From 10717cf3950c04fe02993c93fc86be811c7210d6 Mon Sep 17 00:00:00 2001 From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:11:23 +0000 Subject: [PATCH 01/13] ongoing additions, changes, and fixes --- .../Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index f8ac591..5f73d4c 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -111,7 +111,7 @@ processes to show with _num-processes_, and use `detail` to get verbose output | Show memory statistics: free, cached, swap, shared |*execute sensor list* -|List current readings of all sensors present on this model of the Fortigate. ALrger models (1500 and up) show CPUs voltage, fan speeds, temperature, power supply voltage and more. +|List current readings of all sensors present on this model of the Fortigate. Larger models (1500 and up) show CPUs voltage, fan speeds, temperature, power supply voltage and more. |=== @@ -359,6 +359,13 @@ a|View the kernel routing table (FIB). This is the list of resolved routes actua | Get all configured Policy Based Routes on the Fortigate. +| *exe traceroute-options [source _ip_ / device _ifname_ / view-settings / use-sdwan yes]* + +*exe traceroute _host_ +| Run traceroute, setting various options if needed. + +|*exe tracert6 [-s _source-ip_] _host_* +| Run IPv6 trace route. |=== From b2bc47903c564450959770ae9abc7013a5e9b121 Mon Sep 17 00:00:00 2001 From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:16:07 +0000 Subject: [PATCH 02/13] ongoing additions, changes, and fixes --- .../Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 5f73d4c..a90460c 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -367,6 +367,14 @@ a|View the kernel routing table (FIB). This is the list of resolved routes actua |*exe tracert6 [-s _source-ip_] _host_* | Run IPv6 trace route. +|*exe ping-options data-size _bytes_ / df-bit / interface _if-name_ / interval +_seconds_ / repeat-count _integer_ / reset / view-settings / timeout _seconds_ / +source _ip_ / ttl _integer_ / use-sdwan yes* +| Set various options before running pings. + +|*exe ping _host_* +|Run the ping. + |=== From d3a09c6b4bce459cfb699a6c6f9cf73cb8bb6057 Mon Sep 17 00:00:00 2001 From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:16:56 +0000 Subject: [PATCH 03/13] ongoing additions, changes, and fixes --- cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index a90460c..0ff0648 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -361,7 +361,7 @@ a|View the kernel routing table (FIB). This is the list of resolved routes actua | *exe traceroute-options [source _ip_ / device _ifname_ / view-settings / use-sdwan yes]* -*exe traceroute _host_ +*exe traceroute _host_* | Run traceroute, setting various options if needed. |*exe tracert6 [-s _source-ip_] _host_* From a7f95e5b21696c88fc1bcea3db880f540ebf7528 Mon Sep 17 00:00:00 2001 
From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:18:07 +0000 Subject: [PATCH 04/13] ongoing additions, changes, and fixes --- .../Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 0ff0648..da91610 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -367,9 +367,9 @@ a|View the kernel routing table (FIB). This is the list of resolved routes actua |*exe tracert6 [-s _source-ip_] _host_* | Run IPv6 trace route. -|*exe ping-options data-size _bytes_ / df-bit / interface _if-name_ / interval +|*exe ping-options [data-size _bytes_ / df-bit / interface _if-name_ / interval _seconds_ / repeat-count _integer_ / reset / view-settings / timeout _seconds_ / -source _ip_ / ttl _integer_ / use-sdwan yes* +source _ip_ / ttl _integer_ / use-sdwan yes]* | Set various options before running pings. |*exe ping _host_* From e8a4502d1d37a6bd60049046d3db4eaa0eaf761a Mon Sep 17 00:00:00 2001 From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:20:54 +0000 Subject: [PATCH 05/13] ongoing additions, changes, and fixes --- ...ortigate-debug-diagnose-complete-cheat-sheet.adoc | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index da91610..7a59a62 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc 
@@ -367,13 +367,19 @@ a|View the kernel routing table (FIB). This is the list of resolved routes actua |*exe tracert6 [-s _source-ip_] _host_* | Run IPv6 trace route. -|*exe ping-options [data-size _bytes_ / df-bit / interface _if-name_ / interval +|*exe ping-options* [data-size _bytes_ / df-bit / interface _if-name_ / interval _seconds_ / repeat-count _integer_ / reset / view-settings / timeout _seconds_ / -source _ip_ / ttl _integer_ / use-sdwan yes]* +source _ip_ / ttl _integer_ / use-sdwan yes] | Set various options before running pings. |*exe ping _host_* -|Run the ping. +|Run the IPv4 ping. + +|*exe ping6-options* _see available options above for ipv4_ +|Set various ping6 options before running it. + +|*exe ping6 _host_* +|Run the IPv6 ping. |=== From 56b8b47171483496b4ab00abcf061480deb78d20 Mon Sep 17 00:00:00 2001 From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:27:33 +0000 Subject: [PATCH 06/13] ongoing additions, changes, and fixes --- .../Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 7a59a62..3e6d0d8 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -328,6 +328,9 @@ name, not numerical index. |Description |*get router info kernel* + +*get router info6 kernel* + a|View the kernel routing table (FIB). This is the list of resolved routes actually being used by the FortiOS kernel. `tab` Table number, either 254 for unicast or 255 for multicast. 
@@ -347,15 +350,22 @@ a|View the kernel routing table (FIB). This is the list of resolved routes actua `dev` outgoing interface index. If VDOMs enabled, VDOM will be included as well, if alias is set it will be shown. |*get router info routing-table all* + +*get router info6 routing* + |Show RIB - active routing table with installed and actively used routes. It will not show routes with worse priority, multiple routes to the same destination if unused. |*get router info routing database* + +*get rotuer info6 routing database* |Show ALL routes, the Fortigate knows of - including not currently used. |*get router info routing-table details * | Show verbose info about specific route, e.g. `get router info routing-table details 0.0.0.0/0` |*get firewall proute* + +*get firewall proute6* | Get all configured Policy Based Routes on the Fortigate. From 3387fafbd44693364a7405450eecdcd1f2387213 Mon Sep 17 00:00:00 2001 From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:30:44 +0000 Subject: [PATCH 07/13] ongoing additions, changes, and fixes --- .../Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 3e6d0d8..76ea37e 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -363,6 +363,9 @@ a|View the kernel routing table (FIB). This is the list of resolved routes actua |*get router info routing-table details * | Show verbose info about specific route, e.g. `get router info routing-table details 0.0.0.0/0` +|*diagnose ip rtcache list* +| Show the routes cache table. + |*get firewall proute* *get firewall proute6* From bd25b6702e3f1abcaf29f42b1c9ea743f78d9935 Mon Sep 17 00:00:00 2001 
From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:42:17 +0000 Subject: [PATCH 08/13] ongoing additions, changes, and fixes --- ...e-debug-diagnose-complete-cheat-sheet.adoc | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 76ea37e..615fbc9 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -72,6 +72,27 @@ iprope lookup 10.10.10.1 34567 8.8.8.8 443 6 LAN1` |=== + +== Packet Sniffer (diagnose sniffer packet) + +[cols=2, options="header"] +|=== +|Command +|Description + +|*dia sni pa _if-name_/any 'tcpdump syntax filter' _verbosity_ _count_ +_time-format_* +|Network level packet sniffer like tcpdump/tshark/wireshark, presenting captured +packets on CLI. It gives definite answers whether a packet reached the +Fortigate, whether it was dropped by firewall rules, what was incoming/outgoing +interface, and contents of the packet if needed. + + + + +|=== + + == General Health, CPU, and Memory .General Health, CPU, and Memory loads [cols=2, options="header"] From 3c7af804df47f0a3499d3e293bb5e2c3c0ed891c Mon Sep 17 00:00:00 2001 From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:47:13 +0000 Subject: [PATCH 09/13] ongoing additions, changes, and fixes --- .../Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 615fbc9..886914b 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc 
@@ -82,12 +82,16 @@ iprope lookup 10.10.10.1 34567 8.8.8.8 443 6 LAN1` |*dia sni pa _if-name_/any 'tcpdump syntax filter' _verbosity_ _count_ _time-format_* -|Network level packet sniffer like tcpdump/tshark/wireshark, presenting captured +a| Network level packet sniffer like tcpdump/tshark/wireshark, presenting captured packets on CLI. It gives definite answers whether a packet reached the Fortigate, whether it was dropped by firewall rules, what was incoming/outgoing interface, and contents of the packet if needed. +`time-format`: +* `a` - absolute UTC time +* `l` - local time +* _default_ - relative to the start of sniffing in seconds.milliseconds. |=== From 460d759929c4784dfa6c56114179af110131d509 Mon Sep 17 00:00:00 2001 From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:49:14 +0000 Subject: [PATCH 10/13] ongoing additions, changes, and fixes --- cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 886914b..59c6a8e 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -87,6 +87,8 @@ packets on CLI. It gives definite answers whether a packet reached the Fortigate, whether it was dropped by firewall rules, what was incoming/outgoing interface, and contents of the packet if needed. +`count` - number of packets to capture, integer. If not set, will be capturing +until the SSH/console timeout or until stopped with `CTRL + C`. `time-format`: * `a` - absolute UTC time From 57a831ceea1652ad70f1f81dbea10f1e0f6bd318 Mon Sep 17 00:00:00 2001 From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 13:49:41 +0000 Subject: [PATCH 11/13] ongoing additions, changes, and fixes --- cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 1 + 1 file changed, 1 insertion(+) 
diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 59c6a8e..5b3ac92 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -89,6 +89,7 @@ interface, and contents of the packet if needed. `count` - number of packets to capture, integer. If not set, will be capturing until the SSH/console timeout or until stopped with `CTRL + C`. + `time-format`: * `a` - absolute UTC time From 35da397d706d6a0161d65a9a87d905d55f749248 Mon Sep 17 00:00:00 2001 From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 14:58:05 +0000 Subject: [PATCH 12/13] ongoing additions, changes, and fixes --- ...Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 5b3ac92..9da21d3 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -257,6 +257,17 @@ The output will look like `state/chg_time/now=2(work)/1610773657/1617606630`, wh |First show index of all Fortigate cluster members, then enter any secondary member CLI via its index. +|*diagnose sys ha reset-uptime* +|Resets uptime of this member making it less than the other member(s)'s uptime +and so fails over to those member(s). This is a temporary way to force cluster +fail-over to another member from the current one. NOTE: check that the setting +below is present or immediately after the reset and failover, this member will become +active again if it has higher HA priority. + +---- +config sys ha +set ha override disable +---- |=== From e296daf2303ca8266d9e33264c26e664ce8521a6 Mon Sep 17 00:00:00 2001 
From: Yuri Slobodyanyuk Date: Thu, 24 Nov 2022 14:59:03 +0000 Subject: [PATCH 13/13] ongoing additions, changes, and fixes --- cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc index 9da21d3..eba4d4c 100644 --- a/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc +++ b/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc @@ -258,7 +258,7 @@ The output will look like `state/chg_time/now=2(work)/1610773657/1617606630`, wh |*diagnose sys ha reset-uptime* -|Resets uptime of this member making it less than the other member(s)'s uptime +a| Resets uptime of this member making it less than the other member(s)'s uptime and so fails over to those member(s). This is a temporary way to force cluster fail-over to another member from the current one. NOTE: check that the setting below is present or immediately after the reset and failover, this member will become
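Review bot: in PATCH 01/13, second hunk (`@@ -359,6 +359,13`), the added line `*exe traceroute _host_` has no closing `*`, so the bold span is never terminated in the command cell. Close it as `*exe traceroute _host_*`. PATCH 03/13 makes exactly this one-character fix, so the two could be squashed to avoid a broken intermediate revision.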
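Review bot: in PATCH 05/13 (`@@ -367,13 +367,19`), the bold span now ends after `*exe ping-options*` and the bracketed option list sits outside it, while the `*exe traceroute-options [source _ip_ / device _ifname_ / view-settings / use-sdwan yes]*` row from PATCH 01/13 keeps its options inside the bold. Pick one convention for both rows. The same `ping-options` row is rewritten in 02/13, 04/13 and 05/13, so these three would read better as a single commit.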
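Review bot: in PATCH 06/13, hunk `@@ -347,15 +350,22`, the added `*get rotuer info6 routing database*` misspells `router`, so the command fails if copied from the sheet; it should read `*get router info6 routing database*`. In the same hunk the IPv6 entry is `get router info6 routing` while the IPv4 entry it is paired with is `get router info routing-table all`; please confirm the IPv6 form is the one intended.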
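Review bot: in PATCH 08/13 (`@@ -72,6 +72,27`), the new `== Packet Sniffer (diagnose sniffer packet)` table has no block title, whereas the section directly below it in the context lines carries one (`.General Health, CPU, and Memory loads`). Add a matching `.Packet Sniffer` style title above `[cols=2, options="header"]`, and drop the run of empty `+` lines before the closing `|===`.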
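Review bot: in PATCH 10/13 (`@@ -87,6 +87,8`), `count` is now explained and 09/13 explains `time-format`, but the `_verbosity_` argument from the syntax line `*dia sni pa _if-name_/any 'tcpdump syntax filter' _verbosity_ _count_ _time-format_*` is still undocumented. Add a `verbosity` entry in the same style. Since the description says the sniffer can show "contents of the packet if needed", the entry should say which levels print payload, because that output tends to be pasted into tickets and chat.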
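Review bot: in PATCH 12/13 (`@@ -257,6 +257,17`), the `----` listing block is added to a cell opened with a plain `|`, which does not process block content, so the delimiters render as literal text; the cell needs the `a|` style. PATCH 13/13 makes that change, so squash the two. The snippet also stops after the `set` line with no closing `end`, so pasted as-is the change is not committed. Please check `set ha override disable` against the CLI as well, since under `config system ha` the option is named `override`. The NOTE sentence is hard to parse; suggested wording: "NOTE: verify that the setting below is present, otherwise this member becomes active again right after the failover if it has the higher HA priority."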