3/7/12 Fortigate troubleshooting commands itsecworks

Fortigate troubleshooting commands


Posted on Jul 18, 2011


1.0 Checking the basic settings, states

Check system status

myfirewall # get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
Memory states: 41% used
Average network usage: 2 kbps in 1 minute, 2 kbps in 10 minutes, 2 kbps in 30 minutes
Average sessions: 5 sessions in 1 minute, 5 sessions in 10 minutes, 5 sessions in 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 1 days, 1 hours, 8 minutes

Check software version

myfirewall # get sys status
Version: Fortigate-200B 3.00,build0660,080201
Virus-DB: 8.631(2008-01-15 14:27)
IPS-DB: 2.461(2008-01-18 11:23)
Serial-Number: FG200B1111111111
BIOS version: 04000000
Log hard disk: Not available
Hostname: myfirewall
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable

itsecworks.wordpress.com/2011/07/18/fortigate-basic-troubleshooting-commands/ 1/16

FIPS-CC mode: disable


Current HA mode: a-p, master
Distribution: International
Branch point: 660
MR/Patch Information: MR6
System time: Fri Jan 21 17:19:25 2011

Check HA state

With the get command, the state:

myfirewall1 # get sys ha status
Model: 311
Mode: a-p
Group: 0
Debug: 0
ses_pickup: enable
Master:254 myfirewall1 FG311B1111111111 0
Slave :128 myfirewall2 FG311B1111111112 1
number of vcluster: 1
vcluster 1: work 10.0.0.1
Master:0 FG311B1111111111
Slave :1 FG311B1111111112

With the show command, the configuration:

myfirewall # show sys ha
config system ha
set mode a-p
set hbdev "port5" 20 "port6" 10
set session-pickup enable
set override enable
set priority 254
set monitor "port4" "port5" "port6"
end

With the diagnose command, the state again:

myfirewall1 # diagnose sys ha status
HA information
Statistics
traffic.local = s:2096712 p:2541238162 b:1972123729708
traffic.total = s:9497465 p:2541238496 b:1972123977459
activity.fdb = c:0 q:0
Model=311, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1
HA group member information: is_manage_master=1.
FG311B1111111111, 0. Master:254 myfirewall1
FG311B1111111112, 1. Slave:128 myfirewall2
vcluster 1, state=work, master_ip=10.0.0.1, master_id=0:
FG311B1111111111, 0. Master:254 myfirewall1(prio=0, rev=0)
FG311B1111111112, 1. Slave:128 myfirewall2(prio=1, rev=1)
myfirewall1 #

Check the counters of the session table of the firewall

myfirewall # diag sys session full-stat


session table: table_size=65536 max_depth=1 used=14
expect session table: table_size=1024 max_depth=0 used=0
misc info: session_count=7 exp_count=0 clash=0 memory_tension_drop=0 ephemeral=1/16368
removeable=2
delete=0, flush=0, dev_down=0/0
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000000
tcp reset stat:
syncqf=1 acceptqf=0 no-listener=2605 data=0 ses=0 ips=0

Check the sessions

The following list has only one session, which may be a DNS request from 192.168.227.97 to the DNS server
65.39.139.53.

myfirewall # diag sys session list

session info: proto=17 proto_state=01 duration=2214 expire=123 timeout=0
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=28310
policy_dir=0 tunnel=/
state=local
statistic(bytes/packets/allow_err): org=5095/76/1 reply=8757/75/1 tuples=2
orgin->sink: org out->post, reply pre->in dev=10->12/12->10 gwy=0.0.0.0/192.168.227.97
hook=out dir=org act=noop 192.168.227.97:54223->65.39.139.53:53(0.0.0.0:0)
hook=in dir=reply act=noop 65.39.139.53:53->192.168.227.97:54223(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=0047c5b4 tos=ff/ff imp2p=0 app=0
dd_type=0 dd_rule_id=0

total session 7
Filter to the session that you are looking for (example):

myfirewall1 # diagnose sys session filter src 192.168.227.129


myfirewall1 # diag sys session list

2.0 Interface settings

Check the state, speed and duplex of the interfaces

myfirewall # get system interface physical


== [onboard]
==[internal]
mode: static
ip: 6.6.6.6 255.255.255.0
ipv6: ::/0
status: up
speed: 100Mbps (Duplex: full)
==[wan1]
mode: static
ip: 7.7.7.7 255.255.255.0
ipv6: ::/0
status: up
speed: 100Mbps (Duplex: full)
==[wan2]
mode: static
ip: 0.0.0.0 0.0.0.0
ipv6: ::/0
status: down
speed: n/a
==[modem]
mode: static
ip: 0.0.0.0 0.0.0.0
ipv6: ::/0
status: down
speed: n/a

Check the MAC address and the state of the interface. The name of the interface in the example below is
internal.

myfirewall # diagnose hardware deviceinfo nic internal


Description ip175c-vdev
Part_Number N/A

Driver_Name ip175c
Driver_Version 1.01
System_Device_Name internal
Current_HWaddr 00:09:11:6f:88:e3
Permanent_HWaddr 00:09:11:6f:88:e3
Link up
Speed 100
Duplex full
State up (0x00001103)
MTU_Size 1500

Check the ARP table

myfirewall # get system arp
Address Age(min) Hardware Addr Interface
5.5.5.5 0 00:00:5e:00:44:a6 wan1

3.0 Check the routing table

In this example we route everything through a vpn tunnel called fortigw-311b:

myfirewall # get router info routing-table all


Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S* 0.0.0.0/0 [5/0] is directly connected, fortigw-311b
S 3.3.3.0/24 [10/0] via 5.5.5.5, wan1
C 5.5.5.0/24 is directly connected, wan1
C 192.168.20.0/24 is directly connected, internal

4.0 VPN troubleshooting

The most significant thing for vpn is the time on the devices. To check the time use the following command:

myfirewall # get sys status
Version: Fortigate-200B 3.00,build0660,080201
Virus-DB: 8.631(2008-01-15 14:27)
IPS-DB: 2.461(2008-01-18 11:23)
Serial-Number: FG200B1111111111
BIOS version: 04000000
Log hard disk: Not available
Hostname: myfirewall

Operation Mode: NAT


Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, master
Distribution: International
Branch point: 660
MR/Patch Information: MR6
System time: Fri Jan 21 17:19:25 2011

Bring up a vpn tunnel manually. No traffic required.

myfirewall # diag vpn tunnel up phase2-name phase1-name

Shut down a vpn tunnel manually.

myfirewall # diag vpn tunnel down phase2-name phase1-name

Check the tunnel state

If there is no SA, the tunnel is down and does not work. To see if the tunnel is up we need to check whether
any SA exists.
To see if the tunnel is up you can use the diagnose vpn tunnel list name <peer-name> or the diagnose vpn
tunnel dumpsa command.

Tunnel state is down

The tunnel does not exist if there is no output from the commands below:

myfirewall1 # diagnose vpn tunnel list name myfirewall3


list ipsec tunnel by names in vd 0
<no output>

with the dumpsa command:

myfirewall1 # diag vpn tunnel dumpsa


<no output>

The output of the command below shows zero SAs (security associations):

myfirewall3 # diagnose vpn tunnel stat


dev=1 tunnel=0 proxyid=1 sa=0 conc=0 up=0


Tunnel state is up

Information available from the output of the command below:


- vpn peers
- encrypted traffic (source and destination)
- traffic counters for encrypted traffic
- SPI for encrypt and decrypt
- Encryption method

In the following output the second tunnel with the name fortigw-311b-wlan-ph2 is down.

myfirewall # diagnose vpn tunnel list name fortigw-311b


list ipsec tunnel by names in vd 0
——————————————————
name=fortigw-311b ver=1 serial=1 2.2.2.2:0->1.1.1.1:0 lgwy=dyn tun=intf mode=auto bound_if=6
proxyid_num=2 child_num=0 refcnt=8 ilast=2 olast=2
stat: rxp=525048 txp=538908 rxb=276286832 txb=115110327
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=671422
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=fortigw-311b-ph2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
src: 192.168.10.0/255.255.255.255:0
dst: 0.0.0.0/0.0.0.0:0
SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=1333 replaywin=1024 seqno=2c
life: type=01 bytes=0/0 timeout=1750/1800
dec: spi=5bafd6aa esp=3des key=24 8e4c7e9d5916fd00fc6f3fe4e7b35c40431735162c537049
ah=sha1 key=20 2462eaec73cbfc473c9cc59c0b39d976dca8b15f
enc: spi=2a05ad80 esp=3des key=24 83f2a4476675a7e810bb467ba0675222e6ad9f5db3ff4fed
ah=sha1 key=20 3fdd10286ff936c3608879315bc3958d8112994e
proxyid=fortigw-311b-wlan-ph2 proto=0 sa=0 ref=1 auto_negotiate=0 serial=2
src: 192.168.20.0/255.255.255.0:0
dst: 0.0.0.0/0.0.0.0:0

In this output both tunnels are up:

myfirewall1 # diag vpn tunnel dumpsa


———————————
vf=0 tun=fortigw-311b
proxyid=fortigw-311b-wlan-ph2 proto=0
src: 192.168.20.0/255.255.255.0:0
dst: 0.0.0.0/0.0.0.0:0
life: type=01 bytes=0/0 timeout=1750/1800
dec: spi=5bafd6ac esp=3des key=24 944c6e0a4e52d578ce4a3f78f6066eae53ade0bf3aeca236
ah=sha1 key=20 9c0ad72b08bf479e81d9109ac0f7f721c7040b46
enc: spi=2a05ad97 esp=3des key=24 5c8141c750de92321c171b44c5473d82fbac47ae464f3107
ah=sha1 key=20 0724b6b197c0cd157aced122bb6482d2d665e1b2
———————————

vf=0 tun=fortigw-311b
proxyid=fortigw-311b-ph2 proto=0
src: 192.168.10.0/255.255.255.0:0
dst: 0.0.0.0/0.0.0.0:0
life: type=01 bytes=0/0 timeout=1753/1800
dec: spi=5bafd6ab esp=3des key=24 506055a1caf78cc42d645a94b226f37375eac8bb618efdc7
ah=sha1 key=20 535c1f8ef20e8b7b6d011fdecfa955cef2085995
enc: spi=2a05ad95 esp=3des key=24 1d710d27da29b773abdf3568200d3b4a2688fbc1fa72f43b
ah=sha1 key=20 1d7d6b36084c715e8546369b621effaca60a5ee4

With the diagnose command:

myfirewall1 # diagnose vpn tunnel stat


dev=1 tunnel=0 proxyid=2 sa=2 conc=0 up=2
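As an added example (not from the original post), here is a small Python parser for the diagnose vpn tunnel list output that applies the rule above: a phase 2 selector with sa=0 is down, one with sa>0 is up. The sample capture is a constructed copy of the fortigw-311b listing with the key material omitted.

```python
import re

# Constructed sample modelled on the "diagnose vpn tunnel list name fortigw-311b"
# output in the post above; the dec/enc key material is omitted on purpose.
SAMPLE_TUNNEL_LIST = """list ipsec tunnel by names in vd 0
------------------------------------------------------
name=fortigw-311b ver=1 serial=1 2.2.2.2:0->1.1.1.1:0 lgwy=dyn tun=intf mode=auto bound_if=6
proxyid_num=2 child_num=0 refcnt=8 ilast=2 olast=2
stat: rxp=525048 txp=538908 rxb=276286832 txb=115110327
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=671422
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=fortigw-311b-ph2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 192.168.10.0/255.255.255.0:0
  dst: 0.0.0.0/0.0.0.0:0
  SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=1333 replaywin=1024 seqno=2c
  life: type=01 bytes=0/0 timeout=1750/1800
  dec: spi=5bafd6aa esp=3des key=24 <omitted>
  ah=sha1 key=20 <omitted>
  enc: spi=2a05ad80 esp=3des key=24 <omitted>
  ah=sha1 key=20 <omitted>
proxyid=fortigw-311b-wlan-ph2 proto=0 sa=0 ref=1 auto_negotiate=0 serial=2
  src: 192.168.20.0/255.255.255.0:0
  dst: 0.0.0.0/0.0.0.0:0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")      # key=value tokens on a line
PEER_RE = re.compile(r"(\S+)->(\S+)")    # local:port->remote:port on the name= line


def parse_tunnel_list(text):
    """Return {tunnel_name: {"peer": ip, "proxyids": [{"name", "sa", "src", "dst"}, ...]}}.

    A phase 1 tunnel starts at a 'name=' line; every 'proxyid=' line under it is one
    phase 2 selector, and its 'sa=' field is the number of security associations it holds.
    """
    tunnels, tunnel, selector = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            fields = dict(KV_RE.findall(line))
            peer = PEER_RE.search(line)
            tunnel = {"peer": peer.group(2).rsplit(":", 1)[0] if peer else None,
                      "proxyids": []}
            tunnels[fields["name"]] = tunnel
            selector = None
        elif line.startswith("proxyid=") and tunnel is not None:
            fields = dict(KV_RE.findall(line))
            selector = {"name": fields["proxyid"], "sa": int(fields.get("sa", "0")),
                        "src": None, "dst": None}
            tunnel["proxyids"].append(selector)
        elif selector is not None and line.startswith(("src:", "dst:")):
            key, _, value = line.partition(":")
            selector[key] = value.strip()
    return tunnels


def down_selectors(tunnels):
    """Names of phase 2 selectors with no SA, i.e. the ones the post calls 'down'."""
    return [sel["name"] for info in tunnels.values()
            for sel in info["proxyids"] if sel["sa"] == 0]


def tunnel_report(tunnels):
    """One human-readable line per selector, in the order the firewall printed them."""
    lines = []
    for name, info in tunnels.items():
        for sel in info["proxyids"]:
            state = "up" if sel["sa"] > 0 else "down"
            lines.append(f"{name} peer={info['peer']} {sel['name']} "
                         f"{sel['src']} -> {sel['dst']}: {state}")
    return lines


if __name__ == "__main__":
    parsed = parse_tunnel_list(SAMPLE_TUNNEL_LIST)
    print("\n".join(tunnel_report(parsed)))
    print("down:", down_selectors(parsed))
```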

Check packet counters for the tunnel

To see if the encryption and decryption of the packets works, run the diagnose vpn ipsec status or the
diagnose vpn tunnel list command two or more times and compare the values. On the second and third outputs the
counters should show larger numbers.

myfirewall1 # diagnose vpn ipsec status
All ipsec crypto devices in use:
CP5:
null: 0 0
des: 0 0
3des: 1667203998 1374539508
aes: 0 0
null: 0 0
md5: 0 0
sha1: 1667203998 1374539508
SOFTWARE NULL:
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
myfirewall1 # diagnose vpn ipsec status
All ipsec crypto devices in use:
CP5:
null: 0 0
des: 0 0
3des: 1667204059 1374539566
aes: 0 0
null: 0 0

md5: 0 0
sha1: 1667204059 1374539566
SOFTWARE NULL:
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
myfirewall1 #
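Added example, not the post's own code: the two captures above can be compared mechanically. The Python below parses two diagnose vpn ipsec status outputs (constructed copies of the ones shown) and reports which algorithm counters moved, which is the check the text describes; the two columns are kept as col1/col2 because the output does not label them.

```python
import re

# Two constructed captures modelled on the successive "diagnose vpn ipsec status"
# outputs above: only the 3des and sha1 rows of the CP5 device move between them.
FIRST_CAPTURE = """All ipsec crypto devices in use:
CP5:
null: 0 0
des: 0 0
3des: 1667203998 1374539508
aes: 0 0
null: 0 0
md5: 0 0
sha1: 1667203998 1374539508
SOFTWARE NULL:
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
"""
SECOND_CAPTURE = FIRST_CAPTURE.replace("1667203998 1374539508", "1667204059 1374539566")

ROW_RE = re.compile(r"^(\S+):\s+(\d+)\s+(\d+)$")


def parse_ipsec_status(text):
    """Return an ordered list of (device, algorithm, col1, col2) rows.

    'null' appears twice per device (once as a cipher, once as a hash), so rows are
    kept in print order instead of being keyed by name.
    """
    rows, device = [], None
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW_RE.match(line)
        if row and device is not None:
            rows.append((device, row.group(1), int(row.group(2)), int(row.group(3))))
        elif line.endswith(":") and not line.startswith("All "):
            device = line[:-1]          # "CP5:" or "SOFTWARE NULL:"
    return rows


def counter_deltas(before, after):
    """Pair rows positionally; return (device, algorithm, delta1, delta2) for rows that moved."""
    if len(before) != len(after):
        raise ValueError("captures differ in shape; take both from the same firewall")
    deltas = []
    for b, a in zip(before, after):
        if b[:2] != a[:2]:
            raise ValueError(f"row mismatch: {b[:2]} vs {a[:2]}")
        d1, d2 = a[2] - b[2], a[3] - b[3]
        if d1 or d2:
            deltas.append((b[0], b[1], d1, d2))
    return deltas


def verdict(before, after):
    """'both' if some row grew in both columns, 'one-way' if only one column moved, else 'idle'."""
    deltas = counter_deltas(before, after)
    if any(d1 > 0 and d2 > 0 for _, _, d1, d2 in deltas):
        return "both"
    return "one-way" if deltas else "idle"


if __name__ == "__main__":
    first = parse_ipsec_status(FIRST_CAPTURE)
    second = parse_ipsec_status(SECOND_CAPTURE)
    for dev, alg, d1, d2 in counter_deltas(first, second):
        print(f"{dev} {alg}: +{d1} +{d2}")
    print("verdict:", verdict(first, second))
```

A 'one-way' verdict (only one column growing between captures) is the case worth chasing, since the post expects both counters to rise when traffic is encrypted and decrypted.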

In the following output the firewall has 3 active vpn peers.

myfirewall1 # diag vpn tunnel list


list all ipsec tunnel in vd 0
——————————————————
name=soho-fw1 1.1.1.1:0->3.3.3.3:0 lgwy=dyn tun=intf mode=auto bound_if=7
proxyid_num=1 child_num=0 refcnt=5 ilast=4 olast=1
stat: rxp=1806451 txp=1447091 rxb=234325504 txb=499316955
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=3908556
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=soho-fw1-p2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
src: 0.0.0.0/0.0.0.0:0
dst: 192.168.40.0/255.255.255.0:0
SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=366 replaywin=1024 seqno=c4
life: type=01 bytes=0/0 timeout=1774/1800
dec: spi=2a02fcf2 esp=3des key=24 b3f265d52c68528f65e622ecda7500049d8dc4c3f41dc1f0
ah=sha1 key=20 846e4236a70d610c3848d8451d1423aa7a7a9b48
enc: spi=bb50f13d esp=3des key=24 bb24fc093724e057e0de454f0be53554adcf8fb158569732
ah=sha1 key=20 fdc777b8c11194e8245add02fbf402e4cac779fc
——————————————————
name=soho-fw2 1.1.1.1:0->4.4.4.4:0 lgwy=dyn tun=intf mode=auto bound_if=7
proxyid_num=1 child_num=0 refcnt=5 ilast=4 olast=4
stat: rxp=17110169 txp=18532534 rxb=5951742192 txb=15247163397
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=3450372
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=soho-fw2-p2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
src: 0.0.0.0/0.0.0.0:0
dst: 192.168.30.0/255.255.255.0:0
SA: ref=3 options=0000000e type=00 soft=0 mtu=1436 expire=576 replaywin=1024 seqno=1063
life: type=01 bytes=0/0 timeout=1774/1800
dec: spi=2a02fcf3 esp=3des key=24 44b0afaf4fcbf8dbff067e1d75fc7222387efb4f434b4ab4
ah=sha1 key=20 333e13671885e08177ea06df5ed88a941d60998c
enc: spi=e5e804dc esp=3des key=24 f1bdc039431716a33761879a5b9ac0aca181ced2b363ca08
ah=sha1 key=20 57a12c61b17f3431b1f8895045558ad408f7d356


——————————————————
name=soho-fw3 1.1.1.1:0->5.5.5.5:0 lgwy=dyn tun=intf mode=auto bound_if=7

5.0 Sniffer trace

The second parameter after "…port6 arp 1" is the number of packets to be sniffed. In this example it is set to 2.

myfirewall # diagnose sniffer packet port6 arp ?
1: print header of packets


2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
myfirewall # diagnose sniffer packet port6 arp 1 2
interfaces=[port6]
filters=[arp]
0.907592 arp who-has 3.3.3.3 tell 3.3.3.5
1.907597 arp who-has 3.3.3.3 tell 3.3.3.5
myfirewall #

If the sniffer output is to be analysed with Wireshark, the following Perl script should be used:
fgt2eth.pl

http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD30877

6.0 View logging on the CLI

There are some fields that you will never see in the web UI, because you cannot choose them in the column settings. One
example of this is a wrong pre-shared key: the field that tells you what the problem is, called "error_reason".

The buffer size is limited and if the buffer is full the old logs will be overwritten.
To check your buffer size issue the following command:

myfirewall # get log memory global-setting


full-final-warning-threshold: 95
full-first-warning-threshold: 75
full-second-warning-threshold: 90
max-size : 98304

To view the logs on the CLI issue the following commands (it is better to use a syslog server, as checking the logs
from memory is slow).

myfirewall # execute log filter device memory


myfirewall # execute log filter start-line 1
myfirewall # execute log filter view-lines 10
myfirewall # execute log filter category event


Check if that is correct for you.

myfirewall # execute log filter dump


category: event
device: memory
roll: 0
start-line: 1
view-lines: 10

Viewing the logs

In this example we can see a failed vpn session, as the preshared key is not identical on the vpn peers. The logs
are not always so talkative; for example, the logs for a failure caused by different encryption settings for the traffic refer to nothing
useful.

Log for preshared key failure:

myfirewall3 # execute log display


874 logs found.
10 logs returned.
1: 2011-08-31 17:02:33 log_id=0101037127 type=event subtype=ipsec pri=notice fwver=040003 vd="root" msg="progress IPsec phase 1" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="26fb9f49765a425f/a1da24b19fb1f8ce" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=success init=local mode=main dir=outbound stage=3 role=initiator result=OK
2: 2011-08-31 17:02:33 log_id=0101037127 type=event subtype=ipsec pri=notice fwver=040003 vd="root" msg="progress IPsec phase 1" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="26fb9f49765a425f/a1da24b19fb1f8ce" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=success init=local mode=main dir=outbound stage=2 role=initiator result=OK
3: 2011-08-31 17:02:33 log_id=0101037127 type=event subtype=ipsec pri=notice fwver=040003 vd="root" msg="progress IPsec phase 1" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="26fb9f49765a425f/0000000000000000" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=success init=local mode=main dir=outbound stage=1 role=initiator result=OK
4: 2011-08-31 17:02:33 log_id=0101037128 type=event subtype=ipsec pri=error fwver=040003 vd="root" msg="progress IPsec phase 1" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="8cad3acdda13b8dc/49d8c9464e0a85e9" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=failure init=remote mode=main dir=inbound stage=3 role=responder result=ERROR
5: 2011-08-31 17:02:33 log_id=0101037124 type=event subtype=ipsec pri=error fwver=040003 vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="8cad3acdda13b8dc/49d8c9464e0a85e9" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=negotiate_error error_reason=probable preshared key mismatch peer_notif=N/A
6: 2011-08-31 17:02:31 log_id=0101037128 type=event subtype=ipsec pri=error fwver=040003 vd="root" msg="progress IPsec phase 1" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="8cad3acdda13b8dc/49d8c9464e0a85e9" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=failure init=remote mode=main dir=inbound stage=3 role=responder result=ERROR
7: 2011-08-31 17:02:31 log_id=0101037124 type=event subtype=ipsec pri=error fwver=040003 vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="8cad3acdda13b8dc/49d8c9464e0a85e9" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=negotiate_error error_reason=probable preshared key mismatch peer_notif=N/A

Log for different encryption traffic failure:

Sep 01 10:18:40 3.3.3.3 date=2011-09-01 time=10:18:40 devname=myfirewall3 device_id=FG200B1111111111 log_id=0101037129 type=event subtype=ipsec pri=notice fwver=040003 vd="root" msg="progress IPsec phase 2" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="2c4ea48ce0ad7bb5/1197f346a79b38b3" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=success init=local mode=quick dir=outbound stage=1 role=initiator result=OK
Sep 01 10:19:36 3.3.3.3 date=2011-09-01 time=10:19:36 devname=myfirewall3 device_id=FG200B1111111111 log_id=0101037130 type=event subtype=ipsec pri=error fwver=040003 vd="root" msg="progress IPsec phase 2" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="2c4ea48ce0ad7bb5/1197f346a79b38b3" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR
Sep 01 10:19:38 3.3.3.3 date=2011-09-01 time=10:19:38 devname=myfirewall3 device_id=FG200B1111111111 log_id=0101037130 type=event subtype=ipsec pri=error fwver=040003 vd="root" msg="progress IPsec phase 2" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="2c4ea48ce0ad7bb5/1197f346a79b38b3" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR
Sep 01 10:19:42 3.3.3.3 date=2011-09-01 time=10:19:42 devname=myfirewall3 device_id=FG200B1111111111 log_id=0101037130 type=event subtype=ipsec pri=error fwver=040003 vd="root" msg="progress IPsec phase 2" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" cookies="2c4ea48ce0ad7bb5/1197f346a79b38b3" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR
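As an added example (not part of the original post), the Python below parses FortiGate key=value event log lines like the ones above and pulls out the error_reason for IPsec failures; it handles the unquoted multi-word value and reports the phase 2 failures that carry no reason at all. The log lines are shortened constructed copies of the entries shown.

```python
import re

# Constructed, shortened copies of the IPsec event log lines shown above: the phase 1
# preshared key failure from "execute log display" and phase 2 entries as seen by syslog.
SAMPLE_LOG_LINES = [
    '4: 2011-08-31 17:02:33 log_id=0101037128 type=event subtype=ipsec pri=error fwver=040003 '
    'vd="root" msg="progress IPsec phase 1" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 '
    'rem_port=500 loc_port=500 out_intf="wan1" cookies="8cad3acdda13b8dc/49d8c9464e0a85e9" '
    'user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" '
    'status=failure init=remote mode=main dir=inbound stage=3 role=responder result=ERROR',
    '5: 2011-08-31 17:02:33 log_id=0101037124 type=event subtype=ipsec pri=error fwver=040003 '
    'vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=1.1.1.1 loc_ip=3.3.3.3 '
    'rem_port=500 loc_port=500 out_intf="wan1" cookies="8cad3acdda13b8dc/49d8c9464e0a85e9" '
    'user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="fortigw-311b" '
    'status=negotiate_error error_reason=probable preshared key mismatch peer_notif=N/A',
    'Sep 01 10:18:40 3.3.3.3 date=2011-09-01 time=10:18:40 devname=myfirewall3 '
    'device_id=FG200B1111111111 log_id=0101037129 type=event subtype=ipsec pri=notice '
    'fwver=040003 vd="root" msg="progress IPsec phase 2" action="negotiate" rem_ip=1.1.1.1 '
    'loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" vpn_tunnel="fortigw-311b" '
    'status=success init=local mode=quick dir=outbound stage=1 role=initiator result=OK',
    'Sep 01 10:19:36 3.3.3.3 date=2011-09-01 time=10:19:36 devname=myfirewall3 '
    'device_id=FG200B1111111111 log_id=0101037130 type=event subtype=ipsec pri=error '
    'fwver=040003 vd="root" msg="progress IPsec phase 2" action="negotiate" rem_ip=1.1.1.1 '
    'loc_ip=3.3.3.3 rem_port=500 loc_port=500 out_intf="wan1" vpn_tunnel="fortigw-311b" '
    'status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR',
]

# A value is either double-quoted or runs up to the next ' key=' token; the second form
# is what makes 'error_reason=probable preshared key mismatch' come out whole.
KV_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|$)')


def parse_log_line(line):
    """Split one FortiGate key=value log line into a dict (surrounding quotes stripped)."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def ipsec_failures(lines):
    """Return (vpn_tunnel, phase, reason) for every IPsec event logged at pri=error.

    When the record carries no error_reason (the phase 2 failures above do not), the
    status/stage/role fields are reported instead so the entry is still actionable.
    """
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("subtype") != "ipsec" or rec.get("pri") != "error":
            continue
        phase = "phase 2" if "phase 2" in rec.get("msg", "") else "phase 1"
        reason = rec.get("error_reason") or (
            f"none given (status={rec.get('status')}, stage={rec.get('stage')}, "
            f"role={rec.get('role')})")
        findings.append((rec.get("vpn_tunnel"), phase, reason))
    return findings


if __name__ == "__main__":
    for tunnel, phase, reason in ipsec_failures(SAMPLE_LOG_LINES):
        print(f"{tunnel} {phase}: {reason}")
```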

CLI guide:

http://docs.fortinet.com/fgt/techdocs/fortigate-cli.pdf

7.0 Backup and Restore

Backup command with tftp server:

myfirewall # execute backup full-config tftp <full-config-filename> <tftp server ip>

With an example:


myfirewall1 # execute backup full-config tftp myfirewall1_full_config 192.168.1.1


Please wait…
Connect to tftp server 192.168.1.1 …
#
Send config file to tftp server OK.
myfirewall1 #

Restore command with tftp server:

myfirewall # execute restore config tftp <full-config-filename> <tftp server ip>

Example Restore:

myfirewall1 # execute restore config tftp myfirewall1_full_config 192.168.1.1


This operation will overwrite the current settings!
Do you want to continue? (y/n)y
Please wait…
Connect to tftp server 192.168.1.1 …
Get config file from tftp server OK.
File check OK.
The system is going down NOW !!
Please stand by while rebooting
FGT200B (14:15-10.01.2008)
Ver:04000010
Serial number:FG200B1111111111
RAM activation
Total RAM: 256MB
Enabling cache…Done.
Scanning PCI bus…Done.
Allocating PCI resources…Done.
Enabling PCI resources…Done.
Zeroing IRQ settings…Done.
Verifying PIRQ tables…Done.
Enabling Interrupts…Done.
Boot up, boot device capacity: 64MB.
Press any key to display configuration menu…
……

Reading boot image 1319595 bytes.


Initializing firewall…
System is started.
The config file may contain errors,
Please see details by the command 'diagnose debug config-error-log read'

myfirewall1 login:

Posted in: Fortigate, Security, Troubleshooting

