Post on 19-Dec-2015
Diagnostics
Module Objectives
• By the end of this module participants will be able to:
• Use diagnostic commands to troubleshoot and monitor performance of the FortiGate unit
Diagnostic Commands
Tools for troubleshooting and performance monitoring
Diagnostics Commands
• Commands can be used to debug the operation of the FortiGate unit and to set parameters for displaying different levels of diagnostic information
Normal Operation
• Commands can be used to establish a baseline of normal operation
• Determine how the system performs in a best-case scenario
• Can be added to a script to be executed at periodic intervals to gather snapshots of overall CPU and memory usage
• Examples:
get system status
get system performance status
Resource Usage
• Commands can be used to check the resource usage of internal processes
• For example:
diag sys top <delay> <max_lines>
get sys perform top
diag sys kill <signal> <process id>
Proxy Operations
• Commands can be used to test proxy operations
• Run these commands in the Global configuration
• For example:
diag test application <application> <option>
Hardware Operations
• Commands can be used to monitor hardware network operations
• Errors at the interface are indicative of data link or physical layer issues that may impact the performance of the FortiGate unit
• For example:
diag hardware deviceinfo nic <interface>
Memory Utilization
• The FortiGate antivirus/IPS system operates in one of two modes, depending on the unit's available shared memory.
• If the shared memory utilization is below a defined upper threshold, the system is in non-conserve mode
• If the used shared memory goes beyond this threshold, the system enters conserve mode
• These thresholds are non-configurable
• The threshold above which the system enters conserve mode is 80%; the system will not go back to non-conserve mode until the shared memory usage goes below 70%
• Commands can be used in the Global configuration to determine the current mode
• For example:
diag hardware sysinfo shm
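As an added example (not from the original course material), the following script shows how periodic snapshots of `get system performance status`, collected as described under Normal Operation, can be parsed to track the conserve-mode hysteresis described above. The snapshot text and the exact `Memory:` line layout are constructed assumptions; real FortiOS output varies by version.

```python
"""Track FortiGate conserve mode from memory-usage snapshots (added example)."""
import re

ENTER_CONSERVE = 80.0   # slide: conserve mode is entered above 80% shared memory
EXIT_CONSERVE = 70.0    # slide: non-conserve mode only resumes below 70%

# Assumed layout of the Memory line in `get system performance status` output
MEM_RE = re.compile(r"^Memory:\s+(\d+)k total,\s+(\d+)k used \(([\d.]+)%\)")


def parse_memory_pct(snapshot: str) -> float:
    """Return the used-memory percentage from one snapshot; raise if absent."""
    for line in snapshot.splitlines():
        m = MEM_RE.match(line.strip())
        if m:
            return float(m.group(3))
    raise ValueError("no Memory line found in snapshot")


def conserve_timeline(used_pcts, in_conserve=False):
    """Apply the hysteresis: enter above 80%, leave only once usage drops below 70%.

    Returns one (used_pct, in_conserve) pair per reading, in order.
    """
    out = []
    for pct in used_pcts:
        if not in_conserve and pct > ENTER_CONSERVE:
            in_conserve = True
        elif in_conserve and pct < EXIT_CONSERVE:
            in_conserve = False
        out.append((pct, in_conserve))
    return out


# Constructed snapshots standing in for periodic command output
SNAPSHOTS = [
    "CPU states: 2% user 1% system 0% nice 97% idle\n"
    "Memory: 2061108k total, 1001316k used (48.6%), 1059792k free (51.4%)\n"
    "Uptime: 3 days, 4 hours, 10 minutes",
    "Memory: 2061108k total, 1710720k used (83.0%), 350388k free (17.0%)",
    "Memory: 2061108k total, 1566442k used (76.0%), 494666k free (24.0%)",
    "Memory: 2061108k total, 1380942k used (67.0%), 680166k free (33.0%)",
]


def analyse(snapshots):
    """Parse each snapshot and return the conserve-mode timeline."""
    return conserve_timeline(parse_memory_pct(s) for s in snapshots)


if __name__ == "__main__":
    for pct, mode in analyse(SNAPSHOTS):
        print(f"{pct:5.1f}% used -> {'CONSERVE' if mode else 'normal'}")
```

Note that the third reading (76%) stays in conserve mode even though it is below 80%, which is the hysteresis the slide describes.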
Memory Utilization
• If the FortiGate unit receives large volumes of traffic on a specific proxy, it is possible that the unit will exceed the connection pool limit
• Commands can be used on certain FortiGate models to determine the behavior of the FortiGate antivirus system if it becomes overloaded in high traffic and low memory situations
• For example:
config system global
set av-failopen {off|one-shot|pass|idledrop}
Traffic Trace
• Traffic tracing allows a specific packet stream to be followed
• Commands can be used in specific VDOMs to trace packets
• For example:
diag sys session
diag debug flow
diag sniffer packet
Session Table
• An entry is placed in the session table for each traffic session passing through a firewall policy
• Commands can be used to display specific session table information
• For example:
diag sys session list
diag sys session filter <options>
diag sys session filter clear
Object Dependencies
• Configuration objects such as firewall policies may not be deleted if there are other objects that depend on them
• Commands can be used to identify object dependencies
• For example:
diag sys checkused <path.object.mkey>
Flow Trace
• The flow of packets through the FortiGate unit can be monitored
• Commands can be used to set filters on the traffic and display the data to the console
• For example:
diag debug flow filter <option>
diag debug flow show console
diag debug flow trace start
diag debug flow trace stop
Packet Sniffing
• The information contained within packets passing through particular interfaces can be monitored
• Commands can be used to set filters on the packets, identify the interfaces to be monitored and set the level of information to display
• For example:
diag sniffer packet <interface> <filter> <verbose> <count>
Dealing With Network Processors
• On FortiGate devices using FA2 and NP2-based interfaces, only the initial session setup will be displayed through the flow commands
• For troubleshooting purposes, commands can be used to disable NP2 functionality
• For example:
diag npu np2 list
diag npu np2 fastpath disable <0>
diag npu np2 fastpath-sniffer enable port 1
Debugging
• Continuous, real-time event information can be displayed for troubleshooting purposes
• Debug output will continue until explicitly stopped or the FortiGate unit is rebooted
• System performance may be affected
• Output may be generated even though it is not displayed in the console
• Commands can be used to enable, disable and identify the level of information to be displayed
• For example:
diag debug <option> <level>
diag debug enable
diag debug disable
ARP Tables
• The ARP table caches the responses to previous ARP requests for MAC address resolution
• Commands can be used to view and modify the ARP table cache
• For example:
get sys arp
diag ip arp list
execute clear system arp table
diag ip arp delete <interface name> <IP address>
diag ip arp flush <interface name>
config system arp-table
Date and Time
• Log entries are timestamped with the current date and time
• Commands can be used to set the date and time
• For example:
execute time
execute date
• Commands can be used to receive time and date information from an NTP server
• For example:
config system ntp
set ntpsync enable/disable
Self Help Options
• Technical documentation
• Release Notes
• Knowledge Center
• Technical Discussion Forums
• Fortinet Training Online Campus
Labs
• Lab - Diagnostics
• Capturing packets
• Viewing session tables
• Proxy-based inspection