mirrors/cheat-sheets
1
0
Fork 0
mirror of https://github.com/yuriskinfo/cheat-sheets.git synced 2025-12-24 14:31:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
de496ab0ece41176ff2b5e2d63cdc3d7d915b00a
cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc
Yuri Slobodyanyuk de496ab0ec ongoing additions, changes, and fixes
2020-09-03 12:17:34 +00:00

140 lines
4.1 KiB
Plaintext
Raw Blame History

= Fortigate debug and diagnose commands complete cheat sheet
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2020-09-01
:homepage: https://yurisk.info
NOTE: To enable debug set by any of the commands below, you need to run *diagnose debug enable*. This is assumed and not reminded any further.
NOTE: To disable and stop immediately any debug, run *dia deb res* which is short for *diagnose debug reset*.
== IPSEC VPN debug
.IPSEC VPN Debug
[cols=2*,options="header"]
|===
|Command
|Description
| *diagnose vpn ike log-filter <parameter>*
a| Filter VPN debug messages using various parameters:
* `list` Display the current filter.
* `clear` Erase the current filter.
* `name` Phase1 name to filter by.
* `src-addr4`/`src-addr6` IPv4/IPv6 source address range to filter by.
* `dst-addr4`/`dst-addr6` IPv4/IPv6 destination address range to filter by.
* `src-port` Source port range
* `dst-port` Destination port range
* `vd` Index of virtual domain. -1 matches all.
* `interface` Interface that IKE connection is negotiated over.
* `negate` Negate the specified filter parameter.
|*diagnose debug application ike -1*
| Enable IPSec VPN debug, shows phase 1 and phase 2 negotiations (for IKEv1) and everything for IKEv2.
"-1" sets the verbosity level to maximum, any other number will show less output.
|*diagnose vpn ike gateway flush name <vpn_name>*
|Flush (delete) all SAs of the given VPN peer only. Identify the peer by its Phase 1 name.
|*get vpn ipsec tunnel details*
| Detailed info about the tunnels: Rx/Tx packets/bytes, IP addresses of the peers, algorithms used, detailed selectors info, lifetime, whether NAT Traversal is enabled or not.
|*get vpn ipsec stats tunnel*
| Short general statistics about tunnels: number, kind, number of selectors, state
|*get vpn ipsec tunnel summary*
| Short statistics per each tunnel: number of selectors up/down, number of packets Rx/Tx.
|*get vpn ipsec stats crypto*
| Statistics of the crypto component (ASIC/software) of the Fortigate: encryption algorithm, hasshing algorithm.
|===
== NTP debug
.NTP daemon diagnostics and debug
[cols=2,options="header"]
|===
|Command
|Description
|*diag sys ntp status*
|Current status of NTP time synchronization. Shows all NTP peers and their details info: reachability, stratum, clock offset, delay, NTP version.
|*execute date*
| Show current date as seen by Fortigate
|*exec time*
| Show current time as seen by Fortigate
|===
== BGP
.BGP debug
[cols=2*,options="header"]
|===
|Command
|Description
|*diagnose ip router bgp level info*
*diagnose ip router bgp all enable*
| Set BGP debug level to INFO (the default is ERROR which gives very little info) and enable the BGP debug.
|*exec router clear bgp all*
| Disconnect all BGP peering sessions and clear BGP routes in BGP table and RIB. Use with care, involves downtime.
|*get router info bgp summary*
| State of BGP peering sessions with peers, one per line.
|*get router info bgp network <prefix>*
| Detailed info about <prefix> from the BGP process table. Output includes all learned via BGP routes, even those not currently installed in RIB. E.g. `get router info bgp network 0.0.0.0/0`. The <prefix> is optional, if absent shows the whole BGP table.
|*get router info routing-table bgp*
| Show BGP routes actually installed in the RIB.
|*get router info bgp neighbors*
| Detailed info on BGP peers: BGP version, state, supported capabilities, how many hops away, reson for the last reset.
|*get router info bgp neighbors <IP of the neighbor> advertised-routes*
| Show all routes advertised by us to the specific neighbor.
|*get router info bgp neighbors <IP of the neighbor> routes*
| Show all routes learned from this BGP peer. It shows routes AFTER filtering on local peer, if any.
|*get router info bgp neighbors 12.12.12.12 received-routes*
| Show all received routes from the neighbor BEFORE any local filtering is being applied. It only works if `set soft-reconfiguration enable` is set for this peer under `router bgp` configuration.
|*diagnose sys tcpsock | grep 179*
| List all incoming/outgoing TCP port 179 sessions for BGP.
|===
Reference in New Issue View Git Blame Copy Permalink