From 657fdb2ac1f50a705a726c4191f0186a8cfb4201 Mon Sep 17 00:00:00 2001 From: yuriskinfo Date: Thu, 14 Dec 2023 12:29:57 +0200 Subject: [PATCH] ongoing additions, changes, and fixes --- .gitignore | 4 + CONTRIBUTING.md | 10 +- LICENSE | 42 +- README.md | 152 +- ...zip-command-line-cookbook-of-examples.adoc | 50 +- ...tches-configuration-examples-cookbook.adoc | 94 +- ...-and-diagnostics-commands-cheat-sheet.adoc | 1034 ++++---- ...heckpoint-firewalls-debug-cheat-sheet.adoc | 90 +- ...-CUCM-CLI-useful-commands-cheat-sheet.adoc | 170 +- ...g-and-diagnostic-commands-cheat-sheet.adoc | 120 +- ...ger-cheat-sheet-of-keyboard-shortcuts.adoc | 234 +- ...e-debug-diagnose-complete-cheat-sheet.adoc | 2138 ++++++++--------- cheat-sheets/FreeBSD-cheat-sheet.adoc | 126 +- cheat-sheets/FreeBSD-cheat-sheet.html | 212 +- .../HIEW-hexadecimal-editor-cheat-sheet.adoc | 140 +- .../ImageMagick-command-line-examples.adoc | 48 +- .../Linux-and-BSD-firewalls-cheat-sheet.adoc | 282 +-- .../Linux-ip-route-reference-by-examples.adoc | 570 ++--- ...6-OS912-debug-and-diagnostic-commands.adoc | 206 +- ...-and-information-commands-cheat-sheet.adoc | 222 +- cheat-sheets/Route53-AWS-CLI-examples.adoc | 286 +-- ...cmd-shell-batch-scripting-cheat-sheet.adoc | 126 +- cheat-sheets/Windows-cmd-shell-tips.adoc | 136 +- cheat-sheets/custom-theme.yml | 10 +- .../fortigate-ssl-vpn-hardening-guide.adoc | 754 +++--- cheat-sheets/git-and-github-cheat-sheet.adoc | 106 +- cheat-sheets/gnu-screen-cheat-sheet.adoc | 278 +-- .../links-text-browser-cheat-sheet.adoc | 130 +- .../macos-mdfind-examples-cheat-sheet.adoc | 444 ++-- ...ommands-reference-by-example-cookbook.adoc | 72 +- 30 files changed, 4145 insertions(+), 4141 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b63dba6 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +#VS Code stuff +.vscode/* +*.code-workspace + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 94b7576..5547bcd 100644 
--- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,5 +1,5 @@ -# Contributions -Contributions are welcome, of course. Any way will do: -* Open PR on any page you found bug/missing info -* Send me an email yuri@yurisk.info -* If we are connected, send me a message on LinkedIn https://www.linkedin.com/in/yurislobodyanyuk/ +# Contributions +Contributions are welcome, of course. Any way will do: +* Open PR on any page you found bug/missing info +* Send me an email yuri@yurisk.info +* If we are connected, send me a message on LinkedIn https://www.linkedin.com/in/yurislobodyanyuk/ diff --git a/LICENSE b/LICENSE index 1f63a76..eba2221 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,21 +1,21 @@ -MIT License - -Copyright (c) 2021 Yuri Slobodyanyuk - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. +MIT License + +Copyright (c) 2021 Yuri Slobodyanyuk + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index 1ca5ee9..450e30d 100644 --- a/README.md +++ b/README.md 
@@ -1,76 +1,76 @@ -# Configuration, Debug and Diagnostics cheat sheets for Network and Linux based equipment -[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) - - - -Collection of cheat sheets to help you with hands-on tasks of troubleshooting and configuring the production equipment. -Make sure to __watch__ this repository to get notified on updates (usually updated once per week). Your stars on the repository as a sign that you found it useful are appreciated, thanks. I also blog at https://yurisk.info about these topics as well. - - - -## Network and Security vendors (Fortinet, Cisco, Checkpoint, Rad, MRV, HP/Aruba) - -[Fortigate debug and diagnose commands complete cheat sheet](cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc) | [PDF](cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.pdf) - -[**Fortigate SSL VPN Hardening Guide**](cheat-sheets/fortigate-ssl-vpn-hardening-guide.adoc) [RU](https://habr.com/ru/articles/734044/) | [PDF](cheat-sheets/fortigate-ssl-vpn-hardening-guide.pdf) - -[Fortianalyzer diagnose and debug cheat sheet](cheat-sheets/Fortianalyzer-debug-cheat-sheet.adoc) | [PDF](cheat-sheets/Fortianalyzer-debug-cheat-sheet.pdf) - -[Checkpoint cpstat tool complete cheat sheet](cheat-sheets/Checkpoint-cpstat-complete-reference-cheat-sheet.adoc) | [PDF](cheat-sheets/Checkpoint-cpstat-complete-reference-cheat-sheet.pdf) - -[Checkpoint Firewalls Debug Cheat Sheet](/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.adoc)| [PDF](/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.pdf) - -[Cisco Nexus 9000 9k debug and diagnostic commands cheat sheet](cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.pdf) - -[Cisco CUCM/Unity/Presence useful CLI commands cheat sheets](cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.adoc) | 
[PDF](cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.pdf) - -[RAD ETX 203, 205, 220 debug and information commands](cheat-sheets/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.pdf) - -[MRV Optiswitch OS904 OS906 OS912 debug and diagnostic commands](cheat-sheets/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands.adoc) | [PDF](cheat-sheets/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands.pdf) - -[Aruba and HP switches debug and diagnostics commands](cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.pdf) - -[Aruba HP switches configuration examples cookbook](/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.adoc) | [PDF](/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.pdf) - -[Ruckus ICX switches 7150, 7250, 7450, 7650, 7750, 7850 diagnostics commands](cheat-sheets/Ruckus-Brocade-ICX-FastIron-switch-debug-nad-diagnostics-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Ruckus-Brocade-ICX-FastIron-switch-debug-nad-diagnostics-commands-cheat-sheet.pdf) - -## Linux, FreeBSD, OpenBSD, and Open Source Tools - -[Linux ip route reference by example](cheat-sheets/Linux-ip-route-reference-by-examples.adoc) | [PDF](cheat-sheets/Linux-ip-route-reference-by-examples.pdf) - -[GNU tar archive manager cookbook of examples](cheat-sheets/gnu-tar-example-reference.adoc) | [PDF](cheat-sheets/gnu-tar-example-reference.pdf) - -[Linux and PF BSD firewalls cheat sheet](cheat-sheets/Linux-and-BSD-firewalls-cheat-sheet.adoc) | [PDF](cheat-sheets/Linux-and-BSD-firewalls-cheat-sheet.pdf) - -[Ubuntu Uncomplicated Firewall (ufw) cookbook of configuration examples](/cheat-sheets/Ubuntu-ufw-firewall-cookbook.adoc) | [PDF](/cheat-sheets/Ubuntu-ufw-firewall-cookbook.pdf) - -[FreeBSD cheat 
sheet](/cheat-sheets/FreeBSD-cheat-sheet.adoc) | [PDF](/cheat-sheets/FreeBSD-cheat-sheet.pdf) - -[Git and github.com commands cheat sheet](cheat-sheets/git-and-github-cheat-sheet.adoc) | [PDF](cheat-sheets/git-and-github-cheat-sheet.pdf) - -[GNU screen terminal multiplexor cheat sheet](cheat-sheets/gnu-screen-cheat-sheet.adoc) | [PDF](cheat-sheets/gnu-screen-cheat-sheet.pdf) - -[Links text browser cheat sheet](cheat-sheets/links-text-browser-cheat-sheet.adoc) | [PDF](cheat-sheets/links-text-browser-cheat-sheet.pdf) - -[Ed text editor complete cheat sheet](cheat-sheets/ed-text-editor-cheat-sheet.adoc) | [PDF](cheat-sheets/ed-text-editor-cheat-sheet.pdf) - -[ncftp Ftp Client Commands example cookbook](cheat-sheets/ncftp-commands-reference-by-example-cookbook.adoc) | [PDF](cheat-sheets/ncftp-commands-reference-by-example-cookbook.pdf) - -[curl cookbook of examples](cheat-sheets/curl-cookbook-of-examples.adoc) | [PDF](cheat-sheets/curl-cookbook-of-examples.pdf) - - -## Apple macOS tools - -[mdfind examples cheat sheet](cheat-sheets/macos-mdfind-examples-cheat-sheet.adoc) | [PDF](cheat-sheets/macos-mdfind-examples-cheat-sheet.pdf) - - -## Windows software and utilities - - -[FAR file manager cheat sheet of keyboard shortcuts](cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.adoc) | [PDF](cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.pdf) - -[Windows cmd.exe shell batch scripting cheat sheet](cheat-sheets/Windows-cmd-shell-batch-scripting-cheat-sheet.adoc) | [PDF](Windows-cmd-shell-batch-scripting-cheat-sheet.pdf) - -## Amazon AWS CLI v2.x - -[Route53 cheat sheet of examples](cheat-sheets/Route53-AWS-CLI-examples.adoc) | [PDF](cheat-sheets/Route53-AWS-CLI-examples.pdf) +# Configuration, Debug and Diagnostics cheat sheets for Network and Linux based equipment +[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) + + + +Collection of cheat sheets to help you with hands-on tasks of troubleshooting 
and configuring the production equipment. +Make sure to __watch__ this repository to get notified on updates (usually updated once per week). Your stars on the repository as a sign that you found it useful are appreciated, thanks. I also blog at https://yurisk.info about these topics as well. + + + +## Network and Security vendors (Fortinet, Cisco, Checkpoint, Rad, MRV, HP/Aruba) + +[Fortigate debug and diagnose commands complete cheat sheet](cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc) | [PDF](cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.pdf) + +[**Fortigate SSL VPN Hardening Guide**](cheat-sheets/fortigate-ssl-vpn-hardening-guide.adoc) [RU](https://habr.com/ru/articles/734044/) | [PDF](cheat-sheets/fortigate-ssl-vpn-hardening-guide.pdf) + +[Fortianalyzer diagnose and debug cheat sheet](cheat-sheets/Fortianalyzer-debug-cheat-sheet.adoc) | [PDF](cheat-sheets/Fortianalyzer-debug-cheat-sheet.pdf) + +[Checkpoint cpstat tool complete cheat sheet](cheat-sheets/Checkpoint-cpstat-complete-reference-cheat-sheet.adoc) | [PDF](cheat-sheets/Checkpoint-cpstat-complete-reference-cheat-sheet.pdf) + +[Checkpoint Firewalls Debug Cheat Sheet](/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.adoc)| [PDF](/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.pdf) + +[Cisco Nexus 9000 9k debug and diagnostic commands cheat sheet](cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.pdf) + +[Cisco CUCM/Unity/Presence useful CLI commands cheat sheets](cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.pdf) + +[RAD ETX 203, 205, 220 debug and information commands](cheat-sheets/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.pdf) + +[MRV Optiswitch OS904 OS906 OS912 
debug and diagnostic commands](cheat-sheets/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands.adoc) | [PDF](cheat-sheets/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands.pdf) + +[Aruba and HP switches debug and diagnostics commands](cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.pdf) + +[Aruba HP switches configuration examples cookbook](/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.adoc) | [PDF](/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.pdf) + +[Ruckus ICX switches 7150, 7250, 7450, 7650, 7750, 7850 diagnostics commands](cheat-sheets/Ruckus-Brocade-ICX-FastIron-switch-debug-nad-diagnostics-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Ruckus-Brocade-ICX-FastIron-switch-debug-nad-diagnostics-commands-cheat-sheet.pdf) + +## Linux, FreeBSD, OpenBSD, and Open Source Tools + +[Linux ip route reference by example](cheat-sheets/Linux-ip-route-reference-by-examples.adoc) | [PDF](cheat-sheets/Linux-ip-route-reference-by-examples.pdf) + +[GNU tar archive manager cookbook of examples](cheat-sheets/gnu-tar-example-reference.adoc) | [PDF](cheat-sheets/gnu-tar-example-reference.pdf) + +[Linux and PF BSD firewalls cheat sheet](cheat-sheets/Linux-and-BSD-firewalls-cheat-sheet.adoc) | [PDF](cheat-sheets/Linux-and-BSD-firewalls-cheat-sheet.pdf) + +[Ubuntu Uncomplicated Firewall (ufw) cookbook of configuration examples](/cheat-sheets/Ubuntu-ufw-firewall-cookbook.adoc) | [PDF](/cheat-sheets/Ubuntu-ufw-firewall-cookbook.pdf) + +[FreeBSD cheat sheet](/cheat-sheets/FreeBSD-cheat-sheet.adoc) | [PDF](/cheat-sheets/FreeBSD-cheat-sheet.pdf) + +[Git and github.com commands cheat sheet](cheat-sheets/git-and-github-cheat-sheet.adoc) | [PDF](cheat-sheets/git-and-github-cheat-sheet.pdf) + +[GNU screen terminal multiplexor cheat sheet](cheat-sheets/gnu-screen-cheat-sheet.adoc) | 
[PDF](cheat-sheets/gnu-screen-cheat-sheet.pdf) + +[Links text browser cheat sheet](cheat-sheets/links-text-browser-cheat-sheet.adoc) | [PDF](cheat-sheets/links-text-browser-cheat-sheet.pdf) + +[Ed text editor complete cheat sheet](cheat-sheets/ed-text-editor-cheat-sheet.adoc) | [PDF](cheat-sheets/ed-text-editor-cheat-sheet.pdf) + +[ncftp Ftp Client Commands example cookbook](cheat-sheets/ncftp-commands-reference-by-example-cookbook.adoc) | [PDF](cheat-sheets/ncftp-commands-reference-by-example-cookbook.pdf) + +[curl cookbook of examples](cheat-sheets/curl-cookbook-of-examples.adoc) | [PDF](cheat-sheets/curl-cookbook-of-examples.pdf) + + +## Apple macOS tools + +[mdfind examples cheat sheet](cheat-sheets/macos-mdfind-examples-cheat-sheet.adoc) | [PDF](cheat-sheets/macos-mdfind-examples-cheat-sheet.pdf) + + +## Windows software and utilities + + +[FAR file manager cheat sheet of keyboard shortcuts](cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.adoc) | [PDF](cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.pdf) + +[Windows cmd.exe shell batch scripting cheat sheet](cheat-sheets/Windows-cmd-shell-batch-scripting-cheat-sheet.adoc) | [PDF](Windows-cmd-shell-batch-scripting-cheat-sheet.pdf) + +## Amazon AWS CLI v2.x + +[Route53 cheat sheet of examples](cheat-sheets/Route53-AWS-CLI-examples.adoc) | [PDF](cheat-sheets/Route53-AWS-CLI-examples.pdf) diff --git a/cheat-sheets/7zip-command-line-cookbook-of-examples.adoc b/cheat-sheets/7zip-command-line-cookbook-of-examples.adoc index b41444a..9807059 100644 --- a/cheat-sheets/7zip-command-line-cookbook-of-examples.adoc +++ b/cheat-sheets/7zip-command-line-cookbook-of-examples.adoc 
@@ -1,25 +1,25 @@ -= 7z Linux Command Line Cookbook of Examples -:homepage: https://github.com/yuriskinfo/cheat-sheets -:toc: - -Author: https://www.linkedin.com/in/yurislobodyanyuk/ - -== Important facts about 7-zip -* 7-zip does NOT store the owner/group of the files/folders being archived, which is good for privacy, but may not suite your specifc use case, especially as a back up tool. -* 7-zip is a name of the compression tool created by Igor Pavlov. -* While Igor Pavlov provides Linux/macOS versions as well, another implementation by independent developer (Mohammed Adnene Trojette) has become wide used in the Linux realm - `p7zip`. This cookbook relates to this, independent version, so options and switches may differ a bit from 7-zip Windows canonical version. - -== Install p7zip package on Linux -This tool is already in all the major repositories, so you should have no problems installing it. - -`Ubuntu`: `sudo apt install p7zip-full` - -`CentOS/Fedora`: `sudo yum install p7zip p7zip-plugins` - -== Create an archive adding all the files in the current folder -We first indicate to `7-zip` that we want to _add_ to an archive with `a` command, then we specify the archive name, and finally, we use `*` as wildcard to include all files in the current folder. - -`7z a folder.7z *` - -The result - _folder.7z_ will be placed in the same folder where it run. - += 7z Linux Command Line Cookbook of Examples +:homepage: https://github.com/yuriskinfo/cheat-sheets +:toc: + +Author: https://www.linkedin.com/in/yurislobodyanyuk/ + +== Important facts about 7-zip +* 7-zip does NOT store the owner/group of the files/folders being archived, which is good for privacy, but may not suite your specifc use case, especially as a back up tool. +* 7-zip is a name of the compression tool created by Igor Pavlov. 
+* While Igor Pavlov provides Linux/macOS versions as well, another implementation by independent developer (Mohammed Adnene Trojette) has become wide used in the Linux realm - `p7zip`. This cookbook relates to this, independent version, so options and switches may differ a bit from 7-zip Windows canonical version. + +== Install p7zip package on Linux +This tool is already in all the major repositories, so you should have no problems installing it. + +`Ubuntu`: `sudo apt install p7zip-full` + +`CentOS/Fedora`: `sudo yum install p7zip p7zip-plugins` + +== Create an archive adding all the files in the current folder +We first indicate to `7-zip` that we want to _add_ to an archive with `a` command, then we specify the archive name, and finally, we use `*` as wildcard to include all files in the current folder. + +`7z a folder.7z *` + +The result - _folder.7z_ will be placed in the same folder where it run. + diff --git a/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.adoc b/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.adoc index 76f59fd..396c701 100644 --- a/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.adoc +++ b/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.adoc 
@@ -1,47 +1,47 @@ -= Aruba HP switches configuration examples cookbook -Yuri SLobodyanyuk, admin@yurisk.info -:homepage: https://yurisk.info -:toc: - -Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ - - -== Reset/wipe switch configuration to the factory defaults -WARNING: This will erase all the configuration and cannot be undone. - -If you don't have priveleged EXEC access to the switch: - -. Push and hold the _Reset_ button with sharp object like pen/pencil. -. Now also push and hold _Clear_ button with another sharp object. -. When LEDs are turned on - release _Reset_ button, while holding the _Clear_. -. When LEDs start to blink, release the _Clear_ button as well. - -If you have privileged EXEC access to the switch, just run *(config)# erase startup* and reboot. - -== Restrict management access to specific IP addresses -To limit access to the switch, use *ip authorized-managers* command. Example - limit access to a single IP of 192.168.13.127: - ----- -ip authorized-managers 192.168.13.127 255.255.255.255 access operator -ip authorized-managers 192.168.13.127 255.255.255.255 access manager ----- - - -== Add default gateway on Layer 2 switch for management -We have to set default gateway on a switch for the management VLAN we choose to be reachable and managed remotely. The command does not mention explicitly the VLAN number, just make sure the network is the network configured on the management VLAN. 
- ----- -ip default-gateway 10.13.13.127 ----- - -It is, for example, when VLAN 200 is configured as management VLAN: - ----- -vlan 200 - name "MgmtVlan" - tagged Trk1 - ip address 10.13.13.250 255.255.255.0 - exit ----- - - += Aruba HP switches configuration examples cookbook +Yuri SLobodyanyuk, admin@yurisk.info +:homepage: https://yurisk.info +:toc: + +Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ + + +== Reset/wipe switch configuration to the factory defaults +WARNING: This will erase all the configuration and cannot be undone. + +If you don't have priveleged EXEC access to the switch: + +. Push and hold the _Reset_ button with sharp object like pen/pencil. +. Now also push and hold _Clear_ button with another sharp object. +. When LEDs are turned on - release _Reset_ button, while holding the _Clear_. +. When LEDs start to blink, release the _Clear_ button as well. + +If you have privileged EXEC access to the switch, just run *(config)# erase startup* and reboot. + +== Restrict management access to specific IP addresses +To limit access to the switch, use *ip authorized-managers* command. Example - limit access to a single IP of 192.168.13.127: + +---- +ip authorized-managers 192.168.13.127 255.255.255.255 access operator +ip authorized-managers 192.168.13.127 255.255.255.255 access manager +---- + + +== Add default gateway on Layer 2 switch for management +We have to set default gateway on a switch for the management VLAN we choose to be reachable and managed remotely. The command does not mention explicitly the VLAN number, just make sure the network is the network configured on the management VLAN. + +---- +ip default-gateway 10.13.13.127 +---- + +It is, for example, when VLAN 200 is configured as management VLAN: + +---- +vlan 200 + name "MgmtVlan" + tagged Trk1 + ip address 10.13.13.250 255.255.255.0 + exit +---- + + 
diff --git a/cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.adoc b/cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.adoc index cdc00b6..7663db1 100644 --- a/cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.adoc +++ b/cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.adoc 
@@ -1,517 +1,517 @@ -= Aruba and HP switches debug and diagnostics commands cheat sheet -Yuri SLobodyanyuk, admin@yurisk.info -:homepage: https://yurisk.info -:toc: - -Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ - -NOTE: All commands were tested on HP/Aruba 5400 switches (specifically 5406Rzl2), but will work on any model with recent firmware versions (16.x or newer), except for the hardware features unavailable on smaller models, like VSF . - - -== General Health -[cols=2, options="header"] -|=== -|Command -|Description - -|*show system* -|Show general info: current CPU load, uptime, memory used/free, software version. - -|*show cpu [_seconds_]* -|Show CPU stats of average load for 1 second, 5 seconds, and 1 minute, optionally setting period in _seconds_ (300 is max). - -|*show uptime* -|Show uptime of the switch since reboot, for VSF stacked switches shows uptime for each member. - -|*show time* -|Show switch time and date, for log correlation. - - -|*show flash* -| Show what firmware images are stored in the flash, and which one is the primary/secondary for the next boot. - -|*show boot-history* -|Show log of previous boots with their reason (user reboot/cold reboot), crashes and what process crashed with its memory dump, and timestamps. - -|*boot system flash primary\|secondary* -|Set the image to boot from on the next reboot. - -|*show redundancy [detail]* -|In module management redundancy standalone/stack topology, shows firmware image version of each module, as well as the number of failovers. - -|*show system power-supply [detail]* -|Show statistics of the power supplies: power consumed, power supplied, fan speed,inlet and internal temperature. - -|*show system fans* -|Show fans state: OK/Failed, and number of failures if any. For VSF shows info -for both members. - -|*show config _option_* -a| Display part of saved configuration given by _option_: - -`status`: Tell if the running config differs from the startup config. 
- -`interface` _port-id_: Show startup config for the specified interface. - -`router bgp\|ospf\|pim`: Show startup configuration section for this routing protocol. - -`vlan` _vlan-id_: Startup configuration for VLAN(s). - -|*show modules* -|Show installed modules and their state and serial numbers. - -|*show tech [all]* -|WARNING: I bring this command for completeness sake, but this command will run dozens/hundreds of debug commands, printing lots of info, hundreds of pages, which in turn will load the switch as well. Run it with caution, most probably at the HPE support request only. - -|*show environment* -|Show the chassis' sensors temperature - - -|=== - -== Logs -[cols=2, options="header"] -|=== -|Command -|Description - -a| Logs severity: - -* W=Warning -* I=Information -* M=Major -* D=Debug -* E=Error -| All logs are categorized into severities when written, and the severity is presented in the 1st column of each log. This also -allows filtering logs for display by their severity, see below. - - -| *show logging -r* -| Show system logs and events in reverse chronological order, i.e. newest logs first. - -|*show log -a* -|Show logs from previous boot cycles. HP/Aruba will display only logs since the last boot, by default, but you can add `-a` to any of the log display commands below to work on previous logs as well. - -|*show log _string-to-search_* -|Search and display only logs containing the specified string. The search is *case sensitive*, and no regex - just plain strings with exact match. E.g. to search for logs containing the interface _1/B2_: `show log 1/B2`; to search for all bgp-related logs like peer up/down: `show log -r bgp`. - -|*show log command [-a]* -|Show log of commands issued by users on CLI. This log is NOT hidden even by -the `clear log` and records all commands - both configuration and not. So, it will record commands like `ping 8.8.8.8`, `clear log`, `no router bgp`. Adding `-a` will show logs from previous boot cycles. 
- -|*show running-config changes-history [detail]* -|Display history of up to 32 last changes to the configuration, including time of change, IP address if any, event id. This will NOT show what the changes were themselves though. - -|*show log -m/-e/-p/-w/-i/-d* -|Show only logs of the specified severity, see above for the available severities. - -|*clear log* -|Hides, not deletes, (almost) all logs for the current session. Applying `-a` will still display all logs. - -|*show log -s* -|Display logs from the Standby commander/management module in a VSF stack or in standalone switch with management module redundancy. - -|*show log -b* -|Show logs with time since boot instead of an absolute date/time format. -|=== - - - - - -== Interfaces -[cols=2,options="header"] -|=== -|Command -|Description - -|*show interface [_port-id_]* -|Show as a table (if _port-id_ is not given) all ports with the total bytes/frames, Rx/Tx errors, and Broadcast limit if set for each port. - -|*clear statistics global* -|Clear counters on all interfaces. - -|*show interface status* -| Show list of all interfaces with info for each: state (Up/Down), Actual Speed, Tagged or not, VLANs configured for the interface (single VLAN for Untagged, `multiple` for Tagged). NOTE: In Cisco world Tagged interface is called *trunk*. - -|*display interface [_name_]* -|Show detailed information of an interface: media type, speed/duplex state, MAC address, up/down, max frame size, VLAN id if any untagged set and `.` (dot) for -multiple tagged VLANs, input/output erros, buffer failures, CRC errors, runts. - -|*show interface display* -|Present TUI dialog window with real-time information for all interfaces, including total bytes/frames, Rx/Tx errors, and drops. The information is updated every 3 seconds dynamically. Use arrows/tab to navigate, CTRL + C to exit the menu. - -|*show interfaces custom _start-port_[-_end-port_] * -|Show selected ports with only specified fields: `port`, `type`, `status` etc. E.g. 
`show interface custom 1/B1 port status speed vlan`. - - -|*show interface port-utilization* -|Show one time as a table the current traffic rates passing each interface. - -|*show interface trunk-utilization* -|Show current traffic rates of all trunks. - -|*show int queue _port-name_* -| Show statistics of all queue buffers of a given interface, including _drops_ for each. - -|*conf t* - -*int _name_* - -*disable/enable* -|Disable/enable a specific interface (in Cisco world `shut`/`no shut`) - -|*show interface transceiver [_name_] [detail]* -|Info on installed optical transceivers: Port number where installed, Type/Speed, Serial Number. If _detail_ is added, will also show temperature, voltage, Transmit (TX) and Receive (RX) power in mW and dBm. - -|*show ip* -| Show all configured IP addresses on a switch. - -|*show arp vlan _vlan-id_* -|List all IP addresses (provided Layer 3 features are enabled) learned on the VLAN _vlan-id_. - - -|*show name* -|Lists all interfaces with their names if set. In Cisco it would be `show int description` - -|*show trunks* -| Show trunk interfaces with their state and type. NOTE: In HP/Aruba world *trunk* means aggregated interfaces (LAG), what in Cisco world is called port/ether-channel. - -|*show trunk-statistics _trunk-name_* -| Show cumulative statistics for the trunk interface: packets passed, bytes received, drops if any. - -|*show lacp* -|Show LACP state on the trunking interfaces. - -|*show lacp counters* -|show stats for received/sent LACP PDUs per trunk (should be increasing). - -|*show port-security _port-id_* -|Show port security state for all/specified interfaces. - -|*test cable-diagnostics _port-list_* - -*show cable-diagnostics* -|Initiate and show results of Time-domain reflectometer cable diagnostics test to check Ethernet cables for faults. This will *shut down* temporarily all the tested ports! 
- -|=== - -== VLANs -[cols=2,options="header"] -|=== -|Command -|Description - -|*show vlans* -|Show a list of all VLANs configured on this switch. - -|*show vlans ports _port-name_[_,port2-name_...]* -|Show vlans enabled on the specified physical port. - -|*show vlans _vlan-id_* -|Show ports where the specified _vlan-id_ is enabled, either as `tagged` or `untagged` - -|*conf t* - -*(config)# no vlan _vlan-id_* -| Deletes VLAN _vlan-id_ from configuration and un-assigns all ports from it, if some ports have no other VLAN association, they will be auto-assigned to default VLAN 1. WARNING: this command deletes the VLAN specified no matter from which sub-config mode you issue it. That is, even under interface config mode, this will remove all configuration for this VLAN from everywhere. - - - - -|=== - -== Daemons Real-Time Debug - -[cols=2,options="header"] -|=== -|Command -|Description - -|*show debug* -|Show currently enabled debug - -|*debug destination logging/session/buffer* -|Set location to output the debug to (default `none`), run before enabling the debug: - -`logging` - send the debug to the configured (if any) syslog server. - -`session` - send to the terminal (Cisco analog of `term mon`). - -`buffer` - send to the switch memory buffer. - -|*show debug buffer* -|Show log buffer with the collected debug output if the destination was set to `buffer`. - -|*[no] debug _daemon-name_* -a|enable real-time debug of the specified daemon. Use `no` option to disable the debug. The daemons are: - -* `acl` Displays debug messages for access control lists. -* `all` Display all debug messages. -* `aruba-central` Display Aruba Central server debug information. -* `bfd` Enable BFD debug logging. -* `cdp` Display CDP information. -* `cfg-restore` Display cfg-restore debug messages. -* `dhcp-server` Display DHCP server debug messages. -* `distributed-trunking` Display DT debug messages. -* `est` Display EST debug messages. -* `event` Display event log messages. 
-* `ip` Display debug messages for IPv4. -* `ip-sla` Enable debug logs for IP SLA. -* `ipv6` Enable debug messages for IPv6. -* `lacp` Display LACP information. -* `lldp` Display LLDP information. -* `mdns` Display mDNS debug messages. -* `mstp` Display MSTP debug messages. -* `mvrp` Enable MVRP debug messages. -* `ntp` Display debug messages for NTP. -* `openflow` Display all OpenFlow packets. -* `rest-interface` Display REST debug information. -* `rpvst` Display RPVST debug messages. -* `security` Display all Security messages. -* `services` Display debug messages on services module. -* `smart-link` Display Smart link debug messages. -* `snmp` Display SNMP debug messages. -* `time-stamp` Enable/disable system-time to be associated with debug messages. -* `tunnel` Display tunnel debug messages. -* `udld` Display UDLD debug messages. -* `uplink-failure-detection` Display UFD debug messages. -* `usertn` Displays authentication module log messages for user-based tunneled node -* `vrrp` Display VRRP debug messages. -* `ztp` Display ZTP debug messages. - - -|*debug ip _routing-process_* -a|Debug various routing processes. The _routing-process_ is one of the: - -* `bgp` Display all BGP routing messages. -* `client-tracker` Displays debug messages for IP client tracker. -* `fib` Display IP Forwarding Information Base messages & events. -* `forwarding` Display IPv4 forwarding messages. -* `iface` Display interface management messages. -* `igmp` Display all IGMP messages. -* `ospf` Display all OSPF routing messages. -* `ospfv3` [Deprecated] Enable debug messages for OSPFv3. -* `packet` Display IPv4 packet messages. -* `pbr` Enable debug messages for PBR. -* `pim` Enable/disable tracing of PIM messages. -* `rip` Display all RIP routing messages. - - -|*show ip ssh*, *kill _session-number_* -|HP Aruba allows up to 5 SSH sessions at the same time, additional users will -not be able to connect. 
To disconnect existing SSH sessions, run `show ip ssh` -and notice session number in the leftmose column, then disconnect it with `kill -` - -|=== - -== Spanning Tree Protocol (STP) -[cols=2,options="header"] -|=== -|Command -|Description - -|*display stp root* -| Show root switch for each VLAN. - -|*display stp brief* -| Show STP state for each port/VLAN - Forwarding/Blocking, STP role. - -|=== - -== Routing Info -=== Static -[cols=2,options="header"] -|=== -|Command -|Description - -|*show ip* -| Show IP routing state: disabled/enabled. It is disabled by default, to enable: *(config)# ip routing* on platforms that support Layer 3 routing. Also displays list of all the interfaces/VLANs with IP address set. - -|*show ip route* -| Show static and connected routes on the switch. - - - -|=== - -=== BGP -[cols=2,options="header"] -|=== -|Command -|Description - -|*show ip bgp summary* -|Show in short format all BGP peers with their IP address, AS number, and state. The first command to try for BGP. - -|*show ip bgp _prefix/mask_* -|Show BGP info for the specified prefix. - -|*show ip bgp* -|Display routes learned via BGP. - -|*show ip bgp neighbor [_ip-address-of-peer_]* -|Show detailed information about the BGP session with all or the specified peer(s), including hold time, weight, prefixes advertised/received, etc. - -|*show ip bgp neighbor _ip-address_ advertised-routes* -|Display routes we advertise via BGP to the _ip-address_ neighbor. - -|*show ip bgp neighbor _ip-address_ received-routes* -|Display routes we learned from the given BGP peer. - -|*show log bgp* -|Show logs that include the word `bgp`. It will include BGP peering establishment/tear up. - -|=== - - -=== OSPF -[cols=2,options="header"] -|=== -|Command -|Description - -|*show ip ospf* -|Show if the OSPF process is running and router id. - -|*show ip ospf area* -|Show all areas configured on this device. 
- -|*show ip ospf statistics* -|List OSPF packet statistics (OSPF sent,recieved and error packet count) of all OSPF enabled interfaces. - -|*show ip ospf interface* -|Show OSPF interfaces' information. - -|*show ip ospf neighbor* -|List all established neighborships on this device. - -|*show ip ospf link-state* -|Show all Link State Advertisements. - -|=== - - -== LLDP & MAC & CDP - -[cols=2,options="header"] -|=== -|Command -|Description - -|*show lldp info remote-device [detail]* -|Display LLDP neighbors. The info includes: local port name, chassis id of the peer, remote system name, remote port. If _detail_ is added, will also show exact firmware version used, and management IP address if configured. Useful for -topology discovery, which switch is connected to which. - -|*show lldp info local-device [detail]* -|Show info about the device you are connected to: chassis id, system name, firmware image version, IP addresses configured. - -|*show lldp stats* -|Show LLDP packets sent/received per port. - -|*show mac-address [detail]* -|Show complete MAC addresses table with port names, MAC addresses, and VLANs. If _detail_ is added, will also show age of -each entry. - -|*show mac-address vlan _vlanid_* -| Show MAC addresses learned on the specified VLAN. - -|*show mac-address _port1_[,_port2_...]* -|Show MAC addresses learned on specified ports. - -|*show cdp neighbors [detail]* -|Show list of CDP neighhbors with info on their MAC address, model, local port where it was seen. Adding `detail` also shows IP address of the CDP neighbor, if configured. - -|=== - - - -== PoE -[cols=2,options="header"] -|=== -|Command -|Description - -|*show power-over-ethernet brief [_port name_]* -|Show detailed information about PoE-enabled interfaces, including information on drawn/available -power per port, state. Optionally, limit information to a specific port. - -|*show power-over-ethernet brief vsf member _member id_* -|Show PoE detailed info per VSF member. 
- -|*show power-over-ethernet* -| Display PoE general information for the whole switch: total available/used power, PoE redundancy status, -internal power. - - -|=== - -== DHCP -[cols=2,options="header"] -|=== -|Command -|Description - -|*show dhcp-server statistics* -|Show DHCP server stats for Discover/Offer/Ack/NAK messages received/sent, number of pools configured. - -|*clear dhcp-server statistics* -|Clear DHCP server stats. - -|*show dhcp-server binding\|conflict\|database\|pool* -|Show variouis operational parameters of the DHCP server. -|=== - - - - - -== NTP -[cols=2,options="header"] -|=== -|Command -|Description - -|*show ntp status* -|Show current status of NTP - -|*show ntp servers* -|Display configured NTP servers - -|*show ntp statistics* -|Show stats for NTP - number of NTP packets sent/received, and errors. - -|*show ntp associations [detail]* -|Show state of associations with the configured NTP servers, together with stats: delay, offset, dispersion, and stratum. - -|*show run \| i ntp* -|Show NTP-related configs. - -|=== - - -== VSF (Virtual Switching Framework) -[cols=2,options="header"] -|=== -|Command -|Description - -|*show vsf [detail]* -|Show general VSF status: who is active, priority, software versions. - -|*show vsf member _member-id_* -|Show general info on a specific member: serial number, uptime, cpu usage, memory usage, status: Commander/Standby, priority. - -|*show vsf link [detail\|utilization]* -|Show info on VSF link (VPC peer link in the Cisco world). Problems with VSF link may cause split-brain situation, when each member acts independently. - -|*show redundancy* -|Shows firmware image version of each member, as well as the number of failovers. - -|*boot vsf member _member-id_* -|Reboot the specified VSF member. 
- - -|=== += Aruba and HP switches debug and diagnostics commands cheat sheet +Yuri SLobodyanyuk, admin@yurisk.info +:homepage: https://yurisk.info +:toc: + +Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ + +NOTE: All commands were tested on HP/Aruba 5400 switches (specifically 5406Rzl2), but will work on any model with recent firmware versions (16.x or newer), except for the hardware features unavailable on smaller models, like VSF . + + +== General Health +[cols=2, options="header"] +|=== +|Command +|Description + +|*show system* +|Show general info: current CPU load, uptime, memory used/free, software version. + +|*show cpu [_seconds_]* +|Show CPU stats of average load for 1 second, 5 seconds, and 1 minute, optionally setting period in _seconds_ (300 is max). + +|*show uptime* +|Show uptime of the switch since reboot, for VSF stacked switches shows uptime for each member. + +|*show time* +|Show switch time and date, for log correlation. + + +|*show flash* +| Show what firmware images are stored in the flash, and which one is the primary/secondary for the next boot. + +|*show boot-history* +|Show log of previous boots with their reason (user reboot/cold reboot), crashes and what process crashed with its memory dump, and timestamps. + +|*boot system flash primary\|secondary* +|Set the image to boot from on the next reboot. + +|*show redundancy [detail]* +|In module management redundancy standalone/stack topology, shows firmware image version of each module, as well as the number of failovers. + +|*show system power-supply [detail]* +|Show statistics of the power supplies: power consumed, power supplied, fan speed,inlet and internal temperature. + +|*show system fans* +|Show fans state: OK/Failed, and number of failures if any. For VSF shows info +for both members. + +|*show config _option_* +a| Display part of saved configuration given by _option_: + +`status`: Tell if the running config differs from the startup config. 
+ +`interface` _port-id_: Show startup config for the specified interface. + +`router bgp\|ospf\|pim`: Show startup configuration section for this routing protocol. + +`vlan` _vlan-id_: Startup configuration for VLAN(s). + +|*show modules* +|Show installed modules and their state and serial numbers. + +|*show tech [all]* +|WARNING: I bring this command for completeness sake, but this command will run dozens/hundreds of debug commands, printing lots of info, hundreds of pages, which in turn will load the switch as well. Run it with caution, most probably at the HPE support request only. + +|*show environment* +|Show the chassis' sensors temperature + + +|=== + +== Logs +[cols=2, options="header"] +|=== +|Command +|Description + +a| Logs severity: + +* W=Warning +* I=Information +* M=Major +* D=Debug +* E=Error +| All logs are categorized into severities when written, and the severity is presented in the 1st column of each log. This also +allows filtering logs for display by their severity, see below. + + +| *show logging -r* +| Show system logs and events in reverse chronological order, i.e. newest logs first. + +|*show log -a* +|Show logs from previous boot cycles. HP/Aruba will display only logs since the last boot, by default, but you can add `-a` to any of the log display commands below to work on previous logs as well. + +|*show log _string-to-search_* +|Search and display only logs containing the specified string. The search is *case sensitive*, and no regex - just plain strings with exact match. E.g. to search for logs containing the interface _1/B2_: `show log 1/B2`; to search for all bgp-related logs like peer up/down: `show log -r bgp`. + +|*show log command [-a]* +|Show log of commands issued by users on CLI. This log is NOT hidden even by +the `clear log` and records all commands - both configuration and not. So, it will record commands like `ping 8.8.8.8`, `clear log`, `no router bgp`. Adding `-a` will show logs from previous boot cycles. 
+ +|*show running-config changes-history [detail]* +|Display history of up to 32 last changes to the configuration, including time of change, IP address if any, event id. This will NOT show what the changes were themselves though. + +|*show log -m/-e/-p/-w/-i/-d* +|Show only logs of the specified severity, see above for the available severities. + +|*clear log* +|Hides, not deletes, (almost) all logs for the current session. Applying `-a` will still display all logs. + +|*show log -s* +|Display logs from the Standby commander/management module in a VSF stack or in standalone switch with management module redundancy. + +|*show log -b* +|Show logs with time since boot instead of an absolute date/time format. +|=== + + + + + +== Interfaces +[cols=2,options="header"] +|=== +|Command +|Description + +|*show interface [_port-id_]* +|Show as a table (if _port-id_ is not given) all ports with the total bytes/frames, Rx/Tx errors, and Broadcast limit if set for each port. + +|*clear statistics global* +|Clear counters on all interfaces. + +|*show interface status* +| Show list of all interfaces with info for each: state (Up/Down), Actual Speed, Tagged or not, VLANs configured for the interface (single VLAN for Untagged, `multiple` for Tagged). NOTE: In Cisco world Tagged interface is called *trunk*. + +|*display interface [_name_]* +|Show detailed information of an interface: media type, speed/duplex state, MAC address, up/down, max frame size, VLAN id if any untagged set and `.` (dot) for +multiple tagged VLANs, input/output erros, buffer failures, CRC errors, runts. + +|*show interface display* +|Present TUI dialog window with real-time information for all interfaces, including total bytes/frames, Rx/Tx errors, and drops. The information is updated every 3 seconds dynamically. Use arrows/tab to navigate, CTRL + C to exit the menu. + +|*show interfaces custom _start-port_[-_end-port_] * +|Show selected ports with only specified fields: `port`, `type`, `status` etc. E.g. 
`show interface custom 1/B1 port status speed vlan`. + + +|*show interface port-utilization* +|Show one time as a table the current traffic rates passing each interface. + +|*show interface trunk-utilization* +|Show current traffic rates of all trunks. + +|*show int queue _port-name_* +| Show statistics of all queue buffers of a given interface, including _drops_ for each. + +|*conf t* + +*int _name_* + +*disable/enable* +|Disable/enable a specific interface (in Cisco world `shut`/`no shut`) + +|*show interface transceiver [_name_] [detail]* +|Info on installed optical transceivers: Port number where installed, Type/Speed, Serial Number. If _detail_ is added, will also show temperature, voltage, Transmit (TX) and Receive (RX) power in mW and dBm. + +|*show ip* +| Show all configured IP addresses on a switch. + +|*show arp vlan _vlan-id_* +|List all IP addresses (provided Layer 3 features are enabled) learned on the VLAN _vlan-id_. + + +|*show name* +|Lists all interfaces with their names if set. In Cisco it would be `show int description` + +|*show trunks* +| Show trunk interfaces with their state and type. NOTE: In HP/Aruba world *trunk* means aggregated interfaces (LAG), what in Cisco world is called port/ether-channel. + +|*show trunk-statistics _trunk-name_* +| Show cumulative statistics for the trunk interface: packets passed, bytes received, drops if any. + +|*show lacp* +|Show LACP state on the trunking interfaces. + +|*show lacp counters* +|show stats for received/sent LACP PDUs per trunk (should be increasing). + +|*show port-security _port-id_* +|Show port security state for all/specified interfaces. + +|*test cable-diagnostics _port-list_* + +*show cable-diagnostics* +|Initiate and show results of Time-domain reflectometer cable diagnostics test to check Ethernet cables for faults. This will *shut down* temporarily all the tested ports! 
+ +|=== + +== VLANs +[cols=2,options="header"] +|=== +|Command +|Description + +|*show vlans* +|Show a list of all VLANs configured on this switch. + +|*show vlans ports _port-name_[_,port2-name_...]* +|Show vlans enabled on the specified physical port. + +|*show vlans _vlan-id_* +|Show ports where the specified _vlan-id_ is enabled, either as `tagged` or `untagged` + +|*conf t* + +*(config)# no vlan _vlan-id_* +| Deletes VLAN _vlan-id_ from configuration and un-assigns all ports from it, if some ports have no other VLAN association, they will be auto-assigned to default VLAN 1. WARNING: this command deletes the VLAN specified no matter from which sub-config mode you issue it. That is, even under interface config mode, this will remove all configuration for this VLAN from everywhere. + + + + +|=== + +== Daemons Real-Time Debug + +[cols=2,options="header"] +|=== +|Command +|Description + +|*show debug* +|Show currently enabled debug + +|*debug destination logging/session/buffer* +|Set location to output the debug to (default `none`), run before enabling the debug: + +`logging` - send the debug to the configured (if any) syslog server. + +`session` - send to the terminal (Cisco analog of `term mon`). + +`buffer` - send to the switch memory buffer. + +|*show debug buffer* +|Show log buffer with the collected debug output if the destination was set to `buffer`. + +|*[no] debug _daemon-name_* +a|enable real-time debug of the specified daemon. Use `no` option to disable the debug. The daemons are: + +* `acl` Displays debug messages for access control lists. +* `all` Display all debug messages. +* `aruba-central` Display Aruba Central server debug information. +* `bfd` Enable BFD debug logging. +* `cdp` Display CDP information. +* `cfg-restore` Display cfg-restore debug messages. +* `dhcp-server` Display DHCP server debug messages. +* `distributed-trunking` Display DT debug messages. +* `est` Display EST debug messages. +* `event` Display event log messages. 
+* `ip` Display debug messages for IPv4. +* `ip-sla` Enable debug logs for IP SLA. +* `ipv6` Enable debug messages for IPv6. +* `lacp` Display LACP information. +* `lldp` Display LLDP information. +* `mdns` Display mDNS debug messages. +* `mstp` Display MSTP debug messages. +* `mvrp` Enable MVRP debug messages. +* `ntp` Display debug messages for NTP. +* `openflow` Display all OpenFlow packets. +* `rest-interface` Display REST debug information. +* `rpvst` Display RPVST debug messages. +* `security` Display all Security messages. +* `services` Display debug messages on services module. +* `smart-link` Display Smart link debug messages. +* `snmp` Display SNMP debug messages. +* `time-stamp` Enable/disable system-time to be associated with debug messages. +* `tunnel` Display tunnel debug messages. +* `udld` Display UDLD debug messages. +* `uplink-failure-detection` Display UFD debug messages. +* `usertn` Displays authentication module log messages for user-based tunneled node +* `vrrp` Display VRRP debug messages. +* `ztp` Display ZTP debug messages. + + +|*debug ip _routing-process_* +a|Debug various routing processes. The _routing-process_ is one of the: + +* `bgp` Display all BGP routing messages. +* `client-tracker` Displays debug messages for IP client tracker. +* `fib` Display IP Forwarding Information Base messages & events. +* `forwarding` Display IPv4 forwarding messages. +* `iface` Display interface management messages. +* `igmp` Display all IGMP messages. +* `ospf` Display all OSPF routing messages. +* `ospfv3` [Deprecated] Enable debug messages for OSPFv3. +* `packet` Display IPv4 packet messages. +* `pbr` Enable debug messages for PBR. +* `pim` Enable/disable tracing of PIM messages. +* `rip` Display all RIP routing messages. + + +|*show ip ssh*, *kill _session-number_* +|HP Aruba allows up to 5 SSH sessions at the same time, additional users will +not be able to connect. 
To disconnect existing SSH sessions, run `show ip ssh` +and notice session number in the leftmose column, then disconnect it with `kill +` + +|=== + +== Spanning Tree Protocol (STP) +[cols=2,options="header"] +|=== +|Command +|Description + +|*display stp root* +| Show root switch for each VLAN. + +|*display stp brief* +| Show STP state for each port/VLAN - Forwarding/Blocking, STP role. + +|=== + +== Routing Info +=== Static +[cols=2,options="header"] +|=== +|Command +|Description + +|*show ip* +| Show IP routing state: disabled/enabled. It is disabled by default, to enable: *(config)# ip routing* on platforms that support Layer 3 routing. Also displays list of all the interfaces/VLANs with IP address set. + +|*show ip route* +| Show static and connected routes on the switch. + + + +|=== + +=== BGP +[cols=2,options="header"] +|=== +|Command +|Description + +|*show ip bgp summary* +|Show in short format all BGP peers with their IP address, AS number, and state. The first command to try for BGP. + +|*show ip bgp _prefix/mask_* +|Show BGP info for the specified prefix. + +|*show ip bgp* +|Display routes learned via BGP. + +|*show ip bgp neighbor [_ip-address-of-peer_]* +|Show detailed information about the BGP session with all or the specified peer(s), including hold time, weight, prefixes advertised/received, etc. + +|*show ip bgp neighbor _ip-address_ advertised-routes* +|Display routes we advertise via BGP to the _ip-address_ neighbor. + +|*show ip bgp neighbor _ip-address_ received-routes* +|Display routes we learned from the given BGP peer. + +|*show log bgp* +|Show logs that include the word `bgp`. It will include BGP peering establishment/tear up. + +|=== + + +=== OSPF +[cols=2,options="header"] +|=== +|Command +|Description + +|*show ip ospf* +|Show if the OSPF process is running and router id. + +|*show ip ospf area* +|Show all areas configured on this device. 
+ +|*show ip ospf statistics* +|List OSPF packet statistics (OSPF sent,recieved and error packet count) of all OSPF enabled interfaces. + +|*show ip ospf interface* +|Show OSPF interfaces' information. + +|*show ip ospf neighbor* +|List all established neighborships on this device. + +|*show ip ospf link-state* +|Show all Link State Advertisements. + +|=== + + +== LLDP & MAC & CDP + +[cols=2,options="header"] +|=== +|Command +|Description + +|*show lldp info remote-device [detail]* +|Display LLDP neighbors. The info includes: local port name, chassis id of the peer, remote system name, remote port. If _detail_ is added, will also show exact firmware version used, and management IP address if configured. Useful for +topology discovery, which switch is connected to which. + +|*show lldp info local-device [detail]* +|Show info about the device you are connected to: chassis id, system name, firmware image version, IP addresses configured. + +|*show lldp stats* +|Show LLDP packets sent/received per port. + +|*show mac-address [detail]* +|Show complete MAC addresses table with port names, MAC addresses, and VLANs. If _detail_ is added, will also show age of +each entry. + +|*show mac-address vlan _vlanid_* +| Show MAC addresses learned on the specified VLAN. + +|*show mac-address _port1_[,_port2_...]* +|Show MAC addresses learned on specified ports. + +|*show cdp neighbors [detail]* +|Show list of CDP neighhbors with info on their MAC address, model, local port where it was seen. Adding `detail` also shows IP address of the CDP neighbor, if configured. + +|=== + + + +== PoE +[cols=2,options="header"] +|=== +|Command +|Description + +|*show power-over-ethernet brief [_port name_]* +|Show detailed information about PoE-enabled interfaces, including information on drawn/available +power per port, state. Optionally, limit information to a specific port. + +|*show power-over-ethernet brief vsf member _member id_* +|Show PoE detailed info per VSF member. 
+ +|*show power-over-ethernet* +| Display PoE general information for the whole switch: total available/used power, PoE redundancy status, +internal power. + + +|=== + +== DHCP +[cols=2,options="header"] +|=== +|Command +|Description + +|*show dhcp-server statistics* +|Show DHCP server stats for Discover/Offer/Ack/NAK messages received/sent, number of pools configured. + +|*clear dhcp-server statistics* +|Clear DHCP server stats. + +|*show dhcp-server binding\|conflict\|database\|pool* +|Show variouis operational parameters of the DHCP server. +|=== + + + + + +== NTP +[cols=2,options="header"] +|=== +|Command +|Description + +|*show ntp status* +|Show current status of NTP + +|*show ntp servers* +|Display configured NTP servers + +|*show ntp statistics* +|Show stats for NTP - number of NTP packets sent/received, and errors. + +|*show ntp associations [detail]* +|Show state of associations with the configured NTP servers, together with stats: delay, offset, dispersion, and stratum. + +|*show run \| i ntp* +|Show NTP-related configs. + +|=== + + +== VSF (Virtual Switching Framework) +[cols=2,options="header"] +|=== +|Command +|Description + +|*show vsf [detail]* +|Show general VSF status: who is active, priority, software versions. + +|*show vsf member _member-id_* +|Show general info on a specific member: serial number, uptime, cpu usage, memory usage, status: Commander/Standby, priority. + +|*show vsf link [detail\|utilization]* +|Show info on VSF link (VPC peer link in the Cisco world). Problems with VSF link may cause split-brain situation, when each member acts independently. + +|*show redundancy* +|Shows firmware image version of each member, as well as the number of failovers. + +|*boot vsf member _member-id_* +|Reboot the specified VSF member. + + +|=== diff --git a/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.adoc b/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.adoc index 84a8451..f1286d1 100644 
--- a/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.adoc +++ b/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.adoc 
@@ -1,45 +1,45 @@ -= Checkpoint Firewalls Debug Cheat Sheet - -Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ - -Status: Work in progress. - -== Cluster XL (ClusterXL) debug -[cols=2,"options="header"] -|=== -|command -|Description - -|*cphaprob state* -|Show status of the cluster and its members, if down - show the descriptive reason and when the state change happened,type of clustering - HA/Load Sharing/VRRP, IP address of each member's sync interface, problematic _pnote_ that causes failover, number of failovers since last restart. - -|*cphaprob -ia list* -|Show detailed information on the failed __pnote__/Critical Device of this member. List of pnotes enabled by default (differs by version/model so not a reference): _Interface Active Check_, _Recovery Delay_ , _CoreXL Configuration_, _Fullsync_, _Policy/filter_, _routed_, _fwd_, _cphad_, _init_, _cvpnd_. - -|*cphaprob -l list* -|List ALL _pnotes_ of the member, including in _OK_ state. - - -|*cphaprob -a if* -|Show all the interfaces seen by the cluster on this member. _Monitored_ are interfaces monitored by the cluster and if failed would cause fail over. _Secured_ is/are interface(s) the cluster uses to synchronize members. In Checkpoint appliances it is usually named `Sync`. Also show cluster synchronization mode - broadcast/multicast, - -|*cphaprob -m if* -|Show the monitored interfaces but also add ClusterXL VLAN monitoring info - which VLANs on which interface are being monitored. - -|*cphaprob syncstat* -|Show detailed synchronization states and traffic statistics: sync traffic drops/sent/received/queue szie/delta interval. Good at showing network/communication problems between cluster members. - -|*cphaprob show_failover* -|Show detailed history log of failover events with their dates and reasons. Checkpoint records last 20 failovers by default. - -|*cphaprob mmagic* -|Show the cluster magic number, relevant if multiple clusters are present in the same network. 
- - -|*cphaprob show_bond* -|Show bond interfaces. - -|*cpview -> Advanced -> ClusterXL* -|Partial output of the above commands in TUI interface. - -|=== += Checkpoint Firewalls Debug Cheat Sheet + +Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ + +Status: Work in progress. + +== Cluster XL (ClusterXL) debug +[cols=2,"options="header"] +|=== +|command +|Description + +|*cphaprob state* +|Show status of the cluster and its members, if down - show the descriptive reason and when the state change happened,type of clustering - HA/Load Sharing/VRRP, IP address of each member's sync interface, problematic _pnote_ that causes failover, number of failovers since last restart. + +|*cphaprob -ia list* +|Show detailed information on the failed __pnote__/Critical Device of this member. List of pnotes enabled by default (differs by version/model so not a reference): _Interface Active Check_, _Recovery Delay_ , _CoreXL Configuration_, _Fullsync_, _Policy/filter_, _routed_, _fwd_, _cphad_, _init_, _cvpnd_. + +|*cphaprob -l list* +|List ALL _pnotes_ of the member, including in _OK_ state. + + +|*cphaprob -a if* +|Show all the interfaces seen by the cluster on this member. _Monitored_ are interfaces monitored by the cluster and if failed would cause fail over. _Secured_ is/are interface(s) the cluster uses to synchronize members. In Checkpoint appliances it is usually named `Sync`. Also show cluster synchronization mode - broadcast/multicast, + +|*cphaprob -m if* +|Show the monitored interfaces but also add ClusterXL VLAN monitoring info - which VLANs on which interface are being monitored. + +|*cphaprob syncstat* +|Show detailed synchronization states and traffic statistics: sync traffic drops/sent/received/queue szie/delta interval. Good at showing network/communication problems between cluster members. + +|*cphaprob show_failover* +|Show detailed history log of failover events with their dates and reasons. 
Checkpoint records last 20 failovers by default. + +|*cphaprob mmagic* +|Show the cluster magic number, relevant if multiple clusters are present in the same network. + + +|*cphaprob show_bond* +|Show bond interfaces. + +|*cpview -> Advanced -> ClusterXL* +|Partial output of the above commands in TUI interface. + +|=== diff --git a/cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.adoc b/cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.adoc index 909df03..76ed157 100644 --- a/cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.adoc +++ b/cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.adoc 
@@ -1,85 +1,85 @@ -= Useful CLI commands for Cisco CUCM, Cisco Unity Connection and IM and Presence -Yuri Slobodyanyuk -v1.0, 2021-02-22 -:homepage: https://yurisk.info - -Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ - - -[cols=2,options="header"] -|=== -|Command -|Descritption - -|*show status* -|General health info, first to run on unusual CPU/IO load. Shows uptime, CPU load, memory usage, CUCM/Unity version. - -|*utils ntp status* -|Show NTP status - NTP source, synchronization, stratum. Note: this is not necessarily time source for the phones. - -|*utils network ping [count VALUE] [size VALUE]* -| Ping to test network quality and connectivity. E.g. `utils network ping 8.8.8.8 count 10 size 1300` - -|*utils network traceroute * -|Network trace. - -|*show tech network routes* -|Show routing table. - -|*show network status [process nodns search [search term]]* -|Show established connections with the process using the port. E.g. to show established connections to port 5060 (SIP phones and SIP trunks): `show network status process nodns search 5060`. - -|*utils network arp list* - -*utils network arp delete* - -*utils network arp set* - -|Working with ARP table. - -|*show network ipprefs public* - -*show open ports* - -*show open ports all* - -*show open ports regexp* - -|Show open and accessible over the network ports with listening daemons. - -|*show network ip_conntrack* -|Show number of open connections . While the number of connections does NOT equal number of registered phones, if there is some network connectivity issue this number will be unusually low. E.g. on CUCM with 52 registered SIP phones this commands shows 301 connections. - -|*show process list* -|Show list of running processes (Linux style). - -|*utils iostat* -|Show I/O stats - writes/reads per second, averages - -|*show hardware* -|Show the hardware server on which the CUCM is installed. 
- -|*utils service list* - -*utils service * - -|List running CUCM/Unity services (not previously mentioned Linux ones) and then stop/restart any of them by their name. Copy & paste service name exactly as shown in the listing. - -|*utils system restart* -|Last resort - restart the whole CUCM/Unity. - - -|*show diskusage activelog* -|Get the disk usage. - -|*show logins* -|Show logged in admins - -|*show password expiry user list* -|Show user password expiration, by default it is set to 99999 days, if not changed by the administrator. - -|*set password { age / complexity / expiry / inactivity / user }* -|Changing password for yourself/another user . Be very careful with changing password of course. - - -|=== += Useful CLI commands for Cisco CUCM, Cisco Unity Connection and IM and Presence +Yuri Slobodyanyuk +v1.0, 2021-02-22 +:homepage: https://yurisk.info + +Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ + + +[cols=2,options="header"] +|=== +|Command +|Descritption + +|*show status* +|General health info, first to run on unusual CPU/IO load. Shows uptime, CPU load, memory usage, CUCM/Unity version. + +|*utils ntp status* +|Show NTP status - NTP source, synchronization, stratum. Note: this is not necessarily time source for the phones. + +|*utils network ping [count VALUE] [size VALUE]* +| Ping to test network quality and connectivity. E.g. `utils network ping 8.8.8.8 count 10 size 1300` + +|*utils network traceroute * +|Network trace. + +|*show tech network routes* +|Show routing table. + +|*show network status [process nodns search [search term]]* +|Show established connections with the process using the port. E.g. to show established connections to port 5060 (SIP phones and SIP trunks): `show network status process nodns search 5060`. + +|*utils network arp list* + +*utils network arp delete* + +*utils network arp set* + +|Working with ARP table. 
+ +|*show network ipprefs public* + +*show open ports* + +*show open ports all* + +*show open ports regexp* + +|Show open and accessible over the network ports with listening daemons. + +|*show network ip_conntrack* +|Show number of open connections . While the number of connections does NOT equal number of registered phones, if there is some network connectivity issue this number will be unusually low. E.g. on CUCM with 52 registered SIP phones this commands shows 301 connections. + +|*show process list* +|Show list of running processes (Linux style). + +|*utils iostat* +|Show I/O stats - writes/reads per second, averages + +|*show hardware* +|Show the hardware server on which the CUCM is installed. + +|*utils service list* + +*utils service * + +|List running CUCM/Unity services (not previously mentioned Linux ones) and then stop/restart any of them by their name. Copy & paste service name exactly as shown in the listing. + +|*utils system restart* +|Last resort - restart the whole CUCM/Unity. + + +|*show diskusage activelog* +|Get the disk usage. + +|*show logins* +|Show logged in admins + +|*show password expiry user list* +|Show user password expiration, by default it is set to 99999 days, if not changed by the administrator. + +|*set password { age / complexity / expiry / inactivity / user }* +|Changing password for yourself/another user . Be very careful with changing password of course. + + +|=== diff --git a/cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.adoc b/cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.adoc index befc704..aba04d0 100644 --- a/cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.adoc +++ b/cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.adoc 
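Review bot: every `-` line in this hunk is re-added as an identical `+` line, so the change is a line-ending or trailing-whitespace normalization of the whole file rather than a content edit; the commit message should say so, and a `.gitattributes` rule (`* text=auto`) would stop it recurring. Since every line is being rewritten anyway, fix the typos that ride along: the header cell `|Descritption` should be `|Description`, and "Show number of open connections ." has a stray space before the period. The argument placeholders are empty in the rendered command cells `|*utils network traceroute *` and `*utils service *`; if the source uses angle-bracket placeholders such as `<host>`, check they survive AsciiDoc rendering, otherwise spell out the expected argument (a host for traceroute; `start`/`stop`/`restart` plus the exact service name for `utils service`, as the description already implies).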
@@ -1,60 +1,60 @@ -= Cisco Nexus 9000 9k debug and diagnostic commands complete cheat sheet (work in progress) -Yuri Slobodyanyuk -v1.0, 2020-09-01 -:homepage: https://yurisk.info - -Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ - -Status: Work in progress. - - -[cols=2,options="header"] -|=== -|Command -|Descritption - -|*show run interface membership* -|List physical interfaces included in the given Port-Channel, e.g. `show run int po1 membership` - -|*show port-channel usage* -|Show port-channel numbers already in use. - -|*show port-channel summary* -|Display list of all configured Port-Channels with their state, protocol (LACP or None), physical interface members. - -|*show vpc role* -|Role of this peer in vPC, also vPC MAC address, vPC and system priority, local Nexus switch MAC. - -|*show vpc brief* -|Gives verbose info about the vPC (vPC domain stats, vPC peer-link stats, port-channels with active VLANs etc.). - -|*show vpc peer-keepalive* -| Display real-time stats on peering keepalives: last send/receive time, IP of the peer, port and protocol used, vrf for communicaiton. - -|*show feature* -|Show enabled features, make sure FEX is on. - -|*show fex [_fex-num_] [detail]* -| Show FEX, optionally with details - FEX associated number, state -(Online/Offline/Connecting), model, serial number (of the module). If _detail_, -then also show log of the last registration/offline/online of the FEX. - -|*show interface fex* -| In addition to above, show physical interface names (uplinks) where FEX is connected on -Nexus and its state. - -|*reload fex _fex-num_* -| Reload the specified FEX (it should be online for this). - -|*show inventory fex _fex-num_* -|Show hardware info and serial numbers of the FEX chassis, network module, fans, -power supplies. - -|*show environment fex _fex-num_/all* -|Show power consumed, temperature. - -|*show int port-channel _n_ fex* -|Show physical interfaces pinned to a given port-channel. 
- -|=== - += Cisco Nexus 9000 9k debug and diagnostic commands complete cheat sheet (work in progress) +Yuri Slobodyanyuk +v1.0, 2020-09-01 +:homepage: https://yurisk.info + +Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ + +Status: Work in progress. + + +[cols=2,options="header"] +|=== +|Command +|Descritption + +|*show run interface membership* +|List physical interfaces included in the given Port-Channel, e.g. `show run int po1 membership` + +|*show port-channel usage* +|Show port-channel numbers already in use. + +|*show port-channel summary* +|Display list of all configured Port-Channels with their state, protocol (LACP or None), physical interface members. + +|*show vpc role* +|Role of this peer in vPC, also vPC MAC address, vPC and system priority, local Nexus switch MAC. + +|*show vpc brief* +|Gives verbose info about the vPC (vPC domain stats, vPC peer-link stats, port-channels with active VLANs etc.). + +|*show vpc peer-keepalive* +| Display real-time stats on peering keepalives: last send/receive time, IP of the peer, port and protocol used, vrf for communicaiton. + +|*show feature* +|Show enabled features, make sure FEX is on. + +|*show fex [_fex-num_] [detail]* +| Show FEX, optionally with details - FEX associated number, state +(Online/Offline/Connecting), model, serial number (of the module). If _detail_, +then also show log of the last registration/offline/online of the FEX. + +|*show interface fex* +| In addition to above, show physical interface names (uplinks) where FEX is connected on +Nexus and its state. + +|*reload fex _fex-num_* +| Reload the specified FEX (it should be online for this). + +|*show inventory fex _fex-num_* +|Show hardware info and serial numbers of the FEX chassis, network module, fans, +power supplies. + +|*show environment fex _fex-num_/all* +|Show power consumed, temperature. + +|*show int port-channel _n_ fex* +|Show physical interfaces pinned to a given port-channel. + +|=== + 
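Review bot: as in the previous file, every removed line returns verbatim, so this is a whitespace-only rewrite; the same `.gitattributes` fix applies. Two typos are carried through and are worth correcting in this pass: the header cell `|Descritption` (should be `|Description`) and "vrf for communicaiton" in the `show vpc peer-keepalive` row (should be "communication"). The "Status: Work in progress." line and the "(work in progress)" suffix in the title say the same thing; one of them is enough.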
diff --git a/cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.adoc b/cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.adoc index f5b0fa4..eabe25e 100644 --- a/cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.adoc +++ b/cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.adoc 
@@ -1,117 +1,117 @@ -= FAR manager cheat sheet of keyboard shortcuts -Yuri Slobodyanyuk -v1.0, 2020-11-09 -:homepage: https://yurisk.info - -Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ - - -[cols=2, options="header"] -|=== -|Shortcut -|Description - - -|*Ctrl + \* -|Change working directory to the root folder, i.e. root of the drive. - -|*Ctrl + PgUp* -|Move up to the parent directory. - -|*Alt + F1* -|Set the working drive for the left panel. - -|*Alt + F2* -|Set the working drive for the right panel. - -|*Ctrl + u* -|Swap panels (left becomes right and vice versa). - -|*Ctrl + Left/Right Arrow* -|Move the separating bar between panels left/right, changing the occupied space. - -|*Ctrl + Up/Down Arrow* -|Move the bottom border of the panels up/down. - - -|*Alt + F7* -|Open File Search dialog box - -|*Alt + F12* -|Open history of the visited folders. - -|*Alt + F8* -|Open history of the viewed files. - -|*F9 + c + c* or *F11 + Advanced Compare* -|Compare files/directories open in Panels. Standard compare (F9 + c + c) compares by name,size and time stamp. Advanced Compare allows to choose what to compare on. The files that differ are highlighted in blue. - -|*Ctrl + 1* -|Set panel view to 3-column layout showing just names. - -|*Ctrl + 2* -|Return to the standard 2-column view of names only. - -|*Ctrl + 3* -|Full panel view - shows name, size, date, time columns. - -|*Ctrl + 5* -|Full screen view - name, size, allocated, write, created, accessed, attributes columns. - -2+|_Sort displayed items_ - -|*Ctrl + F3* -| Sort by file/folder name. - -|*Ctrl + F4* -|Sort by extension. - -|*Ctrl + F5* -|Sort by modified date. - -|*Ctrl + F6* -|Sort by size. - -|*Ctrl + F8* -|Sort by creation time - -|*Ctrl + F9* -|Sort by access time - -2+|_Selecting files and folders_ -|*Insert* -|Select the item under the cursor. Press again to deselect. - -|*Shift + move up/down* -|Select single/multiple items. 
To deselect, hold Shift and move in the opposite direction. - -|* (asterisk) -|Select all files/folders in the panel. Press again to invert the selection. - -|COLORS fix later -| Fix me - -|*F9 -> o -> l* -|Open color selection dialog box. - -|*F11 + Temporary Panel* -| Create and switch to a Temporary Panel. You can copy/drag files and folders from the visible Panel to it. This allows to work on multiple items from different locations at the same time. - - -2+|_Filter what is shown in the Panel_ - -|*Ctrl + i* -a|Open Filter dialog menu. It contains all file types/extensions seen in the current folder. By moving with _Arrow Up/Down_ you can select/deselect any single or combination of multiple extensions to include or exclude in the display. Highlight the extension in question and press: - -- ** or *+* or *i*: Include files with such extension in the display, exclude from display anything else. Pressing the same key again clears the selection. - -- *Shift + Backspace*: Clear all selections made so far. - -- *x*: Exclude the selected extensions from showing, display what is left. - -- *Insert*: Open a dialog menu to create Custom filter. This allows to include/exclude files by their name/extension, size, attributes, and modification date. You can use relative operators `>=, <=`. All operands in a Custom filter are ANDed. Make sure to activate this Custom filter with Space or `+` in the filter list later. - -|*Enter* -|Activate the filter. - -|=== += FAR manager cheat sheet of keyboard shortcuts +Yuri Slobodyanyuk +v1.0, 2020-11-09 +:homepage: https://yurisk.info + +Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ + + +[cols=2, options="header"] +|=== +|Shortcut +|Description + + +|*Ctrl + \* +|Change working directory to the root folder, i.e. root of the drive. + +|*Ctrl + PgUp* +|Move up to the parent directory. + +|*Alt + F1* +|Set the working drive for the left panel. + +|*Alt + F2* +|Set the working drive for the right panel. 
+ +|*Ctrl + u* +|Swap panels (left becomes right and vice versa). + +|*Ctrl + Left/Right Arrow* +|Move the separating bar between panels left/right, changing the occupied space. + +|*Ctrl + Up/Down Arrow* +|Move the bottom border of the panels up/down. + + +|*Alt + F7* +|Open File Search dialog box + +|*Alt + F12* +|Open history of the visited folders. + +|*Alt + F8* +|Open history of the viewed files. + +|*F9 + c + c* or *F11 + Advanced Compare* +|Compare files/directories open in Panels. Standard compare (F9 + c + c) compares by name,size and time stamp. Advanced Compare allows to choose what to compare on. The files that differ are highlighted in blue. + +|*Ctrl + 1* +|Set panel view to 3-column layout showing just names. + +|*Ctrl + 2* +|Return to the standard 2-column view of names only. + +|*Ctrl + 3* +|Full panel view - shows name, size, date, time columns. + +|*Ctrl + 5* +|Full screen view - name, size, allocated, write, created, accessed, attributes columns. + +2+|_Sort displayed items_ + +|*Ctrl + F3* +| Sort by file/folder name. + +|*Ctrl + F4* +|Sort by extension. + +|*Ctrl + F5* +|Sort by modified date. + +|*Ctrl + F6* +|Sort by size. + +|*Ctrl + F8* +|Sort by creation time + +|*Ctrl + F9* +|Sort by access time + +2+|_Selecting files and folders_ +|*Insert* +|Select the item under the cursor. Press again to deselect. + +|*Shift + move up/down* +|Select single/multiple items. To deselect, hold Shift and move in the opposite direction. + +|* (asterisk) +|Select all files/folders in the panel. Press again to invert the selection. + +|COLORS fix later +| Fix me + +|*F9 -> o -> l* +|Open color selection dialog box. + +|*F11 + Temporary Panel* +| Create and switch to a Temporary Panel. You can copy/drag files and folders from the visible Panel to it. This allows to work on multiple items from different locations at the same time. + + +2+|_Filter what is shown in the Panel_ + +|*Ctrl + i* +a|Open Filter dialog menu. 
It contains all file types/extensions seen in the current folder. By moving with _Arrow Up/Down_ you can select/deselect any single or combination of multiple extensions to include or exclude in the display. Highlight the extension in question and press: + +- ** or *+* or *i*: Include files with such extension in the display, exclude from display anything else. Pressing the same key again clears the selection. + +- *Shift + Backspace*: Clear all selections made so far. + +- *x*: Exclude the selected extensions from showing, display what is left. + +- *Insert*: Open a dialog menu to create Custom filter. This allows to include/exclude files by their name/extension, size, attributes, and modification date. You can use relative operators `>=, <=`. All operands in a Custom filter are ANDed. Make sure to activate this Custom filter with Space or `+` in the filter list later. + +|*Enter* +|Activate the filter. + +|=== diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 12b139f..868912d 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc 
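Review bot: the placeholder row `|COLORS fix later` / `| Fix me` is carried through unchanged and renders as a data row in the published cheat sheet; either drop it or turn it into a `2+|_Colors_` section row like the `_Sort displayed items_` and `_Selecting files and folders_` rows used elsewhere in the table (the next row, `*F9 -> o -> l*`, already documents the colour dialog). In the filter list the item `- ** or *+* or *i*` is meant to show the `*` key in bold, but `**` is not rendered as a single bold asterisk in AsciiDoc; escape it (`*\**`) or write `*asterisk*` to match the `|* (asterisk)` row above. Minor: "compares by name,size and time stamp" is missing a space after the comma.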
@@ -1,1069 +1,1069 @@ -= Fortigate debug and diagnose commands complete cheat sheet -:homepage: https://yurisk.info -:toc: - -Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ - - -NOTE: To enable debug set by any of the commands below, you need to run -*diagnose debug enable*. This is assumed and not reminded any further. Use *dia -debug info* to know what debug is enabled, and at what level. - -NOTE: To disable and stop immediately any debug, run *dia deb res* which is short for *diagnose debug reset*. - -NOTE: All debug will run for 30 minutes by default, to increase use `diagnose debug duration `, setting to 0 means unlimited by time. Reboot will reset this setting. - - - - - - - -== Security rulebase debug (diagnose debug flow) -.Security rulebase diagnostics with `diagnose debug flow` -[cols=2, options="header"] -|=== -|Command -|Description - -|*diagnose firewall iprope lookup - * -|Policy lookup for any combination of IPs and ports - use to see what policy (if -any) matches traffic between specific IP addresses and ports. E.g. `dia firewall -iprope lookup 10.10.10.1 34567 8.8.8.8 443 6 LAN1` - -|*diagnose debug flow filter* -|Show the active filter for the flow debug - -|*diagnose debug filter clear* -|Remove any filtering of the debug output set - -|*diagnose debug flow filter / dia debug flow filter6 * -| Set filter for security rulebase processing packets output. You can set multiple filters - act as AND, by issuing this command multiple times. Parameters: - -`vd` - id number of the vdom. When entering the vdom with `edit vdom`, this number is shown first. - -`vd-name` - limit debug to specific VDOM by its name. Fortigate translates the name to VDOM ID (`vd`). - -`proto` - Protocol number. - -`addr` - IP address of the packet(s), be it a destination or/and a source. - -`saddr` - IP source address of the packet(s). - -`daddr` - IP destination address of the packet(s). - -`port` - Source or/and destination port in the packet(s). 
- -`sport` - Source port of the packet(s). - -`dport` - Destination port of the packet(s). - -`negate ` - negate the match, i.e. match if a packet does NOT contain `* -| Same as `diagnose debug filter` but for IPv6 packets. The rest of matching and conditions remain of the same syntax. - -|*diagnose debug flow show function-name enable* -|Show function names responsible for each step in processing. - -|*diagnose debug flow trace start [number]* -|Actually start the debug with optional `number` to limit number of packets traced. - -|*diagnose debug flow trace start6 [number]* -|Start the debug trace for IPv6 traffic, with optional `number` to limit number of packets traced. - - -|=== - - -== Packet Sniffer (diagnose sniffer packet) - -[cols=2, options="header"] -|=== -|Command -|Description - -|*dia sni pa _if-name_/any 'tcpdump syntax filter' _verbosity_ _count_ -_time-format_* -a| Network level packet sniffer like tcpdump/tshark/wireshark, presenting captured -packets on CLI. It gives definite answers whether a packet reached the -Fortigate, whether it was dropped by firewall rules, what was incoming/outgoing -interface, and contents of the packet if needed. - -`verbosity` - level of detail to present, can be one of: - -1 - packets' header, includes IP addresses, ports, and flags if set. - -2 - packets' header and data for IP packet, i.e. same as above plus contents of -the packet. - -3 - same as 2 above plus Ethernet header. - -4 - packets' header (no contents) plus incoming/outgoing interface name for each -packet. This gives the indication whether the packet passed the Fortigate or was -dropped by it. - -5 - same data as `4` plus contents of IP packets. - -6 - packets' header starting from Ethernet plus contents and incoming/outgoing -interface names. - - -`count` - number of packets to capture, integer. If not set, will be capturing -until the SSH/console timeout or until stopped with `CTRL + C`. 
- -`time-format`: - -* `a` - absolute UTC time -* `l` - local time -* _default_ - relative to the start of sniffing in seconds.milliseconds. - -|_IPv6_ -|For IPv6 traffic, the command is the same, but use the relevant `filter` clauses instead, -e.g. `host 2001:db8::1` or `net 2001:db8::/64` or `icmp6`. - -|*set auto-asic-offload disable* -|You may need to temporarily disable NPU hardware acceleration offloading, to see accelerated packets. You do so inside a specific firewall policy. This will cause all packets passing on this policy rule to be processed by CPU and thus make packets visible to the sniffer. This may increase the CPU load. E.g. `config firewall policy`, `edit 1`, `set auto-asic-offload disable`. Do not forget to turn it on again: `set auto-asic-offload enable`. - -|=== - - -== General Health, CPU, and Memory -.General Health, CPU, and Memory loads -[cols=2, options="header"] -|=== -|Command -|Description - -|*get sys stat* -|Get statistics about the Fortigate device: FortiOS used, license status, Operation mode, VDOMs configured, last update dates for AntiVirus, IPS, Application Control databases. - -|*get sys performance stat* -|Show real-time operational statistics: CPU load per CPU, memory usage, average network/session, uptime. - -|*diagnose sys top [_refresh_] [_num-of-processes_] [_iterations_]* -|Print list of running processes updated every _refresh_ seconds (default 5), for -_iterations_ times, sorted in descending order by the CPU load. This `top` command does not display all processes by -default, to show them all, set _num-of-processes_ to high number, for example -100. Press "m" to sort the processes by memory consumption. The displayed table -is in this order: `Process id`, `process state: (R)unning, (S)leep, (Z)ombie, -(D)isk Sleep, < Means higher priority`, `CPU used`, `Memory used`. 
- -|*dia sys kill _signal-id_ _process-id_* -|Forcefully kill the process with the id of _process-id_, sending it the given _signal-id_ (Linux signals, e.g. 9, 11). - -|*diagnose debug crashlog read* -| Display crash log. Records all daemons crashes and restarts. Some daemons are more critical than others. - -|*diagnose debug crashlog clear* -| Clear the crash log. - -|*dia sys top-mem [_num-processes_] [detail]* -|Show top (default 5) processes by memory usage, optionally set number of -processes to show with _num-processes_, and use `detail` to get verbose output -(a lot). - -|*get hardware memory* -| Show memory statistics: free, cached, swap, shared - -|*dia hardware sysinfo conserve* -|Info whether the conserve mode on or off, total memory available, conserve mode -thresholds `red` and `green` - -|*execute sensor list* -|List current readings of all sensors present on this model of the Fortigate. Larger models (1500 and up) show CPUs voltage, fan speeds, temperature, power supply voltage and more. - -|*dia sys flash list* -|Show contents of the flash memory holding FortiOS firmware images. One of the images -will have `Active` set to `yes`, which means it is the used one. - -|*diagnose hardware deviceinfo disk* -|Show all storage attached to the firewall, including disk type, volume, free -space. - -|=== - - -== Session stateful table - -[cols=2, options="header"] -|=== -|Command -|Description - -|*get system session status / get system session6 status* -|Show current number of sessions passing the Fortigate (IPv4/IPv6). Run inside the VDOM in multi-vdom environment to get number of connections/sessions for this specific VDOM. - -|*get sys session-info statistics* -| Get general statistics on sessions: current number of, global limits, number of clashes (different sessions trying to use the same ports), TCP sessions stats per state - -|*get sys session-info ttl* -|Show the default TTL setting for the connections in the table, default being 3600 seconds. 
- -|*diagnose sys session filter / diagnose sys session6 filter * -| Set filter to show/manipulate only specific connections in the stateful table. Run without any filter parameters this command displays the current filter applied if any. Parameters: - -`vd` - id number of the vdom. When entering the vdom with edit vdom, this number is shown first. - -`sintf` - source interface. - -`dintf` - destination interface. - -`proto` - protocol, by IANA protocol number. - -`proto-state` - protocol state. - -`src` - source IP. - -`dst` - destination IP. - -`nsrc` - NATed source IP. - -`sport` - source port. - -`nport` - NATed source port. - -`dport` - destination port. - -`policy` - policy id. - -`duration ` - duration. - -`expire ` - expiration time. - -`session-state1 ` - session state, where _x_ is in hex, state bits. - -`negate ` - negate the match, i.e. match if a connection does NOT contain _parameter_. Where parameter is one of the mentioned above. - - -|*diagnose sys session clear / dia sys session6 clear* -|Clear/delete connections from the session table. IMPORTANT: If no session filter is set (see above) before running this command, ALL connections passing the Fortigate will be deleted! Which means they will be disconnected. So use carefully. - -|*diagnose sys session list / dia sys session6 list* -|List connections limited to the filter set if any, or all session table if not. 
- -|=== - - -== High Availability Clustering debug -.HA Clustering related debug and verification -[cols=2, options="header"] -|=== -|Command -|Description - -|*get sys ha status* -|Show general status and statistics of the clustering - health status, cluster uptime, last cluster state change, reason for selecting the current master, configuration status of each member (`in-sync/out-of-sync`), usage stats (average CPU, memory, session number), status (`up/down`, `duplex/speed`, `packets received/dropped`) for the heartbeat interface(s), HA cluster index (used to enter the secondary member CLI with `exe ha manage`). - -|*diagnose sys ha dump-by group* -| Print detailed info per cluster group, shows actual uptime of each member in `start_time`, as well monitored links failures, status. - - -|*diagnose sys ha checksum cluster* -|Shows configuration checksum for each cluster member separated in individual VDOMs and _global_. In properly synchronized cluster all member checksums should be identical, look at `all` value. - -|*diagnose sys ha checksum recalculate* -|Force cluster member to recalculate checksums, often will solve the out of sync problem. No adverse effects. Run on each cluster member. - -|*diagnose sys ha checksum show <__VDOM__/global>* -|Print detailed synchronization status for each configuration part. Use after seeing `out-of-sync` in *diagnose sys ha checksum cluster* to know which part of configuration causes members to be out-of-sync. Need to run on each cluster member and compare, long output - use `diff`/`vimdiff/Notepad++ Compare plugin` to spot the differences. - -|*diagnose sys ha checksum show <__VDOM__/global> * -|Show exact setting inside the settings tree that causes out-of-sync. Use output from *diagnose sys ha checksum show* (see above) for _settings part name_. E.g. 
if `diagnose sys ha checksum show root` indicates that _firewall.vip_ is out-of-sync, running `diagnose sys ha checksum show root firewall.vip` will give checksums of each VIP in the root domain to compare with those of secondary member. - - -|*diagnose debug app hatalk -1* -|Enable heartbeat communications debug. It shows in real time if members are talking over sync interfaces. -The output will look like `state/chg_time/now=2(work)/1610773657/1617606630`, where the desired `state` is _work_, _chg\_time_ is last cluster state/failover date in epoch, and _now_ is the last time communication occurred on heartbeat interface(s), also in epoch. - -|*diag debug application hasync -1* -|Real time synchronization between members. As only things that changed get synchronized after 1st sync is established, may take time to produce output. See next. - -|*execute ha synchronize stop* - -*diag debug enable* - -*diag debug application hasync -1* - -*execute ha synchronize start* - -|Stop, enable debug, then start again HA synchronization process, will produce lots of output. - - -|*exe ha manage ?* - -*exe ha manage * - -|First show index of all Fortigate cluster members, then enter any secondary member CLI via its index. - - -|*diagnose sys ha reset-uptime* -a| Resets uptime of this member making it less than the other member(s)'s uptime -and so fails over to those member(s). This is a temporary way to force cluster -fail-over to another member from the current one. NOTE: check that the setting -below is present or immediately after the reset and failover, this member will become -active again if it has higher HA priority. - ----- -config sys ha -set ha override disable ----- - - -|=== - -== IPSEC VPN debug - -.IPSEC VPN Debug -[cols=2*,options="header"] -|=== -|Command -|Description - -| *diagnose vpn ike log-filter * -a| Filter VPN debug messages using various parameters: - -* `list` Display the current filter. -* `clear` Delete the current filter. 
-* `name` Phase1 name to filter by. -* `src-addr4`/`src-addr6` IPv4/IPv6 source address range to filter by. -* `dst-addr4`/`dst-addr6` IPv4/IPv6 destination address range to filter by. -* `src-port` Source port range -* `dst-port` Destination port range -* `vd` Index of virtual domain. -1 matches all. -* `interface` Interface that IKE connection is negotiated over. -* `negate` Negate the specified filter parameter. - - -|*diagnose debug application ike -1* -| Enable IPSec VPN debug, shows phase 1 and phase 2 negotiations (for IKEv1) and everything for IKEv2. -"-1" sets the verbosity level to maximum, any other number will show less output. - -|*diagnose vpn ike gateway flush name * -|Flush (delete) all SAs of the given VPN peer only. Identify the peer by its Phase 1 name. - -|*diagnose vpn tunnel list [name ]* -| Show operational parameters for all or just specific tunnels: Type (dynamic dial up or static), packets/bytes passed, NAT traversal state, Quick Mode selectors/Proxy Ids, mtu, algorithms used, whether NPU-offloaded or not, lifetime, DPD state. - -|*diagnose vpn ike gateway list* -| Show each tunnel details, including user for XAuth dial-up connection. - -|*get vpn ipsec tunnel details* -| Detailed info about the tunnels: Rx/Tx packets/bytes, IP addresses of the peers, algorithms used, detailed selectors info, lifetime, whether NAT Traversal is enabled or not. - -|*get vpn ipsec stats tunnel* -| Short general statistics about tunnels: number, kind, number of selectors, state - -|*get vpn ipsec tunnel summary* -| Short statistics per each tunnel: number of selectors up/down, number of packets Rx/Tx. - - -|*get vpn ipsec stats crypto* -| Crypto stats per component (ASIC/software) of the Fortigate: encryption algorithm, hashing algorithm. Useful to see if unwanted situation of software encryption/decryption occurs. 
- - - - - -|=== - - -== SSL VPN debug -.SSL VPN client to site/Remote Access debug -[cols=2, options="header"] -|=== -|Command -|Description - -|*get vpn ssl monitor* -|List logged in SSL VPN users with allocated IP address, username, connection duration. - -|*diagnose vpn ssl debug-filter _criteria_* -|Limit debug output according to the _criteria_ below: - -`src-addr4\|src-addr6` _source-ip-of-client_ Source IP of the connecting client - -`vd` _VDOM name_ Limit debug to a specific VDOM, specify VDOM by its string -name, not numerical index. - -`negate` Negate the filter. - -`clear` Clear the filter. - -`list` List active filter. - -|*diagnose debug app sslvpn -1* -|Debug SSL VPN connection. Shows only SSL protocol negotiation and set up. That is - ciphers used, algorithms and such, does NOT show user names, groups, or any client related info. - - -|=== - -== Static Routing Debug - -.Static and Policy Based Routing debug & diagnostics -[cols=2,options="header"] -|=== -|Command -|Description - -|*get router info kernel* - -*get router info6 kernel* - -a|View the kernel routing table (FIB). This is the list of resolved routes actually being used by the FortiOS kernel. - -`tab` Table number, either 254 for unicast or 255 for multicast. - -`vf` Virtual domain index, if no VDOMs are enabled will be 0. - -`type` 0 - unspecific, 1 - unicast, 2 - local , 3 - broadcast, 4 - anycast , 5 - multicast, 6 - blackhole, 7 - unreachable , 8 - prohibited. - -`proto` Type of installation, i.e. where did it come from: 0 - unspecific, 2 - kernel, 11 zebOS module, 14 - FortiOS, 15 - HA, 16 - authentication based, 17 - HA1 - -`prio` priority of the route, lower is better. - -`pref` preferred next hop for this route. - -`Gwy` the address of the gateway this route will use - -`dev` outgoing interface index. If VDOMs enabled, VDOM will be included as well, if alias is set it will be shown. 
- -|*get router info routing-table all* - -*get router info6 routing* - -|Show RIB - active routing table with installed and actively used routes. It will not show routes with worse priority, multiple routes to the same destination if unused. - -|*get router info routing database* - -*get rotuer info6 routing database* -|Show ALL routes, the Fortigate knows of - including not currently used. - -|*get router info routing-table details * -| Show verbose info about specific route, e.g. `get router info routing-table details 0.0.0.0/0` - -|*diagnose ip rtcache list* -| Show the routes cache table. - -|*get firewall proute* - -*get firewall proute6* -| Get all configured Policy Based Routes on the Fortigate. - - -| *exe traceroute-options [source _ip_ / device _ifname_ / view-settings / use-sdwan yes]* - -*exe traceroute _host_* -| Run traceroute, setting various options if needed. - -|*exe tracert6 [-s _source-ip_] _host_* -| Run IPv6 trace route. - -|*exe ping-options* [data-size _bytes_ / df-bit / interface _if-name_ / interval -_seconds_ / repeat-count _integer_ / reset / view-settings / timeout _seconds_ / -source _ip_ / ttl _integer_ / use-sdwan yes] -| Set various options before running pings. - -|*exe ping _host_* -|Run the IPv4 ping. - -|*exe ping6-options* _see available options above for ipv4_ -|Set various ping6 options before running it. - -|*exe ping6 _host_* -|Run the IPv6 ping. - - -|=== - -== Interfaces - -.Interafces of all kinds diagnostics -[cols=2,options="header"] -|=== -|Command -|Description - -|*get hardware nic * -|Hardware info of the interface: MAC address, state (up/down), duplex (full, half), Rx/Tx packets, drops. - -|*diagnose hardware deviceinfo nic * -|Same as above. - -|*get sys interface transceiver* -|List all SFP/SFP+ transceivers installed with info on: vendor name, serial -number, temperature, voltage consumed, and, most important - Transmit (TX) and -Receive (RX) signal power in dBm. 
- -|*get hardware npu np6 port-list* -|Show on which interfaces the NPU offloading is enabled. - -|*diagnose npu np6lite port-list* -| Same as above but for NP6-lite. - -|*fnsysctl ifconfig * -|Gives the same info as Linux `ifconfig`. The only way to see the actual MTU of the interface. - -|*fnsysctl cat /proc/net/dev* -|Similar to `netstat` shows errors on the interfaces, drops, packets sent/received. - -|*diagnose ip address list* -|Show IP addresses configured on all the Fortigate interfaces. - -|*diagnose sys gre list* -| Show configured GRE tunnles and their state. - - -|*diag debug application pppoed -1* - -*dia debug application pppoe -1* - -*dia debug applicaiton ppp -1* - -|Enable all ADSL/PPPoE-related debug. - - -|*execute interface pppoe-reconnect* -|Force ADSL re-connection. - -|*diagnose sys waninfo* -|Show WAN interface info: public IP address of the WAN interface, guessed geo -location of this IP, and whetehr this IP address is in FortiGuard black list. - -|=== - - -== LACP Aggregate Interfaces - -[cols=2, options="heade"] -|=== -|Command -|Description - -|*diagnose netlink aggregate list* -|List all aggregate interfaces in the current VDOM, shows names, state -(up/down), LACP mode and algorithm used - -|*diagnose netlink aggregate name * -|Shows details of the given aggregate interface under the entry `actor state` -(preferred state is *ASAIEE*): LACP Mode (Active/Passive), -LACP Speed mode (Slow [default]/Fast), Synced or Out of Sync, minimal physical -interfaces to be up for the whole aggregate to be up, Aggregator ID (has to be -identical on both sides), own and peer's MAC addresses, link failure count. - -|*diagnose sniffer packet any "ether proto 0x8809" 6 0 a* -|Sniffer to see all LACP traffic on this Fortigate: `0x8809` LACP Ethernet -protocol designation, `6` - maximum verbosity, `0` - do not limit number of captured packets, `a` - show -time in UTC format, rather than delta from the 1st packet seen. 
LACP packets -should arrive from the peer's MAC address on the aggregate logical interface -name, and should leave from the physical interface(s) destined to the peer's MAC -address. This capture will also show LACP actor state in arriving/leaving -packets - for working LACP aggregate it should be `ASAIEE` in both directions. - -|*diagnose netlink port src-ip dst-ip * -|Show what physical port a packet given by the filter will exit. Available -filter keywords: - -`src-ip` - Source IP address. - -`dst-ip` - Destination IP address. - -`src-mac` - Source MAC address. - -`dst-mac` - Destination MAC. - -`proto` - Protocol number. - -`src-port/dst-port` - Source/Destination port. - -`vlan-id` - VLAN number. - - -|=== - -== DHCP server, relay, client - -.DHCP server, relay, client -[cols=2, options="header"] -|=== -|Command -|Description - - -|*show system dhcp/dhcp6 server* -|Show DHCP server configuration, including DHCP address pools. - -|*execute dhcp/dhcp6 lease-list [_interface name_]* -|Show real-time list of allocated by Fortigate addresses via DHCP. It will show IP address of each client, its MAC - address, device type/name (Android, iOS, Windows, etc.), the lease time and expiration. - -|*execute dhcp/dhcp6 lease-clear all/_start-end-IP-address-range_* -|Clear DHCP allocations on the Fortigate. This will NOT cause clients that already have IP addresses to release them, but will -just clear Fortigate DHCP database and will start over allocating again. You can either clear _all_ IP addresses in the database, or only specific IPs. - - -|*diagnose debug application dhcps/dhcp6s -1* -|Enable real-time debug of DHCP server activity. This will show DHCP messages sent/received, DHCP options sent in each reply, details of requesting hosts. - -|*diagnose debug application dhcprelay/dhcp6r -1* -|Enable real-time debug of the DHCP relay agent, `dhcp6r` is for DHCPv6. 
- -|*diagnose debug application dhcpc/dhcp6c -1* -|Enable real-time debug when Fortigate is itself a DHCP Client. - -|*dia sni pa any 'port 67 or port 68' 6* and for DHCPv6 -*dia sni pa any 'port 546 or port 547' 6* -|Run packet sniffer for DHCP or DHCPv6 packets reaching the Fortigate. - -|=== - -== NTP debug - -.NTP daemon diagnostics and debug -[cols=2,options="header"] -|=== -|Command -|Description - -|*diag sys ntp status* -|Current status of NTP time synchronization. Shows all NTP peers and their detailed info: reachability, stratum, clock offset, delay, NTP version. - -|*execute date* -| Show current date as seen by Fortigate. - -|*exec time* -| Show current time as seen by Fortigate. - - -|=== - - -== SNMP daemon debug - -.SNMP daemon debug -[cols=2, options="header"] -|=== -|Command -|Description - -|*diagnose debug application snmpd -1* -|ENable SNMP daemon messages debug. - -|*show system snmp community* -|Show SNMP community and allowed hosts configuration - - -|=== - - -== BGP - -.BGP debug -[cols=2*,options="header"] -|=== -|Command -|Description - - -|*diagnose ip router bgp level info* - - *diagnose ip router bgp all enable* - -| Set BGP debug level to INFO (the default is ERROR which gives very little info) and enable the BGP debug. - -|*exec router clear bgp all* -| Disconnect all BGP peering sessions and clear BGP routes in BGP table and RIB. Use with care, involves downtime. - - -|*get router info bgp summary* -| State of BGP peering sessions with peers, one per line. - -|*get router info bgp network * -| Detailed info about from the BGP process table. Output includes all learned via BGP routes, even those not currently installed in RIB. E.g. `get router info bgp network 0.0.0.0/0`. The is optional, if absent shows the whole BGP table. - -|*get router info routing-table bgp* -| Show BGP routes actually installed in the RIB. 
- -|*get router info bgp neighbors* -| Detailed info on BGP peers: BGP version, state, supported capabilities, how many hops away, reason for the last reset. - -|*get router info bgp neighbors advertised-routes* -| Show all routes advertised by us to the specific neighbor. - -|*get router info bgp neighbors routes* -| Show all routes learned from this BGP peer. It shows routes AFTER filtering on local peer, if any. - -|*get router info bgp neighbors received-routes* -| Show all received routes from the neighbor BEFORE any local filtering is being applied. It only works if `set soft-reconfiguration enable` is set for this peer under `router bgp` configuration. - -|*diagnose sys tcpsock \| grep 179* -| List all incoming/outgoing TCP port 179 sessions for BGP. - - - - - - -|=== - - -== Admin sessions -.Admin sessions management -[cols=2,options="header"] -|=== -|Command -|Description - -|*get sys info admin status* -|List logged in administrators showing `INDEX` value for each session - -|*execute disconnect-admin-session * -|Disconnect logged in administrator by the session INDEX. - - -|=== - - - -== Authentication -.Authentication in all kinds LDAP, Radius, FSSO -[cols=2, options="header"] -|=== -|Command -|Description - - -|*diagnose firewall auth list* -|List all authenticated and known by firewall usernames. It does not matter what -the source is - LDAP/SSO/etc. Also shows client's IP, idle time, duration. - -|*diagnose debug app fnbamd -1* -|Enable debug for authentication daemon, valid for ANY remote authentication - RADIUS, LDAP, TACACS+. - - -|*diagnose test authserver ldap * -| Test user authenticaiton on Fortigate CLI against Active Directory via LDAP. E.g. test user `Tara Addison` against LDAP server configured in Fortigate as `LDAP-full-tree` having password `secret`: `diagnose test authserver ldap LDAP-full-tree "Tara Addison" secret`. 
- - -|*diagnose debug authd fsso list* -|List logged in users the Fortigate learned via FSSO - -|*diagnose debug authd fsso server-status* -| Show status of connections with FSSO servers. Note: it shows both, local and remote FSSO Agent(s). The local Agent is only relevant when using Direct DC Polling, without installing FSSO Agent on AD DC, so it is ok for it to be `waiting for retry ... 127.0.0.1` if you don't use it. The working state should be `connected`. - - - -|=== - - - -== Fortianalyzer logging debug -.Verify and debug sending logs from Fortigate to Fortianalyzer -[cols=2, options="header"] -|=== -|Command -|Description - -|*get log fortianalyzer setting* -|Show active Fortianalyzer-related settings on Fortigate. - -|*config log fortianalyzer* -|Complete Fortianalyzer configuration on CLI, as GUI configuring is usually not enough for it to work. - -|*get log fortianalyzer filter* -|Verify if any log sending filtering is being done, look for values of `filter` and `filter-type`. If there are any filters, it means not all logs are sent to FAZ. - -|*exec log fortianalyzer test-connectivity* -|Verify that Fortigate communicates with Fortianalyzer. Look at the statistics in `Log: Tx & Rx` line - it should report increasing numbers, and make sure the status is `Registration: registered`. - -|*exec telnet 514* -|Test connectivity to port 514 on the Fortianalyzer. If pings are allowed between them, you can also try pinging. - -|*diagnose sniffer packet any 'port 514' 4* -|Run sniffer on Fortigate to see if devices exchange packets on port 514. Click in GUI on `Test Connectivity` to initiate connection. - -|=== - - - - - -== SD-WAN verification and debug -.SD-WAN verification and debug -[cols=2, options="header"] -|=== -|Command -|Description - -|*diagnose sys sdwan health-check* (6.4 and newer) - -*diagnose sys virtual-link health-check* (5.6 up to 6.4) - -| Show state of all the health checks/probes. 
Successful probes are marked `alive`, failed probes are marked `dead`. Also displays `packet-loss, latency, jitter` for each probe. - -|*diagnose sys sdwan member* - -*diagnose sys virtual-wan-link member* (5.6 up to 6.4) - -|Show list of SD-WAN zone/interface members. Also gives each interface gateway IP (if was set, 0.0.0.0 if not), `priority`, and `weight` both by default equal `0`, used with some SLA Types. - -|*diagnose sys sdwan service* - -*diagnose sys virtual-wan-link service* (5.6 up to 6.4) - -|List configured SD-WAN rules (aka `services`), except the Implied one which is always present and cannot be disabled, but is editable for the default load balancing method used. Shows member interfaces and their status `alive` or `dead` for this rule. - - - -|*diag sys sdwan intf-sla-log * - -*diag sys virtual-wan-link intf-sla-log * (5.6 up to 6.4) - -|Print log of usage for the last 10 minutes. The statistics shown in bps: `inbandwidth`, `outbandwidth`, `bibandwidth`, `tx bytes`, `rx bytes`. - - -|*diag netlink interface clear * - -|Clear traffic statistics on the interface, this resets statistics of the SD-WAN traffic passing over this interface. Needed, if, for example, you changed SD-WAN rules, but not sure if it's already active. E.g. `diag netlink interface clear port1`. - - -|*diagnose firewall proute list* -|List ALL Policy Based Routes (PBR). SD-WAN in Fortigate, after all, is implemented as a variation of PBR. This command lists manual (classic) PBR rules, along with SD-WAN created via SD-WAN rules. *Important*: Manually created PBR rules (via `Network -> Policy Routes` or on CLI `config route policy` always have preference over the SD-WAN rules, and this command will show them higher up. - - - - - -|=== - - -== Virtual Fortigate License Status -.Verify status of VM Fortigate License -[cols=2, options='header"] -|=== -|Command -|Description - -|*get sys status \| grep -i lic* -|Get status of the license (for VM only). The corect status is `Valid`. 
- -|*diagnose debug vm-print-license* -| Show detailed info on VM Fortigate license status: allowed CPUs and memory, date of license activation, license expiration date (if set), serial number. - -|*diagnose hardware sysinfo vm full* -|Show license data as seen by FortiGuard: status (should be `valid=1`), last time it was checked (`recv`), answer code, should be `code: 200`, `code: 401` is for duplicate license found, `code: 502` is for VM cannot connect to FortiGuard, and `code: 400` is for invalid license. - - -|=== - - - -== SIP ALG and helper -.SIP proxy or helper debug -[cols=2, options="header"] -|=== -|Command -|Description - -|*config sys settings* - -*get \| grep alg* - -|Show the current SIP inspection mode. If the output is `default-voip-alg-mode: proxy-based` then the full Layer 7 -proxy SIP inspection is on (_ALG_ inspection). If the output is `default-voip-alg-mode: kernel-helper-based` then the Layer 4 _helper_ inspection is on. In both modes Fortigate does IP address translation inside SIP packets (if needed), and opens dynamically high ports for incoming media/voice streams ports. In _ALG_ mode, the Fortigate additionally does RFC compliance verification and more. So, the _ALG_ mode is more prone to cause issues but also provides more security. - -|*show system session-helper \| grep sip -f* -|If using SIP _helper_ and not _ALG_, make sure there is an entry for SIP in the helpers list, usually on port 5060, but may be custom as well. - - -|*diagnose debug application sip -1* -|Display SIP debug in real-time (lots of output). It shows IP replacement inside SIP packets if NAT involved, all SIP communication requests (`REGISTER`,`INVITE` etc.), and reply codes. - - -|=== - - -== DNS server and proxy debug -[cols=2, options="header"] -|=== -|Command -|Description - -|*get system dns* -|Show configured DNS servers, DNS cache limit and TTL, source IP used, timeout and retry, whther NDS over TLS is enabled. 
- -|*diagnose test app dnsproxy* -|Will present all debug options for dnsproxy. Belowi are some of more useful of -them. - -|*diagnose test app dnsproxy 2* -|Show the following statatistics: number of DNS process workers (if multiple), DNS latency against each server used, Secure DNS IP and latency - DNS server used for DNS filtering and Botnet detections, DNS cache usage, UDP vs TCP requests statistics, name of DNS Filter applied if any. - -|*diagnose test app dnsproxy 1* -|Clear DNS responses cache - -|*diagnose test app dnsproxy 3* -|Display detailed statistics for each DNS/SDNS server used and those that could be used. - -|*diagnose test app dnsproxy 7* -|Show the responses cached entries. - -|*diagnose test app dnsproxy 6\|4\|5* -| Work with FQDN resolved objects: - -`6` - Display currently resolved FQDN addresses - -`4,5` - Reload/Requery all FQDN addresses - -|*diagnose test app dnsproxy 8* -|Show DNS database of domain(s) configured on the Fortigate itself. - -|*diagnose test app dnsproxy 9* -|Reload DNS database of domain(s) configured on the Fortigate itself. - -|*diagnose test app dnsproxy 10* -|Show active SDNS, i.e. DNS Filter Policy used. Shows Categories as numbers, so not easily readable. - -|*diagnose test app dnsproxy 12* -|Reload configuration of DNS Filter, in case the changes made do not take effect immediately. - -|*diagnose test app dnsproxy 15* -|Show cached responses and their rating of the DNS Filter for each URL/domain scanned. - -|*diagnose test app dnsproxy 16* -|Clear the DNS Filter responses and ratings cache. - -|*diagnose test app dnsproxy 99* -|Restart the dns proxy service. - -|*diagnose test app dnsproxy -1* -|Enable all possible debug, a lot of output. - - -|=== - - -== Administrator GUI, SSH access and API automation requests debug - -[cols=2, options="header"] -|=== -|Command -|Descritption - -| *diagnose debug application httpsd -1* - -|Enable diagnostics for administrator and remote REST API access via `api-user`. 
When debugging API automation, refrain from working in admin GUI as it will produce a lot of unrelated output. - -|*diagnose debug application sshd -1* -|Debug SSH administrator session. - -|*dia debug cli 8* -|Nice trick: this will print CLI commands the Fortigate runs when you do -something in the GUI. This way we can find CLI commands without long search in -Google or documentation. - -|=== - - -== Wireless Controller and managed Access Points debug - -[cols=2, options="header"] -|=== -|Command -|Description - -|*diagnose wireless-controller wlac -c ap-status* -|Show list of all Access Points (APs) this Fortigate is aware of with their BSSID (MAC), SSID, and Status (`accepted`, `rogue`, `suppressed`) - -|*diagnose wireless-controller wlac -c vap* -|Show list of APs with their BSSIDs, broadcasted SSIDs, IDs, and unlike `wlac -c ap-status` above, also shows management IP and port which can be later used for real-time debug. - -|*show wireless-controller wtp-profile* -|Show available Wireless Termination Points (i.e. APs) profiles with their settings. Profiles are applied to individual APs, i.e. a single profile can be applied to multiple APs. - -|*show wireless-controller wtp* -|Show APs known to this Fortigate individually. We can enter any given AP configuration and change settings for this AP only, i.e. `set admin disable`. - - - -|=== - -== FortiTokens - -[cols=2, options="header"] -|=== -|Command -|Description - -|*diagnose fortitoken info* -|Show all existing on the Fortigate Fortitokens, including their status: - -`new` - new token, available to be assigned to a user. - -`active` - normal state, assigned to a user, hardware Fortitoken. - -`provisioning` - Fortitoken Mobile (FTM), assigned to a user, waits for end - user to activate it on his/her mobile phone. - -`provisioned` - FTM, assigned to a user and activated by him/her as well. 
- -`provision timeout` - user hasn't activated the assigned token in the given - time window (3 days default), the token needs to be re-provisioned to a user again. - -`locked` - token was locked either manually by administrator, or because -Fortigate was not able to reach Fortiguard servers. - - -|*exec ping fds1.fortinet.com* - -*exec ping directregistration.fortinet.com* - -*exec ping globalftm.fortinet.net* - -|Verify that Fortigate can resolve and ping the FortiGuard servers -responsible for FortiToken activation/license validation. - -|*show user fortitoken* -|Display all Fortitokens info on license number, activation expiration (in epoch -format). - -|=== - -== Automation stitches debug - -[cols=2, options="header"] -|=== -|Command -|Description - -|*diag test app autod 1* -|Enable automation stitches logging. - -|*diag debug cli 7* -|Show stitches' running log on the CLI. - -|*diag debug enable* -|Enable debug. - -|*diagnose automation test _stitch-name_ _log-if-needed_* -|Run the specified _stitch name_, optionally adding log when using Log based -events. - -|=== - - -== Alerts Sending debug - -[cols=2, options="header"] -|=== -|Command -|Description - -|*dia debug app alertmail -1* -|Enable sessions debug for sending alerts by mail. This will show the configured -settings, like from/to email address, as well as SMTP session log of connecting -to the remote mail server and received/sent SMTP session codes. - - -|=== += Fortigate debug and diagnose commands complete cheat sheet +:homepage: https://yurisk.info +:toc: + +Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ + + +NOTE: To enable debug set by any of the commands below, you need to run +*diagnose debug enable*. This is assumed and not reminded any further. Use *dia +debug info* to know what debug is enabled, and at what level. + +NOTE: To disable and stop immediately any debug, run *dia deb res* which is short for *diagnose debug reset*. 
+ +NOTE: All debug will run for 30 minutes by default, to increase use `diagnose debug duration `, setting to 0 means unlimited by time. Reboot will reset this setting. + + + + + + + +== Security rulebase debug (diagnose debug flow) +.Security rulebase diagnostics with `diagnose debug flow` +[cols=2, options="header"] +|=== +|Command +|Description + +|*diagnose firewall iprope lookup + * +|Policy lookup for any combination of IPs and ports - use to see what policy (if +any) matches traffic between specific IP addresses and ports. E.g. `dia firewall +iprope lookup 10.10.10.1 34567 8.8.8.8 443 6 LAN1` + +|*diagnose debug flow filter* +|Show the active filter for the flow debug + +|*diagnose debug filter clear* +|Remove any filtering of the debug output set + +|*diagnose debug flow filter / dia debug flow filter6 * +| Set filter for security rulebase processing packets output. You can set multiple filters - act as AND, by issuing this command multiple times. Parameters: + +`vd` - id number of the vdom. When entering the vdom with `edit vdom`, this number is shown first. + +`vd-name` - limit debug to specific VDOM by its name. Fortigate translates the name to VDOM ID (`vd`). + +`proto` - Protocol number. + +`addr` - IP address of the packet(s), be it a destination or/and a source. + +`saddr` - IP source address of the packet(s). + +`daddr` - IP destination address of the packet(s). + +`port` - Source or/and destination port in the packet(s). + +`sport` - Source port of the packet(s). + +`dport` - Destination port of the packet(s). + +`negate ` - negate the match, i.e. match if a packet does NOT contain `* +| Same as `diagnose debug filter` but for IPv6 packets. The rest of matching and conditions remain of the same syntax. + +|*diagnose debug flow show function-name enable* +|Show function names responsible for each step in processing. + +|*diagnose debug flow trace start [number]* +|Actually start the debug with optional `number` to limit number of packets traced. 
+ +|*diagnose debug flow trace start6 [number]* +|Start the debug trace for IPv6 traffic, with optional `number` to limit number of packets traced. + + +|=== + + +== Packet Sniffer (diagnose sniffer packet) + +[cols=2, options="header"] +|=== +|Command +|Description + +|*dia sni pa _if-name_/any 'tcpdump syntax filter' _verbosity_ _count_ +_time-format_* +a| Network level packet sniffer like tcpdump/tshark/wireshark, presenting captured +packets on CLI. It gives definite answers whether a packet reached the +Fortigate, whether it was dropped by firewall rules, what was incoming/outgoing +interface, and contents of the packet if needed. + +`verbosity` - level of detail to present, can be one of: + +1 - packets' header, includes IP addresses, ports, and flags if set. + +2 - packets' header and data for IP packet, i.e. same as above plus contents of +the packet. + +3 - same as 2 above plus Ethernet header. + +4 - packets' header (no contents) plus incoming/outgoing interface name for each +packet. This gives the indication whether the packet passed the Fortigate or was +dropped by it. + +5 - same data as `4` plus contents of IP packets. + +6 - packets' header starting from Ethernet plus contents and incoming/outgoing +interface names. + + +`count` - number of packets to capture, integer. If not set, will be capturing +until the SSH/console timeout or until stopped with `CTRL + C`. + +`time-format`: + +* `a` - absolute UTC time +* `l` - local time +* _default_ - relative to the start of sniffing in seconds.milliseconds. + +|_IPv6_ +|For IPv6 traffic, the command is the same, but use the relevant `filter` clauses instead, +e.g. `host 2001:db8::1` or `net 2001:db8::/64` or `icmp6`. + +|*set auto-asic-offload disable* +|You may need to temporarily disable NPU hardware acceleration offloading, to see accelerated packets. You do so inside a specific firewall policy. 
This will cause all packets passing on this policy rule to be processed by CPU and thus make packets visible to the sniffer. This may increase the CPU load. E.g. `config firewall policy`, `edit 1`, `set auto-asic-offload disable`. Do not forget to turn it on again: `set auto-asic-offload enable`. + +|=== + + +== General Health, CPU, and Memory +.General Health, CPU, and Memory loads +[cols=2, options="header"] +|=== +|Command +|Description + +|*get sys stat* +|Get statistics about the Fortigate device: FortiOS used, license status, Operation mode, VDOMs configured, last update dates for AntiVirus, IPS, Application Control databases. + +|*get sys performance stat* +|Show real-time operational statistics: CPU load per CPU, memory usage, average network/session, uptime. + +|*diagnose sys top [_refresh_] [_num-of-processes_] [_iterations_]* +|Print list of running processes updated every _refresh_ seconds (default 5), for +_iterations_ times, sorted in descending order by the CPU load. This `top` command does not display all processes by +default, to show them all, set _num-of-processes_ to high number, for example +100. Press "m" to sort the processes by memory consumption. The displayed table +is in this order: `Process id`, `process state: (R)unning, (S)leep, (Z)ombie, +(D)isk Sleep, < Means higher priority`, `CPU used`, `Memory used`. + +|*dia sys kill _signal-id_ _process-id_* +|Forcefully kill the process with the id of _process-id_, sending it the given _signal-id_ (Linux signals, e.g. 9, 11). + +|*diagnose debug crashlog read* +| Display crash log. Records all daemons crashes and restarts. Some daemons are more critical than others. + +|*diagnose debug crashlog clear* +| Clear the crash log. + +|*dia sys top-mem [_num-processes_] [detail]* +|Show top (default 5) processes by memory usage, optionally set number of +processes to show with _num-processes_, and use `detail` to get verbose output +(a lot). 
+ +|*get hardware memory* +| Show memory statistics: free, cached, swap, shared + +|*dia hardware sysinfo conserve* +|Info whether the conserve mode on or off, total memory available, conserve mode +thresholds `red` and `green` + +|*execute sensor list* +|List current readings of all sensors present on this model of the Fortigate. Larger models (1500 and up) show CPUs voltage, fan speeds, temperature, power supply voltage and more. + +|*dia sys flash list* +|Show contents of the flash memory holding FortiOS firmware images. One of the images +will have `Active` set to `yes`, which means it is the used one. + +|*diagnose hardware deviceinfo disk* +|Show all storage attached to the firewall, including disk type, volume, free +space. + +|=== + + +== Session stateful table + +[cols=2, options="header"] +|=== +|Command +|Description + +|*get system session status / get system session6 status* +|Show current number of sessions passing the Fortigate (IPv4/IPv6). Run inside the VDOM in multi-vdom environment to get number of connections/sessions for this specific VDOM. + +|*get sys session-info statistics* +| Get general statistics on sessions: current number of, global limits, number of clashes (different sessions trying to use the same ports), TCP sessions stats per state + +|*get sys session-info ttl* +|Show the default TTL setting for the connections in the table, default being 3600 seconds. + +|*diagnose sys session filter / diagnose sys session6 filter * +| Set filter to show/manipulate only specific connections in the stateful table. Run without any filter parameters this command displays the current filter applied if any. Parameters: + +`vd` - id number of the vdom. When entering the vdom with edit vdom, this number is shown first. + +`sintf` - source interface. + +`dintf` - destination interface. + +`proto` - protocol, by IANA protocol number. + +`proto-state` - protocol state. + +`src` - source IP. + +`dst` - destination IP. + +`nsrc` - NATed source IP. 
+ +`sport` - source port. + +`nport` - NATed source port. + +`dport` - destination port. + +`policy` - policy id. + +`duration ` - duration. + +`expire ` - expiration time. + +`session-state1 ` - session state, where _x_ is in hex, state bits. + +`negate ` - negate the match, i.e. match if a connection does NOT contain _parameter_. Where parameter is one of the mentioned above. + + +|*diagnose sys session clear / dia sys session6 clear* +|Clear/delete connections from the session table. IMPORTANT: If no session filter is set (see above) before running this command, ALL connections passing the Fortigate will be deleted! Which means they will be disconnected. So use carefully. + +|*diagnose sys session list / dia sys session6 list* +|List connections limited to the filter set if any, or all session table if not. + +|=== + + +== High Availability Clustering debug +.HA Clustering related debug and verification +[cols=2, options="header"] +|=== +|Command +|Description + +|*get sys ha status* +|Show general status and statistics of the clustering - health status, cluster uptime, last cluster state change, reason for selecting the current master, configuration status of each member (`in-sync/out-of-sync`), usage stats (average CPU, memory, session number), status (`up/down`, `duplex/speed`, `packets received/dropped`) for the heartbeat interface(s), HA cluster index (used to enter the secondary member CLI with `exe ha manage`). + +|*diagnose sys ha dump-by group* +| Print detailed info per cluster group, shows actual uptime of each member in `start_time`, as well monitored links failures, status. + + +|*diagnose sys ha checksum cluster* +|Shows configuration checksum for each cluster member separated in individual VDOMs and _global_. In properly synchronized cluster all member checksums should be identical, look at `all` value. + +|*diagnose sys ha checksum recalculate* +|Force cluster member to recalculate checksums, often will solve the out of sync problem. 
No adverse effects. Run on each cluster member. + +|*diagnose sys ha checksum show <__VDOM__/global>* +|Print detailed synchronization status for each configuration part. Use after seeing `out-of-sync` in *diagnose sys ha checksum cluster* to know which part of configuration causes members to be out-of-sync. Need to run on each cluster member and compare, long output - use `diff`/`vimdiff/Notepad++ Compare plugin` to spot the differences. + +|*diagnose sys ha checksum show <__VDOM__/global> * +|Show exact setting inside the settings tree that causes out-of-sync. Use output from *diagnose sys ha checksum show* (see above) for _settings part name_. E.g. if `diagnose sys ha checksum show root` indicates that _firewall.vip_ is out-of-sync, running `diagnose sys ha checksum show root firewall.vip` will give checksums of each VIP in the root domain to compare with those of secondary member. + + +|*diagnose debug app hatalk -1* +|Enable heartbeat communications debug. It shows in real time if members are talking over sync interfaces. +The output will look like `state/chg_time/now=2(work)/1610773657/1617606630`, where the desired `state` is _work_, _chg\_time_ is last cluster state/failover date in epoch, and _now_ is the last time communication occurred on heartbeat interface(s), also in epoch. + +|*diag debug application hasync -1* +|Real time synchronization between members. As only things that changed get synchronized after 1st sync is established, may take time to produce output. See next. + +|*execute ha synchronize stop* + +*diag debug enable* + +*diag debug application hasync -1* + +*execute ha synchronize start* + +|Stop, enable debug, then start again HA synchronization process, will produce lots of output. + + +|*exe ha manage ?* + +*exe ha manage * + +|First show index of all Fortigate cluster members, then enter any secondary member CLI via its index. 
+ + +|*diagnose sys ha reset-uptime* +a| Resets uptime of this member making it less than the other member(s)'s uptime +and so fails over to those member(s). This is a temporary way to force cluster +fail-over to another member from the current one. NOTE: check that the setting +below is present or immediately after the reset and failover, this member will become +active again if it has higher HA priority. + +---- +config sys ha +set ha override disable +---- + + +|=== + +== IPSEC VPN debug + +.IPSEC VPN Debug +[cols=2*,options="header"] +|=== +|Command +|Description + +| *diagnose vpn ike log-filter * +a| Filter VPN debug messages using various parameters: + +* `list` Display the current filter. +* `clear` Delete the current filter. +* `name` Phase1 name to filter by. +* `src-addr4`/`src-addr6` IPv4/IPv6 source address range to filter by. +* `dst-addr4`/`dst-addr6` IPv4/IPv6 destination address range to filter by. +* `src-port` Source port range +* `dst-port` Destination port range +* `vd` Index of virtual domain. -1 matches all. +* `interface` Interface that IKE connection is negotiated over. +* `negate` Negate the specified filter parameter. + + +|*diagnose debug application ike -1* +| Enable IPSec VPN debug, shows phase 1 and phase 2 negotiations (for IKEv1) and everything for IKEv2. +"-1" sets the verbosity level to maximum, any other number will show less output. + +|*diagnose vpn ike gateway flush name * +|Flush (delete) all SAs of the given VPN peer only. Identify the peer by its Phase 1 name. + +|*diagnose vpn tunnel list [name ]* +| Show operational parameters for all or just specific tunnels: Type (dynamic dial up or static), packets/bytes passed, NAT traversal state, Quick Mode selectors/Proxy Ids, mtu, algorithms used, whether NPU-offloaded or not, lifetime, DPD state. + +|*diagnose vpn ike gateway list* +| Show each tunnel details, including user for XAuth dial-up connection. 
+ +|*get vpn ipsec tunnel details* +| Detailed info about the tunnels: Rx/Tx packets/bytes, IP addresses of the peers, algorithms used, detailed selectors info, lifetime, whether NAT Traversal is enabled or not. + +|*get vpn ipsec stats tunnel* +| Short general statistics about tunnels: number, kind, number of selectors, state + +|*get vpn ipsec tunnel summary* +| Short statistics per each tunnel: number of selectors up/down, number of packets Rx/Tx. + + +|*get vpn ipsec stats crypto* +| Crypto stats per component (ASIC/software) of the Fortigate: encryption algorithm, hashing algorithm. Useful to see if unwanted situation of software encryption/decryption occurs. + + + + + +|=== + + +== SSL VPN debug +.SSL VPN client to site/Remote Access debug +[cols=2, options="header"] +|=== +|Command +|Description + +|*get vpn ssl monitor* +|List logged in SSL VPN users with allocated IP address, username, connection duration. + +|*diagnose vpn ssl debug-filter _criteria_* +|Limit debug output according to the _criteria_ below: + +`src-addr4\|src-addr6` _source-ip-of-client_ Source IP of the connecting client + +`vd` _VDOM name_ Limit debug to a specific VDOM, specify VDOM by its string +name, not numerical index. + +`negate` Negate the filter. + +`clear` Clear the filter. + +`list` List active filter. + +|*diagnose debug app sslvpn -1* +|Debug SSL VPN connection. Shows only SSL protocol negotiation and set up. That is - ciphers used, algorithms and such, does NOT show user names, groups, or any client related info. + + +|=== + +== Static Routing Debug + +.Static and Policy Based Routing debug & diagnostics +[cols=2,options="header"] +|=== +|Command +|Description + +|*get router info kernel* + +*get router info6 kernel* + +a|View the kernel routing table (FIB). This is the list of resolved routes actually being used by the FortiOS kernel. + +`tab` Table number, either 254 for unicast or 255 for multicast. + +`vf` Virtual domain index, if no VDOMs are enabled will be 0. 
+ +`type` 0 - unspecific, 1 - unicast, 2 - local , 3 - broadcast, 4 - anycast , 5 - multicast, 6 - blackhole, 7 - unreachable , 8 - prohibited. + +`proto` Type of installation, i.e. where did it come from: 0 - unspecific, 2 - kernel, 11 zebOS module, 14 - FortiOS, 15 - HA, 16 - authentication based, 17 - HA1 + +`prio` priority of the route, lower is better. + +`pref` preferred next hop for this route. + +`Gwy` the address of the gateway this route will use + +`dev` outgoing interface index. If VDOMs enabled, VDOM will be included as well, if alias is set it will be shown. + +|*get router info routing-table all* + +*get router info6 routing* + +|Show RIB - active routing table with installed and actively used routes. It will not show routes with worse priority, multiple routes to the same destination if unused. + +|*get router info routing database* + +*get rotuer info6 routing database* +|Show ALL routes, the Fortigate knows of - including not currently used. + +|*get router info routing-table details * +| Show verbose info about specific route, e.g. `get router info routing-table details 0.0.0.0/0` + +|*diagnose ip rtcache list* +| Show the routes cache table. + +|*get firewall proute* + +*get firewall proute6* +| Get all configured Policy Based Routes on the Fortigate. + + +| *exe traceroute-options [source _ip_ / device _ifname_ / view-settings / use-sdwan yes]* + +*exe traceroute _host_* +| Run traceroute, setting various options if needed. + +|*exe tracert6 [-s _source-ip_] _host_* +| Run IPv6 trace route. + +|*exe ping-options* [data-size _bytes_ / df-bit / interface _if-name_ / interval +_seconds_ / repeat-count _integer_ / reset / view-settings / timeout _seconds_ / +source _ip_ / ttl _integer_ / use-sdwan yes] +| Set various options before running pings. + +|*exe ping _host_* +|Run the IPv4 ping. + +|*exe ping6-options* _see available options above for ipv4_ +|Set various ping6 options before running it. + +|*exe ping6 _host_* +|Run the IPv6 ping. 
+ + +|=== + +== Interfaces + +.Interafces of all kinds diagnostics +[cols=2,options="header"] +|=== +|Command +|Description + +|*get hardware nic * +|Hardware info of the interface: MAC address, state (up/down), duplex (full, half), Rx/Tx packets, drops. + +|*diagnose hardware deviceinfo nic * +|Same as above. + +|*get sys interface transceiver* +|List all SFP/SFP+ transceivers installed with info on: vendor name, serial +number, temperature, voltage consumed, and, most important - Transmit (TX) and +Receive (RX) signal power in dBm. + +|*get hardware npu np6 port-list* +|Show on which interfaces the NPU offloading is enabled. + +|*diagnose npu np6lite port-list* +| Same as above but for NP6-lite. + +|*fnsysctl ifconfig * +|Gives the same info as Linux `ifconfig`. The only way to see the actual MTU of the interface. + +|*fnsysctl cat /proc/net/dev* +|Similar to `netstat` shows errors on the interfaces, drops, packets sent/received. + +|*diagnose ip address list* +|Show IP addresses configured on all the Fortigate interfaces. + +|*diagnose sys gre list* +| Show configured GRE tunnles and their state. + + +|*diag debug application pppoed -1* + +*dia debug application pppoe -1* + +*dia debug applicaiton ppp -1* + +|Enable all ADSL/PPPoE-related debug. + + +|*execute interface pppoe-reconnect* +|Force ADSL re-connection. + +|*diagnose sys waninfo* +|Show WAN interface info: public IP address of the WAN interface, guessed geo +location of this IP, and whetehr this IP address is in FortiGuard black list. 
+ +|=== + + +== LACP Aggregate Interfaces + +[cols=2, options="heade"] +|=== +|Command +|Description + +|*diagnose netlink aggregate list* +|List all aggregate interfaces in the current VDOM, shows names, state +(up/down), LACP mode and algorithm used + +|*diagnose netlink aggregate name * +|Shows details of the given aggregate interface under the entry `actor state` +(preferred state is *ASAIEE*): LACP Mode (Active/Passive), +LACP Speed mode (Slow [default]/Fast), Synced or Out of Sync, minimal physical +interfaces to be up for the whole aggregate to be up, Aggregator ID (has to be +identical on both sides), own and peer's MAC addresses, link failure count. + +|*diagnose sniffer packet any "ether proto 0x8809" 6 0 a* +|Sniffer to see all LACP traffic on this Fortigate: `0x8809` LACP Ethernet +protocol designation, `6` - maximum verbosity, `0` - do not limit number of captured packets, `a` - show +time in UTC format, rather than delta from the 1st packet seen. LACP packets +should arrive from the peer's MAC address on the aggregate logical interface +name, and should leave from the physical interface(s) destined to the peer's MAC +address. This capture will also show LACP actor state in arriving/leaving +packets - for working LACP aggregate it should be `ASAIEE` in both directions. + +|*diagnose netlink port src-ip dst-ip * +|Show what physical port a packet given by the filter will exit. Available +filter keywords: + +`src-ip` - Source IP address. + +`dst-ip` - Destination IP address. + +`src-mac` - Source MAC address. + +`dst-mac` - Destination MAC. + +`proto` - Protocol number. + +`src-port/dst-port` - Source/Destination port. + +`vlan-id` - VLAN number. + + +|=== + +== DHCP server, relay, client + +.DHCP server, relay, client +[cols=2, options="header"] +|=== +|Command +|Description + + +|*show system dhcp/dhcp6 server* +|Show DHCP server configuration, including DHCP address pools. 
+ +|*execute dhcp/dhcp6 lease-list [_interface name_]* +|Show real-time list of allocated by Fortigate addresses via DHCP. It will show IP address of each client, its MAC + address, device type/name (Android, iOS, Windows, etc.), the lease time and expiration. + +|*execute dhcp/dhcp6 lease-clear all/_start-end-IP-address-range_* +|Clear DHCP allocations on the Fortigate. This will NOT cause clients that already have IP addresses to release them, but will +just clear Fortigate DHCP database and will start over allocating again. You can either clear _all_ IP addresses in the database, or only specific IPs. + + +|*diagnose debug application dhcps/dhcp6s -1* +|Enable real-time debug of DHCP server activity. This will show DHCP messages sent/received, DHCP options sent in each reply, details of requesting hosts. + +|*diagnose debug application dhcprelay/dhcp6r -1* +|Enable real-time debug of the DHCP relay agent, `dhcp6r` is for DHCPv6. + +|*diagnose debug application dhcpc/dhcp6c -1* +|Enable real-time debug when Fortigate is itself a DHCP Client. + +|*dia sni pa any 'port 67 or port 68' 6* and for DHCPv6 +*dia sni pa any 'port 546 or port 547' 6* +|Run packet sniffer for DHCP or DHCPv6 packets reaching the Fortigate. + +|=== + +== NTP debug + +.NTP daemon diagnostics and debug +[cols=2,options="header"] +|=== +|Command +|Description + +|*diag sys ntp status* +|Current status of NTP time synchronization. Shows all NTP peers and their detailed info: reachability, stratum, clock offset, delay, NTP version. + +|*execute date* +| Show current date as seen by Fortigate. + +|*exec time* +| Show current time as seen by Fortigate. + + +|=== + + +== SNMP daemon debug + +.SNMP daemon debug +[cols=2, options="header"] +|=== +|Command +|Description + +|*diagnose debug application snmpd -1* +|ENable SNMP daemon messages debug. 
+ +|*show system snmp community* +|Show SNMP community and allowed hosts configuration + + +|=== + + +== BGP + +.BGP debug +[cols=2*,options="header"] +|=== +|Command +|Description + + +|*diagnose ip router bgp level info* + + *diagnose ip router bgp all enable* + +| Set BGP debug level to INFO (the default is ERROR which gives very little info) and enable the BGP debug. + +|*exec router clear bgp all* +| Disconnect all BGP peering sessions and clear BGP routes in BGP table and RIB. Use with care, involves downtime. + + +|*get router info bgp summary* +| State of BGP peering sessions with peers, one per line. + +|*get router info bgp network * +| Detailed info about from the BGP process table. Output includes all learned via BGP routes, even those not currently installed in RIB. E.g. `get router info bgp network 0.0.0.0/0`. The is optional, if absent shows the whole BGP table. + +|*get router info routing-table bgp* +| Show BGP routes actually installed in the RIB. + +|*get router info bgp neighbors* +| Detailed info on BGP peers: BGP version, state, supported capabilities, how many hops away, reason for the last reset. + +|*get router info bgp neighbors advertised-routes* +| Show all routes advertised by us to the specific neighbor. + +|*get router info bgp neighbors routes* +| Show all routes learned from this BGP peer. It shows routes AFTER filtering on local peer, if any. + +|*get router info bgp neighbors received-routes* +| Show all received routes from the neighbor BEFORE any local filtering is being applied. It only works if `set soft-reconfiguration enable` is set for this peer under `router bgp` configuration. + +|*diagnose sys tcpsock \| grep 179* +| List all incoming/outgoing TCP port 179 sessions for BGP. 
+ + + + + + +|=== + + +== Admin sessions +.Admin sessions management +[cols=2,options="header"] +|=== +|Command +|Description + +|*get sys info admin status* +|List logged in administrators showing `INDEX` value for each session + +|*execute disconnect-admin-session * +|Disconnect logged in administrator by the session INDEX. + + +|=== + + + +== Authentication +.Authentication in all kinds LDAP, Radius, FSSO +[cols=2, options="header"] +|=== +|Command +|Description + + +|*diagnose firewall auth list* +|List all authenticated and known by firewall usernames. It does not matter what +the source is - LDAP/SSO/etc. Also shows client's IP, idle time, duration. + +|*diagnose debug app fnbamd -1* +|Enable debug for authentication daemon, valid for ANY remote authentication - RADIUS, LDAP, TACACS+. + + +|*diagnose test authserver ldap * +| Test user authenticaiton on Fortigate CLI against Active Directory via LDAP. E.g. test user `Tara Addison` against LDAP server configured in Fortigate as `LDAP-full-tree` having password `secret`: `diagnose test authserver ldap LDAP-full-tree "Tara Addison" secret`. + + +|*diagnose debug authd fsso list* +|List logged in users the Fortigate learned via FSSO + +|*diagnose debug authd fsso server-status* +| Show status of connections with FSSO servers. Note: it shows both, local and remote FSSO Agent(s). The local Agent is only relevant when using Direct DC Polling, without installing FSSO Agent on AD DC, so it is ok for it to be `waiting for retry ... 127.0.0.1` if you don't use it. The working state should be `connected`. + + + +|=== + + + +== Fortianalyzer logging debug +.Verify and debug sending logs from Fortigate to Fortianalyzer +[cols=2, options="header"] +|=== +|Command +|Description + +|*get log fortianalyzer setting* +|Show active Fortianalyzer-related settings on Fortigate. + +|*config log fortianalyzer* +|Complete Fortianalyzer configuration on CLI, as GUI configuring is usually not enough for it to work. 
+ +|*get log fortianalyzer filter* +|Verify if any log sending filtering is being done, look for values of `filter` and `filter-type`. If there are any filters, it means not all logs are sent to FAZ. + +|*exec log fortianalyzer test-connectivity* +|Verify that Fortigate communicates with Fortianalyzer. Look at the statistics in `Log: Tx & Rx` line - it should report increasing numbers, and make sure the status is `Registration: registered`. + +|*exec telnet 514* +|Test connectivity to port 514 on the Fortianalyzer. If pings are allowed between them, you can also try pinging. + +|*diagnose sniffer packet any 'port 514' 4* +|Run sniffer on Fortigate to see if devices exchange packets on port 514. Click in GUI on `Test Connectivity` to initiate connection. + +|=== + + + + + +== SD-WAN verification and debug +.SD-WAN verification and debug +[cols=2, options="header"] +|=== +|Command +|Description + +|*diagnose sys sdwan health-check* (6.4 and newer) + +*diagnose sys virtual-link health-check* (5.6 up to 6.4) + +| Show state of all the health checks/probes. Successful probes are marked `alive`, failed probes are marked `dead`. Also displays `packet-loss, latency, jitter` for each probe. + +|*diagnose sys sdwan member* + +*diagnose sys virtual-wan-link member* (5.6 up to 6.4) + +|Show list of SD-WAN zone/interface members. Also gives each interface gateway IP (if was set, 0.0.0.0 if not), `priority`, and `weight` both by default equal `0`, used with some SLA Types. + +|*diagnose sys sdwan service* + +*diagnose sys virtual-wan-link service* (5.6 up to 6.4) + +|List configured SD-WAN rules (aka `services`), except the Implied one which is always present and cannot be disabled, but is editable for the default load balancing method used. Shows member interfaces and their status `alive` or `dead` for this rule. + + + +|*diag sys sdwan intf-sla-log * + +*diag sys virtual-wan-link intf-sla-log * (5.6 up to 6.4) + +|Print log of usage for the last 10 minutes. 
The statistics shown in bps: `inbandwidth`, `outbandwidth`, `bibandwidth`, `tx bytes`, `rx bytes`. + + +|*diag netlink interface clear * + +|Clear traffic statistics on the interface, this resets statistics of the SD-WAN traffic passing over this interface. Needed, if, for example, you changed SD-WAN rules, but not sure if it's already active. E.g. `diag netlink interface clear port1`. + + +|*diagnose firewall proute list* +|List ALL Policy Based Routes (PBR). SD-WAN in Fortigate, after all, is implemented as a variation of PBR. This command lists manual (classic) PBR rules, along with SD-WAN created via SD-WAN rules. *Important*: Manually created PBR rules (via `Network -> Policy Routes` or on CLI `config route policy` always have preference over the SD-WAN rules, and this command will show them higher up. + + + + + +|=== + + +== Virtual Fortigate License Status +.Verify status of VM Fortigate License +[cols=2, options='header"] +|=== +|Command +|Description + +|*get sys status \| grep -i lic* +|Get status of the license (for VM only). The corect status is `Valid`. + +|*diagnose debug vm-print-license* +| Show detailed info on VM Fortigate license status: allowed CPUs and memory, date of license activation, license expiration date (if set), serial number. + +|*diagnose hardware sysinfo vm full* +|Show license data as seen by FortiGuard: status (should be `valid=1`), last time it was checked (`recv`), answer code, should be `code: 200`, `code: 401` is for duplicate license found, `code: 502` is for VM cannot connect to FortiGuard, and `code: 400` is for invalid license. + + +|=== + + + +== SIP ALG and helper +.SIP proxy or helper debug +[cols=2, options="header"] +|=== +|Command +|Description + +|*config sys settings* + +*get \| grep alg* + +|Show the current SIP inspection mode. If the output is `default-voip-alg-mode: proxy-based` then the full Layer 7 +proxy SIP inspection is on (_ALG_ inspection). 
If the output is `default-voip-alg-mode: kernel-helper-based` then the Layer 4 _helper_ inspection is on. In both modes Fortigate does IP address translation inside SIP packets (if needed), and opens dynamically high ports for incoming media/voice streams ports. In _ALG_ mode, the Fortigate additionally does RFC compliance verification and more. So, the _ALG_ mode is more prone to cause issues but also provides more security. + +|*show system session-helper \| grep sip -f* +|If using SIP _helper_ and not _ALG_, make sure there is an entry for SIP in the helpers list, usually on port 5060, but may be custom as well. + + +|*diagnose debug application sip -1* +|Display SIP debug in real-time (lots of output). It shows IP replacement inside SIP packets if NAT involved, all SIP communication requests (`REGISTER`,`INVITE` etc.), and reply codes. + + +|=== + + +== DNS server and proxy debug +[cols=2, options="header"] +|=== +|Command +|Description + +|*get system dns* +|Show configured DNS servers, DNS cache limit and TTL, source IP used, timeout and retry, whther NDS over TLS is enabled. + +|*diagnose test app dnsproxy* +|Will present all debug options for dnsproxy. Belowi are some of more useful of +them. + +|*diagnose test app dnsproxy 2* +|Show the following statatistics: number of DNS process workers (if multiple), DNS latency against each server used, Secure DNS IP and latency - DNS server used for DNS filtering and Botnet detections, DNS cache usage, UDP vs TCP requests statistics, name of DNS Filter applied if any. + +|*diagnose test app dnsproxy 1* +|Clear DNS responses cache + +|*diagnose test app dnsproxy 3* +|Display detailed statistics for each DNS/SDNS server used and those that could be used. + +|*diagnose test app dnsproxy 7* +|Show the responses cached entries. 
+ +|*diagnose test app dnsproxy 6\|4\|5* +| Work with FQDN resolved objects: + +`6` - Display currently resolved FQDN addresses + +`4,5` - Reload/Requery all FQDN addresses + +|*diagnose test app dnsproxy 8* +|Show DNS database of domain(s) configured on the Fortigate itself. + +|*diagnose test app dnsproxy 9* +|Reload DNS database of domain(s) configured on the Fortigate itself. + +|*diagnose test app dnsproxy 10* +|Show active SDNS, i.e. DNS Filter Policy used. Shows Categories as numbers, so not easily readable. + +|*diagnose test app dnsproxy 12* +|Reload configuration of DNS Filter, in case the changes made do not take effect immediately. + +|*diagnose test app dnsproxy 15* +|Show cached responses and their rating of the DNS Filter for each URL/domain scanned. + +|*diagnose test app dnsproxy 16* +|Clear the DNS Filter responses and ratings cache. + +|*diagnose test app dnsproxy 99* +|Restart the dns proxy service. + +|*diagnose test app dnsproxy -1* +|Enable all possible debug, a lot of output. + + +|=== + + +== Administrator GUI, SSH access and API automation requests debug + +[cols=2, options="header"] +|=== +|Command +|Descritption + +| *diagnose debug application httpsd -1* + +|Enable diagnostics for administrator and remote REST API access via `api-user`. When debugging API automation, refrain from working in admin GUI as it will produce a lot of unrelated output. + +|*diagnose debug application sshd -1* +|Debug SSH administrator session. + +|*dia debug cli 8* +|Nice trick: this will print CLI commands the Fortigate runs when you do +something in the GUI. This way we can find CLI commands without long search in +Google or documentation. 
+ +|=== + + +== Wireless Controller and managed Access Points debug + +[cols=2, options="header"] +|=== +|Command +|Description + +|*diagnose wireless-controller wlac -c ap-status* +|Show list of all Access Points (APs) this Fortigate is aware of with their BSSID (MAC), SSID, and Status (`accepted`, `rogue`, `suppressed`) + +|*diagnose wireless-controller wlac -c vap* +|Show list of APs with their BSSIDs, broadcasted SSIDs, IDs, and unlike `wlac -c ap-status` above, also shows management IP and port which can be later used for real-time debug. + +|*show wireless-controller wtp-profile* +|Show available Wireless Termination Points (i.e. APs) profiles with their settings. Profiles are applied to individual APs, i.e. a single profile can be applied to multiple APs. + +|*show wireless-controller wtp* +|Show APs known to this Fortigate individually. We can enter any given AP configuration and change settings for this AP only, i.e. `set admin disable`. + + + +|=== + +== FortiTokens + +[cols=2, options="header"] +|=== +|Command +|Description + +|*diagnose fortitoken info* +|Show all existing on the Fortigate Fortitokens, including their status: + +`new` - new token, available to be assigned to a user. + +`active` - normal state, assigned to a user, hardware Fortitoken. + +`provisioning` - Fortitoken Mobile (FTM), assigned to a user, waits for end + user to activate it on his/her mobile phone. + +`provisioned` - FTM, assigned to a user and activated by him/her as well. + +`provision timeout` - user hasn't activated the assigned token in the given + time window (3 days default), the token needs to be re-provisioned to a user again. + +`locked` - token was locked either manually by administrator, or because +Fortigate was not able to reach Fortiguard servers. 
+ + +|*exec ping fds1.fortinet.com* + +*exec ping directregistration.fortinet.com* + +*exec ping globalftm.fortinet.net* + +|Verify that Fortigate can resolve and ping the FortiGuard servers +responsible for FortiToken activation/license validation. + +|*show user fortitoken* +|Display all Fortitokens info on license number, activation expiration (in epoch +format). + +|=== + +== Automation stitches debug + +[cols=2, options="header"] +|=== +|Command +|Description + +|*diag test app autod 1* +|Enable automation stitches logging. + +|*diag debug cli 7* +|Show stitches' running log on the CLI. + +|*diag debug enable* +|Enable debug. + +|*diagnose automation test _stitch-name_ _log-if-needed_* +|Run the specified _stitch name_, optionally adding log when using Log based +events. + +|=== + + +== Alerts Sending debug + +[cols=2, options="header"] +|=== +|Command +|Description + +|*dia debug app alertmail -1* +|Enable sessions debug for sending alerts by mail. This will show the configured +settings, like from/to email address, as well as SMTP session log of connecting +to the remote mail server and received/sent SMTP session codes. + + +|=== diff --git a/cheat-sheets/FreeBSD-cheat-sheet.adoc b/cheat-sheets/FreeBSD-cheat-sheet.adoc index 88d771b..9977ad7 100644 --- a/cheat-sheets/FreeBSD-cheat-sheet.adoc +++ b/cheat-sheets/FreeBSD-cheat-sheet.adoc 
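Review bot: two table attribute lists in the Fortigate debug cheat sheet hunk are malformed and will not render a header row in AsciiDoc: the LACP Aggregate Interfaces table uses `[cols=2, options="heade"]` and the Virtual Fortigate License Status table uses `[cols=2, options='header"]` (mismatched quotes); both should read `[cols=2, options="header"]`. Two copy-pasteable commands also carry typos: `*get rotuer info6 routing database*` in the Static Routing table should be `get router info6 routing database`, and `*dia debug applicaiton ppp -1*` in the Interfaces table should be `dia debug application ppp -1`. Smaller prose typos worth fixing in the same pass: `Interafces`, `tunnles`, `whetehr`, `ENable`, `authenticaiton`, `corect`, `whther NDS over TLS` (should be `whether DNS over TLS`), `Belowi`, `statatistics`, `Descritption`. In the Authentication table, the `diagnose test authserver ldap LDAP-full-tree "Tara Addison" secret` example passes the user's password in cleartext on the command line; a short note that it will be visible in the terminal session and in any session logging would help readers.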
@@ -1,63 +1,63 @@ -= FreeBSD cheat sheet -:homepage: https://yurisk.info - -Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ - - -== Working with disks and partitions - -[cols=2, options="header"] -|=== -|Command -|Description - - -|*camcontrol devlist* -|Show list of attached storage devices - -|*geom list* -|Display detailed information for the given GEOM class `disk` - physical disk, `label` - device labels, `part` - partitions. Other classes are available, but not mentioned for irrelevance here. - -|*mount* -|Show mounted in fact partitions and their properties (journaled or not, type). - -|*glabel list* -|Show labels, same as `geom label list`. - -|*gpart show* -|Show partitions, similar to `geom part list` minus labels information, so is shorter. Add `-r` to show GPT partition types, see for the complete list at https://en.wikipedia.org/wiki/GUID_Partition_Table . - - -|*gpart recover * -|Recover partition information, e.g. when increasing the size of already partitioned disk in Virtual Machine, the last sector holding the partition info is lost, so to put the needed info in the last sector of now increased disk: `gpart recover da0`. - -|*swapoff * -|Turn off temporarily the swap file, e.g. to move its partition to the end of the increased virtual disk: `swapoff /dev/da0p3` - -|*gpart delete -i * -|Delete partition number `n` (as shown by `gpart show`) on the device `device name`. E.g. If the swap partition was number 3 on disk /dev/da0, to delete it: `gpart delete -i 3 /dev/da0`. - -|*gpart create -s * -|Set type of partition to be added on device `device name`. E.g. to set up device _da1_ for GPT partitioning: `gpart create -s gpt da1`. - -|*sysctl kern.geom.debugflags=16* -|Resizing a live partition may require turning off this protection. - -|*gpart resize -i [ -s ] [-a ] * -|Resize existing partition number `n` to `new size`, optionally setting alighnment, on device `device name`. 
If `-s` size is not given, use up all available _free_ space. E.g. to increase the _2nd_ partition on device _da0_ to 47 Gigabyte with 4k alignment: `gpart resize -i 2 -s 47G -a 4k da0`. - -|*growfs * -|After resizing a partition, grow the existing file system on it to encompass the new free space. E.g.`growfs /dev/da0p2`. - -|*gpart add -t [-a ] [-l
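Review bot: this hunk replaces all 63 lines of FreeBSD-cheat-sheet.adoc with 63 lines, but only the removed side is visible here; the removed `gpart resize` row carries the typo `alighnment` (`optionally setting alighnment, on device`), so please confirm the added side corrects it rather than carrying it over unchanged.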