Fortigate Troubleshooting

General Routing


get router info routing-table all
get router info routing-table database
diagnose ip rtcache list < route cache list (fast routing)
get router info kernel < --- FIB (SSL VPN routes)

BGP

show router bgp
get router info bgp summary
get router info bgp neighbors
get router info bgp neighbors 10.10.1.1
get router info bgp neighbors 10.10.1.1 advertised-routes
get router info bgp neighbors 10.10.1.1 received-routes [ Display Received Routes from 10.10.1.1 Neighbor ]
get router info bgp neighbors 10.10.1.1 routes
get router info bgp community
get router info bgp community 1331:0 [ Filter By Specific Community ]
get router info routing-table bgp

OSPF


get router info ospf neighbor
get router info ospf database brief
VPN Troubleshooting

Debugging VPN:

diagnose vpn ike log-filter src-addr4 < Source Ip >
diagnose vpn ike log-filter dst-addr4 < Peer Ip >
diagnose debug application ike -1
diagnose debug enable
diagnose debug reset
diagnose debug disable

General Commands:



get vpn ipsec tunnel summary
get vpn ike gateway
diagnose vpn ike status  summary
diagnose vpn ike gateway list

Error Checking:

fnsysctl ifconfig <Phase 1 name>
diagnose netlink interface list <Phase 1 name>
HA Diagnostics
get system ha status
get system ha-nonsync-csum
get system ha-monitor

diagnose sys ha status
diagnose sys ha checksum cluster
diagnose sys ha checksum recalculate < VDOM >


execute HA manage < Device ID >
ARP
get system arp
diagnose ip arp list

Session Diagnostics

diagnose system session list exception
diagnose sniffer packet any "host 10.10.1.1"
diagnose system session list
diagnose system session clear
get system session list < you can GREP IP here >

Packet Debugging

diagnose debug reset
diagnose debug disable
diagnose debug flow filter clear
diagnose debug flow filter addr 10.111.10.201
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow filter proto 1
diagnose debug flow trace start 999999 << packets
diagnose debug enable

SD-WAN

config system interface
------------------------
for best quality correct assessment of available bandwidth
config system interface
    edit <port>
        set estimated-upstream-bandwidth <speed>
        set estimated-downstream-bandwidth
    next
end

Fortigate Troubleshooting

Netseclabs

Comment fonctionne le Zero-Trust avec Fortinet ?