diff --git a/Fortianalyzer-SQL-tables-reference-cheat-sheet.adoc b/Fortianalyzer-SQL-tables-reference-cheat-sheet.adoc new file mode 100755 index 0000000..ca2ad6a --- /dev/null +++ b/Fortianalyzer-SQL-tables-reference-cheat-sheet.adoc 
@@ -0,0 +1,186 @@ += Fortigate debug and diagnose commands complete cheat sheet +Yuri Slobodyanyuk +v1.0, 2021-02-02 +:homepage: https://yurisk.info + +Author: Yuri Slobodyanyuk, admin@yurisk.info + +Reference: https://docs.fortinet.com/document/fortigate/6.4.0/fortios-log-message-reference/384955/traffic + + +.Table columns for Traffic Log +[cols=2, options="header"] +|=== +|Column Name +|Description + +|id +|Numerical, 28 number, differ per row e.g. 1612273830 epoch time, the rest unclear + +|bid +|Numerical, 9 numbers, same for the table for all rows + +|dvid +| Numerical, 4 numbers, + +|itime +|Numerical, epoch time, e.g. 1612273830, stays the same for all rows (?) + +|dtime +|Numerical, epoch, e.g. 1612281024, changes but not with each row, every few rows, probably end time + +|euid +|Numerical, 1 number + +|epid +|Numerical, varies + +|dsteuid +|Numerical, all = 0 + +|dstepid +| Numerical, the same for all rows + +|logflag +|Numerical, differes but not each row, some rows are missing it + +|logver +|Numerical, the same for all rows, e.g. 60 + +|proto +|Numerical, IP/TCP protocol number + +|vrf +|Empty + +|logid +|Numerical, log type, e.g. 0000000015, 000000013 + +|type +|String, e.g. traffic + +|subtype +|String, e.g. forward + +|level +|String, e.g. notice + +|action +|String, e.g `deny`, `start`, `close` + +|policyid +|Numerical, e.g. 
2 + +|sentbyte +|Numerical, variable + +|rcvdbyte +|Numerical + +|sessionid +|Numerical + +|srcport +|Numerical + +|dstport +|Numerical + +|transport +|EMpty + +|trandisp +|String, `snat` + +|duration +|Numerical + +|sentpkt +|Numerical + +|rcvdpkt +|Numerical + +|utmaction +|String, `block` + +|slot +|Empty + +|srcip +|IP address + +|dstip +|IP address + +|srcname +|Empry + +|dstname +|Empty + +|service +|String, `HTTP` + +|user +|empty + +|poluuid +|Hex long number + +|app +|String, `HTTP`, `HTTPS`, `DNS`, `TeamViewer` + +|appcat +|String, `unknown`, `Remote.Access` + +|tranip +|{} + +|unauthuser +|{} + +|unauthusersource +|{} + +|vpn +|{} + +|srcintf +|String, `bla_INT` + +|dstintf +|String, `bla_EXT` + +|group +|{} + +|custom_field1 +|{} + +|srcintfrole +|`undefined` + +|dstintfrole +|`undefined` + +|fctuid +|{} + +|wanoptapptype +|{} + +|wanin +|Numerical, `3317`, `0` + +|wanout +|Numerical, differs from _wanin_ + +|lanin\ +|Numerical, `164` + +|lanout +|Numerical, equals to _lanin_ + +|shaperdropsentbyte + diff --git a/Fortianalyzer-debug-cheat-sheet.adoc b/Fortianalyzer-debug-cheat-sheet.adoc new file mode 100755 index 0000000..d335706 --- /dev/null +++ b/Fortianalyzer-debug-cheat-sheet.adoc 
@@ -0,0 +1,94 @@ += Fortianalyzer diagnose and debug cheat sheet +Yuri Slobodyanyuk +:homepage: https://yurisk.info + + +=== General Health +[cols=2, options="header"] +|=== +|Command +|Description + + +|*get sys status* +|Get general information: firmware version, serial number, ADOMs enabled or not, time and time zone, general license status (Valid or not). + +|*get sys performance* +|Detailed performance statistics: CPU load, memory usage, hard disk/flash disk used space and input/output (`iostat`) statistics. + +|*exe top* +|Display real time list of running processes with their CPU load. + +|*diag log device* +|Shows how much space is used by each device logging to the Fortianalyzer, including quotas. + +|*exe iotop -b -n 1* +|Display and update every 1 second READ/WRITE statistics for all the processes. + + +|*diagnose system print cpuinfo* +|Display hardware CPU information - vendor, number of CPUs etc. + +|*diagnose hardware info* +|Even more hardware-related info. + +|*diagnose system print df* +|Show disk partitions and space used. Analog of the Linux `df`. + +|*exe lvm info* +|Shows disks status and size + +|*diagnose system print loadavg* +|Show average system load, analog to the Linux `uptime` command. + +|*diagnose system print netstat* +|Show established connections to the Fortianalyzer, as well as listening ports. Every logging device can (and usually does) have multiple connections established. + +|*diagnose system print route* +|Show routing table of the Fortianalyzer. + + +|=== + +=== Communication debug +[cols=2, options="header"] +|=== +|Command +|Description + +|*diagnose test application oftpd 3* +|List all devices sending logs to the Fortianalyzer with their IP addresses, serial numbers, _uptime_ meaning connection establishment uptime, not remote device uptime, and packets received (should be growing). 
+ +|=== + + +=== Logs from devices +[cols=2, options="header"] +|=== +|Command +|Description + +|*diagnose test application oftpd 50* +|Show log types received and stored for each device. + + +|*diag log device* +|Shows how much space is used by each device logging to the Fortianalyzer, including quotas. + +|*diagnose fortilogd lograte* +|Show in one line last 5/30/60 seconds rate of receiving logs. + +|*diagnose fortilogd lograte-adom all* +|Show as table log receiving rates for all ADOMs aggregated per device type (i.e. rate for all Fortigates will be as one data per ADOM). + +|*diagnose fortilogd lograte-device* +| + + + + + + +|=== + +
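Review bot: (Fortianalyzer-SQL-tables-reference-cheat-sheet.adoc, hunk `@@ -0,0 +1,186 @@`) the `.Table columns for Traffic Log` table is never closed: the file ends at `|shaperdropsentbyte` with no description cell and no trailing `|===`, so Asciidoctor will treat the rest of the document as table content and the final row renders with an empty second column. Either add the description and close the table with `|===`, or drop the dangling row. The document title also does not match the file: `= Fortigate debug and diagnose commands complete cheat sheet` heads a file named Fortianalyzer-SQL-tables-reference-cheat-sheet.adoc, which reads like a copy-paste from the sibling cheat sheet; suggest `= Fortianalyzer SQL tables reference cheat sheet`. Smaller points in the same hunk: `|lanin\` carries a stray backslash that will appear in the rendered column name; `Empry`, `EMpty` and `differes` are typos; the two `logid` examples `0000000015, 000000013` differ in length (10 vs 9 digits), so one of them is probably mistyped; and both new `.adoc` files are created with mode 100755, which should be 100644 for documentation.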
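Review bot: (Fortianalyzer-debug-cheat-sheet.adoc, hunk `@@ -0,0 +1,94 @@`) the `*diag log device*` row appears twice with the same description, once under `=== General Health` and again under `=== Logs from devices`; keep it in one table (Logs from devices is the better fit) and remove the other copy. The last row of the Logs from devices table, `*diagnose fortilogd lograte-device*`, has an empty description cell followed by several blank lines before `|===`; either describe it (my guess is that it is the per-device counterpart of `lograte-adom`, but that should be confirmed on a box) or remove the row until it is documented. Also check the `*exe iotop -b -n 1*` description: in iotop `-n 1` is the iteration count, so this command prints a single batch-mode snapshot rather than output that updates every second; `-d 1` sets the interval. Minor: the section headings jump from `=` straight to `===`, skipping the `==` level, and this file lacks the `v1.0, 2021-02-02` revision line the sibling cheat sheet carries.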