    [5.0][5.2] 
       # diagnose debug application vrrpd                                              VRRP daemon.                                                          [5.0][5.2] 
       # diagnose debug application vs                                                 virtual-server                                                        [5.0][5.2] 
       # diagnose debug application wa_cs                                              WAN acceleration cs server.                                           [5.0] 
       # diagnose debug application wa_dbd                                             WAN acceleration db server.                                           [5.0] 
       # diagnose debug application wabcs                                              WAN acceleration byte cache storage.                                  [5.2] 
       # diagnose debug application wad                                                WAN acceleration proxy.                                               [5.0][5.2] 
       # diagnose debug application waocs                                              WAN acceleration object cache storage.                                [5.2] 
       # diagnose debug application wccpd                                              WCCP daemon.                                                          [5.0][5.2] 
       # diagnose debug application wifi                                               WiFi setting.                                                         [5.0][5.2] 
       # diagnose debug application wiredap                                            Wired AP (802.1X port-based auth) daemon.                             [5.0][5.2] 
       # diagnose debug application wpad                                               Port access entity daemon.                                            [5.0][5.2] 
       # diagnose debug application wpad_dump                                          Dump wpad packet in binary format.                                    [5.0][5.2] 
       # diagnose debug application zebos                                              ZebOS                                                                 [5.0][5.2] 
       # diagnose debug application zebos-launcher                                     ZebOS launcher daemon.                                                [5.0][5.2] 

debug authd

       # diagnose debug authd clear                                                    Clear internal data structures and keep alive sessions.               [5.0]
       # diagnose debug authd fsso                                                     FSSO                                                                  [5.0]
       # diagnose debug authd fsso clear-logons                                        Clear logon information.                                              [5.0] 
       # diagnose debug authd fsso filter clear                                        Clear all filters.                                                    [5.0] 
       # diagnose debug authd fsso filter group <name>                                 Group name.                                                           [5.0] 
       # diagnose debug authd fsso filter server <name>                                FSSO agent name.                                                      [5.0] 
       # diagnose debug authd fsso filter source [from srcip] [to srcip]               Source IP address.                                                    [5.0] 
       # diagnose debug authd fsso filter user <name>                                  User name.                                                            [5.0] 
       # diagnose debug authd fsso list                                                List current logons.                                                  [5.0] 
       # diagnose debug authd fsso refresh-groups                                      Refresh group mappings.                                               [5.0] 
       # diagnose debug authd fsso refresh-logons                                      Resync logon database.                                                [5.0] 
       # diagnose debug authd fsso server-status                                       Show FSSO agent connection status.                                    [5.0] 
       # diagnose debug authd fsso summary                                             Summary of current logons.                                            [5.0] 
       # diagnose debug authd memory                                                   Show authd memory usage information.                                  [5.0]  

debug cli

       # diagnose debug cli [Integer]                                                  Debug CLI.                                                            [5.0][5.2]
       
       Integer level = 0 - 8

debug cmdb-trace

       # diagnose debug cmdb-trace [Integer 0 - 1]                                     Trace CLI.                                                            [5.0][5.2]

debug config-error-log

       # diagnose debug config-error-log                                               Configure error log info.                                             [5.0][5.2]
       # diagnose debug config-error-log clear                                         Clear config error log.                                               [5.0][5.2]
       # diagnose debug config-error-log read                                          Display config error on console.                                      [5.0][5.2]

debug console

       # diagnose debug console no-user-log-msg                                        Console does not show user log messages.                              [5.0]
       # diagnose debug console no-user-log-msg disable                                Disable console no user log message.                                  [5.0] 
       # diagnose debug console no-user-log-msg enable                                 Enable console no user log message.                                   [5.0] 
       # diagnose debug console send [AT command] [character] [integer]                Send out MODEM HA  AT command.                                        [5.0]
       # diagnose debug console timestamp                                              timestamp                                                             [5.0]
       # diagnose debug console timestamp disable                                      Disable timestamp.                                                    [5.0] 
       # diagnose debug console timestamp enable                                       Enable timestamp.                                                     [5.0] 
       
       NOTE Use this command to enable or disable the timestamp in debug logs.

debug crashlog

       # diagnose debug crashlog                                                       Crash log info.                                                       [5.0][5.2]
       # diagnose debug crashlog clear                                                 Clear crash log.                                                      [5.0] 
       # diagnose debug crashlog get                                                   Get crashlog.                                                         [5.0] 
       # diagnose debug crashlog read                                                  Read crashlog.                                                        [5.0] 
       NOTE Use this command to show crash logs from application proxies that have call back traces, segmentation 
            faults, or memory register dumps, or to delete the crash log. 

debug flow

       # diagnose debug flow filter                                                    Trace packet with filter.                                             [5.0]
       # diagnose debug flow filter6                                                   Trace packet with IPv6 filter.                                        [5.0]
       # diagnose debug flow show                                                      Enable/disable display of trace on console.                           [5.0]
       # diagnose debug flow trace                                                     Start/stop trace.                                                     [5.0]

       What is special about the "diagnose debug flow" command?
       
       This command shows how the kernel handles a packet, i.e. on which interface it arrives, how it is routed,
       whether a policy is matched, etc. It is a "monitor" for packet flows:
       
       # diagnose debug flow filter clear
       
       # diagnose debug flow show console enable
       # diagnose debug flow show function enable
       # diagnose debug flow filter proto [protocol number, e.g. "6" for TCP]
       # diagnose debug flow filter [filter definition]
               vf: any
               proto: any
               Host addr: any
               Host saddr: any
               Host daddr: any
               port: any
               sport: any
               dport: any
       
       NOTE The following options can be used as a filter:
        
               addr      IP address.
               clear     Clear filter.
               daddr     Destination IP address.
               dport     Destination port.
               negate    Inverse filter.
               port      port
               proto     Protocol number.
               saddr     Source IP address.
               sport     Source port.
               vd        Index of virtual domain.

       Basic use of the "diagnose debug flow" command:
       
       NOTE The following commands show how all functions are first reset in preparation for "flow". After that, the
            individual functions such as "timestamp" are enabled. This procedure does not have to be carried out every
            time; it is only needed when all filters and functions should be reset to their default values at the start,
            to make sure that no previous filters remain!
       
       Disable debug for "flow":
       
       # diagnose debug disable
       
       Stop the trace for "flow":
       
       # diagnose debug flow trace stop
       
       Clear the filter for "flow":
       
       # diagnose debug flow filter clear
       
       Reset debug for "flow":
       
       # diagnose debug reset
       
       Set a new filter for "flow":
       
       # diagnose debug flow filter addr [x.x.x.x] [To filter only address x.x.x.x]
       
       Enable output on the console for "flow":
       
       # diagnose debug flow show console enable
       
       Enable function-name for "flow":
       
       # diagnose debug flow show function-name enable
       
       Enable the timestamp (time) for "flow":
       
       # diagnose debug console timestamp enable
       
       Set the number of packets to be displayed for "flow", i.e. for the filter:
       
       # diagnose debug flow trace start [number of packets, e.g. 10]
       
       Enable the "flow" function:
       
       # diagnose debug enable [To enable the debug command.]

Below are some examples of what a filter for "flow" can look like:

       Filter explicitly for ping traffic:
       
       # diagnose debug flow filter proto 1
       
       NOTE For more information on protocol numbers, see the following article:
            
            Allgemein:Assigned-Internet-Protocol-Numbers-RFC
       
       Filter explicitly for ICMP only on a specific IP address:
       
       # diagnose debug flow filter addr [IPv4 address range from/to, e.g. 192.168.1.1 192.168.1.10]
       # diagnose debug flow filter proto [protocol number, e.g. 1 for ICMP]
       
       Filter explicitly on a specific port number:
       
       # diagnose debug flow filter port [port number, e.g. 80]
       
       Filter on a specific IP address and port number:
       
       # diagnose debug flow filter addr [IPv4 address, e.g. 192.168.1.10]
       # diagnose debug flow filter port [port number, e.g. 25]
       
       Filter explicitly on a specific source port:
       
       # diagnose debug flow filter sport [source port, e.g. 10823]
       
       Filter explicitly on a specific destination port:
       
       # diagnose debug flow filter dport [destination port, e.g. 110]
       
       Filter explicitly on a specific source IP address:
       
       # diagnose debug flow filter saddr [IPv4 address, e.g. 192.168.5.44]
       
       Filter explicitly on a specific destination IP address:
       
       # diagnose debug flow filter daddr [IPv4 address, e.g. 192.168.3.24]
       
       Filter explicitly on a virtual domain (vdom):
       
       # diagnose debug flow filter vd [index, e.g. 2; -1 for all]

When working with "diagnose debug flow", various messages relating to "block" are output. They have the following meaning:

       Denied by forward policy check          - No matching firewall policy rule exists for this traffic.
                                               - A firewall policy rule exists, but a "disclaimer" is enabled that must be accepted first.
       
       Denied by end point ip filter check     - The source IP address of the traffic is in the DLP quarantine.
       
       exceeded shaper limit, drop             - The packet was dropped by the traffic shaper.
       
       Reverse path check fail, drop           - The packet was dropped by the "reverse path forwarding" function. For more information on "reverse path forwarding",
                                                 see the following article:
       
                                                 FortiGate-5.0-5.2:FAQ#Wie_schalte_ich_das_.22Reverse_Path_Forwarding.22_von_.22loose.22_auf_.22strict.22_.28per_Standard_gilt_.22loose.22.29.3F
       
       Iprope_in_check() check failed, drop    - The packet uses a FortiGate IP address as its destination, i.e. management traffic, but:
                                                 
                                                 --> The service on the FortiGate, e.g. admin HTTPS access, is not enabled.
                                                 --> The service is enabled but uses a different port.
                                                 --> A "trusted host" was configured for the service and the source IP is not included in "trusted host".
                                               
                                               - The packet's destination is not a FortiGate IP address for management traffic; instead the IP is used
                                                 for a VIP or IP pool object.
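
The block messages listed above can be picked out of a saved "diagnose debug flow" capture automatically. The following Python script is an added example, not part of the original article or of FortiOS: it groups trace lines by trace_id and maps each drop message to the cause given in the list. The line layout (trace_id=<n> plus a quoted msg="..." field) is an assumption, and the sample capture, including its function names and line numbers, is constructed.

```python
import re

# Drop messages and causes as listed in the article (matched case-insensitively).
DROP_REASONS = [
    ("denied by forward policy check",
     "No matching firewall policy rule, or a disclaimer must be accepted first."),
    ("denied by end point ip filter check",
     "Source IP address is in the DLP quarantine."),
    ("exceeded shaper limit, drop",
     "Packet dropped by the traffic shaper."),
    ("reverse path check fail, drop",
     "Packet dropped by reverse path forwarding."),
    ("iprope_in_check() check failed, drop",
     "Traffic to a FortiGate IP (service disabled, other port, source not in "
     "trusted host), or the destination IP is used by a VIP or IP pool object."),
]

# Assumption: every trace line carries trace_id=<n> and a quoted msg="..." field.
LINE_RE = re.compile(r'trace_id=(\d+)\b.*?msg="([^"]*)"')
# Assumption: the first line of a trace describes the packet in this form.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>\S+?)->(?P<dst>\S+?)\)'
    r' from (?P<iface>[^\s"]+?)\.(?:\s|$)')

# Constructed sample capture (function names and line numbers are placeholders).
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=1, 192.168.1.10:1->192.168.3.24:8) from internal."
id=20085 trace_id=1 func=init_ip_session_common line=4527 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=fw_forward_handler line=545 msg="Denied by forward policy check"
id=20085 trace_id=2 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 192.168.5.44:10823->192.168.1.10:25) from wan1."
id=20085 trace_id=2 func=ip_route_input_slow line=1273 msg="reverse path check fail, drop"
id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 192.168.1.10:40000->192.168.3.24:80) from internal."
id=20085 trace_id=3 func=vf_ip4_route_input line=1597 msg="find a route: gw-192.168.3.24 via dmz"
id=20085 trace_id=4 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 192.168.5.44:10824->192.168.1.99:443) from wan1."
id=20085 trace_id=4 func=fw_local_in_handler line=385 msg="iprope_in_check() check failed, drop"
"""


def classify(msg):
    """Return (message, cause) if msg contains one of the listed drop messages."""
    lowered = msg.lower()
    for needle, cause in DROP_REASONS:
        if needle in lowered:
            return needle, cause
    return None


def summarize(text):
    """Group trace lines by trace_id; record the packet header and any drop reason."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # console noise, prompts, blank lines
        trace = traces.setdefault(
            int(m.group(1)), {"packet": None, "drop": None, "cause": None})
        msg = m.group(2)
        pkt = PKT_RE.search(msg)
        if pkt and trace["packet"] is None:
            trace["packet"] = pkt.groupdict()
        hit = classify(msg)
        if hit:
            trace["drop"], trace["cause"] = hit
    return traces


def dropped(traces):
    """Return (trace_id, src, dst, drop message) for every dropped trace."""
    rows = []
    for tid, trace in traces.items():
        if trace["drop"]:
            pkt = trace["packet"] or {}
            rows.append((tid, pkt.get("src"), pkt.get("dst"), trace["drop"]))
    return rows


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for tid, src, dst, reason in dropped(result):
        print(f"trace {tid}: {src} -> {dst}: {reason}")
        print(f"    cause: {result[tid]['cause']}")
```

Traces without one of the listed messages, such as trace 3 in the sample, are reported as not dropped, so the remaining lines of that trace still have to be read by hand.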

debug fsso-polling

       # diagnose debug fsso-polling                                                   FSSO active directory poll module.                                    [5.0][5.2]
       # diagnose debug fsso-polling client                                            Show FSSO AD Server Clients.                                          [5.0] 
       # diagnose debug fsso-polling detail <id-AD Server Entry ID>                    Show FSSO AD Server Detail.                                           [5.0] 
       # diagnose debug fsso-polling ha                                                Show FSSO HA Summary.                                                 [5.0] 
       # diagnose debug fsso-polling refresh-user <id-AD Server Entry ID>              Refresh FSSO AD Server users.                                         [5.0] 
       # diagnose debug fsso-polling set-log-source [ID AD] [0: security, 1:appl.]     Source of event log.                                                  [5.0] 
       # diagnose debug fsso-polling summary                                           Show FSSO AD Server Summary.                                          [5.0] 
       # diagnose debug fsso-polling user [ID AD]                                      Show FSSO AD Server users.                                            [5.0] 

debug info

       # diagnose debug info                                                           Show active debug level settings.                                     [5.0][5.2]

debug kernel

       # diagnose debug kernel ha [Integer - disable, 1-7 = higher level]              Debug kernel HA level.                                                [5.0]
       # diagnose debug kernel level [Integer - Kernel level]                          Debug kernel level.                                                   [5.0]

debug rating

       # diagnose debug rating [refresh-rate (sec)]                                    Display rating info.                                                  [5.0][5.2]
       
       NOTE Use this command to display the available FortiGuard Distribution Network servers for antispam queries
            and to set the frequency for refreshing the server list.
       
       Server Status:
       
       D  Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more 
          than one IP address, all of them will be flagged with 'D' and will be used first for INIT requests
          before falling back to other servers.  
       
       I  Indicates the server to which the last INIT request was sent.  
       
       F  The server has not responded to requests and is considered to have failed.  
       
       T  The server is currently being timed.  

debug report

       # diagnose debug report                                                         Report for tech support.                                              [5.0][5.2]
       # diagnose debug report reset                                                   Reset debug report.                                                   [5.0] 

debug reset

       # diagnose debug reset                                                          Reset all debug level to default.                                     [5.0][5.2]

debug rtmon

       # diagnose debug rtmon                                                          Dump rtmon data by name.                                              [5.0]
       # diagnose debug rtmon dump pingsvr                                             Dump ping server.                                                     [5.0] 
       # diagnose debug rtmon dump fail-detect                                         Dump fail-detect.                                                     [5.0] 

debug urlfilter

       # diagnose debug urlfilter src-addr [IP address]                                Enable debug messages for selected source IP address.                 [5.0] 
       # diagnose debug urlfilter test-url [url]                                       Find the result returned from the URL filter for a URL.   

disktest

disktest block

       # diagnose disktest block                                             Block size of each read/write operation.                                        [5.2]

       Current Test Block: 4M.

disktest device

       # diagnose disktest device                                            Device to test.                                                                 [5.2]
       
       # diagnose disktest device 
       1    /dev/sda, size 3864MB, boot device
       2    /dev/sdb, size 7728MB
       
       # diagnose disktest device 1
       Current Test Device: /dev/sda

disktest run

       # diagnose disktest run                                               Run test with specified cycle.                                                  [5.2]
       Round 1 started.
       Current Test Device: /dev/sda
       Total size: 3864M
       Current Test Block: 4M.
       Current Time Limit: No limit
       Current Size Limit: No limit
       Time(Sec)    Size(MB)                                                 Read(MB/s) Write(MB/s)
       ...........................
       ..........................

disktest size

       # diagnose disktest size                                              Test size limit for each cycle.                                                 [5.2]
       Current Size Limit: No limit

disktest time

       # diagnose disktest time                                              Test time limit for each cycle.                                                 [5.2]
       Current Time Limit: No limit

endpoint

Endpoint compliance diagnostics.

endpoint ec-feature-list

       # diagnose endpoint ec-feature-list                                                    Endpoint checking feature list information.                    [5.0][5.2]
       Number of list entries: 0

endpoint filter

       # diagnose endpoint filter clear                                                       Erase the current filter.                                      [5.0][5.2]
       # diagnose endpoint filter ftcl-uid [uid FortiClient UID]                              FortiClient UID to filter by.                                  [5.0][5.2]
       # diagnose endpoint filter list                                                        Display the current filter.                                    [5.0][5.2]
       source IP : any
       session IP : any
       MAC : any
       FortiClient UID : any
       # diagnose endpoint filter mac [MAC address (xx:xx:xx:xx:xx:xx)]                       MAC address to filter by.                                      [5.0][5.2]
       # diagnose endpoint filter ses-ip [ipv4-address Session IPv4 address]                  IPv4 session address to filter by.                             [5.0][5.2]
       # diagnose endpoint filter src-ip [ipv4-address Session IPv4 address]                  IPv4 source address to filter by.                              [5.0][5.2]

endpoint information

       # diagnose endpoint information                                                        Latest endpoint related information.                           [5.0][5.2]
       FortiGuard Availability: not reachable
       FortiClient Downloads: 0

endpoint record-delete

       # diagnose endpoint record-delete [ipv4-address Source IPv4 address]                   Delete endpoint records.                                       [5.0][5.2]

endpoint record-list

       # diagnose endpoint record-list any                                                    List endpoint records.                                         [5.0][5.2]
       online records: 0; offline records: 0
       status -- none: 0; uninstalled: 0; unregistered: 0; registered: 0; blocked: 0

endpoint record-summary

       # diagnose endpoint record-summary                                                     List summary of endpoint records.                              [5.0][5.2]
       online records: 0; offline records: 0
       status -- none: 0; uninstalled: 0; unregistered: 0; registered: 0; blocked: 0

endpoint registration

       # diagnose endpoint registration block [id FortiClient UID]                            Block a FortiClient from registering.                          [5.0]
       # diagnose endpoint registration cmdb-list [ipv4 Source or any]                        List FortiClients stored in CMDB.                              [5.0]
       # diagnose endpoint registration deregister [id FortiClient UID]                       Deregister a registered FortiClient.                           [5.0]
       # diagnose endpoint registration force-peer-resync                                     force to resync registration with all peers.                   [5.0]
       # diagnose endpoint registration keepalive-timestamp [FortiClient UID]                 List KeepAlive timestamps.                                     [5.0]
       # diagnose endpoint registration list blocked-forticlients [ipv4 address or any]       List blocked FortiClients.                                     [5.0]
       # diagnose endpoint registration list registered-forticlients [ipv4 address or any]    List registered FortiClients.                                  [5.0]
       # diagnose endpoint registration recalculate-registered-forticlients                   Re-calculate number of registered forticlients.                [5.0]
       Total number of licences: 10
       Total number of granted licenses: 0 (0)
       Total number of available licences: 10
       # diagnose endpoint registration skip-forticlient-system-update [1/0 Skip/Unskip]      Skip the system update upon receiving KeepAlive from FC        [5.0]
       # diagnose endpoint registration ssl-session-timeout [SSL session timeout]             Set the SSL session timeout.                                   [5.0]
       # diagnose endpoint registration summary                                               Summary of FortiClient registrations.                          [5.0]
       Total number of licences: 10 
       Total number of granted licenses: 0 
       Total number of available licences: 10 
       # diagnose endpoint registration sync-peer-list [1/0 signal daemon]                    List registration sync peers.                                  [5.0]
       # diagnose endpoint registration unblock [FortiClient UID]                             Unblock a previously blocked FortiClient.                      [5.0]

extender

extender atcmd

       # diagnose extender atcmd                                              at command
       
       # diagnose extender atcmd [at-command] [mark - change mark to '?' in at command] [sn - serial number of extender]                                     [5.2]

extender cmd

       # diagnose extender cmd                                                generic at command                                                             [5.2]
       
       # diagnose extender cmd [Integer - a number mapping a generic at command] [sn - serial number of extender] 
       
       Description of Test Level
       
       1  Show device info  
       2  Show data session connection status  
       3  Test connection  
       4  Test disconnection  
       5  Get signal strength

fdsm

FortiCloud/FortiManager Service.

fdsm account-info

       # diagnose fdsm account-info                                           FortiCloud account information.                                                [5.0][5.2]
       Account information: status=0, type=basic.

fdsm cfg-diff

       # diagnose fdsm cfg-diff [revision1] [revision2]                       Configuration difference.                                                      [5.0][5.2]

fdsm cfg-download

       # diagnose fdsm cfg-download [normal | template | script]              Download configuration.                                                        [5.0][5.2]

fdsm cfg-list

       # diagnose fdsm cfg-list [normal | template | script]                  Download configuration list.                                                   [5.0][5.2]

fdsm cfg-upload

       # diagnose fdsm cfg-upload  [comments]                                 Upload configuration.                                                          [5.0][5.2]

fdsm contract-controller-update

       # diagnose fdsm contract-controller-update                             Update contract controller.                                                    [5.0][5.2]
       Protocol=2.0|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000| 
       Persistent=false|ResponseItem=HomeServer:208.91.113.180:443*AlterServer:208.91.113.180:443*Contract:20141016*NextRequest:86400*UploadConfig:False*ManagementMode:Local*ManagementID:650735713 
       Result=Success 

fdsm fc-installer-download

       # diagnose fdsm fc-installer-download [Installer ID]                   Download FortiClient installer.                                                [5.0][5.2]

fdsm fds-update

       # diagnose fdsm fds-update                                             Perform FortiGuard update.                                                     [5.0][5.2]

fdsm ftk-activiate

       # diagnose fdsm ftk-activiate [arg please input args]                  FortiToken activation.                                                         [5.0][5.2]

fdsm log-controller-update

       # diagnose fdsm log-controller-update                                  Perform log update.                                                            [5.0][5.2]
       Protocol=2.0|Response=202|Firmware=FAZ-4K-FW 2.50-100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:208.91.113.183:514*AlterServer:208.91.113.201:514*Contract:20141016*ContractType:Basic*NextRequest:86400*Disk:1024*Used:3.44*Volume:102*Archive:True
       Result=Success

fdsm message-update

       # diagnose fdsm message-update                                         Perform message update.                                                        [5.0][5.2]
       Protocol=2.0|Response=202|Firmware=FAZ-4K-FW 2.50-100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:208.91.113.183:514*AlterServer:208.91.113.201:514*Contract:20141016*ContractType:Basic*NextRequest:86400*Disk:1024*Used:3.44*Volume:102*Archive:True
       Result=Success

fdsm forticlient-update

       # diagnose fdsm forticlient-update                                     FortiClient update.                                                            [5.0][5.2]

fdsm forticlient-net-info

       # diagnose fdsm forticlient-net-info                                   FortiClient net information.                                                   [5.0][5.2]
       SerialNumber=FPT-FCS-29500013|Address=208.91.112.135:443|FDNListener=208.91.112.135:8889|TimeZone=-5
       SerialNumber=FPT-FCS-DELL0005|Address=208.91.112.132:443|FDNListener=208.91.112.132:8889|TimeZone=-5 
       SerialNumber=FPT-FCS-DELL0007|Address=62.209.40.71:443|FDNListener=62.209.40.71:8889|TimeZone=1 
       .......................................................
       .......................................................
       ......................................................
       TimeZone=-8|Address=support.fortinet.com|Registration=/registration.aspx|Login=/login.aspx: 
       Result=Success 

fdsm fortiap-download

       # diagnose fdsm fortiap-download [Image ID]                            Download FortiAP image.                                                        [5.0][5.2]

fdsm fortiap-latest-ver

       # diagnose fdsm fortiap-latest-ver [model Model name]                  Get most recent FortiAP build information.                                     [5.0][5.2]

fdsm image-download

       # diagnose fdsm image-download [Image ID]                              Download image.                                                                [5.0][5.2]

fdsm image-list

       # diagnose fdsm image-list                                             Download image list.                                                           [5.0][5.2]
       05000000FIMG0007000007 v5.00 GA P7 b3608 (downgrade) 
       04000000FIMG0007003015 v4.00 MR3-GA P15 b0672 (downgrade)
       04000000FIMG0007002011 v4.00 MR2-GA P11 b0342 (downgrade)

fdsm modem-list

       # diagnose fdsm modem-list                                             MODEM list.                                                                    [5.0][5.2]

fdsm report-download

       # diagnose fdsm report-download [OID]                                  Download report.                                                               [5.0][5.2]

fdsm report-list

       # diagnose fdsm report-list [VDOM Name]                                Download report list.                                                          [5.0][5.2]

fdsm sslvpn-man-upgrade-package-download

       # diagnose fdsm sslvpn-man-upgrade-package-download [Package ID]       Download SSL-VPN manual upgrade package.                                       [5.0][5.2]

fdsm sslvpn-package-download

       # diagnose fdsm sslvpn-package-download [Package ID]                   Download SSL-VPN package.                                                      [5.0][5.2]

firewall

firewall auth

       # diagnose firewall auth clear                                         Clear authenticated IPv4 users.                                                [5.0]
       # diagnose firewall auth filter                                        Filters used to list entries.                                                  [5.0]
       
       # diagnose firewall auth filter clear [Enter]                          Clear all filters.                                                             [5.0] 
       # diagnose firewall auth filter group [Group name]                     Group name.                                                                    [5.0]
       # diagnose firewall auth filter method [fw, fsso, ntlm]                method                                                                         [5.0]
       # diagnose firewall auth filter policy [xxx - Policy ID]               Policy ID.                                                                     [5.0]
       # diagnose firewall auth filter source [IPv4 source]                   IPv4 source address.                                                           [5.0]
       # diagnose firewall auth filter source6 [IPv6 source]                  IPv6 source address.                                                           [5.0]
       # diagnose firewall auth filter user [User name]                       User name                                                                      [5.0] 
       # diagnose firewall auth ipv6 [clear | list]                           Authenticated IPv6 users.                                                      [5.0]
       # diagnose firewall auth list                                          List authenticated IPv4 users.                                                 [5.0]
       ----- 0 listed, 0 filtered ------

firewall blocking

       # diagnose firewall blocking list [ipv4 Source IP]                     List information.                                                              [5.0] 

firewall dns-xlate

       # diagnose firewall dns-xlate [mapping | pool]                         DNS translation.                                                               [5.2]
       
       # diagnose firewall dns-xlate mapping list
       List DNS translation mapping:(vf=root)
       
       # diagnose firewall dns-xlate pool list
       List DNS translation pool:(vf=root)

firewall fqdn

       # diagnose firewall fqdn flush                                         Flush IP info of FQDN.                                                         [5.0]
       # diagnose firewall fqdn list                                          List all FQDN.                                                                 [5.0]
       List all FQDN:
       albert.apple.com: ID(39) REF(2)
       phobos.apple.com: ID(56) REF(2)
       swscan.apple.com: ID(60) REF(2)
       test.stats.update.microsoft.com: ID(63) REF(2)
       itunes.apple.com: ID(69) REF(2)
       ax.itunes.apple.com: ID(76) REF(2)
       deimos3.apple.com: ID(97) REF(2)
       www.msftncsi.com: ID(103) REF(2)
       download.windowsupdate.com: ID(129) REF(2)
       au.download.windowsupdate.com: ID(133) REF(2)
       gs.apple.com: ID(135) REF(2)
       phobos.apple.com.edgesuite.net: ID(154) REF(2)
       metrics.apple.com: ID(164) REF(2)
       download.microsoft.com: ID(201) REF(2)
       swcdn.apple.com: ID(204) REF(2)
       swquery.apple.com: ID(205) REF(2)
       ntservicepack.microsoft.com: ID(227) REF(2)
       swdownload.apple.com: ID(239) REF(2)
       update.microsoft.com: ID(244) REF(2)
       appldnld.apple.com: ID(252) REF(2)
       windowsupdate.microsoft.com: ID(255) REF(2)
       # diagnose firewall fqdn purge                                         Purge all unused FQDN.                                                         [5.0]

firewall ip-translation

       # diagnose firewall ip-translation [flush | list]                      IP translation.                                                                [5.0][5.2]

firewall ip_host

       # diagnose firewall ip_host add                                        Add ip_host.                                                                   [5.0]
       
       # diagnose firewall ip_host add dev [Device name]                      Device tree name                                                               [5.0]
       # diagnose firewall ip_host add dst [ipv4 Destination]                 Destination tree ipv4                                                          [5.0]
       # diagnose firewall ip_host add src [ipv4 Source]                      Source tree ipv4                                                               [5.0] 
       # diagnose firewall ip_host clr [dev | dst | src]                      Clear ip_host node.                                                            [5.0]
       # diagnose firewall ip_host del                                        Del ip_host entry.                                                             [5.0]
       
       # diagnose firewall ip_host del dev [Device name]                      Device tree name                                                               [5.0]
       # diagnose firewall ip_host del dst [ipv4 Destination]                 Destination tree ipv4                                                          [5.0]
       # diagnose firewall ip_host del src [ipv4 Source]                      Source tree ipv4                                                               [5.0] 
       # diagnose firewall ip_host list                                       List ip_host.                                                                  [5.0]
       
       # diagnose firewall ip_host list dev [Device name]                     Device tree name                                                               [5.0]
       # diagnose firewall ip_host list dst [ipv4 Destination]                Destination tree ipv4                                                          [5.0]
       # diagnose firewall ip_host list ep-ip [ipv4 Source]                   Source tree ipv4                                                               [5.0] 
       # diagnose firewall ip_host list src [ipv4 Source]                     Source tree ipv4                                                               [5.0] 
       # diagnose firewall ip_host rem                                        Del ip_host node.                                                              [5.0]
       
       # diagnose firewall ip_host rem dev [Device name]                      Device tree name                                                               [5.0]
       # diagnose firewall ip_host rem dst [ipv4 Destination]                 Destination tree ipv4                                                          [5.0]
       # diagnose firewall ip_host rem src [ipv4 Source]                      Source tree ipv4                                                               [5.0]
       # diagnose firewall ip_host stat                                       stat                                                                           [5.0]
       iph_size=0

firewall ipgeo

       # diagnose firewall ipgeo copyright-notice                             Copyright note.                                                                [5.0]
       Copyright (c) 2011 MaxMind Inc.  All Rights Reserved.
       # diagnose firewall ipgeo country-list                                 List all countries.                                                            [5.0]
       Total countries loaded:2
       EU
       CH
       # diagnose firewall ipgeo ip-list [Country ID example CH]              List IP info of country.                                                       [5.0] 
                   5.1.96.0 - 5.1.103.255
                  5.1.112.0 - 5.1.119.255
                 5.39.2.205 - 5.39.2.206
                 5.39.56.32 - 5.39.56.47
                 5.44.112.0 - 5.44.127.255
                 5.53.104.0 - 5.53.111.255
                 5.57.200.0 - 5.57.207.255
                 5.61.224.0 - 5.61.231.255
                5.102.144.0 - 5.102.151.255
                 5.104.88.0 - 5.104.95.255
                 5.133.32.0 - 5.133.39.255
                 5.134.24.0 - 5.134.31.255
                  5.144.0.0 - 5.144.47.255
                  ........................
                  ........................
                  ........................
       # diagnose firewall ipgeo ip2country [ipv4 address]                    Get country info for the IP.                                                   [5.0]
       # diagnose firewall ipgeo override                                     Print out all user defined IP geolocation data.                                [5.0]

firewall iplist

       # diagnose firewall iplist [flush | list optimized]                    IP list.                                                                       [5.0][5.2]

firewall iplist6

       # diagnose firewall iplist6 [flush | list optimized]                   IP list.                                                                       [5.0][5.2]

firewall ipmac

       # diagnose firewall ipmac                                              ipmac                                                                          [5.0][5.2]
       
       # diagnose firewall ipmac add [xxx.xxx.xxx.xxx - IP address]           IP address.                                                                    [5.0]
       
       # diagnose firewall ipmac delete [xx.xxx.xxx.xxx - IP address]         IP address.                                                                    [5.0]
       
       # diagnose firewall ipmac flush                                        flush                                                                          [5.0]
       
       # diagnose firewall ipmac list                                         list                                                                           [5.0]
       List firewall IP/MAC address pairs:
       ip=198.18.3.2 mac=08:5b:0e:a3:97:a6 act=01 flag=00
       ip=198.18.2.2 mac=9c:b7:0d:de:8f:74 act=01 flag=00
       ip=198.18.3.3 mac=08:5b:0e:5d:f7:0c act=01 flag=00
       # diagnose firewall ipmac status                                       status                                                                         [5.0] 
       ipmac status: enable=0, default_act=0, count=3

firewall ippool

       # diagnose firewall ippool flush                                       flush                                                                          [5.0]
       # diagnose firewall ippool list                                        list                                                                           [5.0]
       # diagnose firewall ippool list nat-ip                                 List allocated IP in ippool.                                                   [5.0]
       # diagnose firewall ippool list pba                                    List PBA in ippool.                                                            [5.0]
       # diagnose firewall ippool list user                                   List users of ippool.                                                          [5.0]

       # diagnose firewall ippool stats                                       statistics                                                                     [5.0]
       Total 0 ippool is allocated.
       Total 0 client host is online.
       Total 0 natip is allocated.
       Total 0 PBA is allocated.
       Approximate 0 PBA is allocated in 1 second before.

firewall ippool-fixed-range

       # diagnose firewall ippool-fixed-range                                 Fixed range IP pool.                                                           [5.0][5.2]
       
       # diagnose firewall ippool-fixed-range list natip [natip <xxx.xxx.xxx.xxx> | natip + port]

firewall iprope

       # diagnose firewall iprope appctrl                                     List application control lists.                                                [5.0]
       
       # diagnose firewall iprope appctrl list                                List application control lists.                                                [5.0]
       app-list=default/2000 other-action=Pass
         app-id=1          list-id=2000  action=Pass
         app-id=2          list-id=2000  action=Pass
         app-id=3          list-id=2000  action=Pass
         app-id=4          list-id=2000  action=Pass
         app-id=6          list-id=2000  action=Pass
         app-id=7          list-id=2000  action=Pass
         app-id=8          list-id=2000  action=Pass
         ...........................................
         ...........................................
       
       # diagnose firewall iprope appctrl shaper list                         List application control app shapers.                                          [5.0]
       
       # diagnose firewall iprope appctrl stats clear                         Clear application control app statistics.                                      [5.0]
       
       # diagnose firewall iprope appctrl stats list                          List application control app statistics.                                       [5.0]
       
       # diagnose firewall iprope appctrl status                              Application control list status.                                               [5.0] 
       appctrl table 3 list 2 app 6762 shaper 0
       
       # diagnose firewall iprope clear                                       Clear policy statistic.                                                        [5.0]
        clear group idx ...
       
       # diagnose firewall iprope flush [No. - Number, hexadecimal]           flush                                                                          [5.0]
       
       # diagnose firewall iprope list [No. - Number, hexadecimal]            list                                                                           [5.0]
       
       # diagnose firewall iprope show                                        show                                                                           [5.0]
       
       # diagnose firewall iprope state                                       state                                                                          [5.0]
       av_break=pass/off av_conserve=off Alloc: iprope=196 shaper=27 user=0 nodes=27 pol=332
       app_src=0 auth_logon=0 auth_info=0
       av_service=http  fail open act=off
       av_service=imap  fail open act=off
       av_service=pop3  fail open act=off
       av_service=smtp  fail open act=off
       av_service=ftp   fail open act=off
       av_service=im    fail open act=off
       av_service=p2p   fail open act=off
       av_service=nntp  fail open act=off
       av_service=https fail open act=off
       av_service=imaps fail open act=off
       av_service=pop3s fail open act=off
       av_service=smtps fail open act=off
       av_service=ftps  fail open act=off
       av_service=cifs  fail open act=off
       total group number = 24 act=2
       00004e20 00100000 00000001 00004e21 00100012 00004e22 00100002 00004e23 00100003 00000003 00004e24 00100004 00000005 00004e25 00060005 00000006 00000007 00000008 00100009 0010000a 0010000c 0010000d 0010000e 0010000f 

firewall iprope6

       # diagnose firewall iprope6 clear                                      Clear policy statistic.                                                        [5.0]
       
       # diagnose firewall iprope6 flush [No. - Number, hexadecimal]          flush                                                                          [5.0]
       
       # diagnose firewall iprope6 list [No. - Number, hexadecimal]           list                                                                           [5.0]
       
       # diagnose firewall iprope6 show                                       show                                                                           [5.0]
        show group idx ...
       
       # diagnose firewall iprope6 state                                      state                                                                          [5.0]
       av_break = off/block av_conserve = block
       alloc: iprope = 196 shaper = 27 user = 0
       default action: 2
       groups: total number 9
       00000001 00100012 00100003 00000003 00100004 00000005 00000006 0010000e 0010000f 

firewall ipv6-ehf

       # diagnose firewall ipv6-ehf                                           IPv6 extension header filter.                                                  [5.0][5.2]
       
       ipv6 extension header filter:
               flags: 0x00000004 rout
               routing types: 0

firewall packet

       # diagnose firewall packet distribution                                Packet statistics.                                                             [5.0][5.2]
       getting packet distribution statistics...
       0 bytes - 63 bytes: 3243883 packets
       64 bytes - 127 bytes: 11859967 packets
       128 bytes - 255 bytes: 964121 packets
       256 bytes - 383 bytes: 190072 packets
       384 bytes - 511 bytes: 13840 packets
       512 bytes - 767 bytes: 59863 packets
       768 bytes - 1023 bytes: 18604 packets
       1024 bytes - 1279 bytes: 98551 packets
       1280 bytes - 1500 bytes: 72256 packets
        > 1500 bytes: 0 packets

firewall proute

       # diagnose firewall proute list                                        Policy route.                                                                  [5.0][5.2]
       list route policy info(vf=root):

firewall proute6

       # diagnose firewall proute6 list                                       IPv6 policy route.                                                             [5.0][5.2]

firewall schedule

       # diagnose firewall schedule list                                      schedule                                                                       [5.0][5.2]
       none weekly ------- start 0:0 stop 0:0 stat=00000001 use=1
       always weekly SMTWTFS start 0:0 stop 0:0 stat=00000000 use=27

firewall shaper

       # diagnose firewall shaper per-ip-shaper                               Traffic shapers.                                                               [5.0]
       
       clear        Use this command to clear the per-IP statistical data to begin a fresh diagnosis. 
       list         Use this command to view information for the per-IP shaper for security policies. 
       state        This command displays the total number of per-IP shapers on the FortiGate unit. 
       stats        This command displays summary statistics on the shapers. 
       
       # diagnose firewall shaper per-ip-shaper clear                         Per-IP clear statistic data.                                                   [5.0]
       # diagnose firewall shaper per-ip-shaper list                          List per-IP shapers.                                                           [5.0]
       # diagnose firewall shaper per-ip-shaper state                         Per-IP shapers state.                                                          [5.0]
       memory allocated 0
       # diagnose firewall shaper per-ip-shaper stats                         Per-IP shapers statistic.                                                      [5.0] 
       memory allocated 0 packet dropped: 0
       # diagnose firewall shaper traffic-shaper                              Traffic shapers.                                                               [5.0]
       
       list         Use this command to view information for the shared traffic shaper for security policies. 
       state        Use this command to display the total number of traffic shapers on the FortiGate unit. 
       stats clear  Use this command to clear the per-IP statistical data to begin a fresh diagnosis. 
       stats list   Use this command to view information for the per-IP shaper for security policies. 
       
       # diagnose firewall shaper traffic-shaper list                         List traffic shapers.                                                          [5.0]
       name Citrix-CS4-AF41
       maximum-bandwidth 0 KB/sec
       guaranteed-bandwidth 0 KB/sec
       current-bandwidth 0 B/sec
       priority 2
       tos 22 
       packets dropped 0
       
       name local-guarantee-100kbps.intra
       maximum-bandwidth 131072 KB/sec
       guaranteed-bandwidth 12 KB/sec
       current-bandwidth 0 B/sec
       priority 2
       tos ff 
       packets dropped 0
       
       # diagnose firewall shaper traffic-shaper state                        Global traffic shaper state.                                                   [5.0]
       shapers 6
       
       # diagnose firewall shaper traffic-shaper stats clear                  Clear traffic shaper statistics.                                               [5.0]
       
       # diagnose firewall shaper traffic-shaper stats list                   List traffic shaper statistics.                                                [5.0] 
       shapers 6 ipv4 0 ipv6 0 drops 0

firewall statistic

       # diagnose firewall statistic                                          Traffic statistics.                                                            [5.0][5.2]
       
       # diagnose firewall statistic clear                                    Clear traffic stats.                                                           [5.0] 
       # diagnose firewall statistic show                                     Show traffic stats.                                                            [5.0] 
       
       show        Use the show command to display throughput information for the firewall, broken down into categories 
                   by both packets and bytes. Categories include common applications such as DNS, FTP, IM, P2P, and VoIP, 
                   as well as the lower-level protocols: TCP, UDP, ICMP, and IP. 
       clear       Use the clear command to clear and reset the throughput information. 

firewall uuid

       # diagnose firewall uuid                                               UUID list.                                                                     [5.2]

firewall vip

       # diagnose firewall vip                                                                        VIP diagnostics.                                       [5.0][5.2]
       # diagnose firewall vip realserver                                                             Load balance real servers.                             [5.0]
       
       # diagnose firewall vip realserver down [name | xxx.xxx.xxx.xxx]                               Change address down.                                   [5.0]
       # diagnose firewall vip realserver flush                                                       flush                                                  [5.0]
       # diagnose firewall vip realserver healthcheck stats clear                                     Clear health check statistics.                         [5.0]
       # diagnose firewall vip realserver healthcheck stats show                                      Show health check statistics.                          [5.0]
       # diagnose firewall vip realserver list                                                        list                                                   [5.0]
       # diagnose firewall vip realserver up [name | xxx.xxx.xxx.xxx]                                 Change address up.                                     [5.0] 
       # diagnose firewall vip virtual-server filter                                                  Filter for various virtual server diagnostics.         [5.0] 
       # diagnose firewall vip virtual-server filter clear                                            Erase the current filter.                              [5.0]
       # diagnose firewall vip virtual-server filter dst [ip-address from | ip-address to]            Destination address range to filter by.                [5.0]
       # diagnose firewall vip virtual-server filter dst-port [port from | port to]                   Destination port range to filter by.                   [5.0]
       # diagnose firewall vip virtual-server filter list                                             Display the current filter.                            [5.0]
       # diagnose firewall vip virtual-server filter name [name]                                      VIP name to filter by.                                 [5.0]
       # diagnose firewall vip virtual-server filter negate dst-addr                                  Negate IPv4 destination address.                       [5.0]
       # diagnose firewall vip virtual-server filter negate dst-port                                  Negate destination port.                               [5.0]
       # diagnose firewall vip virtual-server filter negate name                                      Negate name.                                           [5.0]
       # diagnose firewall vip virtual-server filter negate src-addr                                  Negate IPv4 source address.                            [5.0]
       # diagnose firewall vip virtual-server filter negate src-port                                  Negate source port.                                    [5.0]
       # diagnose firewall vip virtual-server filter negate vd                                        Negate virtual domain.                                 [5.0]
       # diagnose firewall vip virtual-server log                                                     Logging diagnostics.                                   [5.0]
       # diagnose firewall vip virtual-server log console disable                                     Do not show virtual-server log on console.             [5.0]
       # diagnose firewall vip virtual-server log console enable                                      Show virtual-server log on console.                    [5.0]
       # diagnose firewall vip virtual-server log filter clear                                        Erase the current filter. 
       # diagnose firewall vip virtual-server log filter dst [ip-address from | ip-address to]        Destination address range to filter by.                [5.0]
       # diagnose firewall vip virtual-server log filter dst-port [port destination]                  Destination port range to filter by.                   [5.0]
       # diagnose firewall vip virtual-server log filter list                                         Display the current filter.                            [5.0] 
       # diagnose firewall vip virtual-server log filter name [name]                                  Virtual-server name to filter by.                      [5.0] 
       # diagnose firewall vip virtual-server log filter negate dst-addr                              Negate IPv4 destination address.                       [5.0] 
       # diagnose firewall vip virtual-server log filter negate dst-port                              Negate destination port.                               [5.0]  
       # diagnose firewall vip virtual-server log filter negate name                                  Negate name.                                           [5.0]  
       # diagnose firewall vip virtual-server log filter negate src-addr                              Negate IPv4 source address.                            [5.0] 
       # diagnose firewall vip virtual-server log filter negate src-port                              Negate source port.                                    [5.0]
       # diagnose firewall vip virtual-server log filter negate vd                                    Negate virtual domain.                                 [5.0]
       # diagnose firewall vip virtual-server log terminal clear                                      Clear debug log terminals.                             [5.0]
       # diagnose firewall vip virtual-server log terminal reset                                      Reset debug log terminals.                             [5.0] 
       # diagnose firewall vip virtual-server log terminal stats                                      Show debug log terminal statistics.                    [5.0] 
       # diagnose firewall vip virtual-server real-server                                             Real-server diagnostics.                               [5.0]
       # diagnose firewall vip virtual-server session                                                 Session diagnostics.                                   [5.0]
       # diagnose firewall vip virtual-server session clear                                           Clear all active sessions.                             [5.0]
       # diagnose firewall vip virtual-server session client clear                                    Clear client sessions.                                 [5.0]
       # diagnose firewall vip virtual-server session client list                                     List active client sessions.                           [5.0]
       # diagnose firewall vip virtual-server session list                                            List active sessions.                                  [5.0]
       # diagnose firewall vip virtual-server session server clear                                    Clear server sessions.                                 [5.0]
       # diagnose firewall vip virtual-server session server list                                     List active server sessions.                           [5.0] 
       # diagnose firewall vip virtual-server stats                                                   Statistics.                                            [5.0]
       # diagnose firewall vip virtual-server stats clear                                             Clear all statistics.                                  [5.0]
       # diagnose firewall vip virtual-server stats http clear                                        Clear HTTP statistics.                                 [5.0]
       # diagnose firewall vip virtual-server stats http list                                         List HTTP statistics.                                  [5.0]
       # diagnose firewall vip virtual-server stats list                                              List all statistics.                                   [5.0]
       # diagnose firewall vip virtual-server stats operational all                                   Display per-process operational info and statistics.   [5.0]
       # diagnose firewall vip virtual-server stats operational list                                  Display operational info and statistics.               [5.0]
       # diagnose firewall vip virtual-server stats summary clear                                     Clear summary statistics.                              [5.0]
       # diagnose firewall vip virtual-server stats summary list                                      List summary statistics.                               [5.0] 

forticare

FortiCare Service.

forticare protocol

       # diagnose forticare protocol [HTTP or HTTPS]                          HTTP or HTTPS.                                                                 [5.0][5.2]

forticare server

       # diagnose forticare server [Server IP (0:disable)]                    FortiCare server.                                                              [5.0][5.2]

forticlient

forticlient add-connection

       # diagnose forticlient add-connection                                  Add test FortiClient connection.                                               [5.0][5.2]
       
       # diagnose forticlient add-connection [Forticlient name] [User name] [Client Id] [Host OS] [Source IP] 

forticlient close-all-connection

       # diagnose forticlient close-all-connection                            Close all test FortiClient connection.                                         [5.0][5.2]

forticlient close-connection

       # diagnose forticlient close-connection                                Close test FortiClient connection.                                             [5.0][5.2]
       # diagnose forticlient close-connection handle                         FortiClient connection handle; Type enter to list current handles

fortitoken

fortitoken debug

       # diagnose fortitoken debug disable                                   Disable debug output.                                                           [5.0]
       # diagnose fortitoken debug enable                                    Enable debug output.                                                            [5.0]

fortitoken info

       # diagnose fortitoken info                                            Show current drift and status for each FortiToken.                              [5.0][5.2]
       FORTITOKEN       DRIFT  STATUS
       FTKMOB619EA900F5 0      new
       FTKMOB41806139B5 0      new
       
       Total activated token: 0
       Total global activated token: 0
       
       Token server status: reachable

fortitoken test

       # diagnose fortitoken test [FortiToken ID]                            Test FortiToken with screen setting for drift of internal clock.                [5.0][5.2]

hardware

hardware certificate

       # diagnose hardware certificate                                       Verify certificates.                                                            [5.0][5.2]

       Checking Fortinet_CA.cer integrality ........Passed
       Checking Fortinet_Factory.cer integrality ........Passed
       Checking Fortinet_Factory.cer key-pair integrality ........Passed
       Checking Fortinet_Factory.cer Serial-No. ........Passed
       Checking Fortinet_Factory.cer timeliness ........Passed
       Checking Fortinet_Factory.key integrality ........Passed
       Checking Fortinet_CA2.cer existent ........[Not Exist]
       Checking Fortinet_Factory2.cer existent ........[Not Exist]
       Checking Fortinet_Factory2.key existent ........[Not Exist]

hardware deviceinfo

       # diagnose hardware deviceinfo                                                       Get device information.                                          [5.0][5.2]
       
       disk    Use the <disk> command to display all disks in the FortiGate unit. This includes hard disks and SSD disks.
               The information includes partitions, size, type, and available space. 
       
       nic     Use the <nic> command to display information about the network card attached to the interface. The information 
               displayed varies by the type of NIC. It includes the VLAN ID, state, link, speed, and counts for received and 
               transmitted packets and bytes. The MAC addresses for this NIC are shown as Current_HWaddr and Permanent_HWaddr; 
               this is the only place where you can see both the old and the new MAC after it has been changed. 
       
       # diagnose hardware deviceinfo disk                                                   Display information of all disks.                               [5.0] 
       EXT2-fs warning: mounting unchecked fs, running e2fsck is recommended
       
       Disk Internal-0(boot) ref:       3.8GB    type: USB [FORTINET S01_V130521_004] dev: /dev/sda
         partition ref:     247.0MB, 216.0MB free  mounted: Y  label:  dev: /dev/sda1(boot)
         partition ref:     247.0MB, 216.0MB free  mounted: N  label:  dev: /dev/sda2(boot)
         partition ref:       3.2GB,   3.1GB free  mounted: Y  label:  dev: /dev/sda3
       
       Disk Internal        ref:  16   7.5GB    type: USB [FORTINET S01_V130819_008] dev: /dev/sdb
         partition ref:  17   7.4GB,   7.3GB free  mounted: Y  label: 27079BFE01A8811C dev: /dev/sdb1
       
       Total available disks: 2
       Max SSD disks: 0  Available storage disks: 1
       # diagnose hardware deviceinfo nic [dmz|eth4|eth5|eth6|eth7|eth8|internal|wan1|wan2]  Display NIC information.                                        [5.0] 
       
       # diagnose hardware deviceinfo nic
       The following NICs are available:
               dmz
               internal1
               internal2
               internal3
               internal4
               internal5
               internal6
               internal7
               wan1
               wan2
               
       # diagnose hardware deviceinfo nic dmz
       Driver Name     :Fortinet NP4Lite Driver
       Version         :1.0.0
       Admin           :up
       Current_HWaddr   08:5b:0e:47:db:57
       Permanent_HWaddr 08:5b:0e:47:db:57
       Status          :up
       Speed           :100
       Duplex          :Half
       Host Rx Pkts    :2303106
       Host Rx Bytes   :548062496
       Host Tx Pkts    :2250533
       Host Tx Bytes   :347212131
       Rx Pkts         :2303106
       Rx Bytes        :580305980
       Tx Pkts         :2250533
       Tx Bytes        :330921975
       rx_buffer_len   :2048
       Hidden          :No
       cmd_in_list     : 0
       promiscuous     : 1
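
The Current_HWaddr / Permanent_HWaddr comparison described above, as an added Python example that is not part of the original guide: it splits a saved console capture into one block per `diagnose hardware deviceinfo nic <name>` command and reports which interfaces run with a MAC address that differs from the burned-in one. The function names, the optional hostname before the `#` prompt and the wan1 block with its MAC addresses are assumptions made for the illustration.

```python
import re

# Constructed console capture: the dmz block repeats the output shown above;
# the wan1 block and its MAC addresses are made up to show an overridden MAC.
SAMPLE_SESSION = """\
# diagnose hardware deviceinfo nic dmz
Driver Name     :Fortinet NP4Lite Driver
Version         :1.0.0
Admin           :up
Current_HWaddr   08:5b:0e:47:db:57
Permanent_HWaddr 08:5b:0e:47:db:57
Status          :up
Speed           :100
Duplex          :Half
promiscuous     : 1
# diagnose hardware deviceinfo nic wan1
Driver Name     :Fortinet NP4Lite Driver
Admin           :up
Current_HWaddr   02:00:00:00:00:01
Permanent_HWaddr 08:5B:0E:00:00:01
Status          :up
# diagnose ip arp list
index=4 ifname=dmz 198.18.3.2 08:5b:0e:a3:97:a6 state=00000002
"""

# A nic command with an interface name; a hostname before '#' is tolerated (assumption).
CMD_RE = re.compile(r"^\S*\s*#\s*diagnose hardware deviceinfo nic\s+(\S+)\s*$")
# Any other CLI prompt line ends the block that is being collected.
PROMPT_RE = re.compile(r"^\S*\s*#\s")
# The two MAC lines carry no ':' separator, unlike the other fields.
MAC_RE = re.compile(
    r"^(Current_HWaddr|Permanent_HWaddr)\s*:?\s*"
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*$"
)
# Ordinary "Name   :value" and "name   : value" fields.
KV_RE = re.compile(r"^([^:]+?)\s*:\s*(.*?)\s*$")


def split_session(transcript):
    """Map interface name -> output lines that follow its nic command."""
    sections, current = {}, None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = CMD_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif PROMPT_RE.match(line):
            current = None  # a different command: stop collecting
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_nic(lines):
    """Turn one nic output block into a dict; MAC addresses are lower-cased."""
    fields = {}
    for line in lines:
        m = MAC_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).lower()
            continue
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_macs(transcript):
    """Return {nic: 'unchanged' | 'changed' | 'unparsed'} for a capture."""
    verdicts = {}
    for nic, lines in split_session(transcript).items():
        fields = parse_nic(lines)
        cur = fields.get("Current_HWaddr")
        perm = fields.get("Permanent_HWaddr")
        if cur is None or perm is None:
            verdicts[nic] = "unparsed"  # format differs by NIC type
        elif cur == perm:
            verdicts[nic] = "unchanged"
        else:
            verdicts[nic] = "changed"
    return verdicts


if __name__ == "__main__":
    for nic, verdict in audit_macs(SAMPLE_SESSION).items():
        print(f"{nic}: {verdict}")
```

Because the displayed fields vary by NIC type, a block without both MAC lines is reported as "unparsed" rather than treated as unchanged.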

hardware ioport

       # diagnose hardware ioport                                            Read/write data via IO port.                                                    [5.0][5.2]
       
       # diagnose hardware ioport byte [arg] [address_hex]                   Read/write byte via IO port.                                                    [5.0]
       # diagnose hardware ioport long [arg] [address_hex]                   Read/write long via IO port.                                                    [5.0]
       # diagnose hardware ioport word [arg] [address_hex]                   Read/write word via IO port.                                                    [5.0] 
       
       Variable       Description
       <address_hex>  byte: Type the hexadecimal address of the I/O port from which you want to read a byte.
       <address_hex>  long: Type the hexadecimal address of the I/O port from which you want to read a long.
       <address_hex>  word: Type the hexadecimal address of the I/O port from which you want to read a word.

hardware ipsec

       # diagnose hardware ipsec                                             Get ASIC IPsec information.                                                     [5.0][5.2]

hardware lspci

       # diagnose hardware lspci [arg]                                       List PCI parameters.                                                            [5.0][5.2]
       
       arg   Description
       -v    Be verbose  
       -n    Show numeric ID's  
       -nn   Show both textual and numeric ID's (names & numbers)  
       -b    Bus-centric view (PCI addresses and IRQ's instead of those seen by the CPU)  
       -x    Show hex-dump of the standard portion of config space  
       -xxx  Show hex-dump of the whole config space (dangerous; root only)  
       -xxxx Show hex-dump of the 4096-byte extended config space (root only)  
       -s    [[[[<domain>]:]<bus>]:][<slot>][.[<func>]] Show only devices in selected slots  
       -d    [<vendor>]:[<device>] Show only selected devices  
       -t    Show bus tree  
       -m    Produce machine-readable output  
       -i    <file>  Use specified ID database instead of /etc//pci.ids  
       -D    Always show domain numbers  
       -M    Enable `bus mapping' mode (dangerous; root only)  
       -P    <dir> Use specified directory instead of /proc/bus/pci  
       -F    <file> Read configuration data from given file  
       -G    Enable PCI access debugging  

hardware pciconfig

       # diagnose hardware pciconfig                                         Get PCI information.                                                            [5.0][5.2]

hardware setpci

       # diagnose hardware setpci [arg] [arg] [arg]                          Set PCI parameters.                                                             [5.0][5.2]
       
       Example
       
       -f Don't complain if there's nothing to do 
       -v Be verbose 
       -D List changes, don't commit them 
       -P <dir> Use specified directory instead of /proc/bus/pci 
       -F <file> Read configuration data from given file 
       -G Enable PCI access debugging 
       <device>: -s [[[<domain>]:][<bus>]:][<slot>][.[<func>]] 
       | -d [<vendor>]:[<device>] 
       <reg>: <number>[.(B|W|L)] 
       | <name> 
       <values>: <value>[,<value>...] 
       <value>: <hex> 
       | <hex>:<mask> 

hardware sysinfo

       # diagnose hardware sysinfo cpu                                       Display detailed information for all installed CPU(s).                          [5.0]
       Processor       : ARMid(wb) rev 1 (v4l)
       model name      : FortiSOC2
       BogoMIPS        : 799.53
       Features        : swp half thumb 
       
       Hardware        : FSoC2_ASIC
       Revision        : 0000
       Serial          : 0000000000000000
       Imp: 0x66 Arch: 0x5 Part: 0x726 Ver: 0x1
       Ctype: 14 DSize: 6 DASS: 8 DLEN: 32 ISize: 6 IASS: 8 ILEN: 32
       Seperated TLB: Associativity 0
       0x0005317f HUM: En Vec Base:0xffff0000 IC:En BP:Dis RomP:Dis
       SysP:En WB:En DC: En Align:En
       0x00000000 SB: Dis DB:Dis RS:Dis
       # diagnose hardware sysinfo interrupts                                Display system interrupts information.                                          [5.0]
         0:  344849539   Timer Tick
         8:          0   soc2_vpn
        10:          0   soc2_pkce2
        20:   36073893   np4lite
        27:          0   ehci_hcd
        28:    1377222   ehci_hcd
        32:      16008   serial
       Err:          0
       # diagnose hardware sysinfo iomem                                     Display memory map of I/O ports.                                                [5.0]
       00000000-77ffffff : System RAM
         00018000-00210f83 : Kernel code
         00210f84-0028b877 : Kernel data
       # diagnose hardware sysinfo ioports                                   Display address list of I/O ports.                                              [5.0]
       fe410000-fe410007 : serial(set)
       fe420000-fe420007 : serial(auto)
       fe430000-fe430007 : serial(auto)
       fe470000-fe480000 : Timer 0~2
       # diagnose hardware sysinfo memory                                    Display system memory information.                                              [5.0]
       total:    used:    free:  shared: buffers:  cached: shm:
       Mem:  1928380416 500678656 1427701760        0 68730880 176816128 167763968
       Swap:        0        0        0
       MemTotal:      1883184 kB
       MemFree:       1394240 kB
       MemShared:           0 kB
       Buffers:         67120 kB
       Cached:         172672 kB
       SwapCached:          0 kB
       Active:         126976 kB
       Inactive:       112944 kB
       HighTotal:           0 kB
       HighFree:            0 kB
       LowTotal:      1883184 kB
       LowFree:       1394240 kB
       SwapTotal:           0 kB
       SwapFree:            0 kB
       # diagnose hardware sysinfo mtrr                                      Display memory type range register.                                             [5.0]
       # diagnose hardware sysinfo slab                                      Display memory allocation information.                                          [5.0]
       slabinfo - version: 1.1
       kmem_cache            72    140    112    2    2    1 0
       tcp6_session           0      0    928    0    0    1 0
       ip6_session            0      9    864    0    1    1 1
       sctp_session           0      0    864    0    0    1 0
       tcp_session            6     18    864    1    2    1 1
       ip_session             7     60    800    2    6    1 4
       ip6_mrt_cache          0      0    352    0    0    1 0
       fib6_nodes            15    226     32    1    1    1 0
       ip6_dst_cache         49     70    224    2    2    1 0
       ndisc_cache            3     61    128    1    1    1 0
       ip_mrt_cache           0      0    320    0    0    1 0
       tcp_tw_bucket          0     49    160    0    1    1 1
       tcp_bind_bucket       46    226     32    1    1    1 0
       tcp_open_request       0     61    128    0    1    1 1
       inet_peer_cache        5    120     64    1    1    1 0
       ip_dst_cache          13     41    192    1    1    1 0
       ip_fib_hash           34    226     32    1    1    1 0
       arp_cache              5     61    128    1    1    1 0
       vf                     4      7   2208    1    1    2 0
       vf_entry              21    290     24    1    1    1 0
       if_event_cache         0    120     64    0    1    1 1
       blkdev_requests     2048   3078     96   26   38    1 12
       journal_head           5    156     48    1    1    1 0
       revoke_table           2    509     12    1    1    1 0
       revoke_record          0    226     32    0    1    1 1
       eventpoll pwq        346    406     36    2    2    1 0
       eventpoll epi        340    405     96    5    5    1 0
       dnotify_cache          0      0     20    0    0    1 0
       file_lock_cache        2     88     88    1    1    1 0
       fasync_cache           0      0     16    0    0    1 0
       uid_cache              0      0     32    0    0    1 0
       pkt_buf_head_cache    401    464    480   28   29    1 1
       sock                 403    440    928   52   55    1 3
       sigqueue               0     59    132    0    1    1 1
       kiobuf                 0      0     64    0    0    1 0
       cdev_cache           638    720     64    6    6    1 0
       bdev_cache             3    120     64    1    1    1 0
       mnt_cache             19    120     64    1    1    1 0
       inode_cache         5673   5724    448  317  318    1 1
       dentry_cache        5580   5673    128   92   93    1 1
       filp                3651   3660    128   60   60    1 0
       names_cache            0      4   4096    0    2    1 2
       buffer_head        25382  29727     96  315  367    1 52
       mm_struct             71    122    128    2    2    1 0
       vm_area_struct     12314  13800     64  108  115    1 7
       fs_cache              70    226     32    1    1    1 0
       files_cache           71     95    416    4    5    1 1
       signal_act            79     90   1312   14   15    1 1
       pte-cache           3303   3752   2048  826  938    1 112
       size-131072(DMA)       0      0 131072    0    0   16 0
       size-131072            5      5 131072    5    5   16 0
       size-65536(DMA)        0      0  65536    0    0    8 0
       size-65536             4      4  65536    4    4    8 0
       size-32768(DMA)        0      0  32768    0    0    4 0
       size-32768             2      3  32768    2    3    4 1
       size-16384(DMA)        0      0  16384    0    0    2 0
       size-16384            12     15  16384   12   15    2 3
       size-8192(DMA)         0      0   8192    0    0    1 0
       size-8192              7      8   8192    7    8    1 1
       size-4096(DMA)         0      0   4096    0    0    1 0
       size-4096            378    402   4096  192  201    1 9
       size-2048(DMA)         0      0   2048    0    0    1 0
       size-2048            227    312   2048   57   78    1 21
       size-1024(DMA)         0      0   1024    0    0    1 0
       size-1024            283    312   1024   38   39    1 1
       size-512(DMA)          0      0    512    0    0    1 0
       size-512             303    345    512   22   23    1 1
       size-256(DMA)          0      0    256    0    0    1 0
       size-256              42    186    256    2    6    1 4
       size-128(DMA)          0      0    128    0    0    1 0
       size-128            5072   5124    128   84   84    1 0
       size-64(DMA)           0      0     64    0    0    1 0
       size-64            14828  21720     64  133  181    1 48
       

imp2p

IM and P2P.

imp2p aim-sip-factories

       # diagnose imp2p aim-sip-factories                                   AIM SIP factories.                                                               [5.0]

imp2p aim-voice-calls

       # diagnose imp2p aim-voice-calls                                     AIM SIP factories.                                                               [5.0]

imp2p debug-console

       # diagnose imp2p debug-console                                       Debug consoles.                                                                  [5.0]

imp2p flush

       # diagnose imp2p flush aim                                           AOL Messenger sessions.                                                          [5.0]
       # diagnose imp2p flush all                                           All IM sessions.                                                                 [5.0]
       # diagnose imp2p flush icq                                           ICQ sessions.                                                                    [5.0]
       # diagnose imp2p flush msn                                           MSN Messenger sessions.                                                          [5.0]
       # diagnose imp2p flush yahoo                                         Yahoo Messenger sessions.                                                        [5.0]

imp2p im-configs

       # diagnose imp2p im-configs                                          Debug consoles.                                                                  [5.0]

imp2p log-debug

       # diagnose imp2p log-debug [log on console, 0 off, otherwise, on]    Enable/disable IM proxy log on console.                                          [5.0]

imp2p log-filter

       # diagnose imp2p log-filter clear                                    Clear the current filter.                                                        [5.0]
       # diagnose imp2p log-filter dst-addr [Destination IPv4]              IPv4 destination address range to filter by.                                     [5.0]
       # diagnose imp2p log-filter dst-port [Destination Port]              Destination port to filter by.                                                   [5.0]
       # diagnose imp2p log-filter list                                     Display the current filter.                                                      [5.0]
       # diagnose imp2p log-filter negate dst-addr4                         Negate the dst-addr4 filter.                                                     [5.0]
       # diagnose imp2p log-filter negate dst-port                          Negate the dst-port filter.                                                      [5.0]
       # diagnose imp2p log-filter negate protocol                          Negate the protocol filter.                                                      [5.0]
       # diagnose imp2p log-filter negate src-addr4                         Negate the src-addr4 filter.                                                     [5.0]
       # diagnose imp2p log-filter negate src-port                          Negate the src-port filter.                                                      [5.0]
       # diagnose imp2p log-filter negate vd                                Negate the virtual domain filter.                                                [5.0]
       # diagnose imp2p log-filter protocol aim                             Filter AIM traffic.                                                              [5.0]
       # diagnose imp2p log-filter protocol icq                             Filter ICQ traffic.                                                              [5.0]
       # diagnose imp2p log-filter protocol msn                             Filter MSN traffic.                                                              [5.0]
       # diagnose imp2p log-filter protocol yahoo                           Filter Yahoo traffic.                                                            [5.0]
       # diagnose imp2p log-filter src-addr4 [Source IPv4]                  IPv4 source address range to filter by.                                          [5.0]
       # diagnose imp2p log-filter src-port [Source Port]                   Source port to filter by.                                                        [5.0]
       # diagnose imp2p log-filter vd [Index | -1]                          Index of virtual domain. -1 matches all.                                         [5.0]

imp2p profile

       # diagnose imp2p profile app                                        All application profiles.                                                         [5.0]
       # diagnose imp2p profile av                                         All AV profiles.                                                                  [5.0]
       # diagnose imp2p profile dlp                                        All DLP profiles.                                                                 [5.0]
       # diagnose imp2p profile proto-opts                                 All protocol options.                                                             [5.0]

imp2p redirect

       # diagnose imp2p redirect dns flush                                  Flush DNS-detected redirects.                                                    [5.0]
       # diagnose imp2p redirect dns list                                   List DNS-detected redirects.                                                     [5.0]
       # diagnose imp2p redirect dns remove                                 Remove persistent copy of DNS-detected redirects.                                [5.0]
       # diagnose imp2p redirect dns restore                                Restore persistent copy of DNS-detected redirects.                               [5.0]
       # diagnose imp2p redirect dns save                                   Store a persistent copy of DNS-detected redirects.                               [5.0]
       # diagnose imp2p redirect list                                       All IM redirects.                                                                [5.0]
       # diagnose imp2p redirect range list                                 Permanent IP address redirect ranges.                                            [5.0]

imp2p restart

       # diagnose imp2p restart                                             Restart IM, SIP, and SCCP.                                                       [5.0]

imp2p session

       # diagnose imp2p session list                                        List IM sessions.                                                                [5.0]

imp2p stats

       # diagnose imp2p stats bandwidth                                     P2P bandwidth usage.                                                             [5.0]
       # diagnose imp2p stats block-users aim                               AOL Messenger users.                                                             [5.0]
       # diagnose imp2p stats block-users all                               All IM users.                                                                    [5.0]
       # diagnose imp2p stats block-users icq                               ICQ users.                                                                       [5.0]
       # diagnose imp2p stats block-users msn                               MSN Messenger users.                                                             [5.0]
       # diagnose imp2p stats block-users yahoo                             Yahoo Messenger users.                                                           [5.0]
       # diagnose imp2p stats chat                                          Statistics of IM chat usage.                                                     [5.0]
       # diagnose imp2p stats clear                                         Reset all the IM and P2P statistics.                                             [5.0]
       # diagnose imp2p stats files                                         Statistics of IM file transfers.                                                 [5.0]
       # diagnose imp2p stats mem full                                      Memory usage details.                                                            [5.0]
       # diagnose imp2p stats mem summary                                   Memory usage summary.                                                            [5.0]
       # diagnose imp2p stats messages                                      Statistics of IM messages exchanged.                                             [5.0]
       # diagnose imp2p stats proto                                         Full listing of raw protocol statistics.                                         [5.0]
       # diagnose imp2p stats reset-time                                    Time of last stats reset.                                                        [5.0]
       # diagnose imp2p stats usage                                         Statistics of IM usage.                                                          [5.0]

imp2p tmp-users

       # diagnose imp2p tmp-users aim                                       Temporary AOL Messenger users.                                                   [5.0]
       # diagnose imp2p tmp-users all                                       All Temporary IM users.                                                          [5.0]
       # diagnose imp2p tmp-users icq                                       Temporary ICQ users.                                                             [5.0]
       # diagnose imp2p tmp-users msn                                       Temporary MSN Messenger users.                                                   [5.0]
       # diagnose imp2p tmp-users yahoo                                     Temporary Yahoo Messenger users.                                                 [5.0]

imp2p users

       # diagnose imp2p users aim                                           AOL Messenger users.                                                             [5.0]
       # diagnose imp2p users aim-stun                                      AIM STUN users.                                                                  [5.0]
       # diagnose imp2p users all                                           All IM users.                                                                    [5.0]
       # diagnose imp2p users icq                                           ICQ users.                                                                       [5.0]
       # diagnose imp2p users msn                                           MSN Messenger users.                                                             [5.0]
       # diagnose imp2p users yahoo                                         Yahoo Messenger users.                                                           [5.0]

ip

ip address

       # diagnose ip address add [intf-name] [ipv4 address] [Subnet Mask]   Add IP address.                                                                  [5.0]
       # diagnose ip address delete [intf-name] [ipv4 address]              Delete IP address.                                                               [5.0]
       # diagnose ip address flush [intf-name]                              Flush IP addresses.                                                              [5.0]
       # diagnose ip address list                                           List IP addresses.                                                               [5.0]
       IP=198.18.3.1->198.18.3.1/255.255.255.0 index=4 devname=dmz
       IP=193.193.135.66->193.193.135.66/255.255.255.224 index=5 devname=wan1
       IP=198.18.0.1->198.18.0.1/255.255.255.0 index=7 devname=internal1
       IP=127.0.0.1->127.0.0.1/255.0.0.0 index=66 devname=root
       IP=198.18.2.1->198.18.2.1/255.255.255.128 index=68 devname=fortinet4intern
       IP=198.18.2.129->198.18.2.129/255.255.255.128 index=69 devname=fortinet4guest
       IP=127.0.0.1->127.0.0.1/255.0.0.0 index=73 devname=vsys_ha
       IP=127.0.0.1->127.0.0.1/255.0.0.0 index=75 devname=vsys_fgfm

ip arp

       # diagnose ip arp add [intf-name] [ipv4 address] [MAC Address]       Add an ARP entry.                                                                [5.0]
       # diagnose ip arp delete [intf-name] [ipv4 address]                  Delete an ARP entry.                                                             [5.0]
       # diagnose ip arp flush  [intf-name]                                 Flush ARP table.                                                                 [5.0]
       # diagnose ip arp list                                               Show ARP table.                                                                  [5.0]
       index=66 ifname=root 0.0.0.0 00:00:00:00:00:00 state=00000040 use=96620321 confirm=96626321 update=96620321 ref=2
       index=7 ifname=internal1 198.18.0.90 state=00000001 use=87 confirm=96626622 update=244 ref=3
       index=4 ifname=dmz 198.18.3.2 08:5b:0e:a3:97:a6 state=00000002 use=852 confirm=3353 update=1853 ref=2
       index=4 ifname=dmz 198.18.3.3 08:5b:0e:5d:f7:0c state=00000002 use=419 confirm=2920 update=2920 ref=2
       index=5 ifname=wan1 193.193.135.65 00:90:0b:3b:d6:c2 state=00000008 use=94 confirm=4091 update=496 ref=3

ip framed-ip

       # diagnose ip framed-ip                                              Framed IP.                                                                       [5.0][5.2]
       
       # diagnose ip framed-ip delete [ipv4 address]                        Delete Framed IP.                                                                [5.0]
       # diagnose ip framed-ip delete-all [Service name, ENTER for options] Delete framed IPs belonging to the same service.                                 [5.0]
       # diagnose ip framed-ip delete-all
       Available services:
               wad
               ipsec
               pptp
               l2tp
               sslvpn
               admin-login
               test
       # diagnose ip framed-ip list                                         List Framed IP.                                                                  [5.0] 

ip get-igmp-limit

       # diagnose ip get-igmp-limit                                         Get max IGMP states.                                                             [5.0] 
       igmp limit: 3200

ip group-membership

       # diagnose ip group-membership                                       Multicast group membership.                                                      [5.0]
       Idx     Device    : Count Querier       Group    Users Timer    Reporter
       3       eth0      :     1      V2
       4       dmz       :     3      V2
                                       8C0100E0     1 0:FA3D484B               1
                                       010000E0     1 0:EB6DA98C               0
       5       wan1      :     3      V2
                                       8C0100E0     1 0:FA3D46AC               1
                                       010000E0     1 0:EB6DA98C               0
       6       wan2      :     1      V2
       7       internal1 :     3      V2
                                       8C0100E0     1 0:FA3D4992               1
                                       010000E0     1 0:EB6DA98C               0
       8       internal2 :     1      V2
       9       internal3 :     1      V2
       10      internal4 :     1      V2
       11      internal5 :     1      V2
       12      internal6 :     1      V2
       13      internal7 :     1      V2
       14      eth11     :     1      V2
       15      swvl12    :     1      V2
       16      swvl13    :     1      V2
       17      swvl14    :     1      V2
       18      swvl15    :     1      V2
       19      swvl16    :     1      V2
       20      swvl17    :     1      V2
       21      swvl18    :     1      V2
       22      swvl19    :     1      V2
       23      swvl20    :     1      V2
       24      swvl21    :     1      V2
       25      swvl22    :     1      V2
       26      swvl23    :     1      V2
       27      swvl24    :     1      V2
       28      swvl25    :     1      V2
       29      swvl26    :     1      V2
       30      swvl27    :     1      V2
       31      swvl28    :     1      V2
       32      swvl29    :     1      V2
       33      swvl30    :     1      V2
       34      swvl31    :     1      V2
       35      swvl32    :     1      V2
       36      swvl33    :     1      V2
       37      swvl34    :     1      V2
       38      swvl35    :     1      V2
       39      swvl36    :     1      V2
       40      swvl37    :     1      V2
       41      swvl38    :     1      V2
       42      swvl39    :     1      V2
       43      swvl40    :     1      V2
       44      swvl41    :     1      V2
       45      swvl42    :     1      V2
       46      swvl43    :     1      V2
       47      swvl44    :     1      V2
       48      swvl45    :     1      V2
       49      swvl46    :     1      V2
       50      swvl47    :     1      V2
       51      swvl48    :     1      V2
       52      swvl49    :     1      V2
       53      swvl50    :     1      V2
       54      swvl51    :     1      V2
       55      swvl52    :     1      V2
       56      swvl53    :     1      V2
       57      swvl54    :     1      V2
       58      swvl55    :     1      V2
       59      swvl56    :     1      V2
       60      swvl57    :     1      V2
       61      swvl58    :     1      V2
       62      swvl59    :     1      V2
       63      modem     :     0      V2
       66      root      :     0      V2
                                       010000E0     1 0:EB6DA98C               0
       67      ssl.root  :     0      V2
                                       010000E0     1 0:EB6DA98C               0
       68      fortinet4intern:     2      V2
                                       010000E0     1 0:EB6DA999               0
       69      fortinet4guest:     2      V2
                                       010000E0     1 0:EB6DA98C               0
       70      ipsec-fc  :     0      V2
       71      ipsec-ios :     0      V2
       72      ipsec-cisco:     0      V2
       73      vsys_ha   :     0      V2
                                       010000E0     1 0:EB6DA98C               0
       74      port_ha   :     2      V2
                                       010000E0     1 0:EC97A9D5               0
       75      vsys_fgfm :     0      V2
                                       010000E0     1 0:EB6DA98C               0

ip mac

       # diagnose ip mac                                                    Multicast MAC listing.                                                           [5.0]                
       3    eth0            1     0     333300000001
       4    dmz             1     0     01005e00018c
       4    dmz             1     0     01005e000001
       4    dmz             1     0     333300000001
       5    wan1            1     0     01005e00018c
       5    wan1            1     0     01005e000001
       5    wan1            1     0     333300000001
       6    wan2            1     0     333300000001
       7    internal1       1     0     01005e00018c
       7    internal1       1     0     01005e000001
       7    internal1       1     0     333300000001
       8    internal2       1     0     333300000001
       9    internal3       1     0     333300000001
       10   internal4       1     0     333300000001
       11   internal5       1     0     333300000001
       12   internal6       1     0     333300000001
       13   internal7       1     0     333300000001
       14   eth11           1     0     333300000001
       15   swvl12          1     0     333300000001
       16   swvl13          1     0     333300000001
       17   swvl14          1     0     333300000001
       18   swvl15          1     0     333300000001
       19   swvl16          1     0     333300000001
       20   swvl17          1     0     333300000001
       21   swvl18          1     0     333300000001
       22   swvl19          1     0     333300000001
       23   swvl20          1     0     333300000001
       24   swvl21          1     0     333300000001
       25   swvl22          1     0     333300000001
       26   swvl23          1     0     333300000001
       27   swvl24          1     0     333300000001
       28   swvl25          1     0     333300000001
       29   swvl26          1     0     333300000001
       30   swvl27          1     0     333300000001
       31   swvl28          1     0     333300000001
       32   swvl29          1     0     333300000001
       33   swvl30          1     0     333300000001
       34   swvl31          1     0     333300000001
       35   swvl32          1     0     333300000001
       36   swvl33          1     0     333300000001
       37   swvl34          1     0     333300000001
       38   swvl35          1     0     333300000001
       39   swvl36          1     0     333300000001
       40   swvl37          1     0     333300000001
       41   swvl38          1     0     333300000001
       42   swvl39          1     0     333300000001
       43   swvl40          1     0     333300000001
       44   swvl41          1     0     333300000001
       45   swvl42          1     0     333300000001
       46   swvl43          1     0     333300000001
       47   swvl44          1     0     333300000001
       48   swvl45          1     0     333300000001
       49   swvl46          1     0     333300000001
       50   swvl47          1     0     333300000001
       51   swvl48          1     0     333300000001
       52   swvl49          1     0     333300000001
       53   swvl50          1     0     333300000001
       54   swvl51          1     0     333300000001
       55   swvl52          1     0     333300000001
       56   swvl53          1     0     333300000001
       57   swvl54          1     0     333300000001
       58   swvl55          1     0     333300000001
       59   swvl56          1     0     333300000001
       60   swvl57          1     0     333300000001
       61   swvl58          1     0     333300000001
       62   swvl59          1     0     333300000001
       68   fortinet4intern 1     0     01005e000001
       68   fortinet4intern 1     0     333300000001
       69   fortinet4guest  1     0     01005e000001
       69   fortinet4guest  1     0     333300000001
       74   port_ha         1     0     01005e000001
       74   port_ha         1     0     333300000001
       

ip mroute

       # diagnose ip mroute                                                 Multicast FIB.                                                                   [5.0]

ip status

       # diagnose ip status                                                 Multicast status.                                                                [5.0]
       PIM OFF      Assert: OFF     Socket in use: FALSE

ip vif

       # diagnose ip vif                                                    Multicast VIF device info.                                                       [5.0]

ip route

       # diagnose ip route add                                              Add static route.                                                                [5.0]
       
       # diagnose ip route add [intf-name] [ipv4 address] [Subnet Mask] [Nexthop IP address] [Distance 1-255] [Priority 0-4294967295] [verify]
       # diagnose ip route delete                                           Delete static route.                                                             [5.0]
       
       # diagnose ip route delete [intf-name] [ipv4 address] [Subnet Mask] [Nexthop IP address] [Distance 1-255] [Priority 0-4294967295] [verify]
       # diagnose ip route flush                                            Flush routing table.                                                             [5.0]
       # diagnose ip route list                                             List routing table.                                                              [5.0]
       tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->193.193.135.64/27 pref=193.193.135.66 gwy=0.0.0.0 dev=5(wan1)
       tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->198.18.1.0/25 pref=0.0.0.0 gwy=0.0.0.0 dev=67(ssl.root)
       tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.18.2.128/25 pref=198.18.2.129 gwy=0.0.0.0 dev=69(fortinet4guest)
       tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.18.2.0/25 pref=198.18.2.1 gwy=0.0.0.0 dev=68(fortinet4intern)
       tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.18.0.0/24 pref=198.18.0.1 gwy=0.0.0.0 dev=7(internal1)
       tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.18.3.0/24 pref=198.18.3.1 gwy=0.0.0.0 dev=4(dmz)
       tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=193.193.135.65 dev=5(wan1)
       
       Routing Table     Description of Entry
        
       tab               table number. This will be either 254 (unicast) or 255 (multicast).  
              
       vf                virtual domain of the firewall. This is the vdom index number. If vdoms are not enabled, this number will be 0. 
               
       type              type of routing connection. Valid values include: 
                         
                         0 - unspecific 
                         1 - unicast 
                         2 - local 
                         3 - broadcast 
                         4 - anycast 
                         5 - multicast 
                         6 - blackhole 
                         7 - unreachable 
                         8 - prohibited 
                         
       proto             type of installation. This indicates where the route came from. Valid values include: 
                         
                          0 - unspecific 
                          2 - kernel 
                         11 - ZebOS routing module 
                         14 - FortiOS 
                         15 - HA 
                         16 - authentication based 
                         17 - HA 
                  
       prio              priority of the route. Lower priorities are preferred.  
       
       ->10.11.201.0/24  the IP address and subnet mask of the destination. 
       (->x.x.x.x/mask)  
               
       pref              preferred next hop along this route.  
                         
       gwy               gateway - the IPv4 address of the gateway this route will use.  
              
       dev               outgoing interface index. This number is associated with the interface for this route, and if VDOMs 
                         are enabled the VDOM will be included here as well. If an interface alias is set for this interface 
                         it will also be displayed here.
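
The field table above maps directly onto a parser. The following is an added example, not part of the original wiki article: it parses `diagnose ip route list` output, decodes `tab`, `type` and `proto` with the tables above, and reports which entry a destination address matches. The function names are hypothetical, the lookup assumes longest-prefix match with the lower `prio` winning a tie and ignores anything the listing does not show (for example policy routes), and the sample lines are taken from the output above.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Code tables copied from the field description above.
TABLES = {254: "unicast", 255: "multicast"}
ROUTE_TYPES = {0: "unspecific", 1: "unicast", 2: "local", 3: "broadcast",
               4: "anycast", 5: "multicast", 6: "blackhole",
               7: "unreachable", 8: "prohibited"}
ROUTE_PROTOS = {0: "unspecific", 2: "kernel", 11: "ZebOS routing module",
                14: "FortiOS", 15: "HA", 16: "authentication based", 17: "HA"}

LINE_RE = re.compile(
    r"^tab=(?P<tab>\d+) vf=(?P<vf>\d+) scope=(?P<scope>\d+) type=(?P<type>\d+) "
    r"proto=(?P<proto>\d+) prio=(?P<prio>\d+) (?P<src>\S+)->(?P<dst>\S+) "
    r"pref=(?P<pref>\S+) gwy=(?P<gwy>\S+) dev=(?P<dev>.+)$")
DEV_RE = re.compile(r"^(?P<index>\d+)\((?P<name>[^)]*)\)")

# Sample lines taken from the `diagnose ip route list` output above.
SAMPLE = """\
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->193.193.135.64/27 pref=193.193.135.66 gwy=0.0.0.0 dev=5(wan1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->198.18.1.0/25 pref=0.0.0.0 gwy=0.0.0.0 dev=67(ssl.root)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.18.2.128/25 pref=198.18.2.129 gwy=0.0.0.0 dev=69(fortinet4guest)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.18.2.0/25 pref=198.18.2.1 gwy=0.0.0.0 dev=68(fortinet4intern)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=193.193.135.65 dev=5(wan1)
"""


class Route(NamedTuple):
    tab: int
    vf: int
    scope: int
    type: int
    proto: int
    prio: int
    src: str                    # left of "->"; not in the field table, kept verbatim
    dst: ipaddress.IPv4Network
    pref: str
    gwy: str
    dev: str                    # raw field; may carry VDOM or alias text
    dev_index: Optional[int]
    dev_name: Optional[str]

    def describe(self) -> str:
        """One readable line with the numeric codes decoded."""
        return "%s dev=%s gwy=%s table=%s type=%s origin=%s prio=%d" % (
            self.dst, self.dev, self.gwy,
            TABLES.get(self.tab, "unknown(%d)" % self.tab),
            ROUTE_TYPES.get(self.type, "unknown(%d)" % self.type),
            ROUTE_PROTOS.get(self.proto, "unknown(%d)" % self.proto),
            self.prio)


def parse_route_line(line: str) -> Route:
    """Parse one 'tab=...' entry; raise ValueError if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a route list entry: %r" % line)
    dev = DEV_RE.match(m["dev"])  # index(name); anything after it stays in .dev
    return Route(
        tab=int(m["tab"]), vf=int(m["vf"]), scope=int(m["scope"]),
        type=int(m["type"]), proto=int(m["proto"]), prio=int(m["prio"]),
        src=m["src"], dst=ipaddress.ip_network(m["dst"], strict=False),
        pref=m["pref"], gwy=m["gwy"], dev=m["dev"],
        dev_index=int(dev["index"]) if dev else None,
        dev_name=dev["name"] if dev else None)


def parse_route_list(text: str) -> List[Route]:
    """Parse pasted CLI output; the command echo and blank lines are skipped."""
    return [parse_route_line(line) for line in text.splitlines()
            if line.strip().startswith("tab=")]


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Return the unicast entry (tab 254, type 1) that best matches address."""
    ip = ipaddress.ip_address(address)
    candidates = [r for r in routes
                  if r.tab == 254 and r.type == 1 and ip in r.dst]
    if not candidates:
        return None
    # Longest prefix first; among equal prefixes the lower prio is preferred.
    return min(candidates, key=lambda r: (-r.dst.prefixlen, r.prio))


if __name__ == "__main__":
    table = parse_route_list(SAMPLE)
    for route in table:
        print(route.describe())
    for probe in ("198.18.2.200", "8.8.8.8"):
        print(probe, "->", lookup(table, probe).describe())
```
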
       # diagnose ip route verify                                           Verify static route.                                                             [5.0]
       
       # diagnose ip route verify [intf-name] [ipv4 address] [Subnet Mask] [Nexthop IP address] [Distance 1-255] [Priority 0-4294967295] 
       # diagnose ip router bfd                                             BFD debug.                                                                       [5.0]
       # diagnose ip router bfd all [enable | disable]                      Enable all debugging.                                                            [5.0]
       # diagnose ip router bfd events [enable | disable]                   BFD events.                                                                      [5.0]
       # diagnose ip router bfd fsm [arg]                                   BFD finite state machine.                                                        [5.0]
       # diagnose ip router bfd level critical                              Critical level.                                                                  [5.0]
       # diagnose ip router bfd level error                                 Error level.                                                                     [5.0]
       # diagnose ip router bfd level info                                  Information level.                                                               [5.0]
       # diagnose ip router bfd level none                                  None level.                                                                      [5.0]
       # diagnose ip router bfd level warn                                  Warning level.                                                                   [5.0]
       # diagnose ip router bfd nsm [arg]                                   BFD nsm debug.                                                                   [5.0]
       # diagnose ip router bfd packet [arg]                                BFD packets.                                                                     [5.0]
       # diagnose ip router bfd show                                        Show status of BFD debugging.                                                    [5.0] 
       # diagnose ip router bgp                                             BGP protocol.                                                                    [5.0]
       # diagnose ip router bgp all [arg] [arg]                             All debugging.                                                                   [5.0]
       # diagnose ip router bgp dampening [arg] [arg]                       BGP dampening.                                                                   [5.0]
       # diagnose ip router bgp events [arg] [arg]                          BGP events.                                                                      [5.0]
       # diagnose ip router bgp filters [arg] [arg]                         BGP filters.                                                                     [5.0]
       # diagnose ip router bgp fsm [arg] [arg]                             BGP finite state machine.                                                        [5.0]
       # diagnose ip router bgp keepalives [arg] [arg]                      BGP keep alive messages.                                                         [5.0]
       # diagnose ip router bgp level critical                              Critical level.                                                                  [5.0]
       # diagnose ip router bgp level error                                 Error level.                                                                     [5.0]
       # diagnose ip router bgp level info                                  Information level.                                                               [5.0]
       # diagnose ip router bgp level none                                  None level.                                                                      [5.0]
       # diagnose ip router bgp level warn                                  Warning level.                                                                   [5.0]
       # diagnose ip router bgp nsm [arg] [arg]                             NSM message.                                                                     [5.0]
       # diagnose ip router bgp show                                        Show status of BGP debugging.                                                    [5.0]
       # diagnose ip router bgp updates [arg] [arg] [arg]                   BGP updates.                                                                     [5.0] 
       # diagnose ip router command                                         Send command to routing daemon.                                                  [5.0]
       # diagnose ip router command show                                    Send show command to imi.                                                        [5.0]
       # diagnose ip router command show-vrf                                Send show command to imi (in virtual router).                                    [5.0] 
       # diagnose ip router igmp                                            IGMP debug.                                                                      [5.0]
       # diagnose ip router igmp all [arg] [arg]                            All debugging.                                                                   [5.0]
       # diagnose ip router igmp decode [arg] [arg]                         Decode debugging.                                                                [5.0]
       # diagnose ip router igmp encode [arg] [arg]                         Encode debugging.                                                                [5.0]
       # diagnose ip router igmp events [arg] [arg]                         Events debugging.                                                                [5.0]
       # diagnose ip router igmp fsm [arg] [arg]                            FSM debugging.                                                                   [5.0]
       # diagnose ip router igmp level critical                             Critical level.                                                                  [5.0]
       # diagnose ip router igmp level error                                Error level.                                                                     [5.0]
       # diagnose ip router igmp level info                                 Information level.                                                               [5.0]
       # diagnose ip router igmp level none                                 None level.                                                                      [5.0]
       # diagnose ip router igmp level warn                                 Warning level.                                                                   [5.0]
       # diagnose ip router igmp show                                       Show status of IGMP debugging.                                                   [5.0]
       # diagnose ip router igmp tib [arg] [arg]                            TIB (tree-info-base) debugging.                                                  [5.0] 
       # diagnose ip router isis                                            IS-IS protocol.                                                                  [5.0]
       # diagnose ip router isis all [arg] [arg]                            All IS-IS debug.                                                                 [5.0]
       # diagnose ip router isis events [arg] [arg]                         IS-IS Events.                                                                    [5.0]
       # diagnose ip router isis ifsm [arg] [arg]                           IS-IS Interface State Machine.                                                   [5.0]
       # diagnose ip router isis level critical                             Critical level.                                                                  [5.0]
       # diagnose ip router isis level error                                Error level.                                                                     [5.0]
       # diagnose ip router isis level info                                 Information level.                                                               [5.0]
       # diagnose ip router isis level none                                 None level.                                                                      [5.0]
       # diagnose ip router isis level warn                                 Warning level.                                                                   [5.0]
       # diagnose ip router isis lsp [arg] [arg]                            IS-IS Link State PDU.                                                            [5.0]
       # diagnose ip router isis nfsm [arg] [arg]                           IS-IS Neighbor State Machine.                                                    [5.0]
       # diagnose ip router isis nsm [arg] [arg]                            IS-IS NSM information.                                                           [5.0]
       # diagnose ip router isis pdu [arg] [arg]                            IS-IS Protocol Data Unit.                                                        [5.0]
       # diagnose ip router isis show                                       Show IS-IS debugging.                                                            [5.0]
       # diagnose ip router isis spf                                        IS-IS SPF Calculation.                                                           [5.0] 
       # diagnose ip router ospf                                            OSPF protocol.                                                                   [5.0]
       # diagnose ip router ospf all [enable | disable] [arg]               All OSPF debug.                                                                  [5.0]
       # diagnose ip router ospf events [arg] [arg]                         OSPF Events.                                                                     [5.0]
       # diagnose ip router ospf ifsm [arg] [arg]                           OSPF Interface State Machine.                                                    [5.0]
       # diagnose ip router ospf level critical                             Critical level.                                                                  [5.0]
       # diagnose ip router ospf level error                                Error level.                                                                     [5.0]
       # diagnose ip router ospf level info                                 Information level.                                                               [5.0]
       # diagnose ip router ospf level none                                 None level.                                                                      [5.0]
       # diagnose ip router ospf level warn                                 Warning level.                                                                   [5.0]
       # diagnose ip router ospf lsa [arg] [arg]                            OSPF Link State Advertisement.                                                   [5.0]
       # diagnose ip router ospf nfsm [arg] [arg]                           OSPF Neighbor State Machine.                                                     [5.0]
       # diagnose ip router ospf nsm [arg] [arg]                            OSPF NSM information.                                                            [5.0]
       # diagnose ip router ospf packet [arg] [arg]                         OSPF Packets.                                                                    [5.0]
       # diagnose ip router ospf route [arg] [arg]                          OSPF route information.                                                          [5.0]
       # diagnose ip router ospf show                                       Show status of OSPF debugging.                                                   [5.0] 
       # diagnose ip router pim-dm                                          PIM dense-mode.                                                                  [5.0]
       # diagnose ip router pim-dm all [arg] [arg]                          All debugging.                                                                   [5.0] 
       # diagnose ip router pim-dm context [arg] [arg]                      VF-VRF context debugging.                                                        [5.0] 
       # diagnose ip router pim-dm decode [arg] [arg]                       Message decode debugging.                                                        [5.0] 
       # diagnose ip router pim-dm encode [arg] [arg]                       Message encode debugging.                                                        [5.0] 
       # diagnose ip router pim-dm fsm [arg] [arg]                          FSM debugging.                                                                   [5.0] 
       # diagnose ip router pim-dm level critical                           Critical level.                                                                  [5.0] 
       # diagnose ip router pim-dm level error                              Error level.                                                                     [5.0] 
       # diagnose ip router pim-dm level info                               Information level.                                                               [5.0] 
       # diagnose ip router pim-dm level none                               None level.                                                                      [5.0] 
       # diagnose ip router pim-dm level warn                               Warning level.                                                                   [5.0] 
       # diagnose ip router pim-dm mrt [arg] [arg]                          Multicast-route-table debugging.                                                 [5.0] 
       # diagnose ip router pim-dm nexthop [arg] [arg]                      Nexthop debugging.                                                               [5.0] 
       # diagnose ip router pim-dm nsm [arg] [arg]                          NSM interaction debugging.                                                       [5.0] 
       # diagnose ip router pim-dm show                                     Show status of PIM dense-mode debugging.                                         [5.0] 
       # diagnose ip router pim-dm vif [arg] [arg]                          Multicast VI debugging.                                                          [5.0] 
       # diagnose ip router pim-sm                                          PIM sparse-mode.                                                                 [5.0]
       # diagnose ip router pim-sm all [arg] [arg]                          All debugging.                                                                   [5.0] 
       # diagnose ip router pim-sm events [arg] [arg]                       Events debugging.                                                                [5.0] 
       # diagnose ip router pim-sm level critical                           Critical level.                                                                  [5.0] 
       # diagnose ip router pim-sm level error                              Error level.                                                                     [5.0] 
       # diagnose ip router pim-sm level info                               Information level.                                                               [5.0] 
       # diagnose ip router pim-sm level none                               None level.                                                                      [5.0] 
       # diagnose ip router pim-sm level warn                               Warning level.                                                                   [5.0] 
       # diagnose ip router pim-sm mfc [arg] [arg]                          MFC debugging.                                                                   [5.0] 
       # diagnose ip router pim-sm mib [arg] [arg]                          MIB debugging.                                                                   [5.0] 
       # diagnose ip router pim-sm nexthop [arg] [arg]                      Nexthop debugging.                                                               [5.0] 
       # diagnose ip router pim-sm nsm [arg] [arg]                          NSM debugging.                                                                   [5.0] 
       # diagnose ip router pim-sm packet all [arg] [arg]                   All packet debugging.                                                            [5.0] 
       # diagnose ip router pim-sm packet in [arg] [arg]                    Incoming packet debugging.                                                       [5.0] 
       # diagnose ip router pim-sm packet out [arg] [arg]                   Outgoing packet debugging.                                                       [5.0] 
       # diagnose ip router pim-sm show                                     Show status of PIM sparse-mode debugging.                                        [5.0] 
       # diagnose ip router pim-sm state [arg] [arg]                        State debugging.                                                                 [5.0] 
       # diagnose ip router pim-sm timer all [arg] [arg]                    All timer debugging.                                                             [5.0] 
       # diagnose ip router pim-sm timer assert all [arg] [arg]             All assert timers.                                                               [5.0] 
       # diagnose ip router pim-sm timer assert at [arg] [arg]              Assert timer.                                                                    [5.0] 
       # diagnose ip router pim-sm timer bsr all [arg] [arg]                All BSR timers.                                                                  [5.0] 
       # diagnose ip router pim-sm timer bsr bst [arg] [arg]                Bootstrap timer.                                                                 [5.0] 
       # diagnose ip router pim-sm timer bsr crp [arg] [arg]                Candidate-RP timer.                                                              [5.0] 
       # diagnose ip router pim-sm timer hello all [arg] [arg]              All hello-related timers.                                                        [5.0] 
       # diagnose ip router pim-sm timer hello ht [arg] [arg]               Hello timer.                                                                     [5.0] 
       # diagnose ip router pim-sm timer hello nlt [arg] [arg]              Hello timer debugging.                                                           [5.0] 
       # diagnose ip router pim-sm timer hello tht [arg] [arg]              Triggered hello timer.                                                           [5.0] 
       # diagnose ip router pim-sm timer joinprune all [arg] [arg]          All join prune timers.                                                           [5.0] 
       # diagnose ip router pim-sm timer joinprune et [arg] [arg]           Expiry timer.                                                                    [5.0] 
       # diagnose ip router pim-sm timer joinprune jt [arg] [arg]           Join prune timer.                                                                [5.0] 
       # diagnose ip router pim-sm timer joinprune kat [arg] [arg]          Keep alive timer.                                                                [5.0] 
       # diagnose ip router pim-sm timer joinprune ot [arg] [arg]           Override timer.                                                                  [5.0] 
       # diagnose ip router pim-sm timer joinprune ppt [arg] [arg]          Prune pending timer.                                                             [5.0] 
       # diagnose ip router pim-sm timer register all [arg] [arg]           All register timers.                                                             [5.0] 
       # diagnose ip router pim-sm timer register rst [arg] [arg]           Register stop timer.                                                             [5.0] 
       # diagnose ip router rip                                             RIP protocol.                                                                    [5.0]
       # diagnose ip router rip all [arg]                                   Enable all debugging.                                                            [5.0] 
       # diagnose ip router rip events [arg]                                RIP events.                                                                      [5.0] 
       # diagnose ip router rip level critical                              Critical level.                                                                  [5.0] 
       # diagnose ip router rip level error                                 Error level.                                                                     [5.0] 
       # diagnose ip router rip level info                                  Information level.                                                               [5.0] 
       # diagnose ip router rip level none                                  None level.                                                                      [5.0] 
       # diagnose ip router rip level warn                                  Warning level.                                                                   [5.0] 
       # diagnose ip router rip packet-receive [arg]                        RIP receive events.                                                              [5.0] 
       # diagnose ip router rip packet-send [arg]                           RIP send events.                                                                 [5.0] 
       # diagnose ip router rip show                                        Show status of RIP debugging.                                                    [5.0] 

ip rtcache

       # diagnose ip rtcache                                                Routing cache.                                                                   [5.0][5.2]

ip tcp

       # diagnose ip tcp [flush | list]                                     TCP sockets.                                                                     [5.0][5.2]

ip udp

       # diagnose ip udp [flush | list]                                     UDP sockets.                                                                     [5.0][5.2]

ips

ips anomaly

       # diagnose ips anomaly clear                                         Clear anomaly meters.                                                            [5.0]
       # diagnose ips anomaly config                                        List DoS-sensor.                                                                 [5.0]
       DoS sensors in kernel vd 0:
       DoS id 1 proxy 0
         0 tcp_syn_flood status 1 log 1 nac 0 action 7 threshold 2000
         1 tcp_port_scan status 1 log 1 nac 0 action 0 threshold 1000
         2 tcp_src_session status 1 log 1 nac 0 action 0 threshold 5000
         3 tcp_dst_session status 1 log 1 nac 0 action 0 threshold 5000
         4 udp_flood status 1 log 1 nac 0 action 7 threshold 2000
         5 udp_scan status 1 log 1 nac 0 action 0 threshold 2000
         6 udp_src_session status 1 log 1 nac 0 action 0 threshold 5000
         7 udp_dst_session status 1 log 1 nac 0 action 7 threshold 5000
         8 icmp_flood status 1 log 1 nac 0 action 7 threshold 250
         9 icmp_sweep status 1 log 1 nac 0 action 0 threshold 100
         10 icmp_src_session status 1 log 1 nac 0 action 0 threshold 300
         11 icmp_dst_session status 1 log 1 nac 0 action 0 threshold 1000
         12 ip_src_session status 0 log 0 nac 0 action 0 threshold 5000
         13 ip_dst_session status 0 log 0 nac 0 action 0 threshold 5000
         14 sctp_flood status 0 log 0 nac 0 action 0 threshold 2000
         15 sctp_scan status 0 log 0 nac 0 action 0 threshold 1000
         16 sctp_src_session status 0 log 0 nac 0 action 0 threshold 5000
         17 sctp_dst_session status 0 log 0 nac 0 action 0 threshold 5000
       total # DoS sensors: 1.
       # diagnose ips anomaly filter clear                                  Clear anomaly filter.                                                            [5.0]
       # diagnose ips anomaly filter freq [Frequency from] [Frequency to]   Frequency                                                                        [5.0]
       # diagnose ips anomaly filter id [0-11]                              Anomaly ID.                                                                      [5.0]
       # diagnose ips anomaly filter ip [IP address and Subnet Mask]        IP and subnet mask.                                                              [5.0]
       # diagnose ips anomaly filter pps [PPS from]                         pps                                                                              [5.0]
       # diagnose ips anomaly list                                          List anomaly meters.                                                             [5.0]
       list nids meter:
       id=udp_dst_session    ip=198.41.0.4 dos_id=1 exp=5956 pps=0 freq=0
       id=udp_flood          ip=198.41.0.4 dos_id=1 exp=954 pps=0 freq=10
       id=udp_src_session    ip=193.193.135.65 dos_id=1 exp=5956 pps=0 freq=0
       id=udp_scan           ip=193.193.135.65 dos_id=1 exp=954 pps=0 freq=9
       id=udp_flood          ip=193.193.135.66 dos_id=1 exp=917 pps=1 freq=1
       id=udp_dst_session    ip=193.193.135.95 dos_id=1 exp=5652 pps=0 freq=0
       id=udp_flood          ip=193.193.135.95 dos_id=1 exp=650 pps=2 freq=2
       id=udp_dst_session    ip=192.228.79.201 dos_id=1 exp=5819 pps=0 freq=0
       id=udp_flood          ip=192.228.79.201 dos_id=1 exp=817 pps=1 freq=1
       total # of nids meters: 9.
       # diagnose ips anomaly status                                        List anomaly status.                                                             [5.0]
       meter budget: 100000
       meter used: 8/8
       meter depth: 2
       
       sensor active: 1
       sensor pending: 0

ips anomaly6

       # diagnose ips anomaly6 clear                                        Clear anomaly meters.                                                            [5.0]
       # diagnose ips anomaly6 config                                       List DoS-sensor.                                                                 [5.0]
       DoS sensors in kernel vd 0:
       total # DoS sensors: 0.
       # diagnose ips anomaly6 filter clear                                 Clear anomaly filter.                                                            [5.0]
       
       # diagnose ips anomaly6 filter freq [Frequency from]                 Frequency                                                                        [5.0]
       
       # diagnose ips anomaly6 filter id [0-11]                             Anomaly ID.                                                                      [5.0]
       
       # diagnose ips anomaly6 filter ip [IP address and Subnet Mask]       IP and subnet mask.                                                              [5.0]
       
       # diagnose ips anomaly6 filter pps [PPS from]                        pps                                                                              [5.0]
       
       # diagnose ips anomaly6 list                                         List anomaly meters.                                                             [5.0]
       list nids meter:
       total # of nids meters: 0.
       # diagnose ips anomaly6 status                                       List anomaly status.                                                             [5.0]
       meter budget: 100000
       meter used: 0/0
       meter depth: 0
       
       sensor active: 0
       sensor pending: 0

ips config

       # diagnose ips config disable log-verbose                            log-verbose                                                                      [5.0]  
       # diagnose ips config enable log-verbose                             log-verbose                                                                      [5.0]

ips debug

       # diagnose ips debug disable all                                     all                                                                              [5.0]
       # diagnose ips debug disable av                                      av                                                                               [5.0]
       # diagnose ips debug disable content                                 content                                                                          [5.0]
       # diagnose ips debug disable content_detail                          content_detail                                                                   [5.0]
       # diagnose ips debug disable detect                                  detect                                                                           [5.0]
       # diagnose ips debug disable dissector                               dissector                                                                        [5.0]
       # diagnose ips debug disable dns                                     dns                                                                              [5.0]
       # diagnose ips debug disable error                                   error                                                                            [5.0]
       # diagnose ips debug disable http                                    http                                                                             [5.0]
       # diagnose ips debug disable im                                      im                                                                               [5.0]
       # diagnose ips debug disable init                                    init                                                                             [5.0]
       # diagnose ips debug disable ipsa                                    ipsa                                                                             [5.0]
       # diagnose ips debug disable log                                     log                                                                              [5.0]
       # diagnose ips debug disable mail                                    mail                                                                             [5.0]
       # diagnose ips debug disable mime                                    mime                                                                             [5.0]
       # diagnose ips debug disable p2p                                     p2p                                                                              [5.0]
       # diagnose ips debug disable packet                                  packet                                                                           [5.0]
       # diagnose ips debug disable packet_detail                           packet_detail                                                                    [5.0]
       # diagnose ips debug disable packet_dump                             packet_dump                                                                      [5.0]
       # diagnose ips debug disable parse                                   parse                                                                            [5.0]
       # diagnose ips debug disable proxy                                   proxy                                                                            [5.0]
       # diagnose ips debug disable rpc                                     rpc                                                                              [5.0]
       # diagnose ips debug disable session                                 session                                                                          [5.0]
       # diagnose ips debug disable ssh                                     ssh                                                                              [5.0]
       # diagnose ips debug disable ssl                                     ssl                                                                              [5.0]
       # diagnose ips debug disable state                                   state                                                                            [5.0]
       # diagnose ips debug disable tcp                                     tcp                                                                              [5.0]
       # diagnose ips debug disable timeout                                 timeout                                                                          [5.0]
       # diagnose ips debug disable urlfilter                               urlfilter                                                                        [5.0]
       # diagnose ips debug disable voip                                    voip                                                                             [5.0]
       # diagnose ips debug disable warn                                    warn                                                                             [5.0]
       # diagnose ips debug enable all                                      all                                                                              [5.0]
       # diagnose ips debug enable av                                       av                                                                               [5.0]
       # diagnose ips debug enable content                                  content                                                                          [5.0]
       # diagnose ips debug enable content_detail                           content_detail                                                                   [5.0]
       # diagnose ips debug enable detect                                   detect                                                                           [5.0]
       # diagnose ips debug enable dissector                                dissector                                                                        [5.0]
       # diagnose ips debug enable dns                                      dns                                                                              [5.0]
       # diagnose ips debug enable error                                    error                                                                            [5.0]
       # diagnose ips debug enable http                                     http                                                                             [5.0]
       # diagnose ips debug enable im                                       im                                                                               [5.0]
       # diagnose ips debug enable init                                     init                                                                             [5.0]
       # diagnose ips debug enable ipsa                                     ipsa                                                                             [5.0]
       # diagnose ips debug enable log                                      log                                                                              [5.0]
       # diagnose ips debug enable mail                                     mail                                                                             [5.0]
       # diagnose ips debug enable mime                                     mime                                                                             [5.0]
       # diagnose ips debug enable p2p                                      p2p                                                                              [5.0]
       # diagnose ips debug enable packet                                   packet                                                                           [5.0]
       # diagnose ips debug enable packet_detail                            packet_detail                                                                    [5.0]
       # diagnose ips debug enable packet_dump                              packet_dump                                                                      [5.0]
       # diagnose ips debug enable parse                                    parse                                                                            [5.0]
       # diagnose ips debug enable proxy                                    proxy                                                                            [5.0]
       # diagnose ips debug enable rpc                                      rpc                                                                              [5.0]
       # diagnose ips debug enable session                                  session                                                                          [5.0]
       # diagnose ips debug enable ssh                                      ssh                                                                              [5.0]
       # diagnose ips debug enable ssl                                      ssl                                                                              [5.0]
       # diagnose ips debug enable state                                    state                                                                            [5.0]
       # diagnose ips debug enable tcp                                      tcp                                                                              [5.0]
       # diagnose ips debug enable timeout                                  timeout                                                                          [5.0]
       # diagnose ips debug enable urlfilter                                urlfilter                                                                        [5.0]
       # diagnose ips debug enable voip                                     voip                                                                             [5.0]
       # diagnose ips debug enable warn                                     warn                                                                             [5.0]

ips dissector

       # diagnose ips dissector dump                                        dump                                                                             [5.0]
       # diagnose ips dissector status                                      status                                                                           [5.0]

ips filter

       # diagnose ips filter asm [assembled packets]                        asm                                                                              [5.0]
       # diagnose ips filter clear                                          clear                                                                            [5.0]
       # diagnose ips filter ip [IPv4 address]                              ip                                                                               [5.0]
       # diagnose ips filter length [session length]                        length                                                                           [5.0]
       # diagnose ips filter port [port]                                    port                                                                             [5.0]
       # diagnose ips filter protocol [protocol number]                     protocol                                                                         [5.0]
       # diagnose ips filter session [session id]                           session                                                                          [5.0]
       # diagnose ips filter status                                         status                                                                           [5.0]
       2015-11-17 00:47:48 DEBUG FILTER:
       2015-11-17 00:47:48   ip          0.0.0.0  0.0.0.0
       2015-11-17 00:47:48   port        0
       2015-11-17 00:47:48   protocol    0
       2015-11-17 00:47:48   session id  0
       2015-11-17 00:47:48   l7          0
       2015-11-17 00:47:48   asm         0
       2015-11-17 00:47:48   length      0

ips global

       # diagnose ips global rule reload                                    Reload rule file.                                                                [5.0]

ips memory

       # diagnose ips memory compact                                        compact                                                                          [5.0]
       # diagnose ips memory list                                           list                                                                             [5.0]
       # diagnose ips memory pool                                           pool                                                                             [5.0]
       # diagnose ips memory status                                         status                                                                           [5.0] 

ips packet

       # diagnose ips packet clear                                          clear                                                                            [5.0] 
       # diagnose ips packet status                                         status                                                                           [5.0]

ips raw

       # diagnose ips raw clear                                             Clear status.                                                                    [5.0]
       # diagnose ips raw status                                            Show status.                                                                     [5.0]
       raw total packets: 428
       raw open:          0
       raw dropped:       0
       
       l2 total packets: 0
       l2 open:          0
       l2 dropped:       0

ips session

       # diagnose ips session clear                                         clear                                                                            [5.0]
       # diagnose ips session content                                       content                                                                          [5.0]
       # diagnose ips session list                                          list                                                                             [5.0]
       # diagnose ips session performance                                   performance                                                                      [5.0]
       # diagnose ips session status                                        status                                                                           [5.0]

ips share

       # diagnose ips share clear [pool]                                    clear                                                                            [5.0]
       # diagnose ips share list [pool]                                     list                                                                             [5.0]
       # diagnose ips share pool                                            pool                                                                             [5.0]

ips signature

       # diagnose ips signature av                                          av                                                                               [5.0]
       2015-11-17 00:52:41 FLOW-AV SIGNATURE STATISTICS:
       2015-11-17 00:52:41 version: 0.00000
       2015-11-17 00:52:41 virus: 0
       2015-11-17 00:52:41 grayware: 0
       2015-11-17 00:52:41 valid: 0, purge: 0
       # diagnose ips signature cycle                                       cycle                                                                            [5.0]
       2015-11-17 00:52:53 SIGNATURE PERFORMANCE: 34 packets
       2015-11-17 00:52:53        Total       Hits          Cycles         Per-Hit       Hits          Cycles
       2015-11-17 00:52:53 --------------------------------------------------------------------------------
       2015-11-17 00:52:53 
       # diagnose ips signature hit [top N]                                 hit                                                                              [5.0]
       2015-11-17 00:52:25 SIGNATURE PERFORMANCE: 34 packets
       2015-11-17 00:52:25      Pattern       Hits          Cycles         Non-Pat       Hits          Cycles
       2015-11-17 00:52:25 --------------------------------------------------------------------------------
       2015-11-17 00:52:25 
       # diagnose ips signature status [severity mask]                      status                                                                           [5.0]
       # diagnose ips signature status
       2015-11-17 00:53:19 SIGNATURE STATISTICS: 23
       2015-11-17 00:53:19 ---------------- 0 ----------------
       2015-11-17 00:53:19 av:2015-11-17 00:53:19 
       2015-11-17 00:53:19 webf: http:0x0 https:0x0 rules:0
       2015-11-17 00:53:19 dlp: rules:02015-11-17 00:53:19 
       2015-11-17 00:53:19 spam: rules:0
       2015-11-17 00:53:19 ips: enabled:0 pattern:0, engine:0
       2015-11-17 00:53:19 ---------------- 1 ----------------
       2015-11-17 00:53:19 av:2015-11-17 00:53:19 
       2015-11-17 00:53:19 webf: http:0x0 https:0x0 rules:0
       2015-11-17 00:53:19 dlp: rules:02015-11-17 00:53:19 
       2015-11-17 00:53:19 spam: rules:0
       2015-11-17 00:53:19 ips: enabled:6059 pattern:6856, engine:25
       2015-11-17 00:53:19 ---------------- 2 ----------------
       2015-11-17 00:53:19 av:2015-11-17 00:53:19 
       2015-11-17 00:53:19 webf: http:0x0 https:0x0 rules:0
       2015-11-17 00:53:19 dlp: rules:02015-11-17 00:53:19 
       2015-11-17 00:53:19 spam: rules:0
       2015-11-17 00:53:19 ips: enabled:6059 pattern:6856, engine:25
       2015-11-17 00:53:19 ---------------- 3 ----------------
       2015-11-17 00:53:19 av:2015-11-17 00:53:19 
       2015-11-17 00:53:19 webf: http:0x0 https:0x0 rules:0
       2015-11-17 00:53:19 dlp: rules:02015-11-17 00:53:19 
       2015-11-17 00:53:19 spam: rules:0
       2015-11-17 00:53:19 ips: enabled:6059 pattern:6856, engine:25
       2015-11-17 00:53:19 ---------------- 4 ----------------
       .......................................................
       .......................................................
       .......................................................
       .......................................................

ips ssl

       # diagnose ips ssl bypass disable                                    disable bypass                                                                   [5.0]
       # diagnose ips ssl bypass enable                                     enable bypass                                                                    [5.0]
       # diagnose ips ssl clear                                             clear                                                                            [5.0]
       # diagnose ips ssl debug dbg                                         debug dbg                                                                        [5.0]
       # diagnose ips ssl debug err                                         debug error                                                                      [5.0]
       # diagnose ips ssl debug noise                                       debug noise                                                                      [5.0] 
       # diagnose ips ssl debug none                                        debug none                                                                       [5.0] 
       # diagnose ips ssl debug warn                                        debug warn                                                                       [5.0]
       # diagnose ips ssl noscan disable                                    disable noscan                                                                   [5.0]
       # diagnose ips ssl noscan enable                                     enable noscan                                                                    [5.0] 
       # diagnose ips ssl status                                            status                                                                           [5.0]
       2015-11-17 00:57:06 -------------------- SSL statistics ---------------------
       2015-11-17 00:57:06 SSL transactions: C/T/E/S
       
         SSL v3:  0/0/0/0
         TLS 1.0: 0/0/0/0
         TLS 1.1: 0/0/0/0
         TLS 1.2: 0/0/0/0
       2015-11-17 00:57:06 ---------------------------------------------------------
       Cipher suites:
       
       2015-11-17 00:57:06 ---------------------------------------------------------
       Negotiated protocols:
       
         HTTP/1:  0
         HTTP/2:  0
         SPDY/2:  0
         SPDY/3:  0
         SPDY/4:  0
       2015-11-17 00:57:06 ---------------------------------------------------------
       Packets:
       
         Received: 0
         Sent:     0
         Error:    0
         Err rate: 0.00%
       2015-11-17 00:57:06 ---------------------------------------------------------
       Key Exchange:
       
         Certificate cache entries:   0
         Certificate cache size:      0
         Certificate cache saving:    0
         Certificate cache hits:      0
         Certificate cache miss:      0
         Certificate cache reset:     0
         Different certificate size:  0
         Different DH client key:     0
         Different DH server key:     0
         Different DH signature:      0
         Different ECDH client key:   0
         Different ECDH server key:   0
         Different ECDH signature:    0
         Encrypt-then-MAC:            0
         Truncated HMAC:              0
         Extended Master Secret:      0
         OCSP stapling:               0
         Decryption only:             0
         Stitched ciphers:            0
       2015-11-17 00:57:06 ---------------------------------------------------------
       Error counters:
       
         Unknown SSL records:         0
         Unsupported SSL versions:    0
         Unsupported cipher suites:   0
         Malformed SSL records:       0
         Decryption failure:          0
         Cert replacement failure:    0
         Unknown CA alerts:           0
         Client certificates:         0
         Exempted:                    0
       2015-11-17 00:57:06 ---------------------------------------------------------

ips urlfilter

       # diagnose ips urlfilter clear                                       clear                                                                            [5.0]
       # diagnose ips urlfilter status                                      status                                                                           [5.0]
       2015-11-17 00:58:43 
       URL-FILTER STATISTICS:
       2015-11-17 00:58:43     request   response pending    error timeout   blocked   allowed
       2015-11-17 00:58:43           0          0       0        0       0         0         0

ipv6

ipv6 address

       # diagnose ipv6 address add [intf-name] [IPv6 prefix]                Add IPv6 address.                                                                [5.0]
       # diagnose ipv6 address anycast [arg] [arg]                          Add IPv6 anycast address.                                                        [5.0] 
       # diagnose ipv6 address delete [intf-name] [IPv6 prefix]             Delete IPv6 address.                                                             [5.0]
       # diagnose ipv6 address flush                                        Flush IPv6 addresses.                                                            [5.0]
       # diagnose ipv6 address list                                         List IPv6 addresses.                                                             [5.0]
       dev=75 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1 
       dev=73 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1 
       dev=66 devname=root flag=P scope=254 prefix=128 addr=::1 
       # diagnose ipv6 address multicast [intf-name] [IPv6 prefix]          Add IPv6 multicast address.                                                      [5.0]

ipv6 devconf

       # diagnose ipv6 devconf                                              IPv6 device config.                                                              [5.0][5.2]
       
       # diagnose ipv6 devconf accept-dad [0, 1, or 2]                      IPv6 Duplicate Address Detection.                                                [5.0] 
       
       0: disable DAD; 
       1: enable DAD; 
       2: enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found 
       
       # diagnose ipv6 devconf disable_ipv6 [0 or 1]                        Disable/enable IPv6 operation.                                                   [5.0] 
       
       0: enable IPv6 operation; 
       1: disable IPv6 operation. 

ipv6 ipv6-tunnel

       # diagnose ipv6 ipv6-tunnel                                                                                tunnels                                   [5.0][5.2]
       # diagnose ipv6 ipv6-tunnel add [Tunnel name] [intf-name] [Source IP address] [Destination IP address]     Add tunnel.                               [5.0] 
       # diagnose ipv6 ipv6-tunnel delete [Tunnel name]                                                           Delete tunnel.                            [5.0] 
       # diagnose ipv6 ipv6-tunnel list                                                                           Show tunnels.                             [5.0] 

ipv6 multicast

       # diagnose ipv6 multicast                                           Multicast information.                                                           [5.0][5.2]
       
       # diagnose ipv6 multicast mroute                                    Multicast FIB.                                                                   [5.0] 
       # diagnose ipv6 multicast vif                                       Multicast VIF device info.                                                       [5.0] 
       # diagnose ipv6 multicast status                                    Multicast status.                                                                [5.0]  
       PIM6 OFF      Assert: OFF     Socket in use: FALSE

ipv6 neighbor-cache

       # diagnose ipv6 neighbor-cache                                                 IPv6 neighbor-cache table.                                            [5.0][5.2]
       # diagnose ipv6 neighbor-cache add [intf-name] [IPv6 address] [MAC address]    Add an IPv6 neighbor cache entry.                                     [5.0] 
       # diagnose ipv6 neighbor-cache delete [intf-name] [IPv6 address]               Delete an IPv6 neighbor cache entry.                                  [5.0] 
       # diagnose ipv6 neighbor-cache flush [intf-name]                               Flush IPv6 neighbor cache table.                                      [5.0] 
       # diagnose ipv6 neighbor-cache list                                            Show IPv6 neighbor cache table.                                       [5.0] 
       ifindex=66 ifname=root :: 00:00:00:00:00:00 state=00000040 use=345690114 confirm=345696114 update=345690114 ref=1

ipv6 route

       # diagnose ipv6 route [flush | list]                                 IPv6 routing table.                                                             [5.0][5.2]
       # diagnose ipv6 route list
       vf=0 type=02 protocol=0(unspec) flag=80200001 oif=66(root) dst:::1/128 gwy::: prio=100 pmtu=16436
       vf=0 type=07 protocol=3(boot) flag=00200200 oif=66(root) dst:fe80::/10 prio=100 pmtu=16436
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=67(ssl.root) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=70(ipsec-fc) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=71(ipsec-ios) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=72(ipsec-cisco) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=4(dmz) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=69(fortinet4guest) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=68(fortinet4intern) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=7(internal1) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=8(internal2) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=9(internal3) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=10(internal4) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=11(internal5) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=12(internal6) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=13(internal7) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=63(modem) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=5(wan1) dst:fe80::/10 prio=100 pmtu=1492
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=6(wan2) dst:fe80::/10 prio=100 pmtu=1500
       vf=0 type=07 protocol=3(boot) flag=00200200 oif=66(root) dst:ff00::/8 prio=100 pmtu=16436
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=67(ssl.root) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=70(ipsec-fc) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=71(ipsec-ios) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=72(ipsec-cisco) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=4(dmz) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=69(fortinet4guest) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=68(fortinet4intern) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=7(internal1) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=8(internal2) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=9(internal3) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=10(internal4) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=11(internal5) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=12(internal6) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=13(internal7) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=63(modem) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=5(wan1) dst:ff00::/8 prio=100 pmtu=1492
       vf=0 type=01 protocol=2(kernel) flag=00040001 oif=6(wan2) dst:ff00::/8 prio=100 pmtu=1500
       vf=0 type=07 protocol=0(unspec) flag=00200200 oif=66(root) prio=ffffffff pmtu=0

ipv6 router

       # diagnose ipv6 router ospf                                          OSPFv3 protocol.                                                                 [5.0]
       # diagnose ipv6 router ospf all [arg] [arg]                          All OSPFv3 debug.                                                                [5.0] 
       # diagnose ipv6 router ospf events [arg] [arg]                       OSPFv3 Events.                                                                   [5.0] 
       # diagnose ipv6 router ospf ifsm [arg] [arg]                         OSPFv3 Interface State Machine.                                                  [5.0] 
       # diagnose ipv6 router ospf level critical                           Critical level.                                                                  [5.0] 
       # diagnose ipv6 router ospf level error                              Error level.                                                                     [5.0] 
       # diagnose ipv6 router ospf level info                               Information level.                                                               [5.0] 
       # diagnose ipv6 router ospf level none                               None level.                                                                      [5.0] 
       # diagnose ipv6 router ospf level warn                               Warning level.                                                                   [5.0] 
       # diagnose ipv6 router ospf lsa [arg] [arg]                          OSPFv3 Link State Advertisement.                                                 [5.0] 
       # diagnose ipv6 router ospf nfsm [arg] [arg]                         OSPFv3 Neighbor State Machine.                                                   [5.0] 
       # diagnose ipv6 router ospf nsm [arg] [arg]                          OSPFv3 NSM information.                                                          [5.0] 
       # diagnose ipv6 router ospf packet [arg] [arg]                       OSPFv3 Packets.                                                                  [5.0] 
       # diagnose ipv6 router ospf route [arg] [arg]                        OSPFv3 route information.                                                        [5.0] 
       # diagnose ipv6 router ospf show                                     Show status of OSPFv3 debugging.                                                 [5.0] 
       OSPFv3 debugging status:
         OSPFv3 debugging level is CRITICAL
       # diagnose ipv6 router rip                                           RIPng protocol.                                                                  [5.0]
       # diagnose ipv6 router rip all [enable | disable]                    Enable all debugging.                                                            [5.0] 
       # diagnose ipv6 router rip events [arg]                              RIPng events.                                                                    [5.0] 
       # diagnose ipv6 router rip level critical                            Critical level.                                                                  [5.0] 
       # diagnose ipv6 router rip level error                               Error level.                                                                     [5.0] 
       # diagnose ipv6 router rip level info                                Information level.                                                               [5.0] 
       # diagnose ipv6 router rip level none                                None level.                                                                      [5.0] 
       # diagnose ipv6 router rip level warn                                Warning level.                                                                   [5.0] 
       # diagnose ipv6 router rip packet-receive [arg]                      RIPng receive events.                                                            [5.0] 
       # diagnose ipv6 router rip packet-send [arg]                         RIPng send events.                                                               [5.0] 
       # diagnose ipv6 router rip show                                      Show status of RIPng debugging.                                                  [5.0] 
       RIPng debugging status:
         RIPng debugging level is INFO

ipv6 sit-tunnel

       # diagnose ipv6 sit-tunnel                                                                               tunnels                                      [5.0][5.2]
       # diagnose ipv6 sit-tunnel add [Tunnel name] [intf-name] [Source IP address] [Destination IP address]    Add tunnel.                                  [5.0] 
       # diagnose ipv6 sit-tunnel delete [Tunnel name]                                                          Delete tunnel.                               [5.0] 
       # diagnose ipv6 sit-tunnel list                                                                          Show tunnels.                                [5.0] 
       total tunnel = 0:

lldptx

Link Layer Discovery Protocol (LLDP) Transmitter diagnostics.

lldptx log

       # diagnose lldptx log                                                Debug log.                                                                       [5.2]

lldptx restart

       # diagnose lldptx restart                                            Restart LLDP transmitter.                                                        [5.2]

lldptx scheduler-times

       # diagnose lldptx scheduler-times                                    Scheduler times.                                                                 [5.2]

lldptx stats

       # diagnose lldptx stats                                              Source visibility statistics.                                                    [5.2]

log

log alertconsole

       # diagnose log alertconsole                                         alertconsole                                                                      [5.0][5.2]
       # diagnose log alertconsole clear                                   Clear alert messages.                                                             [5.0] 
       Cleared all alert console messages.
       # diagnose log alertconsole fgd-retrieve                            Retrieve FortiGuard alerts.                                                       [5.0] 
       retrieve FortiGuard alert console messages successful
       # diagnose log alertconsole list                                    List current alert messages.                                                      [5.0] 
       There are 0 alert console messages:
       # diagnose log alertconsole test                                    Generate alert messages (shown with list after generating).                       [5.0] 
       There are 24 alert console messages:
       2015-11-17 16:19:07 VDOM Test policy X
       2015-11-17 16:19:07 FortiClient license maximum has been reached. Attempts failed: 10
       2015-11-17 16:19:07 FortiGuard New Attack DB FortiGuard new attack DB release
       2015-11-17 16:19:07 FortiGuard New AntiVirus DB FortiGuard new antivirus DB release
       2015-11-17 16:19:07 FortiGuard Latest Attack FortiGuard latest attack
       2015-11-17 16:19:07 FortiGuard Latest Virus FortiGuard latest virus
       2015-11-17 16:19:07 FortiGuard Latest Threat FortiGuard latest threat
       2015-11-17 16:19:07 FortiGuard Advisory FortiGuard Advisory
       2015-11-17 16:19:07 Administrator  login failed
       2015-11-17 16:19:07 The bypass port pairs have entered bypass mode
       2015-11-17 16:19:07 FortiCloud daily quota has been reached
       2015-11-17 16:19:07 FortiCloud disk quota is 95% used
       2015-11-17 16:19:07 New firmware is available from FortiGuard
       2015-11-17 16:19:07 Log disk is unavailable
       2015-11-17 16:19:07 Log disk failure is imminent
       2015-11-17 16:19:07 Lost the connection to FortiAnalyzer (FLGxxx1234567890)
       2015-11-17 16:19:07 Found a new FortiAnalyzer (FLGxxx1234567890)
       2015-11-17 16:19:07 Firmware downgraded by test
       2015-11-17 16:19:07 System is rebooted and operating in USB mode with configurations from USB (read-only)
       2015-11-17 16:19:07 Fortigate has reached system connection limit for 30 seconds
       2015-11-17 16:19:07 Fortigate has reached connection limit for 30 seconds
       2015-11-17 16:19:07 Firmware upgraded by test
       2015-11-17 16:19:07 System shutdown test
       2015-11-17 16:19:07 System restart

log alertmail

       # diagnose log alertmail                                            alertmail                                                                         [5.0][5.2]
       # diagnose log alertmail authcode [recipient's email address]       Send a test authentication code.                                                  [5.0] 
       # diagnose log alertmail bugtest                                    Send a test bug report.                                                           [5.0] 
       # diagnose log alertmail test [Log level] [Number of messages]      Send a test alert mail.                                                           [5.0] 

log kernel-stats

       # diagnose log kernel-stats                                         Query logging statistics.                                                         [5.0][5.2]
       fgtlog: 1
       fgtlog 0: total-log=513617, failed-log=0

log test

       # diagnose log test                                                 Test miglog.                                                                      [5.0][5.2]
       generating a system event message with level - warning
       generating an infected virus message with level - warning
       generating a blocked virus message with level - warning
       generating a URL block message with level - warning
       generating a DLP message with level - warning
       generating an IPS log message
       generating an anomaly log message
       generating an application control IM message with level - information
       generating an IPv6 application control IM message with level - information
       generating deep application control logs with level - information
       generating an antispam message with level - notification
       generating an allowed traffic message with level - notice
       generating a multicast traffic message with level - notice
       generating a ipv6 traffic message with level - notice
       generating a wanopt traffic log message with level - notification
       generating a HA event message with level - warning
       generating netscan log messages with level - notice
       generating a VOIP event message with level - information
       generating a DNS event message with level - information
       generating authentication event messages
       generating a Forticlient message with level - information
       generating a URL block message with level - warning

log wireless-controller

       # diagnose log wireless-controller                                  Test wireless event log.                                                          [5.0][5.2]
       generating a wireless system restarted event message with level - notice
       generating a wireless system hostapd up event message with level - notice
       generating a wireless system hostapd down event message with level - notice
       generating a wireless ap status config rogue event message with level - notice
       generating a wireless ap status config accepted event message with level - notice
       generating a wireless ap status config suppressed event message with level - notice
       generating a wireless ap status config unclassified event message with level - notice
       generating a wireless ap status rogue ap detected event message with level - notice
       generating a wireless ap status rogue ap changed event message with level - notice
       generating a wireless ap status rogue ap off air event message with level - notice
       generating a wireless ap status rogue ap on air event message with level - notice
       generating a wireless ap status rogue ap off wire event message with level - notice
       generating a wireless ap status fake ap detected event message with level - notice
       generating a wireless ap status fake ap on air event message with level - notice
       generating a wireless ap status rogue ap suppressed event message with level - notice
       generating a wireless ap status rogue ap unsuppressed event message with level - notice
       generating 2 wireless ap status rogue ap on wire event message with level - warning
       generating a wireless wtp join event message with level - notice
       generating a wireless wtp leave event message with level - notice
       generating a wireless wtp fail event message with level - notice
       generating a wireless wtp update event message with level - notice
       generating a wireless wtp reset event message with level - notice
       generating a wireless wtp kick event message with level - notice
       generating a wireless wtp add failure event message with level - notice
       generating a wireless wtp config error event message with level - notice
       generating a wireless wtp sn mismatch event message with level - notice
       generating a wireless wtp add event message with level - notice
       generating a wireless wtp add xss event message with level - notice
       generating a wireless wtp cmdb add event message with level - notice
       generating a wireless wtp cmdb delete event message with level - notice
       generating a wireless wtp radio darrp start event message with level - notice
       generating a wireless wtp radio darrp channel event message with level - notice
       generating a wireless wtp radio darrp stop event message with level - notice
       generating a wireless wtp radio oper channel event message with level - notice
       generating a wireless wtp radio country config success event message with level - notice
       generating a wireless wtp radio oper country event message with level - notice
       generating a wireless wtp radio radar detected event message with level - notice
       generating a wireless wtp radio NOL removed event message with level - notice
       generating a wireless wtp radio config txpower event message with level - notice
       generating a wireless wtp radio oper txpower event message with level - notice
       generating a wireless wtp radio country config failure event message with level - error
       generating a wireless sta association event message with level - notice
       generating a wireless sta authentication event message with level - notice
       generating a wireless sta disassociation event message with level - notice
       generating a wireless sta deauthentication event message with level - notice
       generating a wireless sta idle event message with level - notice
       generating a wireless sta denial event message with level - notice
       generating a wireless sta kick event message with level - notice
       generating a wireless sta ip detected event message with level - notice
       generating a wireless sta leave wtp event message with level - notice
       generating a wireless sta disconnected by wtp event message with level - notice
       generating 2 wireless client load balance deny event message with level - notice
       generating a wireless client load balance retry event message with level - notice
       generating a wireless station presence detection event message with level - notice
       generating 10 wireless wids event message with level - notice

netlink

netlink aggregate

       # diagnose netlink aggregate                                        802.3ad link aggregation                                                          [5.2]

netlink backlog

       # diagnose netlink backlog get                                      Show backlog.                                                                     [5.0]
       Current backlog is 1000
       # diagnose netlink backlog set backlog                              backlog value                                                                     [5.0] 

netlink brctl

       # diagnose netlink brctl domain [name] [id]                         domain (Where  <name>  is the name of the forwarding domain to display.)          [5.0]
       # diagnose netlink brctl list [bridge_name]                         list                                                                              [5.0]
       list bridge information
       
       Total 0 bridges
       # diagnose netlink brctl name                                       name                                                                              [5.0]
       # diagnose netlink brctl name  [type "host" or "port"]              name                                                                              [5.0]  
       # diagnose netlink brctl name  [host]                               list existing bridge MAC table                                                    [5.0]  
       # diagnose netlink brctl name  [port]                               list the existing bridge port list                                                [5.0] 

netlink device

       # diagnose netlink device list                                      List devices.                                                                     [5.0]
         Interface|       bytes    packets errs drop fifo other compressed mcast colls
             lo.Rx:                   0                    0                    0                    0                    0                    0                    0                    0   N/A
               .Tx:                   0                    0                    0                    0                    0                    0                    0   N/A                    0
         dummy0.Rx:                   0                    0                    0                    0                    0                    0                    0                    0   N/A
               .Tx:                   0                    0                    0                    0                    0                    0                    0   N/A                    0
           eth0.Rx:                   0                    0                    0                    0                    0                    0                    0                    0   N/A
               .Tx:                   0                    0                    0                    0                    0                    0                    0   N/A                    0
            dmz.Rx:           587672773              2341158                    0                    0                    0                    0                    0                    0   N/A
               .Tx:           335251096              2287514                    0                    0                    0                    0                    0   N/A                    0
           wan1.Rx:          1261430295             14461232                    0                    0                    0                    0                    0                    0   N/A
               .Tx:          2168761410             22117673                    0                    0                    0                    0                    0   N/A                    0
           wan2.Rx:                   0                    0                    0                    0                    0                    0                    0                    0   N/A
               .Tx:                   0                    0                    0                    0                    0                    0                    0   N/A                    0
       internal1.Rx:            20194575                58535                    0                    0                    0                    0                    0                    0   N/A
               .Tx:            78959460              1315991                    0                    0                    0                    0                    0   N/A                    0
       internal2.Rx:                   0                    0                    0                    0                    0                    0                    0                    0   N/A
               .Tx:                   0                    0                    0                    0                    0                    0                    0   N/A                    0
       internal3.Rx:                   0                    0                    0                    0                    0                    0                    0                    0   N/A
               .Tx:                   0                    0                    0                    0                    0                    0                    0   N/A                    0
       internal4.Rx:                   0                    0                    0                    0                    0                    0                    0                    0   N/A
               .Tx:                   0                    0                    0                    0                    0                    0                    0   N/A                    0
       internal5.Rx:                   0                    0                    0                    0                    0                    0                    0                    0   N/A
               .Tx:                   0                    0                    0                    0                    0                    0                    0   N/A                    0
       internal6.Rx:                   0                    0                    0                    0                    0                    0                    0                    0   N/A
               .Tx:                   0                    0                    0                    0                    0                    0                    0   N/A                    0
       internal7.Rx:                   0                    0                    0                    0                    0                    0                    0                    0   N/A
               .Tx:                   0                    0                    0                    0                    0                    0                    0   N/A                    0

netlink dstmac

       # diagnose netlink dstmac flush                                     Destination MAC substitution flush                                                [5.0]
       # diagnose netlink dstmac list [name - Interface name]              Destination MAC substitution list                                                 [5.0]
       # diagnose netlink dstmac list
       dev=lo mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=dummy0 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=eth0 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=dmz mac=00:00:00:00:00:00 src-vis-os src-vis-host src-vis-user rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=wan1 mac=00:00:00:00:00:00 policy rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=wan2 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=internal1 mac=00:00:00:00:00:00 src-vis-os src-vis-host src-vis-user rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=internal2 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=internal3 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=internal4 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=internal5 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=internal6 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0
       dev=internal7 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=0 bytes=0 over_bps=0 sampler_rate=0

netlink interface

       # diagnose netlink interface clear [Interface name]                 Clear interface counters.                                                         [5.0]
       # diagnose netlink interface list [Interface name]                  List interfaces.                                                                  [5.0]
       # diagnose netlink interface list
       if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
       ref=4 state=present fw_flags=0 flags=loopback 
       
       if=dummy0 family=00 type=1 index=2 mtu=1500 link=0 master=0
       ref=1 state=present fw_flags=0 flags=broadcast noarp 
       
       if=eth0 family=00 type=1 index=3 mtu=1500 link=0 master=0
       ref=3 state=present tx_sched fw_flags=0 flags=broadcast multicast 
       
       if=dmz family=00 type=1 index=4 mtu=1500 link=0 master=0
       ref=17 state=start present fw_flags=3800 flags=up broadcast run allmulti multicast 
       
       if=wan1 family=00 type=1 index=5 mtu=1492 link=0 master=0
       ref=14 state=start present fw_flags=10 flags=up broadcast run allmulti multicast 
       
       if=wan2 family=00 type=1 index=6 mtu=1500 link=0 master=0
       ref=7 state=present tx_sched fw_flags=0 flags=broadcast allmulti multicast 
       
       if=internal1 family=00 type=1 index=7 mtu=1500 link=0 master=0
       ref=14 state=start present fw_flags=3800 flags=up broadcast run allmulti multicast 
       
       if=internal2 family=00 type=1 index=8 mtu=1500 link=0 master=0
       ref=7 state=present tx_sched fw_flags=0 flags=broadcast allmulti multicast 
       
       if=internal3 family=00 type=1 index=9 mtu=1500 link=0 master=0
       ref=7 state=present tx_sched fw_flags=0 flags=broadcast allmulti multicast 
       
       if=internal4 family=00 type=1 index=10 mtu=1500 link=0 master=0
       ref=7 state=present tx_sched fw_flags=0 flags=broadcast allmulti multicast 
       
       if=internal5 family=00 type=1 index=11 mtu=1500 link=0 master=0
       ref=7 state=present tx_sched fw_flags=0 flags=broadcast allmulti multicast 
       
       if=internal6 family=00 type=1 index=12 mtu=1500 link=0 master=0
       ref=7 state=present tx_sched fw_flags=0 flags=broadcast allmulti multicast 
       
       if=internal7 family=00 type=1 index=13 mtu=1500 link=0 master=0
       ref=7 state=present tx_sched fw_flags=0 flags=broadcast allmulti multicast 

netlink qlen

       # diagnose netlink qlen get [Interface name]                        Get queue length.                                                                 [5.0]
       TX queue length for interface wan1 is 100
       # diagnose netlink qlen set [Interface name]                        Queue length.                                                                     [5.0]

netlink redundant

       # diagnose netlink redundant                                        redundant interfaces                                                              [5.2]

netlink switch

       # diagnose netlink switch list                                      list switch ports                                                                 [5.0]

npl

npl npl_debug

       # diagnose npl npl_debug [param1] [param2] [param3]                 npl_diag.                                                                         [5.2]

npu

npu nplite

       # diagnose npu nplite [enable | disable]                            Network Processor SoC.                                                            [5.2]

radiusd

Radius daemon diagnostic commands.

radiusd test

       # diagnose radiusd test [Test level]                                Send test command to RADIUS daemon.                                               [5.0][5.2]

remote-content-archive

remote-content-archive msgstats

       # diagnose remote-content-archive msgstats                          Remote content archive statistics.                                                [5.0]
       
       # diagnose remote-content-archive msgstats flush                    Flush content archive statistics.                                                 [5.0] 
       # diagnose remote-content-archive msgstats show                     Show content archive statistics.                                                  [5.0] 

report

NOTE Not Available on Model(s) "FortiGate 60C"

report [5.2]

rsso

RSSO diagnostic commands.

rsso query

       # diagnose rsso query carrier-endpoint                                                       Query by End Point.                                      [5.0]
       # diagnose rsso query carrier-endpoint [End Point to query] [IP address of TFTP server]      Query by End Point.                                      [5.0] 
       # diagnose rsso query ip  [End Point to query] [IP address of TFTP server]                   Query by IP address.                                     [5.0]
       # diagnose rsso query rsso-key [RSSO key to query] [IP address of TFTP server]               Query by RSSO key.                                       [5.0]

settings

settings info

       # diagnose settings info                                          Show all diagnose settings.                                                         [5.0][5.2]
       debug output:           disable
       console timestamp:      enable
       console no user log message:    disable
       CLI debug level:        3
       ipsmonitor test level:  20
       ipsengine test level:   99

settings reset

       # diagnose settings reset                                         Reset all diagnose settings.                                                        [5.0][5.2]

sniffer

sniffer packet

The sniffer diagnose command can be used for debugging purposes. The FortiGate can sniff traffic on a specific interface or on all interfaces. There are 3 different levels of information, a.k.a. verbose levels 1 to 3, where verbose 1 shows the least information and verbose 3 shows the most. Verbose levels 4, 5 and 6 additionally provide the interface details.

       NOTE Enabling the sniffer will consume additional CPU resources. This can be as high as an additional 25% of CPU usage on 
            low-end models. Short Ethernet frames sent by the FortiGate may appear to be under the minimum length of 64 bytes. 
            The Ethernet source and/or destination MAC addresses may be incorrect when using the "any" interface. They may be 
            displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01. 

For various examples of how to use the "sniffer packet" command, follow the link below:

       FortiGate:Diagnose-Sniffer-Guide

snmp

snmp ip

       # diagnose snmp ip frags                                           Fragmentation and reassembly info.                                                 [5.0]
       ReasmTimeout = 0
       ReasmReqds   = 0
       ReasmOKs     = 0
       ReasmFails   = 0
       FragOKs      = 0
       FragFails    = 0
       FragCreates  = 0

snmp trap

       # diagnose snmp trap send                                          Generate a trap event                                                              [5.0]
       Generating test trap...
       Test trap successfully sent to snmp daemon.

spamfilter

spamfilter bword

       # diagnose spamfilter bword                                                                               Spam banned word match filter.              [5.0][5.2]
       # diagnose spamfilter bword matchfilter [Filter string from end of spam filter banned word log line]      Spam banned word match filter.              [5.0] 

spamfilter fortishield

       # diagnose spamfilter fortishield                                                        fortishield                                                   [5.0][5.2]
       
       # diagnose spamfilter fortishield servers [Frequency to refresh server list (sec)]       FortiGuard - AntiSpam server status.                          [5.0] 
       # diagnose spamfilter fortishield statistics flush                                       Flush cache and daemon statistics.                            [5.0] 
       # diagnose spamfilter fortishield statistics list                                        Display server status, cache and daemon statistics.           [5.0] 
       FortiGuard-AntiSpam Statistics:
       =====================
       DNS failures                     :          0
       DNS lookups                      :          0
       Data send failures               :          0
       Data read failures               :          0
       Incorrect CRC                    :          0
       Proxy request failures           :          0
       Total Requests                   :          0
       Requests to rating servers       :          0
       Server errored responses         :          0
       Relayed requests                 :          0
       Timeout Allowed                  :          0
       Shutdown-remain allowed          :          0
       Server-error allowed             :          0
       Bad-licence allowed              :          0
       Query-full allowed               :          0
       NO-init allowed                  :          0
       No-server allowed                :          0
       No-resource allowed              :          0
       Bad-query allowed                :          0
       Cache mem allowed                :   38567608
       Cache mem used                   :          0
       Number of cache entries          :          0
       Cache queries                    :          0
       Cache hits                       :          0
       IP White                         :          0
       IP Allowed                       :          0
       IP Spammed                       :          0
       URL Allowed                      :          0
       URL Spammed                      :          0
       Hash Allowed                     :          0
       Hash Spammed                     :          0
       Emails Count                     :          0
       Total Latency                    :          0
       Last Latency                     :          0
       Max Latency                      :          0
       Min Latency                      :          0
       -- latency counters --
       [ 0] :     0     0     0     0     0     0     0     0     0     0     0     0
       [12] :     0     0     0     0     0     0     0     0
       -- diagnostic counters --
       [ 0] :     0     0     0     0     0     0     0     0     0     0     0     0
       [12] :     0     0     0     0     0     0     0     0     0     0     0     0
       [24] :     0     0     0     0     0     0     0     0     0     0     0     0
       [36] :     0     0     0     0     0     0     0     0     0     0     0     0
       [48] :     0     0     0     0     0     0     0     0     0     0     0     0
       [60] :     0     0     0     0

src-vis

src-vis log

       # diagnose src-vis log terminal clear                              Clear debug log terminals.                                                         [5.0]
       # diagnose src-vis log terminal reset                              Reset debug log terminals.                                                         [5.0]
       # diagnose src-vis log terminal stats                              Show debug log terminal statistics.                                                [5.0]

src-vis restart

       # diagnose src-vis restart                                         Restart src-vis daemon.                                                            [5.0][5.2]

src-vis restore

       # diagnose src-vis restore                                         Restore hosts list from flash.                                                     [5.0][5.2]

src-vis ring

       # diagnose src-vis ring [Start point in the ring]                  Display contents of ring buffer.                                                   [5.0][5.2]

src-vis save

       # diagnose src-vis save                                            Save hosts list to flash.                                                          [5.0][5.2]

src-vis scheduler

       # diagnose src-vis scheduler-times display                         Display scheduler times.                                                           [5.0]
       # diagnose src-vis scheduler-times start                           Start measuring scheduler times.                                                   [5.0]
       # diagnose src-vis scheduler-times stop                            Stop measuring scheduler times.                                                    [5.0]

src-vis stats

       # diagnose src-vis stats count                                     Object counts.                                                                     [5.0]

src-vis stats

       # diagnose src-vis stats list                                      List all statistics.                                                               [5.0]

stats

Usage statistics.

stats app-bandwidth

       # diagnose stats app-bandwidth [Number of entries to print out]   Applications by bandwidth of last minute.                                           [5.0][5.2]

stats app-stat-clear

       # diagnose stats app-stat-clear                                   Clear application statistics.                                                       [5.0][5.2]

stats app-usage-ip

       # diagnose stats app-usage-ip                                     Per IP usage of application.                                                        [5.0][5.2]
       
       # diagnose stats app-usage-ip [ID or name of application to print by IP address] [Number of entries to print out] [Beginning of IP range] [End of IP range]

stats per-ip-bw

       # diagnose stats per-ip-bw                                        Top bandwidth by IP address.                                                        [5.0]
       
       # diagnose stats per-ip-bw [Number of entries to print out] [Beginning of IP range] [End of IP range]

switch-controller

NOTE The Switch Controller is not available on all models:

    FortiGate-100D, FortiGate-140D, FortiGate-200D, FortiGate-240D, FortiGate-600C, FortiGate-800C, and FortiGate-1000C

switch-controller dump

       # diagnose switch-controller dump                                 dump daemon data                                                                    [5.2]
       
       # diagnose switch-controller dump vlan_config                     configured switch-controller vlan info                                              [5.2]
       # diagnose switch-controller dump switch_config                   configured managed-switch info                                                      [5.2]
       # diagnose switch-controller dump mac_hosts                       cached kernel mac hosts                                                             [5.2]
       # diagnose switch-controller dump device_access_list              cached device access list                                                           [5.2]
       # diagnose switch-controller dump client                          running clients                                                                     [5.2]

switch-controller kick

       # diagnose switch-controller kick                                 kick client                                                                         [5.2]
       
       # diagnose switch-controller kick [vdom] [device-id] [vlanid] [portid | 0 for all] [client mac]

sys

sys checkused

       # diagnose sys checkused [path.object.mkey] [tablename]           Check who use the entry.                                                            [5.0][5.2]
       
       # diagnose sys checkused system.interface.name wan1
       entry used by table system.interface:name 'ipsec-cisco'
       entry used by table system.interface:name 'ipsec-fc'
       entry used by table system.interface:name 'ipsec-ios'
       entry used by child table dashboard:id '9' of table system.admin:name 'admin'
       entry used by child table monitor-interface:interface-name 'wan1' of table system.ddns:ddnsid '1'
       entry used by child table source-interface:name 'wan1' of complex vpn.ssl.settings:source-interface.name
       entry used by child table source-interface:name 'wan1' of table authentication-rule:id '1' of entry used by child table source-interface:name 'wan1' of table authentication-rule:id '2' of complex vpn.ssl.settings:authentication-rule.source-interface.name
       entry used by table vpn.ipsec.phase1:name 'ipsec-l2tp'
       entry used by table vpn.ipsec.phase1-interface:name 'ipsec-cisco'
       entry used by table vpn.ipsec.phase1-interface:name 'ipsec-fc'
       entry used by table vpn.ipsec.phase1-interface:name 'ipsec-ios'
       entry used by table firewall.vip:name 'nat-ip-local-193.193.135.66-32-port-25'
       entry used by table firewall.vip:name 'nat-ip-local-193.193.135.66-32-port-443'
       entry used by table firewall.vip:name 'nat-ip-local-193.193.135.66-32-port-465'
       entry used by table firewall.vip:name 'nat-ip-local-193.193.135.66-32-port-993'
       entry used by table firewall.vip:name 'nat-ip-local-193.193.135.66-32-port-995'
       entry used by table firewall.vip:name 'nat-ip-local-193.193.135.66-32-port-5060'
       entry used by child table srcintf:name 'wan1' of table firewall.policy:policyid '6'
       entry used by child table srcintf:name 'wan1' of table firewall.policy:policyid '7'

sys csum

       # diagnose sys csum [File name]                                   System checksum.                                                                    [5.0][5.2]

sys cpuset

       # diagnose sys cpuset                                             cpuset                                                                              [5.2]

sys dashboard

       # diagnose sys dashboard                                                                                Dashboard for admin user.                     [5.0][5.2]
       
       # diagnose sys dashboard reset                                                                          Reset dashboard config for current admin.     [5.0] 
       # diagnose sys dashboard stats app-usage clear [User name]                                              Clear stats.                                  [5.0] 
       # diagnose sys dashboard stats app-usage show [User name] [Application ID] [VDOM Name (optional)]       Show stats.                                   [5.0] 
       # diagnose sys dashboard stats dlp-archive clear [User name]                                            Clear stats.                                  [5.0] 
       # diagnose sys dashboard stats dlp-archive show [User name]                                             Show stats.                                   [5.0] 
       # diagnose sys dashboard stats log [arg]                                                                Log statistics.                               [5.0] 
       # diagnose sys dashboard stats log-clear                                                                Log statistics.                               [5.0] 
       # diagnose sys dashboard stats pol-usage clear [arg] [arg] [arg]                                        Top policy usage.                             [5.0] 
       # diagnose sys dashboard stats pol6-usage clear [arg] [arg] [arg]                                       Top policy6 usage.                            [5.0] 
       # diagnose sys dashboard stats session-top [User name]                                                  Top sessions.                                 [5.0] 
       # diagnose sys dashboard stats traffic-history [Interface name]                                         Traffic history.                              [5.0] 

sys dayst-info

       # diagnose sys dayst-info [Num] [year]                            Daylight saving time information.                                                   [5.0][5.2]
       
       # diagnose sys dayst-info
       The current timezone '(GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stoc daylight saving time starts at Sun Mar 29 02:00:00 2015, ends at Sun Oct 25 02:00:00 2015
       0   (GMT-12:00)Eniwetok,Kwajalein  
       1   (GMT-11:00)Midway Island, Samoa  
       2   (GMT-10:00)Hawaii  
       3   (GMT-9:00)Alaska  
       4   (GMT-8:00)Pacific Time(US&Canada)  
       5   (GMT-7:00)Arizona  
       81  (GMT-7:00)Baja California Sur, Chihuahua  
       6   (GMT-7:00)Mountain Time(US&Canada)  
       7   (GMT-6:00)Central America  
       8   (GMT-6:00)Central Time(US&Canada)  
       9   (GMT-6:00)Mexico City  
       10  (GMT-6:00)Saskatchewan  
       11  (GMT-5:00)Bogota,Lima,Quito  
       12  (GMT-5:00)Eastern Time(US & Canada)  
       13  (GMT-5:00)Indiana(East)  
       74  (GMT-4:30)Caracas  
       14  (GMT-4:00)Atlantic Time(Canada)  
       77  (GMT-4:00)Georgetown  
       15  (GMT-4:00)La Paz  
       16  (GMT-4:00)Santiago  
       17  (GMT-3:30)Newfoundland  
       18  (GMT-3:00)Brasilia  
       19  (GMT-3:00)Buenos Aires  
       20  (GMT-3:00)Nuuk(Greenland)  
       75  (GMT-3:00)Uruguay  
       21  (GMT-2:00)Mid-Atlantic  
       22  (GMT-1:00)Azores  
       23  (GMT-1:00)Cape Verde Is.  
       24  (GMT)Monrovia  
       80  (GMT)Greenwich Mean Time  
       79  (GMT)Casablanca  
       25  (GMT)Dublin,Edinburgh,Lisbon,London  
       26  (GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna  
       27  (GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague  
       28  (GMT+1:00)Brussels,Copenhagen,Madrid,Paris  
       78  (GMT+1:00)Namibia  
       29  (GMT+1:00)Sarajevo,Skopje,Warsaw,Zagreb  
       30  (GMT+1:00)West Central Africa  
       31  (GMT+2:00)Athens,Istanbul,Minsk,Sofija  
       32  (GMT+2:00)Bucharest  
       33  (GMT+2:00)Cairo  
       34  (GMT+2:00)Harare,Pretoria  
       35  (GMT+2:00)Helsinki,Riga,Tallinn  
       36  (GMT+2:00)Jerusalem  
       37  (GMT+3:00)Baghdad  
       38  (GMT+3:00)Kuwait,Riyadh  
       40  (GMT+3:00)Nairobi  
       41  (GMT+3:30)Tehran  
       42  (GMT+4:00)Abu Dhabi,Muscat  
       43  (GMT+4:00)Baku  
       39  (GMT+4:00)Moscow,St.Petersburg,Volgograd  
       44  (GMT+4:30)Kabul  
       46  (GMT+5:00)Islamabad,Karachi,Tashkent  
       47  (GMT+5:30)Calcutta,Chennai,Mumbai,New Delhi  
       51  (GMT+5:30)Sri Jayawardenepara  
       48  (GMT+5:45)Kathmandu  
       45  (GMT+6:00)Ekaterinburg  
       49  (GMT+6:00)Almaty  
       50  (GMT+6:00)Astana,Dhaka  
       52  (GMT+6:30)Rangoon  
       53  (GMT+7:00)Bangkok,Hanoi,Jakarta,Novosibirsk  
       54  (GMT+8:00)Krasnoyarsk  
       55  (GMT+8:00)Beijing,ChongQing,HongKong,Urumgi  
       56  (GMT+8:00)Ulaan Bataar  
       57  (GMT+8:00)Kuala Lumpur,Singapore  
       58  (GMT+8:00)Perth  
       59  (GMT+8:00)Taipei  
       60  (GMT+9:00)Irkutsk,Osaka,Sapporo,Tokyo,Seoul  
       62  (GMT+9:30)Adelaide  
       63  (GMT+9:30)Darwin  
       61  (GMT+10:00)Yakutsk  
       64  (GMT+10:00)Brisbane  
       65  (GMT+10:00)Canberra,Melbourne,Sydney  
       66  (GMT+10:00)Guam,Port Moresby  
       67  (GMT+10:00)Hobart  
       68  (GMT+11:00)Vladivostok  
       69  (GMT+12:00)Magadan  
       70  (GMT+11:00)Solomon Is.,New Caledonia  
       71  (GMT+12:00)Auckland,Wellington  
       72  (GMT+12:00)Fiji,Kamchatka,Marshall Is.  
       82  (GMT+12:45)Chatham Islands  
       73  (GMT+13:00)Nuku'alofa  
       76  (GMT+14:00)Kiritimati

sys device

       # diagnose sys device add [Virtual Domain Name] [Device Name]     Virtual domain device management.                                                   [5.0][5.2]

sys flash

       # diagnose sys flash                                              Flash image.                                                                        [5.0][5.2]
       
       # diagnose sys flash format                                       format shared data partition (flash partition #3)                                   [5.0] 
       # diagnose sys flash list [List files]                            List flash images.                                                                  [5.0] 
       Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active
       1          FGT60D-5.02-FW-build688-150722                   253871     32279   13%  Yes   
       2          FGT60D-5.02-FW-build670-150318                   253871     32262   13%  No    
       3          ETDB-1.00000                                    3368360    125216    4%  No    
       Image build at Jul 22 2015 06:22:38 for b0688

sys fullcone

       # diagnose sys fullcone                                           Fullcone diagnostics.                                                               [5.0][5.2]

sys h323

       # diagnose sys h323                                                                   H323 diagnostics.                                               [5.0][5.2]
       
       # diagnose sys h323 call list                                                         H323 calls.                                                     [5.0] 
       # diagnose sys h323 debug-mask [mask - 0-disable, 1-parser, 2-CS, 4-RAS, 8-h245]      Mask for H323 kernel trace.                                     [5.0] 
       # diagnose sys h323 peer list                                                         H323 peers.                                                     [5.0] 
       # diagnose sys h323 status                                                            Display h323 status.                                            [5.0] 
       Peer: alloc=0           free=0           used=0
       Call: alloc=0           free=0           used=0

sys ha

       # diagnose sys ha cached-csum [Show cached checksum VDOM-name]   Show HA cached checksum.                                                             [5.0] 
       # diagnose sys ha cluster-csum [arg]                             Show HA cluster checksum.                                                            [5.0]
       ================== FGT60D4613048017 ==================
       
       is_manage_master()=1, is_root_master()=1
       debugzone
       global: f8 59 14 50 b2 72 41 14 67 3d a6 49 8c 00 cc 4a 
       root: 57 57 c5 55 3b 5c 22 d1 ed 06 28 13 2e bb a5 8a 
       all: b4 96 88 40 ed 8b 72 f0 89 72 c8 d5 2f df 31 9e 
       
       checksum
       global: f8 59 14 50 b2 72 41 14 67 3d a6 49 8c 00 cc 4a 
       root: 57 57 c5 55 3b 5c 22 d1 ed 06 28 13 2e bb a5 8a 
       all: b4 96 88 40 ed 8b 72 f0 89 72 c8 d5 2f df 31 9e 
       # diagnose sys ha csum-recalculate [vdom-name or global]          Re-calculate HA checksum.                                                           [5.0] 
       # diagnose sys ha dump-by all-xdb                                 Dump all xdb.                                                                       [5.0]
       
       NOTE This command displays information about the current configuration of the cluster and how it is operating. 
            You can use the output to determine the primary unit, the state of port monitoring as well as most cluster 
            configuration details and status. 
       
       # diagnose sys ha dump-by all-vcluster                            Dump all vcluster.                                                                  [5.0]
       
       NOTE This command displays the status and configuration of the individual cluster units. You can use the output of 
            this command to determine the primary unit and the status of each cluster unit. 
       
       # diagnose sys ha dump-by rcache                                  Dump rcache.                                                                        [5.0]
       # diagnose sys ha dump-by all-group                               Dump all group.                                                                     [5.0]
       # diagnose sys ha dump-by memory                                  Dump memory.                                                                        [5.0]
       # diagnose sys ha dump-by debug-zone                              Dump HA debug zone.                                                                 [5.0]
       # diagnose sys ha dump-by vdom                                    Dump HA vdom info.                                                                  [5.0]
       # diagnose sys ha dump-by kernel                                  Dump HA kernel info.                                                                [5.0]
       # diagnose sys ha dump-by device                                  Dump HA device.                                                                     [5.0]
       # diagnose sys ha dump-by stat                                    Dump HA statistics.                                                                 [5.0]
       
       NOTE This command displays some statistics about how well the cluster is functioning. Information includes packet counts, 
            memory use, failed links and ping failures. 
       
       # diagnose sys ha dump-by sesync                                  Dump HA session sync peers.                                                         [5.0]
       # diagnose sys ha extfile-sig                                     Dump extfile's signature.                                                           [5.0]
       # diagnose sys ha fib                                             FIB information.                                                                    [5.0]
       # diagnose sys ha hadiff                                          HA diff debug.                                                                      [5.0]
       
       # diagnose sys ha hadiff log clear                                Clear log.                                                                          [5.0] 
       # diagnose sys ha hadiff log disable                              Disable log.                                                                        [5.0] 
       # diagnose sys ha hadiff log enable                               Enable log.                                                                         [5.0] 
       # diagnose sys ha hadiff max-sync-turns [Set/get max number sync] Set/get max number of sync turns.                                                   [5.0] 
       # diagnose sys ha hadiff max-unsync-wait [max unsync wait times]  Set/get max unsync wait times.                                                      [5.0] 
       # diagnose sys ha hadiff status                                   HA diff status.                                                                     [5.0] 
       pid: 0
       state: idle
       vdom: 
       log: disabled
       max-sync-turns: 0
       max-unsync-wait: 0
       sync-failure: 0
       master-lastcsum: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       # diagnose sys ha mac                                             Mac Information.                                                                    [5.0]
       HA mac msg name=port1, phyindex=0, 00:09:0F:09:00:01, linkfail=0 
       name=port2, phyindex=1, 00:09:0F:09:00:02, linkfail=1 
       name=port3, phyindex=2, 00:09:0F:09:00:03, linkfail=0 
       name=port4, phyindex=3, 00:09:0F:09:00:04, linkfail=1
       # diagnose sys ha recalculate-extfile-signature                   Recalculate external files signature in hasync daemon.                              [5.0]
       # diagnose sys ha reset-uptime                                    Reset HA up time.                                                                   [5.0]
       
       NOTE This command resets the age of a unit back to zero so that if no other unit in the cluster was reset at the same time,
            it will now have the lowest age and can become the primary unit. The diagnose sys ha reset-uptime command should only 
            be used as a temporary solution. The command resets the HA age internally and does not affect the up time displayed 
            for cluster units using the diagnose sys ha dump-by all-vcluster command or the up time displayed on the Dashboard 
            or cluster members list. To make sure the actual up time for cluster units is the same as the HA age you should reboot 
            the cluster units during a maintenance window. 
       # diagnose sys ha session-sync-dev                                Session sync ports.                                                                 [5.0]
       
       # diagnose sys ha session-sync-dev clear                          Clear session sync ports.                                                           [5.0] 
       # diagnose sys ha session-sync-dev set [arg] [arg] [arg] [arg]    Configure session sync ports.                                                       [5.0] 
       # diagnose sys ha sesync-stats                                    Dump session sync statistics.                                                       [5.0]
       # diagnose sys ha showcsum                                        Show HA checksum.                                                                   [5.0]
       
       # diagnose sys ha showcsum [level] | [path.object] [Show detail checksum for table entry]
       # diagnose sys ha showcsum 1
       system.global: 29ec8b3f021fc3bed8d6509cc657044f
       system.accprofile: 7acee39e9d2d9f8911badae10c754ae2
       system.npu: 7acee39e9d2d9f8911badae10c754ae2
       system.vdom-link: 7acee39e9d2d9f8911badae10c754ae2
       wireless-controller.global: 7acee39e9d2d9f8911badae10c754ae2
       wireless-controller.vap: 5f737dda1df100ed964fdeafcfa9811e
       system.switch-interface: 5f737dda1df100ed964fdeafcfa9811e
       system.lte-modem: 5f737dda1df100ed964fdeafcfa9811e
       system.interface: 2aa8491bba9032ba04a908af1acce4dd
       system.physical-switch: 99444dbe30124b89f2890533bb622eed
       system.virtual-switch: 99444dbe30124b89f2890533bb622eed
       system.password-policy: 99444dbe30124b89f2890533bb622eed
       system.sms-server: 99444dbe30124b89f2890533bb622eed
       system.custom-language: 69409117e787b3584a3c54311d0e5223
       system.admin: d6caae54eee0045e7bf796edfc82391f
       system.fsso-polling: d6caae54eee0045e7bf796edfc82391f
       system.ha: 7311b30a32ce7f20da9bf17d40a9d7bc
       # diagnose sys ha stats                                           statistics                                                                          [5.0]
       # diagnose sys ha status                                          status                                                                              [5.0]

sys kill

       # diagnose sys kill [Signal number(1-32)] [Process ID]            Kill the process ID.                                                                [5.0][5.2]
       
       NOTE Use this command to terminate a process currently running on FortiWeb, or send another signal from the FortiWeb OS 
            to the process. Type the ID of the signal to send to the process. This is an integer between 1 and 32. For <pid> 
            type the ID of the process to which the signal is sent. 
       
       Signal Integer
       1  Varies by the process’s interpretation, such as re-read configuration files or re-initialize (hang up; SIGHUP). 
          For example, the FortiWeb web UI verifies its configuration files, then restarts gracefully.  
       2  Request termination by simulating the pressing of the interrupt keys, such as Ctrl + C (interrupt; SIGINT).  
       3  Force termination immediately and do a core dump (quit; SIGQUIT).  
       9  Force termination immediately (kill; SIGKILL).  
       15  Request termination by inter-process communication (terminate; SIGTERM).  


sys last-modified

       # diagnose sys last-modified                                      List files that were modified last.                                                 [5.0][5.2]

sys link-monitor

       # diagnose sys link-monitor                                       Link Monitor.                                                                       [5.2]

sys logdisk

       # diagnose sys logdisk                                            Display log disk status.                                                            [5.2]

sys modem

       # diagnose sys modem                                              modem                                                                               [5.0][5.2]
       
       # diagnose sys modem cmd [AT command for MODEM]                   cmd                                                                                 [5.0] 
       # diagnose sys modem com [arg] [arg]                              Start an interactive session.                                                       [5.0] 
       # diagnose sys modem detect                                       detect                                                                              [5.0] 
       # diagnose sys modem external-modem                               Show external MODEM information.                                                    [5.0] 
       # diagnose sys modem history                                      List MODEM usage history.                                                           [5.0] 
       # diagnose sys modem query [[0|1] - 1 to force re-query via AT]   Query information from external MODEM.                                              [5.0] 
       # diagnose sys modem reset                                        Reset serial driver from external MODEM.                                            [5.0] 

sys mpstat

       # diagnose sys mpstat                                             mpstat                                                                              [5.2]

sys nmi-watchdog

       # diagnose sys nmi-watchdog                                       nmi-watchdog                                                                        [5.0][5.2]
       nmi-watchdog is disabled
       
       # diagnose sys nmi-watchdog disable                               Disable NMI watchdog.                                                               [5.0] 
       # diagnose sys nmi-watchdog enable                                Enable NMI watchdog.                                                                [5.0] 

sys ntp

       # diagnose sys ntp                                                NTP daemon command.                                                                 [5.0][5.2]
       synchronized: yes, ntpsync: enabled, server-mode: enabled
       
       ipv4 server(developer.local.ch) 193.193.135.65 -- reachable(0x1) S:5 T:1761 selected 
               server-version=4, stratum=11
               reference time is d9f5d7ae.9e7f57e1 -- UTC Tue Nov 17 16:43:26 2015
               clock offset is -0.798009 sec, root delay is 0 msec
               root dispersion is 724 msec, peer dispersion is 8968 msec

sys pair

       # diagnose sys pair                                               Pair device.                                                                        [5.0][5.2]

sys pipb

       # diagnose sys pipb                                               pipb                                                                                [5.0]

sys pipb-global

       # diagnose sys pipb-global                                       Global pipb.                                                                         [5.0]
       
       # diagnose sys pipb-global bps-list                              List global per-IP-bandwidth meter ordered by bps.                                   [5.0] 
       # diagnose sys pipb-global list                                  List global per-IP-bandwidth meter.                                                  [5.0] 
       # diagnose sys pipb-global sort                                  Sort global per-IP-bandwidth meter by bps.                                           [5.0] 
       # diagnose sys pipb-global stat                                  Global per-IP-bandwidth meter status.                                                [5.0] 

sys process

       # diagnose sys process                                           Dump process stack.                                                                  [5.0][5.2]
       
       # diagnose sys process dump [PID of the process to dump]         Dump process stack.                                                                  [5.0] 
       # diagnose sys process trace [arg] [arg] [arg] [arg]             Sample process instructions.                                                         [5.0] 

sys profile

       # diagnose sys profile start                                      start kernel profiling data                                                         [5.2]
       # diagnose sys profile stop                                       copy kernel profiling data                                                          [5.2]
       # diagnose sys profile show                                       show kernel profiling result                                                        [5.2]
       # diagnose sys profile sysmap                                     show kernel sysmap                                                                  [5.2]
       0x80008000    60 _stext
       0x8000803c    28 __switch_data
       0x80008058    40 __ret
       0x80008080    48 __mmap_switched
       0x800080b0   140 __create_page_tables
       0x8000813c     8 __error
       0x80008144    80 __lookup_processor_type
       0x80008194    76 __lookup_architecture_type
       0x800081e0    40 debug_kernel
       0x80008208    40 quiet_kernel
       0x80008230    64 profile_setup
       0x80008270   296 calibrate_delay
       0x80008398   944 start_kernel
       0x80008748    24 no_initrd
       0x80008760    24 root_data_setup
       0x80008778    24 fs_names_setup
       ...............................
       ...............................
       ...............................
       # diagnose sys profile cpumask                                    profile which CPUs                                                                  [5.2]
       # diagnose sys profile module                                     show kernel module                                                                  [5.2]
       ftk                  1309124  38 0xf8a2c060

sys proxy

       # diagnose sys proxy bypass                                       bypass                                                                              [5.0]
       
       # diagnose sys proxy bypass ftp [on|off bypass proxy AV]          FTP protocol.                                                                       [5.0] 
       # diagnose sys proxy bypass http [on|off bypass proxy AV]         HTTP protocol.                                                                      [5.0] 
       # diagnose sys proxy bypass imap [on|off bypass proxy AV]         IMAP protocol.                                                                      [5.0] 
       # diagnose sys proxy bypass nntp [on|off bypass proxy AV]         NNTP protocol.                                                                      [5.0] 
       # diagnose sys proxy bypass pop3 [on|off bypass proxy AV]         POP3 protocol.                                                                      [5.0] 
       # diagnose sys proxy bypass smtp [on|off bypass proxy AV]         SMTP protocol.                                                                      [5.0] 
       # diagnose sys proxy filter                                       Filter for displaying debug information.                                            [5.0]
       
       # diagnose sys proxy filter clear                                 Erase the current filter.                                                           [5.0] 
       # diagnose sys proxy filter list                                  Display the current filter.                                                         [5.0] 
       # diagnose sys proxy filter src [Source IP from] [Source IP to]   Source address range to filter by.                                                  [5.0] 
       # diagnose sys proxy stats                                        Proxy statistics.                                                                   [5.0]
       
       # diagnose sys proxy stats ftp                                    FTP statistics.                                                                     [5.0] 
       # diagnose sys proxy stats http                                   HTTP statistics.                                                                    [5.0] 
       sample-count: 10
       sample-interval: 5 seconds
       sample-average: 0
       sample[9]: 0
       sample[8]: 0
       sample[7]: 0
       sample[6]: 0
       sample[5]: 0
       sample[4]: 0
       sample[3]: 0
       sample[2]: 0
       sample[1]: 0
       sample[0]: 0
       # diagnose sys proxy stats imap                                   IMAP statistics.                                                                    [5.0] 
       # diagnose sys proxy stats nntp                                   NNTP statistics.                                                                    [5.0] 
       # diagnose sys proxy stats pop3                                   POP3 statistics.                                                                    [5.0] 
       # diagnose sys proxy stats reset [Proxy protocol name]            Reset proxy statistics.                                                             [5.0] 
       # diagnose sys proxy stats smtp                                   SMTP statistics.                                                                    [5.0] 

sys sccp-proxy

       # diagnose sys sccp-proxy debug-console                           Debug consoles.                                                                     [5.0]
       # diagnose sys sccp-proxy phone                                   SCCP phones.                                                                        [5.0]
       # diagnose sys sccp-proxy redirect                                Redirects                                                                           [5.0]
       # diagnose sys sccp-proxy restart                                 Restart IM, SIP, and SCCP.                                                          [5.0]
       # diagnose sys sccp-proxy stat                                    SCCP statistics.                                                                    [5.0]
       
       # diagnose sys sccp-proxy stats clear                             Clear SCCP statistics.                                                              [5.0] 
       # diagnose sys sccp-proxy stats list                              List SCCP statistics.                                                               [5.0] 
       # diagnose sys sccp-proxy stats mem full                          Memory usage details.                                                               [5.0] 
       # diagnose sys sccp-proxy stats mem summary                       Memory usage summary.                                                               [5.0] 

sys server-probe

       # diagnose sys server-probe                                      Server probe.                                                                        [5.0][5.2]
       
       # diagnose sys server-probe launch [entry-id]                    Launching an SLA probe.                                                              [5.0] 
       # diagnose sys server-probe response                             Probe response.                                                                      [5.0] 
       # diagnose sys server-probe status [entry-id | all]              status                                                                               [5.0] 

sys session

       # diagnose sys session clear                                                     Clear the sessions defined by filter.                                [5.0]
       # diagnose sys session daemon                                                    Session sync daemon.                                                 [5.0]
       
       # diagnose sys session daemon pid-log [Log level]                                Enable/disable PID log.                                              [5.0] 
       # diagnose sys session daemon shm                                                shm                                                                  [5.0] 
       shm[0]: not-exist
       shm[1]: not-exist
       shm[2]: not-exist
       shm[3]: not-exist
       shm[4]: not-exist
       shm[5]: not-exist
       shm[6]: not-exist
       shm[7]: not-exist
       shm[8]: not-exist
       shm[9]: not-exist
       shm[10]: not-exist
       shm[11]: not-exist
       shm[12]: not-exist
       shm[13]: not-exist
       shm[14]: not-exist
       shm[15]: not-exist
       
       # diagnose sys session daemon shm status                                         Shm segment status.                                                  [5.0] 
       shm[0]: not-exist
       shm[1]: not-exist
       shm[2]: not-exist
       shm[3]: not-exist
       shm[4]: not-exist
       shm[5]: not-exist
       shm[6]: not-exist
       shm[7]: not-exist
       shm[8]: not-exist
       shm[9]: not-exist
       shm[10]: not-exist
       shm[11]: not-exist
       shm[12]: not-exist
       shm[13]: not-exist
       shm[14]: not-exist
       shm[15]: not-exist
       
       # diagnose sys session daemon status                                             Daemon status.                                                       [5.0] 
       sesync_next_seq=-1, packet_pid_nr=0, flush_pid_nr=0, shm_seg_nr=16, shm_peak_seg_cnt=0
       pid_log=0
       now=352011566
       
       shm_seg_cnt=0
       0: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       1: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       2: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       3: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       4: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       5: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       6: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       7: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       8: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       9: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       10: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       11: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       12: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       13: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       14: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       15: status=0, append_pid=0, head=0, tail=0, expire_jiffies=0
       # diagnose sys session filter clear                                              Clear session filter.                                                [5.0]
       # diagnose sys session filter clear dintf [Interface name]                       Clear destination interface filter.                                  [5.0] 
       # diagnose sys session filter clear dport [from port0-65535] [to port 0-65535]   Clear destination port filter from to.                               [5.0] 
       # diagnose sys session filter clear dst [from dst IP] [to dst IP]                Clear destination IP filter.                                         [5.0] 
       # diagnose sys session filter clear duration [from duration] [to duration]       Clear duration filter.                                               [5.0] 
       # diagnose sys session filter clear expire [from expire] [to expire]             Clear expire filter.                                                 [5.0] 
       # diagnose sys session filter clear nport [from expire] [to expire]              clear NAT'd source port filter                                       [5.0] 
       # diagnose sys session filter clear nsrc [from NAT srcip] [to NAT srcip]        clear NAT'd source IP filter                                         [5.0] 
       # diagnose sys session filter clear policy [from policy] [to policy]             Clear policy ID filter.                                              [5.0] 
       # diagnose sys session filter clear proto [from protocol] [to protocol]          Clear protocol filter (0-255).                                       [5.0] 
       # diagnose sys session filter clear proto-state [from 0-9] [to 0-9]              Clear protocol state filter.                                         [5.0] 
       
       NOTE This command allows you to view the counts of various TCP states. This can help in enterprise-type 
            environments when tuning protocol timers, for example when 60 percent of sessions are in the syn-sent 
            state compared to the established sessions. 
       
       # diagnose sys session filter clear sintf [Interface name]                       Clear source interface filter.                                       [5.0] 
       # diagnose sys session filter clear sport [from 0-65535] [to 0-65535]            Clear source port filter.                                            [5.0] 
       # diagnose sys session filter clear src [from srcip] [to srcip]                  Clear source IP filter.                                              [5.0] 
       # diagnose sys session filter clear vd [Index of virtual domain. -1 matches all] Clear virtual domain filter.                                         [5.0] 
       # diagnose sys session filter dintf [Interface name]                             Destination interface.                                               [5.0]
       # diagnose sys session filter dport [from port0-65535] [to port 0-65535]         Destination port.                                                    [5.0]
       # diagnose sys session filter dst [from dst IP] [to dst IP]                      Destination IP address.                                              [5.0]
       # diagnose sys session filter duration [from duration] [to duration]             duration                                                             [5.0]
       # diagnose sys session filter expire [from expire] [to expire]                   expire                                                               [5.0]
       # diagnose sys session filter negate                                             Inverse filter.                                                      [5.0]
       # diagnose sys session filter negate dintf                                       Inverse destination interface.                                       [5.0] 
       # diagnose sys session filter negate dport                                       Inverse destination port.                                            [5.0] 
       # diagnose sys session filter negate dst                                         Inverse destination IP.                                              [5.0] 
       # diagnose sys session filter negate duration                                    Inverse duration.                                                    [5.0] 
       # diagnose sys session filter negate expire                                      Inverse expire.                                                      [5.0] 
       # diagnose sys session filter negate nport                                       inverse NAT'd source port                                            [5.0] 
       # diagnose sys session filter negate nsrc                                        inverse NAT'd source IP                                              [5.0] 
       # diagnose sys session filter negate policy                                      Inverse policy ID.                                                   [5.0] 
       # diagnose sys session filter negate proto                                       Inverse protocol.                                                    [5.0] 
       # diagnose sys session filter negate proto-state                                 Inverse protocol state.                                              [5.0] 
       # diagnose sys session filter negate sintf                                       Inverse source interface.                                            [5.0] 
       # diagnose sys session filter negate sport                                       Inverse source port.                                                 [5.0] 
       # diagnose sys session filter negate src                                         Inverse source IP.                                                   [5.0] 
       # diagnose sys session filter negate vd                                          Inverse virtual domain.                                              [5.0] 
       # diagnose sys session filter nport [from expire] [to expire]                    NAT'd source port                                                    [5.0] 
       # diagnose sys session filter nsrc [from NAT srcip] [to NAT srcip]              NAT'd source ip address                                              [5.0] 
       # diagnose sys session filter policy [from policy] [to policy]                   Policy ID.                                                           [5.0]
       # diagnose sys session filter proto [from protocol] [to protocol]                Protocol number (0-255).                                             [5.0] 
       # diagnose sys session filter proto-state [from 0-9] [to 0-9]                    Protocol state.                                                      [5.0]
       # diagnose sys session filter sintf [Interface name]                             Source interface.                                                    [5.0]
       # diagnose sys session filter sport [from 0-65535] [to 0-65535]                  Source port.                                                         [5.0]
       # diagnose sys session filter src [from srcip] [to srcip]                        Source IP address.                                                   [5.0] 
       # diagnose sys session filter vd [Index of virtual domain. -1 matches all]       Index of virtual domain. -1 matches all.                             [5.0]                          
       # diagnose sys session full-stat                                                 Fully stat session.                                                  [5.0]
       session table:           table_size=524288 max_depth=1 used=26
       misc info:       session_count=13 setup_rate=0 exp_count=0 clash=0
               memory_tension_drop=0 ephemeral=0/61440 removeable=0
       delete=0, flush=0, dev_down=0/0
       TCP sessions:
                6 in SYN_SENT state
       firewall error stat:
       error1=00000000
       error2=00000000
       error3=00000000
       error4=00000000
       tt=00000000
       cont=0000008b
       ids_recv=000001bb
       url_recv=00000000
       av_recv=00000116
       fqdn_count=00000015
       tcp reset stat:
               syncqf=0 acceptqf=0 no-listener=0 data=0 ses=0 ips=0
       # diagnose sys session help                                                      Session help.                                                        [5.0]
       # diagnose sys session help add [Help name] [Protocol number] [Help port]        Add session help.                                                    [5.0] 
       # diagnose sys session help delete [Protocol number] [Help port]                 Delete session help.                                                 [5.0] 
       # diagnose sys session help list                                                 List session help.                                                   [5.0] 
       list builtin help module:
       mgcp
       dcerpc
       rsh
       pmap
       dns-tcp
       dns-udp
       rtsp
       pptp
       sip
       mms
       tns
       h245
       h323
       ras
       tftp
       ftp
       list session help:
       help=pmap, protocol=17 port=111
       help=rtsp, protocol=6 port=8554
       help=rtsp, protocol=6 port=554
       help=pptp, protocol=6 port=1723
       help=rtsp, protocol=6 port=7070
       help=pmap, protocol=6 port=111
       help=rsh, protocol=6 port=512
       help=dns-udp, protocol=17 port=53
       help=tftp, protocol=17 port=69
       help=tns, protocol=6 port=1521
       help=mgcp, protocol=17 port=2727
       help=dcerpc, protocol=17 port=135
       help=rsh, protocol=6 port=514
       help=ras, protocol=17 port=1719
       help=ftp, protocol=6 port=21
       help=mgcp, protocol=17 port=2427
       help=dcerpc, protocol=6 port=135
       help=mms, protocol=6 port=1863
       help=h323, protocol=6 port=1720
       # diagnose sys session list [List expectation session]                           List session.                                                        [5.0]
       
       # diag sys session list 
       
       session info: proto=6 proto_state=02 duration=16 expire=13 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
       origin-shaper=
       reply-shaper=
       per_ip_shaper=
       ha_id=0 policy_dir=0 tunnel=/
       state=local nds 
       statistic(bytes/packets/allow_err): org=60/1/0 reply=88/1/1 tuples=2
       orgin->sink: org out->post, reply pre->in dev=0->7/7->0 gwy=0.0.0.0/0.0.0.0
       hook=out dir=org act=noop 198.18.0.1:13764->198.18.0.90:541(0.0.0.0:0)
       hook=in dir=reply act=noop 198.18.0.90:541->198.18.0.1:13764(0.0.0.0:0)
       pos/(before,after) 0/(0,0), 0/(0,0)
       misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
       serial=00d42ac1 tos=ff/ff ips_view=0 app_list=0 app=0
       dd_type=0 dd_mode=0
       npu_state=00000000
       
       session info: proto=6 proto_state=02 duration=10 expire=22 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
       origin-shaper=
       reply-shaper=
       per_ip_shaper=
       ha_id=0 policy_dir=0 tunnel=/
       state=local nds 
       statistic(bytes/packets/allow_err): org=120/2/0 reply=176/2/1 tuples=2
       orgin->sink: org out->post, reply pre->in dev=0->7/7->0 gwy=0.0.0.0/0.0.0.0
       hook=out dir=org act=noop 198.18.0.1:13765->198.18.0.90:514(0.0.0.0:0)
       hook=in dir=reply act=noop 198.18.0.90:514->198.18.0.1:13765(0.0.0.0:0)
       pos/(before,after) 0/(0,0), 0/(0,0)
       misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
       serial=00d42adb tos=ff/ff ips_view=0 app_list=0 app=0
       dd_type=0 dd_mode=0
       npu_state=00000000
       ........................................................................
       ........................................................................
       ........................................................................
       
       # diagnose sys session stat                                                      Stat session.                                                        [5.0]
       misc info:       session_count=13 setup_rate=0 exp_count=0 clash=0
               memory_tension_drop=0 ephemeral=0/61440 removeable=0
       delete=0, flush=0, dev_down=0/0
       TCP sessions:
                6 in SYN_SENT state
       firewall error stat:
       error1=00000000
       error2=00000000
       error3=00000000
       error4=00000000
       tt=00000000
       cont=0000008b
       ids_recv=000001bb
       url_recv=00000000
       av_recv=00000116
       fqdn_count=00000015
       tcp reset stat:
               syncqf=0 acceptqf=0 no-listener=0 data=0 ses=0 ips=0
       global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
       
       # diagnose sys session sync                                                      List session sync.                                                   [5.0]
       sync_ctx: sync_started=0, sync_tcp=0, sync_others=0,
       sync_expectation=0, sync_redir=0, sync_nat=0, stdalone_sesync=0.
       sync: create=0:0, update=0, delete=0:0, query=0
       recv: create=0:0, update=0, delete=0:0, query=0
       ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
       nCfg_sess_sync_num=4, mtu=0
       sync_filter:
       
       # diagnose sys session sync reset                                                Reset session sync.                                                  [5.0] 
       # diagnose sys session ttl                                                       TTL session.                                                         [5.0]
       list session timeout:
       Default timeout=3600
       
       # diagnose sys session clear                                                     Clear the sessions defined by filter.                                [5.0]
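
The TCP state counts that the NOTE in this section refers to can be checked off-box from saved CLI output. The Python below is an added example, not part of the original article or of FortiOS: it parses text shaped like the `diagnose sys session stat` and `diagnose sys session list` output shown above, reports each state's share of all sessions, and groups half-open (SYN_SENT) sessions by destination. The function names, the embedded sample text and the `TCP_STATES` numbering are assumptions.

```python
import re
from collections import Counter

# Constructed sample, shaped like the 'diagnose sys session stat' output above.
SAMPLE_STAT = """\
misc info:       session_count=13 setup_rate=0 exp_count=0 clash=0
        memory_tension_drop=0 ephemeral=0/61440 removeable=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
         6 in SYN_SENT state
firewall error stat:
error1=00000000
tcp reset stat:
        syncqf=0 acceptqf=0 no-listener=0 data=0 ses=0 ips=0
"""

# Constructed sample, shaped like the 'diagnose sys session list' records above
# (shortened; the third record is invented to show a second TCP state).
SAMPLE_LIST = """\
session info: proto=6 proto_state=02 duration=16 expire=13 timeout=3600 flags=00000000 use=3
state=local nds
hook=out dir=org act=noop 198.18.0.1:13764->198.18.0.90:541(0.0.0.0:0)
hook=in dir=reply act=noop 198.18.0.90:541->198.18.0.1:13764(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0

session info: proto=6 proto_state=02 duration=10 expire=22 timeout=3600 flags=00000000 use=3
state=local nds
hook=out dir=org act=noop 198.18.0.1:13765->198.18.0.90:514(0.0.0.0:0)
hook=in dir=reply act=noop 198.18.0.90:514->198.18.0.1:13765(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0

session info: proto=6 proto_state=01 duration=300 expire=3590 timeout=3600 flags=00000000 use=3
state=may_dirty
hook=pre dir=org act=noop 198.18.0.20:50000->198.18.0.90:443(0.0.0.0:0)
hook=post dir=reply act=noop 198.18.0.90:443->198.18.0.20:50000(0.0.0.0:0)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
"""

# Meaning of the last proto_state digit for TCP (proto=6). Assumption: this
# numbering comes from Fortinet's session-table documentation, not this page.
TCP_STATES = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV",
              4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT",
              8: "LAST_ACK", 9: "LISTEN"}

KV = re.compile(r"(\w+)=(\S*)")
STATE_LINE = re.compile(r"^\s*(\d+) in (\w+) state\s*$", re.M)
ORG_HOOK = re.compile(r"dir=org act=\S+ ([\d.]+):(\d+)->([\d.]+):(\d+)\(")
REQUIRED = {"proto", "proto_state", "duration", "expire"}


def parse_session_stat(text):
    """Return session_count and the per-state TCP counters from 'session stat'."""
    m = re.search(r"session_count=(\d+)", text)
    if not m:
        raise ValueError("no session_count field; not 'session stat' output?")
    states = {name: int(n) for n, name in STATE_LINE.findall(text)}
    return {"session_count": int(m.group(1)), "tcp_states": states}


def state_share(stat):
    """Share of ALL sessions (TCP and non-TCP) that sit in each TCP state."""
    total = stat["session_count"]
    return {s: n / total for s, n in stat["tcp_states"].items()} if total else {}


def parse_session_list(text):
    """Split 'session list' output into one dict per 'session info:' record."""
    sessions = []
    for chunk in re.split(r"(?m)^\s*session info:", text)[1:]:
        fields = dict(KV.findall(chunk))
        if not REQUIRED <= fields.keys():
            continue  # truncated record, e.g. cut off by the pager
        rec = {"proto": int(fields["proto"]), "proto_state": fields["proto_state"],
               "duration": int(fields["duration"]), "expire": int(fields["expire"]),
               "policy_id": int(fields.get("policy_id", -1))}
        hook = ORG_HOOK.search(chunk)  # original direction carries src -> dst
        if hook:
            rec.update(src=hook.group(1), sport=int(hook.group(2)),
                       dst=hook.group(3), dport=int(hook.group(4)))
        sessions.append(rec)
    return sessions


def tcp_state_name(rec):
    last = rec["proto_state"][-1:]
    return TCP_STATES.get(int(last), "UNKNOWN") if last.isdigit() else "UNKNOWN"


def tcp_state_counts(sessions):
    return Counter(tcp_state_name(s) for s in sessions if s["proto"] == 6)


def stale_half_open(sessions, min_age=5):
    """TCP sessions still in SYN_SENT after min_age seconds, per destination."""
    return Counter((s["dst"], s["dport"]) for s in sessions
                   if s["proto"] == 6 and tcp_state_name(s) == "SYN_SENT"
                   and s["duration"] >= min_age and "dst" in s)


if __name__ == "__main__":
    for state, share in state_share(parse_session_stat(SAMPLE_STAT)).items():
        print(f"{state}: {share:.0%} of all sessions")
    for (dst, dport), n in stale_half_open(parse_session_list(SAMPLE_LIST)).items():
        print(f"{n} half-open session(s) to {dst}:{dport}")
```

A destination that keeps collecting old SYN_SENT sessions is usually an unreachable or filtered service, which is the case where the session filter commands above help to narrow the view before clearing anything.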

sys session6

       # diagnose sys session6 filter clear                                             Clear session filter.                                                [5.0]
       # diagnose sys session6 filter clear dintf [Interface name]                      Clear destination interface filter.                                  [5.0] 
       # diagnose sys session6 filter clear dport [from port0-65535] [to port 0-65535]  Clear destination port filter from to.                               [5.0] 
       # diagnose sys session6 filter clear dst [from dst IP] [to dst IP]               Clear destination IP filter.                                         [5.0] 
       # diagnose sys session6 filter clear duration [from duration] [to duration]      Clear duration filter.                                               [5.0] 
       # diagnose sys session6 filter clear expire [from expire] [to expire]            Clear expire filter.                                                 [5.0] 
       # diagnose sys session6 filter clear nport [from expire] [to expire]             clear NAT'd source port filter                                       [5.0] 
       # diagnose sys session6 filter clear nsrc [from NAT srcip] [to NAT srcip]       clear NAT'd source IP filter                                         [5.0] 
       # diagnose sys session6 filter clear policy [from policy] [to policy]            Clear policy ID filter.                                              [5.0] 
       # diagnose sys session6 filter clear proto [from protocol] [to protocol]         Clear protocol filter (0-255).                                       [5.0] 
       # diagnose sys session6 filter clear proto-state [from 0-9] [to 0-9]             Clear protocol state filter.                                         [5.0] 
       
       NOTE This command allows you to view the counts of various TCP states. This can help in enterprise-type 
            environments when tuning protocol timers, for example when 60 percent of sessions are in the syn-sent 
            state compared to the established sessions. 
       
       # diagnose sys session6 filter clear sintf [Interface name]                      Clear source interface filter.                                       [5.0] 
       # diagnose sys session6 filter clear sport [from 0-65535] [to 0-65535]           Clear source port filter.                                            [5.0] 
       # diagnose sys session6 filter clear src [from srcip] [to srcip]                 Clear source IP filter.                                              [5.0] 
       # diagnose sys session6 filter clear vd [Index of virt. domain. -1 matches all]  Clear virtual domain filter.                                         [5.0] 
       # diagnose sys session6 filter dintf [Interface name]                            Destination interface.                                               [5.0]
       # diagnose sys session6 filter dport [from port0-65535] [to port 0-65535]        Destination port.                                                    [5.0]
       # diagnose sys session6 filter dst [from dst IP] [to dst IP]                     Destination IP address.                                              [5.0]
       # diagnose sys session6 filter duration [from duration] [to duration]            duration                                                             [5.0]
       # diagnose sys session6 filter expire [from expire] [to expire]                  expire                                                               [5.0]
       # diagnose sys session filter negate                                             Inverse filter.                                                      [5.0]
       # diagnose sys session6 filter negate dintf                                      Inverse destination interface.                                       [5.0] 
       # diagnose sys session6 filter negate dport                                      Inverse destination port.                                            [5.0] 
       # diagnose sys session6 filter negate dst                                        Inverse destination IP.                                              [5.0] 
       # diagnose sys session6 filter negate duration                                   Inverse duration.                                                    [5.0] 
       # diagnose sys session6 filter negate expire                                     Inverse expire.                                                      [5.0] 
       # diagnose sys session6 filter negate nport                                      inverse NAT'd source port                                            [5.0] 
       # diagnose sys session6 filter negate nsrc                                       inverse NAT'd source IP                                              [5.0] 
       # diagnose sys session6 filter negate policy                                     Inverse policy ID.                                                   [5.0] 
       # diagnose sys session6 filter negate proto                                      Inverse protocol.                                                    [5.0] 
       # diagnose sys session6 filter negate proto-state                                Inverse protocol state.                                              [5.0] 
       # diagnose sys session6 filter negate sintf                                      Inverse source interface.                                            [5.0] 
       # diagnose sys session6 filter negate sport                                      Inverse source port.                                                 [5.0] 
       # diagnose sys session6 filter negate src                                        Inverse source IP.                                                   [5.0] 
       # diagnose sys session6 filter negate vd                                         Inverse virtual domain.                                              [5.0] 
       # diagnose sys session6 filter nport [from expire] [to expire]                   NAT'd source port                                                    [5.0] 
       # diagnose sys session6 filter nsrc [from NAT srcip] [to NAT srcip]              NAT'd source ip address                                              [5.0] 
       # diagnose sys session6 filter policy [from policy] [to policy]                  Policy ID.                                                           [5.0]
       # diagnose sys session6 filter proto [from protocol] [to protocol]               Protocol number (0-255).                                             [5.0] 
       # diagnose sys session6 filter proto-state [from 0-9] [to 0-9]                   Protocol state.                                                      [5.0]
       # diagnose sys session6 filter sintf [Interface name]                            Source interface.                                                    [5.0]
       # diagnose sys session6 filter sport [from 0-65535] [to 0-65535]                 Source port.                                                         [5.0]
       # diagnose sys session6 filter src [from srcip] [to srcip]                       Source IP address.                                                   [5.0] 
       # diagnose sys session6 filter vd [Index of virtual domain. -1 matches all]      Index of virtual domain. -1 matches all.                             [5.0]                          
       # diagnose sys session6 full-stat                                                Fully stat session.                                                  [5.0]
       # diagnose sys session help                                                      Session help.                                                        [5.0]
       # diagnose sys session help add [Help name] [Protocol number] [Help port]        Add session help.                                                    [5.0] 
       # diagnose sys session help delete [Protocol number] [Help port]                 Delete session help.                                                 [5.0] 
       # diagnose sys session help list                                                 List session help.                                                   [5.0] 
       # diagnose sys session6 list                                                     List session.                                                        [5.0]
       # diagnose sys session6 list expectation                                         List IPv6 expectation session.                                       [5.0] 
       # diagnose sys session6 stat                                                     Stat session.                                                        [5.0]
       # diagnose sys session6 sync                                                     List session sync.                                                   [5.0]

sys sip

       # diagnose sys sip debug-mask [mask - For example, 0, 1, 2, 3..]        Mask for SIP kernel trace.                                                    [5.0]
       # diagnose sys sip dialog                                               SIP dialog.                                                                   [5.0]
       # diagnose sys sip dialog clear                                         Clear SIP dialogs.                                                            [5.0]

       # diagnose sys sip dialog list                                          List SIP dialogs.                                                             [5.0]

       # diagnose sys sip mapping                                              SIP mapping.                                                                  [5.0]
       # diagnose sys sip status                                               Display SIP status.                                                           [5.0]     
       dialogs: max=131072, used=0
       mappings: used=0
       dialog hash by ID: size=8192, used=0, depth=0
       dialog hash by RTP: size=8192, used=0, depth=0
       mapping hash: size=8192, used=0, depth=0
       count0: 0
       count1: 0
       count2: 0
       count3: 0
       count4: 0
       # diagnose sys sip-proxy calls                                          SIP calls.                                                                    [5.0]
       
       # diagnose sys sip-proxy calls clear                                    Clear all active SIP calls.                                                   [5.0] 
       # diagnose sys sip-proxy calls idle                                     List idle SIP calls.                                                          [5.0] 
       # diagnose sys sip-proxy calls invite                                   List SIP invite transactions.                                                 [5.0] 
       # diagnose sys sip-proxy calls list                                     List active SIP calls.                                                        [5.0] 
       # diagnose sys sip-proxy debug-console                                  Debug consoles.                                                               [5.0]
       # diagnose sys sip-proxy filter clear                                   Erase the current filter.                                                     [5.0]
       # diagnose sys sip-proxy filter dst-addr4 [from dstip] [to dstip]       Destination address range to filter by.                                       [5.0]
       # diagnose sys sip-proxy filter dst-addr6 [from dstip] [to dstip]       IPv6 destination address range to filter by.                                  [5.0]
       # diagnose sys sip-proxy filter dst-port [destination port]             Destination port to filter by.                                                [5.0]
       # diagnose sys sip-proxy filter identity-policy [identity-policy]       Identity-policy to filter by.                                                 [5.0]
       # diagnose sys sip-proxy filter list                                    Display the current filter.                                                   [5.0]
       # diagnose sys sip-proxy filter negate                                  Negate the specified filter parameter.                                        [5.0]
       # diagnose sys sip-proxy filter negate dst-addr4                        Negate the dst-addr4 filter.                                                  [5.0]  
       # diagnose sys sip-proxy filter negate dst-addr6                        Negate the dst-addr6 filter.                                                  [5.0]  
       # diagnose sys sip-proxy filter negate dst-port                         Negate the dst-port filter.                                                   [5.0]  
       # diagnose sys sip-proxy filter negate identity-policy                  Negate the identity-policy filter.                                            [5.0]  
       # diagnose sys sip-proxy filter negate policy                           Negate the policy filter.                                                     [5.0]  
       # diagnose sys sip-proxy filter negate policy-type                      Negate the policy-type filter.                                                [5.0]  
       # diagnose sys sip-proxy filter negate src-addr4                        Negate the src-addr4 filter.                                                  [5.0]  
       # diagnose sys sip-proxy filter negate src-addr6                        Negate the src-addr6 filter.                                                  [5.0]  
       # diagnose sys sip-proxy filter negate src-port                         Negate the src-port filter.                                                   [5.0]  
       # diagnose sys sip-proxy filter negate vd                               Negate the virtual domain filter.                                             [5.0]  
       # diagnose sys sip-proxy filter negate voip-profile                     Negate the VoIP-profile filter.                                               [5.0] 
       # diagnose sys sip-proxy filter policy [policy]                         Policy to filter by.                                                          [5.0]
       # diagnose sys sip-proxy filter policy-type                             Policy-type to filter by.                                                     [5.0]
       # diagnose sys sip-proxy filter policy-type ipv4                        Filter IPv4 policies.                                                         [5.0] 
       # diagnose sys sip-proxy filter policy-type ipv6                        Filter IPv6 policies.                                                         [5.0] 
       # diagnose sys sip-proxy filter src-addr4 [from srcip] [to srcip]       Source address range to filter by.                                            [5.0]
       # diagnose sys sip-proxy filter src-addr6 [from srcip] [to srcip]       IPv6 source address range to filter by.                                       [5.0]
       # diagnose sys sip-proxy filter src-port [source port]                  Source port to filter by.                                                     [5.0]                                                
       # diagnose sys sip-proxy filter vd [index vdom | -1 match all]          Index of virtual domain. -1 matches all.                                      [5.0]
       # diagnose sys sip-proxy filter voip-profile                            VoIP profile to filter by.                                                    [5.0]
       # diagnose sys sip-proxy filter voip-profile [voip-profile]             VoIP profile to filter by.                                                    [5.0] 
       # diagnose sys sip-proxy filter voip-profile default                    default profile                                                               [5.0] 
       # diagnose sys sip-proxy filter voip-profile strict                     strict profile                                                                [5.0] 
       # diagnose sys sip-proxy log-filter clear                               Clear the current filter.                                                     [5.0]
       # diagnose sys sip-proxy log-filter dst-addr4 [from dstip] [to dstip]   IPv4 destination address range to filter by.                                  [5.0]
       # diagnose sys sip-proxy log-filter dst-addr6 [from dstip] [to dstip]   IPv6 destination address range to filter by.                                  [5.0]
       # diagnose sys sip-proxy log-filter dst-port [destination port]         Destination port to filter by.                                                [5.0]
       # diagnose sys sip-proxy log-filter identity-policy [identity-policy]   Identity-policy to filter by.                                                 [5.0]
       # diagnose sys sip-proxy log-filter list                                Display the current filter.                                                   [5.0]
       # diagnose sys sip-proxy log-filter negate                              Negate the specified filter parameter.                                        [5.0]
       # diagnose sys sip-proxy log-filter negate dst-addr4                    Negate the dst-addr4 filter.                                                  [5.0]  
       # diagnose sys sip-proxy log-filter negate dst-addr6                    Negate the dst-addr6 filter.                                                  [5.0]  
       # diagnose sys sip-proxy log-filter negate dst-port                     Negate the dst-port filter.                                                   [5.0]  
       # diagnose sys sip-proxy log-filter negate identity-policy              Negate the identity-policy filter.                                            [5.0]  
       # diagnose sys sip-proxy log-filter negate policy                       Negate the policy filter.                                                     [5.0]  
       # diagnose sys sip-proxy log-filter negate policy-type                  Negate the policy-type filter.                                                [5.0]  
       # diagnose sys sip-proxy log-filter negate src-addr4                    Negate the src-addr4 filter.                                                  [5.0]  
       # diagnose sys sip-proxy log-filter negate src-addr6                    Negate the src-addr6 filter.                                                  [5.0]  
       # diagnose sys sip-proxy log-filter negate src-port                     Negate the src-port filter.                                                   [5.0]  
       # diagnose sys sip-proxy log-filter negate vd                           Negate the virtual domain filter.                                             [5.0]  
       # diagnose sys sip-proxy log-filter negate voip-profile                 Negate the VoIP-profile filter.                                               [5.0]

       # diagnose sys sip-proxy log-filter policy                              Policy to filter by.                                                          [5.0]
       # diagnose sys sip-proxy log-filter policy-type                         Policy-type to filter by.                                                     [5.0]
       # diagnose sys sip-proxy log-filter policy-type ipv4                    Filter IPv4 policies.                                                         [5.0] 
       # diagnose sys sip-proxy log-filter policy-type ipv6                    Filter IPv6 policies.                                                         [5.0] 
       # diagnose sys sip-proxy log-filter src-addr4 [from srcip] [to srcip]   IPv4 source address range to filter by.                                       [5.0]
       # diagnose sys sip-proxy log-filter src-addr6 [from srcip] [to srcip]   IPv6 source address range to filter by.                                       [5.0]
       # diagnose sys sip-proxy log-filter src-port [source port]              Source port to filter by.                                                     [5.0]
       # diagnose sys sip-proxy log-filter vd [index vdom | -1 match all]      Index of virtual domain. -1 matches all.                                      [5.0]
       # diagnose sys sip-proxy log-filter voip-profile                        VoIP profile to filter by.                                                    [5.0]
       # diagnose sys sip-proxy log-filter voip-profile [voip-profile]         VoIP profile to filter by.                                                    [5.0] 
       # diagnose sys sip-proxy log-filter voip-profile default                default profile                                                               [5.0] 
       # diagnose sys sip-proxy log-filter voip-profile strict                 strict profile                                                                [5.0] 
       # diagnose sys sip-proxy meters                                         Diagnostics for SIP rate limiting meters.                                     [5.0]
       
       NOTE In the output of this command, "rate 1" shows that the current (over the last second) measured rate for 
            INVITE/ACK and BYE was 1 per second, "peak 1" shows that the peak rate recorded is 1 per second, 
            "max 0" shows that there is no maximum limit set, "count 18" indicates that 18 messages were 
            received and "drop 0" indicates that none were dropped due to being over the limit.
       # diagnose sys sip-proxy redirect                                       Redirects                                                                     [5.0]
       # diagnose sys sip-proxy restart                                        Restart IM, SIP, and SCCP.                                                    [5.0]
       # diagnose sys sip-proxy scheduler-times                                Scheduler times.                                                              [5.0]
       # diagnose sys sip-proxy scheduler-times display                        Display scheduler times.                                                      [5.0] 
       # diagnose sys sip-proxy scheduler-times start                          Start measuring scheduler times.                                              [5.0] 
       # diagnose sys sip-proxy scheduler-times stop                           Stop measuring scheduler times.                                               [5.0] 
       # diagnose sys sip-proxy session                                        SIP sessions.                                                                 [5.0]
       # diagnose sys sip-proxy stats                                          SIP proxy statistics.                                                         [5.0]
       # diagnose sys sip-proxy stats call                                     SIP proxy call statistics summary.                                            [5.0] 
       # diagnose sys sip-proxy stats clear                                    Clear SIP proxy activity statistics.                                          [5.0] 
       # diagnose sys sip-proxy stats ha                                       SIP proxy HA statistics summary.                                              [5.0] 
       # diagnose sys sip-proxy stats list                                     SIP proxy activity statistics.                                                [5.0] 
       # diagnose sys sip-proxy stats mem full                                 Memory usage details.                                                         [5.0] 
       # diagnose sys sip-proxy stats mem summary                              Memory usage summary.                                                         [5.0] 
       # diagnose sys sip-proxy stats proto                                    SIP proxy general protocol statistics summary.                                [5.0] 
       # diagnose sys sip-proxy stats ssl-auth                                 SIP proxy SSL authentication statistics.                                      [5.0] 
       # diagnose sys sip-proxy stats udp                                      SIP proxy UDP statistics summary.                                             [5.0] 
       # diagnose sys sip-proxy vip                                            VIPs                                                                          [5.0]
       # diagnose sys sip-proxy vip policy                                     Policy VIP list.                                                              [5.0] 
       # diagnose sys sip-proxy vip real-server                                Real server VIP list.                                                         [5.0] 
       # diagnose sys sip-proxy vip rtp-policies                               RTP policies.                                                                 [5.0] 

sys stp

       # diagnose sys stp status                                         Display STP status.                                                                 [5.0][5.2]

sys tcp-option

       # diagnose sys tcp-option                                         Enable/disable TCP option.                                                          [5.0][5.2]
       # diagnose sys tcp-option disable                                 Disable TCP option.                                                                 [5.0] 
       # diagnose sys tcp-option enable                                  Enable TCP option.                                                                  [5.0] 

sys tcpsock

       # diagnose sys tcpsock                                            TCP sock info.                                                                      [5.0][5.2]
       0.0.0.0:993->0.0.0.0:0->state=listen err=0 sockflag=0x2 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:995->0.0.0.0:0->state=listen err=0 sockflag=0x2 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:5060->0.0.0.0:0->state=listen err=0 sockflag=0x2 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:709->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:5190->0.0.0.0:0->state=listen err=0 sockflag=0x2 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:1863->0.0.0.0:0->state=listen err=0 sockflag=0x2 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:1000->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:1001->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:1002->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:10443->0.0.0.0:0->state=listen err=0 sockflag=0x4 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:1003->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:1004->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:1005->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:110->0.0.0.0:0->state=listen err=0 sockflag=0x2 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:910->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:1006->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:143->0.0.0.0:0->state=listen err=0 sockflag=0x2 rma=0 wma=0 fma=0 tma=0
       0.0.0.0:80->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0

sys top

       # diagnose sys top                                                Show top processes information.                                                     [5.0][5.2]
       # diagnose sys top [Delay in seconds (default 5)] [Maximum lines (default 20)] 
       Run Time:  40 days, 20 hours and 9 minutes
       0U, 0N, 1S, 99I; 1839T, 1403F, 159KF
                 newcli    12803      R <     1.4     0.7
                 httpsd     2769      S       0.0     1.5
                 httpsd      121      S       0.0     1.5
                pyfcgid    32457      S       0.0     1.3
                pyfcgid    32459      S       0.0     1.3
                pyfcgid    32460      S       0.0     1.3
                pyfcgid    32461      S       0.0     1.3
            proxyworker       87      S       0.0     1.2
                cmdbsvr       38      S       0.0     1.2
                miglogd       58      S       0.0     1.1
                sslvpnd     5439      S       0.0     1.0
              ipshelper    23154      S <     0.0     1.0
              ipsengine    10176      S <     0.0     1.0
                 httpsd       60      S       0.0     0.9
                 httpsd      120      S       0.0     0.9
                 cw_acd     5444      S       0.0     0.8
                  fgfmd      110      S       0.0     0.7
                 newcli    12765      S <     0.0     0.7
                src-vis       95      S       0.0     0.7
                   iked       88      S       0.0     0.6
       Press q  to quit and return to the normal CLI prompt. 
       Press p  to sort the processes by the amount of CPU that the processes are using. 
       Press m  to sort the processes by the amount of memory that the processes are using.
       The codes displayed on the second output line mean the following: 
       
       U is % of user space applications using CPU. In the example, 0U means 0% of the user space applications are using CPU. 
       S is % of system processes (or kernel processes) using CPU. For example, 4S means 4% of the system processes are using the CPU. 
       I is % of idle CPU. For example, 95I means the CPU is 95% idle. 
       T is the total FortiOS system memory in Mb. For example, 1035792T means there are 1035792 Mb of system memory. 
       F is free memory in Mb. For example, 646920F means there is 646920 Mb of free memory. 
       KF is the total shared memory pages used. 
       
       Each additional line of the command output displays information for each of the processes running on the FortiGate unit. 
       The following table describes the output format of the other lines.
       
       Column 1  Process Name  
       Column 2  Process identification (PID)  
       Column 3  One letter process status. S: sleeping process R: running process <: high priority  
       Column 4  CPU usage (%)  
       Column 5  Memory usage (%)  
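
The output format described above can be parsed offline from a saved CLI capture, for example to track daemon CPU and memory usage over time during monitoring or incident triage. The following is an added example, not part of the original article or of FortiOS; the function names and thresholds are assumptions, and the sample input is a shortened copy of the example output shown above.

```python
import re
from collections import defaultdict

# Shortened copy of the "diagnose sys top" example output shown above.
SAMPLE = """\
Run Time:  40 days, 20 hours and 9 minutes
0U, 0N, 1S, 99I; 1839T, 1403F, 159KF
          newcli    12803      R <     1.4     0.7
          httpsd     2769      S       0.0     1.5
          httpsd      121      S       0.0     1.5
         pyfcgid    32457      S       0.0     1.3
       ipsengine    10176      S <     0.0     1.0
"""

# Second output line: CPU codes (U, optional N, S, I), then memory (T, F, optional KF).
HEADER_RE = re.compile(
    r"^\s*(?P<U>\d+)U,\s*(?:(?P<N>\d+)N,\s*)?(?P<S>\d+)S,\s*(?P<I>\d+)I;\s*"
    r"(?P<T>\d+)T,\s*(?P<F>\d+)F(?:,\s*(?P<KF>\d+)KF)?\s*$"
)
# Process line: name, PID, one-letter status, optional "<" (high priority), CPU %, memory %.
ROW_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z])\s*(?P<prio><)?\s+"
    r"(?P<cpu>\d+(?:\.\d+)?)\s+(?P<mem>\d+(?:\.\d+)?)\s*$"
)


def parse_top(text):
    """Return (header, rows) parsed from captured 'diagnose sys top' output."""
    header, rows = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and header is None:
            header = {k: int(v) for k, v in m.groupdict().items() if v is not None}
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "name": m["name"],
                "pid": int(m["pid"]),
                "state": m["state"],
                "high_priority": m["prio"] is not None,
                "cpu": float(m["cpu"]),
                "mem": float(m["mem"]),
            })
        # Anything else (run time line, key hints, blank lines) is ignored.
    if header is None:
        raise ValueError("no CPU/memory summary line found")
    return header, rows


def summarize_by_name(rows):
    """Aggregate instance count, CPU % and memory % per process name."""
    totals = defaultdict(lambda: {"count": 0, "cpu": 0.0, "mem": 0.0})
    for r in rows:
        t = totals[r["name"]]
        t["count"] += 1
        t["cpu"] = round(t["cpu"] + r["cpu"], 1)
        t["mem"] = round(t["mem"] + r["mem"], 1)
    return dict(totals)


def memory_used_percent(header):
    """Used memory in percent, derived from the T (total) and F (free) fields."""
    return round(100.0 * (header["T"] - header["F"]) / header["T"], 1)


def find_hotspots(header, rows, cpu_limit=50.0, mem_limit=10.0, min_idle=10):
    """Flag low idle CPU and process names whose summed usage exceeds the
    limits. The default limits are assumptions; tune them per device."""
    findings = []
    if header["I"] < min_idle:
        findings.append(("idle", "system", float(header["I"])))
    for name, t in summarize_by_name(rows).items():
        if t["cpu"] > cpu_limit:
            findings.append(("cpu", name, t["cpu"]))
        if t["mem"] > mem_limit:
            findings.append(("mem", name, t["mem"]))
    return findings


if __name__ == "__main__":
    hdr, procs = parse_top(SAMPLE)
    print("memory used %:", memory_used_percent(hdr))
    for name, t in summarize_by_name(procs).items():
        print(f"{name:12} x{t['count']}  cpu={t['cpu']}  mem={t['mem']}")
    print("findings:", find_hotspots(hdr, procs, mem_limit=2.5))
```

Because several daemons run as multiple instances (httpsd, pyfcgid), the summary adds up the per-process values before comparing them against a limit.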

sys top-summary

       # diagnose sys top-summary [Option]                              Show top aggregated processes information.                                           [5.0][5.2]
       Options
       --n or --num: Lines
       --i or --interval: Interval
       --s or --sort: Sort (Sort can be: cpu_percent, mem, fds, pid) 
       --d or --dump: Dump
       --h or --help: Help
       
       - These options are only set temporarily. If you run the base command again without any options all of the 
         default settings will be used. 
       
       - Only one option can be used at a time. Combining multiple options will produce an error output. 
       # diagnose sys top-summary --n=12
          CPU [|||||||||||||                           ]  34.2%
          Mem [|||||||||                               ]  23.0%   438M/1839M
          Processes: 12 (running=3 sleeping=82)
          
          PID      RSS  ^CPU% MEM%   FDS     TIME+  NAME
        * 12765    18M   33.8  1.0    12  00:03.71  newcli [x2]
          23150    29M    0.0  1.6    32  00:12.39  ipsmonitor [x3]
          5444     16M    0.0  0.9    30  06:22.44  cw_acd
          38       23M    0.0  1.3    13  02:22.65  cmdbsvr
          6769     10M    0.0  0.6    22  00:00.18  dhcpd
          45       11M    0.0  0.6    87  00:01.35  zebos_launcher [x12]
          32457    24M    0.0  1.4    12  00:01.21  pyfcgid [x4]
          57       10M    0.0  0.5    12  00:00.20  uploadd
          58       21M    0.0  1.2    25  00:25.68  miglogd
          59        9M    0.0  0.5     8  00:00.00  kmiglogd
          60       39M    0.0  2.1    19  02:46.10  httpsd [x4]
          5439     20M    0.0  1.1    28  00:00.93  sslvpnd
       # diagnose sys top-summary --s=mem
          CPU [|||||||||||||                           ]  33.8%
          Mem [|||||||||                               ]  23.0%   438M/1839M
          Processes: 20 (running=3 sleeping=82)
          
          PID      RSS   CPU% ^MEM%   FDS     TIME+  NAME
        * 60       39M    0.0  2.1    19  02:46.10  httpsd [x4]
          23150    29M    0.0  1.6    32  00:12.39  ipsmonitor [x3]
          32457    24M    0.0  1.4    12  00:01.21  pyfcgid [x4]
          83       23M    0.0  1.3   780  00:00.85  proxyd [x5]
          38       23M    0.0  1.3    13  02:22.65  cmdbsvr
          58       21M    0.0  1.2    25  00:25.68  miglogd
          5439     20M    0.0  1.1    28  00:00.93  sslvpnd
          12765    18M   33.8  1.0    12  00:03.71  newcli [x2]
          5444     16M    0.0  0.9    30  06:22.48  cw_acd
          110      14M    0.0  0.8    16  00:00.43  fgfmd
          95       14M    0.0  0.8    16  00:12.30  src-vis
          85       12M    0.0  0.7    25  00:02.90  scanunitd [x3]
          88       12M    0.0  0.7    29  00:07.10  iked
          84       12M    0.0  0.7    34  00:10.60  imd
          108      11M    0.0  0.6    30  00:29.27  dnsproxy
          97       11M    0.0  0.6    20  00:00.45  urlfilter
          71       11M    0.0  0.6    21  00:00.52  forticron
          45       11M    0.0  0.6    87  00:01.35  zebos_launcher [x12]
          73       11M    0.0  0.6    38  00:00.30  authd
          89       10M    0.0  0.6    11  00:03.17  updated

sys tos-based-priority

       # diagnose sys tos-based-priority                                 ToS based priority.                                                                 [5.0]
       
       NOTE This command displays the priority value currently correlated with each possible TOS bit value. Priority 
            values are displayed in order of their corresponding TOS bit values, which can range between 0 and 15, 
            from lowest TOS bit value to highest. 

sys traffic-priority

       # diagnose sys traffic-priority                                   Traffic Priority (DSCP/TOS).                                                        [5.2]

sys uuid

       # diagnose sys uuid                                               UUID debug.                                                                         [5.2]

sys vd

       # diagnose sys vd                                                 Virtual domain management.                                                          [5.0][5.2]
       # diagnose sys vd add [Virtual Domain Name]                       Add a Virtual System.                                                               [5.0] 
       # diagnose sys vd delete [Virtual Domain Name]                    Delete a Virtual System.                                                            [5.0] 
       # diagnose sys vd list                                            List Virtual Domains.                                                               [5.0] 
       system fib version=62
       list virtual firewall info:
       name=vsys_fgfm index=2 enabled use=8 rt_num=0 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
               ecmp=source-ip-based asym_rt6=0 rt6_num=4 strict_src_check=0 dns_log=0 ses_num=0 ses6_num=0 pkt_num=0
               tree_flag=0 tree6_flag=0 dnat_tree_flag=0 nataf=0 traffic_log=0 extended_traffic_log=0 svc_depth=0
               log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no
               ipv4_rate=0, ipv6_rate=0
       name=vsys_ha index=1 enabled use=11 rt_num=0 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
               ecmp=source-ip-based asym_rt6=0 rt6_num=6 strict_src_check=0 dns_log=0 ses_num=0 ses6_num=0 pkt_num=1167
               tree_flag=0 tree6_flag=0 dnat_tree_flag=0 nataf=0 traffic_log=0 extended_traffic_log=0 svc_depth=0
               log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no
               ipv4_rate=0, ipv6_rate=0
               ha_flags={no-ses-sync,no-ses-flush,no-ha-stats} mode=standalone ha_state=work prio=0 vid=0
       name=root index=0 enabled use=76 rt_num=13 asym_rt=0 sip_helper=0, sip_nat_trace=0, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0
               ecmp=source-ip-based asym_rt6=0 rt6_num=38 strict_src_check=0 dns_log=1 ses_num=13 ses6_num=0 pkt_num=70604913
               tree_flag=1 tree6_flag=1 dnat_tree_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=19
               log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no
               ipv4_rate=0, ipv6_rate=0
       vf_count=4 vfe_count=21
       
       # diagnose sys vd set [Virtual Domain Name]                       Set current VDOM.                                                                   [5.0] 
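
A parser for the "diagnose sys vd list" output shown above, as an added example (not part of the original article and not FortiOS code). It turns each VDOM record into a dictionary and reports fields that differ from a baseline; the function names and the BASELINE values are assumptions chosen for illustration.

```python
import re

# Output of "diagnose sys vd list", copied from the listing above (FG-60D).
SAMPLE = """\
system fib version=62
list virtual firewall info:
name=vsys_fgfm index=2 enabled use=8 rt_num=0 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
        ecmp=source-ip-based asym_rt6=0 rt6_num=4 strict_src_check=0 dns_log=0 ses_num=0 ses6_num=0 pkt_num=0
        tree_flag=0 tree6_flag=0 dnat_tree_flag=0 nataf=0 traffic_log=0 extended_traffic_log=0 svc_depth=0
        log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no
        ipv4_rate=0, ipv6_rate=0
name=vsys_ha index=1 enabled use=11 rt_num=0 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
        ecmp=source-ip-based asym_rt6=0 rt6_num=6 strict_src_check=0 dns_log=0 ses_num=0 ses6_num=0 pkt_num=1167
        tree_flag=0 tree6_flag=0 dnat_tree_flag=0 nataf=0 traffic_log=0 extended_traffic_log=0 svc_depth=0
        log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no
        ipv4_rate=0, ipv6_rate=0
        ha_flags={no-ses-sync,no-ses-flush,no-ha-stats} mode=standalone ha_state=work prio=0 vid=0
name=root index=0 enabled use=76 rt_num=13 asym_rt=0 sip_helper=0, sip_nat_trace=0, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0
        ecmp=source-ip-based asym_rt6=0 rt6_num=38 strict_src_check=0 dns_log=1 ses_num=13 ses6_num=0 pkt_num=70604913
        tree_flag=1 tree6_flag=1 dnat_tree_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=19
        log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no
        ipv4_rate=0, ipv6_rate=0
vf_count=4 vfe_count=21
"""

# Hypothetical baseline (constructed for this example): fields to compare per VDOM.
BASELINE = {"asym_rt": 0, "asym_rt6": 0, "traffic_log": 1}

# key=value, where the value is either a {comma,list} or runs to the next space/comma.
PAIR = re.compile(r"(\w+)=(\{[^}]*\}|[^\s,]+)")


def _convert(key, value):
    """Turn {a,b} into a list and digit strings into int; leave the VDOM name alone."""
    if value.startswith("{"):
        return [item for item in value[1:-1].split(",") if item]
    if key != "name" and value.isdigit():
        return int(value)
    return value


def parse_vd_list(text):
    """Return (vdoms, summary): one dict per VDOM plus the header/trailer values."""
    vdoms, summary = [], {}
    current, rec_indent = None, 0
    for raw in text.splitlines():
        body = raw.strip()
        if not body:
            continue
        indent = len(raw) - len(raw.lstrip())
        if body.startswith("name="):
            # New record; tokens without "=" (here: "enabled") are kept verbatim.
            current = {"bare_tokens": [t for t in body.split() if "=" not in t]}
            rec_indent = indent
            vdoms.append(current)
        elif current is None or indent <= rec_indent:
            # Not indented deeper than the record start: header or trailer line.
            current = None
        target = summary if current is None else current
        for key, value in PAIR.findall(body):
            target[key] = _convert(key, value)
    return vdoms, summary


def deviations(vdoms, baseline):
    """List (vdom, key, actual, expected) for each baseline field that differs.

    A field missing from a record is reported with actual=None.
    """
    found = []
    for vd in vdoms:
        for key, expected in baseline.items():
            actual = vd.get(key)
            if actual != expected:
                found.append((vd["name"], key, actual, expected))
    return found


if __name__ == "__main__":
    vdoms, summary = parse_vd_list(SAMPLE)
    print(summary)
    for name, key, actual, expected in deviations(vdoms, BASELINE):
        print(f"{name}: {key}={actual} (baseline {expected})")
```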

sys vlan

       # diagnose sys vlan                                               vlan                                                                                [5.0][5.2]

sys wccp

       # diagnose sys wccp                                               wccp                                                                                [5.0][5.2]
       # diagnose sys wccp delete [Service ID]                           Delete one wccp service.                                                            [5.0] 
       # diagnose sys wccp flush                                         Flush wccp services.                                                                [5.0] 
       # diagnose sys wccp list                                          List wccp services.                                                                 [5.0] 

test

test application

       # diagnose test application ddnscd [Integer]                      DDNS client daemon.                                                                 [5.0]
       Integer        
       1.  Show Peanut Hull Status
       2.  Peanut Hull Reconnect
       3.  Show FortiDDNS Status
       4.  Reset FortiDDNS Status
       # diagnose test application dhcp6c [Integer]                      DHCP6 client daemon.                                                                [5.0]
       # diagnose test application dhcprelay [Integer]                   DHCP relay daemon.                                                                  [5.0]
       # diagnose test application dnsproxy [Integer]                    DNS proxy.                                                                          [5.0]
       
       Integer
       1. Clear DNS cache
       2. Show stats
       3. Dump DNS setting
       4. Reload FQDN
       5. Requery FQDN
       6. Dump FQDN
       7. Dump DNS cache
       8. Dump DNS DB
       9. Reload DNS DB
       10. Dump secure DNS policy/profile
       11. Reload Secure DNS setting
       12. Show Hostname cache
       13. Clear Hostname cache
       14. DNS debug bit mask
       # diagnose test application dsd [Integer]                         DLP Statistics daemon.                                                              [5.0]
       
       Integer
       1.    This menu
       2.    Display memory usage
       3.    Display malloced devices
       # diagnose test application forticldd [Integer]                   FortiCloud daemon.                                                                  [5.0]
       
       Integer
       1. dump fds setting
       2. dump log controller status
       3. dump log server status
       4. dump msg controller status
       5. dump msg server status
       7. dump FDS default update server status
       8. dump FDNI status
       9. dump Contract Controller status
       10. dump Configuration Manager status
       11. dump FortiClient status
       12. dump FortiManager status
       13. dump image/cfg/script schedule
       14. dump image list
       15. dump fap version list
       20. toggle debug of FortiGuard log
       # diagnose test application forticron [Integer]                   Forticron daemon.                                                                   [5.0]
       
       Integer
       1. show stats
       2. dump certificate list
       3. dump CRL
       4. dump misc timers
       5. dump scheduled jobs
       6. dump scep list
       100. dump vdom-root log setting
       # diagnose test application fsd [Integer]                         FortiExplorer daemon.                                                               [5.0]
       # diagnose test application ftpd [Integer]                        FTP proxy.                                                                          [5.0]
       
       Integer
       Proxy Worker 0 - ftpd:
       [0:F] 
       FTP Proxy Test Usage
       [0:F] 
       [0:F]    2: Drop all connections
       [0:F]    4: Display connection stat
       [0:F]   44: Display info per connection
       [0:F]  444: Display connections per state
       [0:F] 4444: Display per vdom stats
       # diagnose test application harelay [Integer]                     HA relay daemon.                                                                    [5.0]
       # diagnose test application http [Integer]                        HTTP proxy.                                                                         [5.0]
       
       Integer
       Proxy Worker 0 - http:
       [0:H] 
       HTTP Proxy Test Usage
       [0:H] 
       [0:H]     2: Drop all connections
       [0:H]    22: Drop idle connections
       [0:H]     4: Display connection stat
       [0:H]    44: Display info per connection
       [0:H]   444: Display connections per state
       [0:H]  4444: Display per-VDOM statistics
       [0:H]    55: Display tcp info per connection
       [0:H]     6: Display ICAP information
       [0:H]    70: Disable ICAP 'Allow: 204' (default)
       [0:H]    71: Enable ICAP 'Allow: 204'
       [0:H]    72: Drop all ICAP server connections
       [0:H]     8: Display client comfort / infection cache stats
       [0:H]    88: Display client comfort / infection cache stats
       [0:H]    11: Display the SSL session ID cache statistics
       [0:H]    12: Clear the SSL session ID cache statistics
       [0:H]    13: Display the SSL session ID cache
       [0:H]    14: Clear the SSL session ID cache
       [0:H]    80: Show Fortinet bar SSL-VPN bookmark info
       [0:H]    81: Show Fortinet bar SSL-VPN bookmark cache
       [0:H]    82: Show Fortinet bar SSL-VPN bookmark LRU list
       # diagnose test application imap [Integer]                        IMAP proxy.                                                                         [5.0]
       
       Integer
       Proxy Worker 0 - imap:
       [0:I] 
       IMAP Proxy Test Usage
       [0:I] 
       [0:I]    2: Drop all connections
       [0:I]    4: Display connection stat
       [0:I]   44: Display info per connection
       [0:I]  444: Display connections per state
       [0:I] 4444: Display per vdom stats
       # diagnose test application info-sslvpnd [Integer]                SSL-VPN info daemon.                                                                [5.0]
       
       Integer
       SSL-VPN Info Daemon Test Usage:
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
         1 : Dump app session cache
        11 : Dump app session LRU list
         2 : Dump web session cache
        21 : Dump web session cache (IP index)
        50 : Dump daemon memory stats
        51 : Dump daemon object counts
        99 : Restart daemon
       # diagnose test application ipldbd [Integer]                      IP load balancing daemon.                                                           [5.0]
       # diagnose test application ipsengine [Integer]                   ips sensor                                                                          [5.0]
       # diagnose test application ipsmonitor [Integer]                  ips monitor                                                                         [5.0]
       
       Integer
       IPS Engine Test Usage:
       
           1: Display IPS engine information
           2: Toggle IPS engine enable/disable status
           3: Display restart log
           4: Clear restart log
           5: Toggle bypass status
           6: Submit attack characteristics now
          10: IPS queue length
          11: Clear IPS queue length
          12: IPS L7 socket statistics
          13: IPS session list
          14: IPS NTurbo statistics
          15: IPSA statistics
          16: Display device identification cache
          17: Clear device identification cache
          96: Toggle IPS engines watchdog timer
          97: Start all IPS engines
          98: Stop all IPS engines
          99: Restart all IPS engines and monitor
       # diagnose test application ipsufd [Integer]                      IPS urlfilter daemon.                                                               [5.0]
       
       Integer
       Test Commands:
           1. show all domain name & ip entries
           2. show all unresolved domain names
           3. show summary statistics
           4. verify routing table entries
           44. verify routing table entries (verbose)
           5. show all join table entries
           91. remove stale routes in routing table
       
       Debug Levels:
             1. critical   - disabled.  To   enable, set level 1
             2. error      - disabled.  To   enable, set level 2
             4. major      - disabled.  To   enable, set level 4
             8. minor      - disabled.  To   enable, set level 8
            16. CMDB       - disabled.  To   enable, set level 16
            32. routes     - disabled.  To   enable, set level 32
            64. detailed   - disabled.  To   enable, set level 64
           128. DNS        - disabled.  To   enable, set level 128
           256. memory     - disabled.  To   enable, set level 256
       # diagnose test application l2tpcd [Integer]                      L2TP client daemon.                                                                 [5.0]
       # diagnose test application lted [Integer]                        USB LTE daemon.                                                                     [5.0]
       # diagnose test application miglogd [Integer]                     Miglog logging daemon.                                                              [5.0]
       
       Integer
       1. Show global log setting.
       2. Show vdom log setting.
       3. Show log buffer sz.
       4. Show active log devices.
       5. Show MAX file descriptor number.
       6. Dump statistics.
       9. Delete all policy sniffer files.
       10. Show cid cache.
       11. Show UTM traffic cache.
       13. Increase the number of miglog children.
       14. Decrease the number of miglog children.
       15. Show miglog ID.
       16. Show log disk usage.
       18. Show network interface cache.
       19. Show application cache.
       20. Show FortiCloud log state.
       21. Show memory log statistics.
       22. Show memory traffic logs.
       23. Show memory event logs.
       
       101. Vdom-root Show log setting.
       102. Vdom-root Show application custom cache.
       103. Vdom-root Show application list cache.
       104. Vdom-root Show UTM traffic cache.
       105. Vdom-root Show reputation traffic cache.
       # diagnose test application nntp [Integer]                        NNTP proxy.                                                                         [5.0]
       
       Integer
       Proxy Worker 0 - nntp:
       [0:N] 
       NNTP Proxy Test Usage
       [0:N] 
       [0:N]    2: Drop all connections
       [0:N]    4: Display connection stat
       [0:N]   44: Display info per connection
       [0:N]  444: Display connections per state
       [0:N] 4444: Display per vdom stats
       # diagnose test application pop3 [Integer]                        POP3 proxy.                                                                         [5.0]
       
       Integer
       Proxy Worker 0 - pop3:
       [0:P] 
       POP3 Proxy Test Usage
       [0:P] 
       [0:P]    2: Drop all connections
       [0:P]    4: Display connection stat
       [0:P]   44: Display info per connection
       [0:P]  444: Display connections per state
       [0:P] 4444: Display per vdom stats
       # diagnose test application pptpcd [Integer]                      PPTP client.                                                                        [5.0]
       # diagnose test application proxyacceptor [Integer]               Proxy acceptor.                                                                     [5.0]
       
       Integer
       Proxy Acceptor Test Usage
       
          1: Dump Memory Usage
          4: Display acceptor stats
         99: Restart proxy acceptor
       # diagnose test application proxyworker [Integer]                 Proxy worker.                                                                       [5.0]
       
       Integer
       Proxy Worker 0 - worker:
       [0:W] 
       Proxy Worker Test Usage
       [0:W] 
       [0:W]    1: Dump Memory Usage
       [0:W]    2: Dump vdom list
       [0:W]    3: Display pid
       [0:W]    4: Display stats for all protocols
       [0:W] 4444: Display per vdom stats for all protocols
       [0:W]    5: Display debug log stats
       [0:W]    6: Toggle Print Stat mode every ~40 seconds
       [0:W]   88: Toggle statistic recording
       [0:W]   99: Restart proxy
       # diagnose test application quarantined [Integer]                 Quarantine daemon.                                                                  [5.0]
       
       Integer
       1. Dump daemon setting
       2. Dump daemon status
       3. Dump quarantine cache
       4. Clear quarantine cache
       5. Dump quarantine list
       6. Reclaim disk space
       7. Dump fortiguard analytic cache
       8. Clear fortiguard analytic cache
       9. Request analytic stats
       50. Toggle quarantine processing
       100. Dump vdom-root quaratine setting
       # diagnose test application radiusd [Integer]                     RADIUS daemon.                                                                      [5.0]
       # diagnose test application scanunit [Integer]                    Scanning unit.                                                                      [5.0]
       
       Integer
       Scanunit Test Usage
       
         20: Set   ASE debug flag bit 0
         21: Set   ASE debug flag bit 1
         22: Set   ASE debug flag bit 2
         23: Set   ASE debug flag bit 3
         24: Set   ASE debug flag bit 4
         25: Set   ASE debug flag bit 5
         26: Set   ASE debug flag bit 6
         27: Set   ASE debug flag bit 7
       # diagnose test application sflowd [Integer]                      sFlow daemon.                                                                       [5.0]
       # diagnose test application smtp [Integer]                        SMTP proxy.                                                                         [5.0]
       
       Integer
       Proxy Worker 0 - smtp:
       [0:S] 
       SMTP Proxy Test Usage
       [0:S] 
       [0:S]    2: Drop all connections
       [0:S]    4: Display connection stat
       [0:S]   44: Display info per connection
       [0:S]  444: Display connections per state
       [0:S] 4444: Display per vdom stats
       # diagnose test application snmpd [Integer]                       SNMP daemon.                                                                        [5.0]
       
       Integer
       SNMP Daemon Test Usage
          1: display daemon pid
          2: display snmp statistics
          3: clear snmp statistics
          4: generate test trap (oid: 999)
         99: restart daemon
       # diagnose test application sslacceptor [Integer]                 SSL proxy.                                                                          [5.0]
       
       Integer
       SSL Proxy Acceptor Test Usage
       
          1: Dump Memory Usage
          3: Display PID
          4: Display Acceptor stats
         99: Restart proxy
       # diagnose test application sslworker [Integer]                   SSL proxy.                                                                          [5.0]
       
       Integer
       SSL Worker 0:
       
       SSL Proxy Test Usage
       
          1: Dump Memory Usage
          2: Drop all connections
          3: Display PID
          4: Display connection stat
          5: Toggle AV Bypass mode
          6: Display memory statistics
          7: Display SSL proxy options
          8: Toggle SSL only mode
         10: Display connection TCP info
         44: Display info per connection
        444: Display connections per state
         11: Display connection TTL list
         12: Clear the SSL certificate cache
         13: Display config statistics
         99: Restart proxy
       # diagnose test application uploadd [Integer]                     Upload daemon.                                                                      [5.0]
       
       Integer
       1. show stats
       99. restart
       # diagnose test application urlfilter [Integer]                   URL filter daemon.                                                                  [5.0]
       
       Integer
       1.   This menu
       2.   Clear WF cache
       3.   Display WF cache contents
       4.   Display WF cache TTL list
       5.   Display WF cache LRU list
       6.   Display WF cache in tree format
       7.   Toggle switch for dumping unrated packet
       10.  Print debug values
       11.  Clear Spam Filter cache
       12.  Clear AV Query cache
       13. Toggle switch for dumping expired license packets
       14.  Show running timers (except request timers)
       144. Show running timers (including request timers)
       15.  Send INIT requests.
       16.  Display WF cache contents of prefix type
       19.  Display object counts
       20.  Display FTGD TCP stats
       99.  Restart the urlfilter daemon.
       
       Debug levels:
       Warning messages:             1   (0x001)
       Block events:                 2   (0x002)
       Pass events:                  4   (0x004)
       URL request events:           8   (0x008)
       Cache events:                 16  (0x010)
       Prefix events:                32  (0x020)
       Prefix delete subtree events: 64  (0x040)
       Add after prefix events:      128 (0x080)
       CMDB events:                  256 (0x100)
       DNS resolver messages:        512 (0x200)
       Keyword search messages:     1024 (0x400)
       INIT request messages:       2048 (0x800)
       Quota messages:              4096 (0x1000)
       # diagnose test application wad [Integer]                         WAD related processes.                                                              [5.0]
       # diagnose test application wccpd [Integer]                       WCCP daemon.                                                                        [5.0]
       # diagnose test application wpad [Integer]                        WPA daemon.                                                                         [5.0]
       
       Integer
       wpad test usage:
       
                1: Dump VAP
                2: Dump STA
                3: Reauth EAPOL STA in 5...25 seconds
                4: rekey gtk in 5 seconds
                5: STA debugging filter
                6: Dump VAP with key
                7: Dump STA with key

test authserver

       # diagnose test authserver cert [please input args]                                                                Test certificate authentication.   [5.0]
       # diagnose test authserver ldap [server_name] [username] [password]                                                Test LDAP server.                  [5.0]
       # diagnose test authserver ldap-digest [please input args]                                                         Test LDAP HA1 password query.      [5.0]
       # diagnose test authserver ldap-direct [server_name or IP]                                                         Test LDAP server directly.         [5.0]
       # diagnose test authserver ldap-group [ldapserver] [account] [domain] [DomainDN] [BaseDN]                          Search LDAP server.                [5.0]
       # diagnose test authserver ldap-search [please input args]                                                         Search LDAP server.                [5.0]
       # diagnose test authserver local [please input args]                                                               Test local user.                   [5.0]
       # diagnose test authserver pop3 [please input args]                                                                Test POP3 server.                  [5.0]
       # diagnose test authserver radius [server_name] [chap | pap | mschap | mschap2] [username] [password]              Test RADIUS server.                [5.0]
       # diagnose test authserver radius-direct [server_name or IP] [port no(0=default port)] [secret] [user] [password]  Test RADIUS server directly.       [5.0]
       # diagnose test authserver tacacs+ [server_name] [username] [password]                                             Test TACACS+ server.               [5.0]
       # diagnose test authserver tacacs+-direct [server_name or IP] [port no(0=default port)] [key]                      Test TACACS+ server directly.      [5.0]
       # diagnose test authserver user [please input args]                                                                Test user group ID(s) name(s).     [5.0]

test guest

       # diagnose test guest add [please input args]                     Add a guest user.                                                                   [5.0]
       # diagnose test guest del [please input args]                     Delete guest users.                                                                 [5.0]
       # diagnose test guest list [please input args]                    List guest users.                                                                   [5.0]

test update

       # diagnose test update info                                       Display debug info.                                                                 [5.0]

traffictest

       # diagnose traffictest show                                       Traffic settings show (show filters)                                                [5.2.5]
       
       To set filter parameters:
       
       # diagnose traffictest server-intf                                set server interface                                                                [5.2.5]
       # diagnose traffictest client-intf                                set client interface                                                                [5.2.5]
       # diagnose traffictest port                                       TCP or UDP port number (0 - 65535)                                                  [5.2.5]
       # diagnose traffictest proto                                      0 for TCP or 1 for UDP (default = 0)                                                [5.2.5]
       # diagnose traffictest run                                        Start traffic                                                                       [5.2.5]
       # diagnose traffictest run [argument]                             Start traffic with argument                                                         [5.2.5]
       
       Where argument can be:                                            [KMG] indicates options that support a K/M/G suffix for kilo-, mega-, or giga-
       
         -f                                                              format [kmgKMG] format to report: Kbits, Mbits, KBytes, MBytes
         -i                                                              interval # seconds between periodic bandwidth reports
         -F                                                              file name xmit/recv the specified file
         -A                                                              affinity n/n,m set CPU affinity
         -V                                                              verbose more detailed output
         -J                                                              json output in JSON format
         -d                                                              debug emit debugging output
         -v                                                              version show version information and quit
         -h                                                              help show this message and quit
         -b                                                              bandwidth #[KMG][/#] target bandwidth in bits/sec (0 for unlimited) 
                                                                         (default %d Mbit/sec for UDP, unlimited for TCP) (optional slash and packet count for burst mode)
         -t                                                              time # time in seconds to transmit for (default %d secs)
         -n                                                              bytes #[KMG] number of bytes to transmit (instead of -t)
         -k                                                              blockcount #[KMG] number of blocks (packets) to transmit (instead of -t or -n)
         -l                                                              len #[KMG] length of buffer to read or write (default %d KB for TCP, %d KB for UDP)
         -P                                                              parallel # number of parallel client streams to run
         -R                                                              reverse run in reverse mode (server sends, client receives)
         -w                                                              window #[KMG] TCP window size (socket buffer size)
         -C                                                              linux-congestion <algo> set TCP congestion control algorithm (Linux only)
         -M                                                              set-mss # set TCP maximum segment size (MTU - 40 bytes)
         -N                                                              nodelay set TCP no delay, disabling Nagle's Algorithm
         -4                                                              version4 only use IPv4
         -6                                                              version6 only use IPv6
         -S                                                              tos N set the IP 'type of service'
         -L                                                              flowlabel N set the IPv6 flow label (only supported on Linux)
         -Z                                                              zerocopy use a 'zero copy' method of sending data
         -O                                                              omit N omit the first n seconds
         -T                                                              title str prefix every output line with this string          
         -get-server-output                                              get results from server

user

       # diagnose user device clear                                      Clear discovered hosts.                                                             [5.0]
       # diagnose user device del [MAC address]                          Remove a specific host.                                                             [5.0]
       # diagnose user device filter addr [from ip] [to ip]              IPv4 address range.                                                                 [5.0]
       # diagnose user device filter clear                               Clear the filter or parameter.                                                      [5.0]
       # diagnose user device filter clear addr                          Clear parameter.                                                                    [5.0]  
       # diagnose user device filter clear generation                    Clear parameter.                                                                    [5.0]  
       # diagnose user device filter clear index                         Clear parameter.                                                                    [5.0]  
       # diagnose user device filter clear joined                        Clear parameter.                                                                    [5.0] 
       # diagnose user device filter clear os-name                       Clear parameter.                                                                    [5.0]  
       # diagnose user device filter clear type                          Clear parameter.                                                                    [5.0]  
       # diagnose user device filter clear type-generation               Clear parameter.                                                                    [5.0]  
       # diagnose user device filter clear type-src                      Clear parameter.                                                                    [5.0]  
       # diagnose user device filter clear vd                            Clear parameter.                                                                    [5.0] 
       # diagnose user device filter generation [from] [to]              Device generation.                                                                  [5.0]
       # diagnose user device filter joined [value]                      Device is joined to another.                                                        [5.0]
       # diagnose user device filter list                                Display the current filter.                                                         [5.0]
       # diagnose user device filter negate                              Negate the specified filter parameter.                                              [5.0]
       # diagnose user device filter negate addr                         Negate parameter.                                                                   [5.0]  
       # diagnose user device filter negate generation                   Negate parameter.                                                                   [5.0]  
       # diagnose user device filter negate index                        Negate parameter.                                                                   [5.0]  
       # diagnose user device filter negate joined                       Negate parameter.                                                                   [5.0]  
       # diagnose user device filter negate os-name                      Negate parameter.                                                                   [5.0]  
       # diagnose user device filter negate type                         Negate parameter.                                                                   [5.0]  
       # diagnose user device filter negate type-generation              Negate parameter.                                                                   [5.0]  
       # diagnose user device filter negate type-src                     Negate parameter.                                                                   [5.0]  
       # diagnose user device filter negate vd                           Negate parameter.                                                                   [5.0] 
       # diagnose user device filter os-name [OS | "" matches unknown]   Operating system name; "" matches unknown.                                          [5.0]
       # diagnose user device filter type [Device | "" matches unknown]  Device type; "" matches unknown.                                                    [5.0]
       # diagnose user device filter type-generation [from] [to]         Device type generation.                                                             [5.0]
       # diagnose user device filter type-src                            Device type source.                                                                 [5.0]
       # diagnose user device filter vd [index vdom]                     Index of virtual domain.                                                            [5.0]
       # diagnose user device get [MAC address]                          List a specific host.                                                               [5.0]
       # diagnose user device host-type-summary                          Discovered host type summary.                                                       [5.0]
       # diagnose user device invalidate [MAC address]                   Flag discovered data for revalidation.                                              [5.0]
       # diagnose user device list                                       List known hosts.                                                                   [5.0]
       # diagnose user device os-summary                                 Discovered OS summary.                                                              [5.0]
       # diagnose user device stats                                      User device stats.                                                                  [5.0]

vpn

vpn auto-ipsec

       # diagnose vpn auto-ipsec bootstrap accept [preshared-key]        Accept tunnel setup request from remote server.                                     [5.0]
       # diagnose vpn auto-ipsec bootstrap reject                        Reject tunnel setup request from remote server.                                     [5.0]
       # diagnose vpn auto-ipsec bootstrap status                        Show IPsec auto-configuration bootstrap status.                                     [5.0]
       # diagnose vpn auto-ipsec client clear-config [name]              Clear dynamically created IPsec configuration.                                      [5.0]
       # diagnose vpn auto-ipsec client status                           Show IPsec auto-configuration client status.                                        [5.0]
       # diagnose vpn auto-ipsec gateway notify [Name auto-config gw]    Send IPsec auto-configuration notification to peer.                                 [5.0]
       # diagnose vpn auto-ipsec gateway status                          Show IPsec auto-configuration gateway status.                                       [5.0]

vpn concentrator

       # diagnose vpn concentrator list [please input args]              List all concentrators                                                              [5.0]

vpn ike

       # diagnose vpn ike config list                                    List IKE configuration                                                              [5.0]
       vd: root/0
       name: ipsec-cisco
       serial: 4
       version: 1
       type: dynamic
       mode: main
       dpd: enable  retry-count 3  interval 5000ms
       auth: psk
       dhgrp:  2
       fragmentation: enable
       xauth: server-auto
       xauth-group: gr-ipsec-cisco-vpn-local.intra
       interface: wan1
       add-route: enable
       distance: 1
       priority: 0
       phase2s:
         ipsec-cisco proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0  replay  keep-alive
       policy: yes
       # diagnose vpn ike counts                                         IKE object counts.                                                                  [5.0]
       
       NOTE This command displays a list of IKE objects and their current, maximum, and total counts.
       # diagnose vpn ike crypto hardware                                Use hardware crypto if available.                                                   [5.0]
       # diagnose vpn ike crypto software                                Use software crypto.                                                                [5.0]
       # diagnose vpn ike crypto stats                                   Crypto statistics.                                                                  [5.0]
       software.dh-modp: 0 0
       hardware.dh-modp: 0 0
       software.dh-ecp: 0 0
       hardware.dh-ecp: 0 0
       ....................
       ....................
       ....................
       # diagnose vpn ike errors                                         IKE errors.                                                                         [5.0]
       limits.euthanized: 0
       limits.blocked: 0
       in.truncated: 0
       in.giant: 0
       in.baby: 0
       in.baby.float: 0
       out.fail: 0
       isakmp.truncated: 0
       isakmp.embryonic.connection.killed: 0
       isakmp.embryonic.sa.killed: 0
       isakmp.established.sa.killed: 0
       isakmp.duplicate: 0
       isakmp.unknown: 0
       isakmp.remote-addr-mismatch: 0
       isakmp.local-addr-mismatch: 0
       ...................................
       ...................................
       ...................................
       # diagnose vpn ike filter autoconf-status [Auto status | 0=all]   Auto-configuration status.                                                          [5.0]
       # diagnose vpn ike filter autoconf-type [Auto type | 0=all]       Auto-configuration type.                                                            [5.0]
       # diagnose vpn ike filter clear                                   Erase the current filter.                                                           [5.0]
       # diagnose vpn ike filter dst-addr4 [dstip]                       IPv4 destination address range to filter by.                                        [5.0]
       # diagnose vpn ike filter dst-addr6 [dstip]                       IPv6 destination address range to filter by.                                        [5.0]
       # diagnose vpn ike filter dst-port [dst port]                     Destination port range to filter by.                                                [5.0]
       # diagnose vpn ike filter interface [Index Interface | 0=all]     Interface that IKE connection is negotiated over.                                   [5.0]
       # diagnose vpn ike filter list                                    Display the current filter.                                                         [5.0]
       # diagnose vpn ike filter name [Name to filter by]                Phase1 name to filter by.                                                           [5.0]
       # diagnose vpn ike filter negate autoconf-status                  Negate autoconf-status.                                                             [5.0]
       # diagnose vpn ike filter negate autoconf-type                    Negate autoconf-type.                                                               [5.0]
       # diagnose vpn ike filter negate dst-addr4                        Negate IPv4 destination address.                                                    [5.0]
       # diagnose vpn ike filter negate dst-addr6                        Negate IPv6 destination address.                                                    [5.0]
       # diagnose vpn ike filter negate dst-port                         Negate destination port.                                                            [5.0]
       # diagnose vpn ike filter negate interface                        Negate interface.                                                                   [5.0]
       # diagnose vpn ike filter negate name                             Negate name.                                                                        [5.0]
       # diagnose vpn ike filter negate src-addr4                        Negate IPv4 source address.                                                         [5.0]
       # diagnose vpn ike filter negate src-addr6                        Negate IPv6 source address.                                                         [5.0]
       # diagnose vpn ike filter negate src-port                         Negate source port.                                                                 [5.0]
       # diagnose vpn ike filter negate vd                               Negate virtual domain.                                                              [5.0]
       # diagnose vpn ike filter src-addr4 [srcip]                       IPv4 source address range to filter by.                                             [5.0]
       # diagnose vpn ike filter src-addr6 [srcip]                       IPv6 source address range to filter by.                                             [5.0]
       # diagnose vpn ike filter src-port [source port]                  Source port range to filter by.                                                     [5.0]
       # diagnose vpn ike filter vd [index vdom | -1=all]                Index of virtual domain. -1 matches all.                                            [5.0]
       # diagnose vpn ike gateway clear [Clear gateway by name]          Clear IKE gateways.                                                                 [5.0]
       # diagnose vpn ike gateway flush [Flush gateway by name]          Synonym for clear.                                                                  [5.0]
       # diagnose vpn ike gateway list [List gateway by name]            List IKE gateways.                                                                  [5.0]
       # diagnose vpn ike log filter clear                               Erase the current filter.                                                           [5.0]
       # diagnose vpn ike log filter dst-addr4 [dstip]                   IPv4 destination address range to filter by.                                        [5.0]
       # diagnose vpn ike log filter dst-addr6 [dstip]                   IPv6 destination address range to filter by.                                        [5.0]
       # diagnose vpn ike log filter dst-port [dst port]                 Destination port range to filter by.                                                [5.0]
       # diagnose vpn ike log filter interface [index interface | 0=all] Interface that IKE connection is negotiated over.                                   [5.0]
       # diagnose vpn ike log filter list                                Display the current filter.                                                         [5.0]
       # diagnose vpn ike log filter name [Name to filter by]            Phase1 name to filter by.                                                           [5.0]
       # diagnose vpn ike log filter negate dst-addr4                    Negate IPv4 destination address.                                                    [5.0]
       # diagnose vpn ike log filter negate dst-addr6                    Negate IPv6 destination address.                                                    [5.0]
       # diagnose vpn ike log filter negate dst-port                     Negate destination port.                                                            [5.0]
       # diagnose vpn ike log filter negate interface                    Negate interface.                                                                   [5.0]
       # diagnose vpn ike log filter negate name                         Negate name.                                                                        [5.0]
       # diagnose vpn ike log filter negate src-addr4                    Negate IPv4 source address.                                                         [5.0]
       # diagnose vpn ike log filter negate src-addr6                    Negate IPv6 source address.                                                         [5.0]
       # diagnose vpn ike log filter negate src-port                     Negate source port.                                                                 [5.0]
       # diagnose vpn ike log filter negate vd                           Negate virtual domain.                                                              [5.0]
       # diagnose vpn ike log filter src-addr4 [srcip]                   IPv4 source address range to filter by.                                             [5.0]
       # diagnose vpn ike log filter src-addr6 [srcip]                   IPv6 source address range to filter by.                                             [5.0]
       # diagnose vpn ike log filter src-port [source port]              Source port range to filter by.                                                     [5.0]
       # diagnose vpn ike log filter vd [index vdom | -1=all]            Index of virtual domain. -1 matches all.                                            [5.0]
       # diagnose vpn ike log terminal clear                             Clear IKE debug log terminals.                                                      [5.0]
       # diagnose vpn ike log terminal reset                             Reset IKE debug log terminals.                                                      [5.0]
       # diagnose vpn ike log terminal stats                             Show IKE debug log terminal statistics.                                             [5.0]
       # diagnose vpn ike restart                                        Restart IKE.                                                                        [5.0]
       # diagnose vpn ike routes list                                    List IKE routes.                                                                    [5.0]
       # diagnose vpn ike status detailed                                Detailed status.                                                                    [5.0]
       # diagnose vpn ike status summary                                 Status summary.                                                                     [5.0]

vpn ipsec

       # diagnose vpn ipsec status                                       Show status of IPsec                                                                [5.0]

vpn l2tp

       # diagnose vpn l2tp status                                        Display L2TP status                                                                 [5.0]

vpn pptp

       # diagnose vpn pptp status                                        Display PPTP status.                                                                [5.0]

vpn ssl

       # diagnose vpn ssl debug-filter clear                             Erase the current filter.                                                           [5.0]
       # diagnose vpn ssl debug-filter list                              Display the current filter.                                                         [5.0]
       # diagnose vpn ssl debug-filter negate src-addr4 [srcip]          IPv4 source address.                                                                [5.0]
       # diagnose vpn ssl debug-filter negate src-addr6 [srcip]          IPv6 source address.                                                                [5.0]
       # diagnose vpn ssl debug-filter negate vd [vdom]                  Virtual domain.                                                                     [5.0]
       # diagnose vpn ssl debug-filter src-addr4                         IPv4 source address range.                                                          [5.0]
       # diagnose vpn ssl debug-filter src-addr6                         IPv6 source address range.                                                          [5.0]
       # diagnose vpn ssl debug-filter vd                                Name of virtual domain.                                                             [5.0]
       # diagnose vpn ssl hw-acceleration-status                         SSL hardware acceleration status.                                                   [5.0]
       # diagnose vpn ssl list                                           List current connections.                                                           [5.0]
       # diagnose vpn ssl mux                                            Show mux information.                                                               [5.0]
       # diagnose vpn ssl statistics                                     statistics                                                                          [5.0]
       # diagnose vpn ssl statistics  [all|vdom-name|vfid]               Display SSL-VPN statistics for all vdoms or given vdom or vfid.                     [5.0]
       
       NOTE Without an argument, statistics for the current vdom are shown!

vpn tunnel

       # diagnose vpn tunnel delinbsa [Name of tunnel]                   Remove tunnel sa.                                                                   [5.0]
       # diagnose vpn tunnel deloutbsa [Name of tunnel]                  Remove tunnel sa.                                                                   [5.0]
       # diagnose vpn tunnel dialup-list [please input args]             List dialup tunnel.                                                                 [5.0]
       # diagnose vpn tunnel down [Name of phase2]                       Shut down tunnel.                                                                   [5.0] 
       # diagnose vpn tunnel dumpsa                                      Dump all sa.                                                                        [5.0]
       # diagnose vpn tunnel flush [please input args]                   Flush tunnel SAs.                                                                   [5.0]
       # diagnose vpn tunnel list name [please input args]               List tunnel by name.                                                                [5.0]
       # diagnose vpn tunnel list number [Index of tunnel]               List tunnel by number.                                                              [5.0]
       # diagnose vpn tunnel reset [please input args]                   Flush tunnel SAs and reset NAT-T and DPD configuration.                             [5.0]
       # diagnose vpn tunnel stat flush [please input args]              Flush tunnel stats by name.                                                         [5.0]
       # diagnose vpn tunnel up [Name of Phase2]                         Activate tunnel.                                                                    [5.0]

wacs

Display diagnostic information for the web cache database daemon (wacs).

wacs clear

       # diagnose wacs clear                                             Remove all entries from the database.                                               [5.0][5.2]

wacs recents

       # diagnose wacs recents                                           Recent DB activities.                                                               [5.0][5.2]

wacs restart

       # diagnose wacs restart                                           Restart the daemon and reset the statistical parameters.                            [5.0][5.2]

wacs stats

       # diagnose wacs stats                                             Show statistics.                                                                    [5.0][5.2]
       
       NOTE Use this command to display information about the WAN optimization web cache daemon. The command will only 
            display information if the web cache daemon is running and the statistics displayed show the number of open 
            connections and other indications of activity. 

wad

wad console-log

       # diagnose wad console-log disable                                Disable logging.                                                                    [5.0]
       # diagnose wad console-log enable                                 Enable logging.                                                                     [5.0]

wad debug-url

       # diagnose wad debug-url disable                                  Disable debug-URL.                                                                  [5.0]
       # diagnose wad debug-url enable                                   Enable debug-URL.                                                                   [5.0]

wad stats

       # diagnose wad stats clear                                        Clear statistics.                                                                   [5.0]
       # diagnose wad stats crypto clear                                 clear crypto statistics                                                             [5.0]
       # diagnose wad stats crypto list                                  list crypto statistics                                                              [5.0]
       # diagnose wad stats filter clear                                 clear filter statistics                                                             [5.0]
       # diagnose wad stats filter list                                  list filter statistics                                                              [5.0]
       # diagnose wad stats list                                         List all statistics.                                                                [5.0]
       # diagnose wad stats mem clear                                    clear mem statistics                                                                [5.0]
       # diagnose wad stats mem list                                     list mem statistics                                                                 [5.0]
       # diagnose wad stats scan clear                                   clear scan statistics                                                               [5.0]
       # diagnose wad stats scan list                                    list scan statistics                                                                [5.0]
       # diagnose wad stats scripts clear                                clear scripts statistics                                                            [5.0]
       # diagnose wad stats scripts list                                 list scripts statistics                                                             [5.0]
       # diagnose wad stats summary clear                                clear summary statistics                                                            [5.0]
       # diagnose wad stats summary list                                 list summary statistics                                                             [5.0]

wad filter

       # diagnose wad filter clear                                       Erase current filter settings.                                                      [5.0]
       # diagnose wad filter dport [destination port]                    Destination port range to filter by.                                                [5.0]
       # diagnose wad filter drop-unknown-session [1=enable | 2=disable] Enable drop message unknown sessions.                                               [5.0]
       # diagnose wad filter dst [dstip]                                 Destination address range to filter by.                                             [5.0]
       # diagnose wad filter list                                        Display current filter.                                                             [5.0]
       # diagnose wad filter negate [parameter to negate]                Negate the specified filter parameter.                                              [5.0]
       # diagnose wad filter protocol [http To match (1), otherwise (0)] Select protocols to filter by.                                                      [5.0]
       # diagnose wad filter sport [source port]                         Source port range to filter by.                                                     [5.0]
       # diagnose wad filter src [srcip]                                 Source address range to filter by.                                                  [5.0]
       # diagnose wad filter vd [index vdom | -1=all]                    Index of virtual domain. -1 matches all.                                            [5.0]

wad user

       # diagnose wad user clear [User ID]                               Enter a user's id, ip and vdom to clear this particular user                        [5.0]
       # diagnose wad user list                                          List proxy users.                                                                   [5.0]

wad history

       # diagnose wad history [proto]                                    Statistics history.                                                                 [5.2]
       
       [proto]     All | HTTP | FTP | CIFS | MAPI | TCP
       <period>    10min | hour | day | 30days

wad tunnel

       # diagnose wad tunnel [clear | list]                              Tunnel diagnostics.                                                                 [5.0][5.2]
       
       NOTE Use this command to list all of the running WAN optimization tunnels and display information about each one.

wadbd

Display diagnostic information for the WAN optimization database daemon (waddb).


wadbd check

       # diagnose wadbd check                                            Check database integrity.                                                           [5.0][5.2]

wadbd clear

       # diagnose wadbd clear                                            Remove all entries from the database.                                               [5.0][5.2]

wadbd recents

       # diagnose wadbd recents                                          Recent DB activities.                                                               [5.0][5.2]

wadbd restart

       # diagnose wadbd restart                                          Restart the daemon and reset the statistical parameters.                            [5.0][5.2]

wadbd stats

       # diagnose wadbd stats                                            Show statistics.                                                                    [5.0][5.2]

web-ui

       # diagnose web-ui                                                 Web user interface.                                                                 [5.0][5.2]

webfilter

webfilter bword

       # diagnose webfilter bword [Filter string]                        Web banned word match filter.                                                       [5.0][5.2]

webfilter fortiguard

       # diagnose webfilter fortiguard                                   FortiGuard Web Filter information                                                   [5.0][5.2]
       # diagnose webfilter fortiguard ovrd refresh                      remove expired rules from FortiGuard Web Filter overrides                           [5.0] 
       # diagnose webfilter fortiguard statistics flush                  Flush rating cache and daemon statistics.                                           [5.0] 
       # diagnose webfilter fortiguard statistics list                   Display rating cache and daemon statistics.                                         [5.0] 

wireless-controller

wireless-controller wlac

       # diagnose wireless-controller wlac [-c|-d|-k|-h]                 Control plane, data plane or help                                                   [5.0][5.2]
       wlac usage:
           wlac help                       --show this usage
           wlac ping [-c cnt] [-s len] <ip> --send cnt len-bytes ping request
           wlac tpt                        --show non-wireless terminaton point info
           wlac kickmac mac                --disassociate a sta
           wlac kickwtp ip cport           --tear down a wtp session
           wlac plain-ctl [[wtp-id] [0|1] | clear]   --show, set or clear current plain control setting
           wlac sniff-cfg [[ip port] | clear]   --show, set or clear sniff server ip and port
           wlac sniff [intf [wtp-id] [0|1|2] | clear]     --show, set or clear sniff setting on intf for wtp-id
           wlac scanclr                    --clear the scanned rogue ap list
           wlac scanstaclr                 --clear the scanned rogue sta list
           wlac sta_filter [sta-mac level | clear]    --show, set or clear sta filter
           wlac wtp_filter [id vfid-ip:port level | clear]  --show, set or clear wtp filter
           wlac clear debug                --clear all debug settings
           wlac show debug                 --show all debug settings
           wlac show kernel                --show all -k command settings
           wlac show data                  --show all -d settings
           wlac show control               --show all -c settings
           wlac show all                   --show all -k,-c,-d and debug settings
           wlac -k cws [wlan]                   --list cws info(kern) 
           wlac -k wtp [vfid-ip:port lip:port]  --list wtp info(kern) 
           wlac -k vap [wlan | bssid]           --list vap info(kern)
           wlac -k sta [wlan | bssid mac]       --list sta info(kern)
           wlac -k wlan-sta wlan sta-ip         --list wlan's sta info(kern)
           wlac -d usage                   --list objects usage(data)
           wlac wpad_vap [ip|bssid]        --list vap info in wpad_ac
           wlac wpad_sta [mac]             --list sta info in wpad_ac
           wlac sta-idle-auth [time]       --get/set non-auth sta idle time
           wlac -d all                     --list wlan/wtp/vap/sta info(data)
           wlac -d wlan                    --list wlan info(data)
           wlac -d wtp                     --list wtp info(data)
           wlac -d vap                     --list vap info(data)
           wlac -d sta                     --list sta info(data)
           wlac -d sta-idx [wlan mac next] --list indexed sta info(data)
           wlac -d wlsta wlan              --list wlan's sta info(data)
           wlac -d wtpsta wtp-index        --list wtp's sta info(data)
           wlac -d radiosta wtp-id rId     --list radio's sta info(data)
           wlac -c sta [mac]               --list sta(ctl)
           wlac -c wtpprof [wtpprof]         --list configured wtp profiles(ctl)
           wlac -c wtp [wtp]               --list configured wtps(ctl)
           wlac -c wtp-idx [wtp next]        --list indexed wtp (ctl)
           wlac -c radio-idx [wtp rId next]  --list indexed radio (ctl)
           wlac -c vap-idx [wtp rId wlan next] --list indexed vap (ctl)
           wlac -c wlan [wlan|ssid]        --list configured wlans(ctl)
           wlac -c swintf                  --list configured switch interface(ctl)
           wlac -c ap-status               --list configured ap status(ctl)
           wlac -c widsprof                 --list configured wids profiles(ctl)
           wlac -c byod_dev [dev | mac]    --list configured devices(ctl)
           wlac -c byod_devgrp [devgrp     --list configured device groups(ctl)
           wlac -c byod_devacl [devacl]    --list configured device access lists(ctl)
           wlac -c byod_devtype [devtype]  --list configured device types(ctl)
           wlac -c byod [wlan]             --show device access in control plane
           wlac -c byod_detected [wlan]    --list detected devices(ctl)
           wlac -c ws [ip]                 --list current wtp sessions(ctl)
           wlac -c ws-fail                 --show current wtp sessions with SSID config failures
           wlac -c ws-mesh vfid-ip:port    --list this wtp session's mesh parent and child info(ctl)
           wlac -c vap                     --list vap info(ctl)
           wlac -c ap-rogue                --list rogue ap info(ctl)
           wlac -c sta-rogue               --list rogue sta info(ctl)
           wlac -c rap-hostlist bssid      --list hosts related to the ap(ctl)
           wlac -c arp-req                 --list arp info on the controller(ctl)
           wlac -c mac-table               --list mac table(ctl)
           wlac -c br-table                --list bridge table(ctl)
           wlac -c nol                     --list the AP's non occupancy channel list for radar
           wlac -c scan-clr-all            --clear the scanned rogue ap and sta data(ctl)
           wlac -c ap-onwire-clr bssid     --clear the rogue ap's on wire flag(ctl)
           wlac -c darrp                   --list darrp radio table(ctl)
           wlac -c sta-cap [mac]           --list sta capability(ctl)
           wlac -c sta-locate              --list located wireless stations(ctl)
           wlac -c sta-locate-reset [1|2]  --reset sta-locate data(ctl); 1: reset stats, 2 (default): flush entries
           wlac -c rf-analysis [wtp-id|ac] --list rf analysis results(ctl)
           wlac -c rf-sa wtp-id rId [chan] --list rf spectrum info
           wlac -c radio-ifr wtp-id rId    --list radio's interfering APs
           wlac -c wids                    --show detected sta threat in control plane