= Fortigate debug and diagnose commands complete cheat sheet Yuri Slobodyanyuk v1.0, 2020-09-01 :homepage: https://yurisk.info NOTE: To enable debug set by any of the commands below, you need to run *diagnose debug enable*. This is assumed and not reminded any further. NOTE: To disable and stop immediately any debug, run *dia deb res* which is short for *diagnose debug reset*. == IPSEC VPN debug .IPSEC VPN Debug [cols=2*,options="header"] |=== |Command |Description | *diagnose vpn ike log-filter * a| Filter VPN debug messages using various parameters: * `list` Display the current filter. * `clear` Erase the current filter. * `name` Phase1 name to filter by. * `src-addr4`/`src-addr6` IPv4/IPv6 source address range to filter by. * `dst-addr4`/`dst-addr6` IPv4/IPv6 destination address range to filter by. * `src-port` Source port range * `dst-port` Destination port range * `vd` Index of virtual domain. -1 matches all. * `interface` Interface that IKE connection is negotiated over. * `negate` Negate the specified filter parameter. |*diagnose debug application ike -1* | Enable IPSec VPN debug, shows phase 1 and phase 2 negotiations (for IKEv1) and everything for IKEv2. "-1" sets the verbosity level to maximum, any other number will show less output. |*diagnose vpn ike gateway flush name * |Flush (delete) all SAs of the given VPN peer only. Identify the peer by its Phase 1 name. |*get vpn ipsec tunnel details* | Detailed info about the tunnels: Rx/Tx packets/bytes, IP addresses of the peers, algorithms used, detailed selectors info, lifetime, whether NAT Traversal is enabled or not. |*get vpn ipsec stats tunnel* | Short general statistics about tunnels: number, kind, number of selectors, state |*get vpn ipsec tunnel summary* | Short statistics per each tunnel: number of selectors up/down, number of packets Rx/Tx. |*get vpn ipsec stats crypto* | Statistics of the crypto component (ASIC/software) of the Fortigate: encryption algorithm, hasshing algorithm. |=== == NTP debug .NTP daemon diagnostics and debug [cols=2,options="header"] |=== |Command |Description |*diag sys ntp status* |Current status of NTP time synchronization. Shows all NTP peers and their details info: reachability, stratum, clock offset, delay, NTP version. |*execute date* | Show current date as seen by Fortigate |*exec time* | Show current time as seen by Fortigate |=== == BGP .BGP debug [cols=2*,options="header"] |=== |Command |Description |*diagnose ip router bgp level info* *diagnose ip router bgp all enable* | Set BGP debug level to INFO (the default is ERROR which gives very little info) and enable the BGP debug. |*exec router clear bgp all* | Disconnect all BGP peering sessions and clear BGP routes in BGP table and RIB. Use with care, involves downtime. |*get router info bgp summary* | State of BGP peering sessions with peers, one per line. |*get router info bgp network * | Detailed info about from the BGP process table. Output includes all learned via BGP routes, even those not currently installed in RIB. E.g. `get router info bgp network 0.0.0.0/0`. The is optional, if absent shows the whole BGP table. |*get router info routing-table bgp* | Show BGP routes actually installed in the RIB. |*get router info bgp neighbors* | Detailed info on BGP peers: BGP version, state, supported capabilities, how many hops away, reson for the last reset. |*get router info bgp neighbors advertised-routes* | Show all routes advertised by us to the specific neighbor. |*get router info bgp neighbors routes* | Show all routes learned from this BGP peer. It shows routes AFTER filtering on local peer, if any. |*get router info bgp neighbors 12.12.12.12 received-routes* | Show all received routes from the neighbor BEFORE any local filtering is being applied. It only works if `set soft-reconfiguration enable` is set for this peer under `router bgp` configuration. |*diagnose sys tcpsock | grep 179* | List all incoming/outgoing TCP port 179 sessions for BGP. |===