= Fortianalyzer diagnose and debug cheat sheet Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ :homepage: https://yurisk.info :toc: auto <> + <> + <> + <> + == General Health [cols=2, options="header"] |=== |Command |Description |*get sys status* |Get general information: firmware version, serial number, ADOMs enabled or not, time and time zone, general license status (Valid or not). |*get sys performance* |Detailed performance statistics: CPU load, memory usage, hard disk/flash disk used space and input/output (`iostat`) statistics. |*exe top* |Display real time list of running processes with their CPU load. |*diag log device* |Shows how much space is used by each device logging to the Fortianalyzer, including quotas. |*exe iotop -b -n 1* |Display and update every 1 second READ/WRITE statistics for all the processes. |*diagnose system print cpuinfo* |Display hardware CPU information - vendor, number of CPUs etc. |*diagnose hardware info* |Even more hardware-related info. |*diagnose system print df* |Show disk partitions and space used. Analog of the Linux `df`. |*exe lvm info* |Shows disks status and size |*diagnose system print loadavg* |Show average system load, analog to the Linux `uptime` command. |*diagnose system print netstat* |Show established connections to the Fortianalyzer, as well as listening ports. Every logging device can (and usually does) have multiple connections established. |*diagnose system print route* |Show routing table of the Fortianalyzer. |=== == Communication debug [cols=2, options="header"] |=== |Command |Description |*diagnose test application oftpd 3* |List all devices sending logs to the Fortianalyzer with their IP addresses, serial numbers, _uptime_ meaning connection establishment uptime, not remote device uptime, and packets received (should be growing). |*diagnose debug application oftpd 8 <__Device name__>* *diagnose debug enable* |Real time debug of communicating with the __Device name__ device. |*diagnose sniffer packet any "host __IP of remote device__"* |Sniff packets from/to remote device, to make sure they are sending each other packets. The communication is encrypted. |*diagnose sniffer packet any "port 514"* |Sniff all packets to/from port 514 used by Fortianalyzer to receive logs from remote devices. |=== == Logs from devices [cols=2, options="header"] |=== |Command |Description |*diagnose test application oftpd 50* |Show log types received and stored for each device. |*diag log device* |Shows how much space is used by each device logging to the Fortianalyzer, including quotas. |*diagnose fortilogd lograte* |Show in one line last 5/30/60 seconds rate of receiving logs. |*diagnose fortilogd lograte-adom all* |Show as table log receiving rates for all ADOMs aggregated per device type (i.e. rate for all Fortigates will be as one data per ADOM). |*diagnose fortilogd lograte-device* |Show average logs receive rate per device for the last hour, day, and week. |*diagnose fortilogd lograte-total* |Show summary log receive rate for all devices on this Fortianalyzer. |=== == Licensing [cols=2, options="header"] |=== |Command |Description |*diagnose dvm device list* |Look for the line _There are currently N devices/vdoms count for license_. |*diagnose debug vminfo* |Show report on Virtual Machine license: whether valid or not, type, licensed storage volume, licensed log receive rate, licensed maximum device count. |===