FortiGate Debug Commands

Quite often I have to use the CLI on FortiGate firewalls to troubleshoot traffic connections, VPNs, etc. The built-in CLI is a very useful and powerful tool for isolating and resolving issues quickly, rather than poring through traffic logs in the web interface. The following is a list of common commands for troubleshooting:

“diag debug enable” – This will enable debug logging

“diag debug disable” – This will turn off debug logging

“diag debug reset” – This will reset the debug logging

“diag debug flow show console enable” – This will output the debug flow logs to the CLI screen so they can be seen

“diag debug flow filter addr <IP address>” – This will show the flow of traffic from a particular IP address

“diag debug flow filter clear” – This will clear the logs for any flow filter debug command

Let’s say you wanted to see if a particular node was sending pings successfully on any interface:

“diag sniffer packet any 'icmp and host x.x.x.x' 4” – If pings are successfully hitting the appropriate interface, you will see the output on the CLI console
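As an added example (not part of the original post), the following Python script reads a copy of that sniffer output and answers the question the command is meant to settle: on which interfaces, and in which direction, were the echo requests and replies seen, and which pings never got a reply. It assumes the verbosity-4 line shape shown in the comment (timestamp, interface, in/out, src -> dst, "icmp: echo request|reply"); the sample capture is constructed, not taken from a real device.

```python
import re
from collections import defaultdict

# Assumed line shape of "diag sniffer packet any '<filter>' 4" output; at
# verbosity 4 each packet line carries the interface name and direction:
#   <timestamp> <interface> <in|out> <src> -> <dst>: icmp: echo <request|reply>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

# Constructed sample capture, not output from a real device.
SAMPLE = """\
interfaces=[any]
filters=[icmp and host 10.0.0.5]
1.100001 port1 in 10.0.0.5 -> 192.0.2.10: icmp: echo request
1.100210 port2 out 10.0.0.5 -> 192.0.2.10: icmp: echo request
1.120450 port2 in 192.0.2.10 -> 10.0.0.5: icmp: echo reply
1.120600 port1 out 192.0.2.10 -> 10.0.0.5: icmp: echo reply
2.100001 port1 in 10.0.0.5 -> 192.0.2.11: icmp: echo request
2.100210 port2 out 10.0.0.5 -> 192.0.2.11: icmp: echo request
"""

def parse_sniffer(text):
    """Return parsed ICMP echo records; header and unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records

def summarize(records):
    """Count echo requests and replies per interface and direction."""
    summary = defaultdict(lambda: {"in": {"request": 0, "reply": 0},
                                   "out": {"request": 0, "reply": 0}})
    for r in records:
        summary[r["iface"]][r["dir"]][r["kind"]] += 1
    return dict(summary)

def unanswered(records):
    """(src, dst) pairs that sent an echo request but never got a reply.
    A reply to src -> dst shows up as dst -> src, so the reversed pair is matched."""
    asked = {(r["src"], r["dst"]) for r in records if r["kind"] == "request"}
    answered = {(r["dst"], r["src"]) for r in records if r["kind"] == "reply"}
    return sorted(asked - answered)
```

Run it against a pasted capture and the per-interface counts show whether a ping is arriving on the inside interface but never leaving the outside one, which is usually the policy or route problem the sniffer was started to find.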

These are some basic commands that can of course be adjusted for specific troubleshooting needs, but they are essential for turning on logging and seeing what is going on. For more FortiGate-specific CLI commands, go here:
