Diagnose command changes (5.6.1)

New diagnose features added to FortiOS 5.6.1.

crash dump improvement on i386/X86_64 (396580)

The output from the WPAD crash dump can now be in binary format as well as hexadecimal. The two commands are:

  1. For a dump in binary format: diagnose debug app wpad-dump <debug_level>
  2. For a dump in hexadecimal format: diagnose debug app wpad-crash-hexdump <debug_level>

LLDP diagnose commands easier to execute (413102)

While there is no change to the syntax of the commands, the LLDP diagnose commands are allowed to execute without switchid/portid parameters configured.

New command to monitor IPS stats (414496)

When WAD IPS scanning took place with a failed result, the failure message caused the IPS sensor to mistakenly record the event as something triggering the sensor. To correct this, a new command was created.

Command:

diagnose wad stats ips [list | clear]

  • list – List IPS statistics
  • clear – Clear IPS statistics

Example

diagnose wad stats ips list

IPS status
unix stream counter = 0
active sess counter = 0
ips provider counter = 0
not running failure = 0
all busy failure = 0
conn close counter = 0
conn connected counter = 0
conn failure = 0
zero len failure = 0
suspended failure = 0
push failure = 0
block write counter = 0
un-block write counter = 0
un-matching failure = 0
ips action failure = 0
ips action permit = 0
ips action deny = 0
ips action bypass = 0

New diagnose sys fips kat-error options (440186)

The command diagnose sys fips kat-error has added additional options, like ECDSA.

Diagnose command changes (5.6)

New diagnose features added to FortiOS 5.6.

Add missing “diag npu np6 …” Commands (305808)

The following diag npu np6 commands have been reintroduced in 5.6.0. These options were available in 5.2.x but were not in 5.4.0.

  • diag npu np6 gmac-stats – Shows the GMAC MIB counters
  • diag npu np6 gmac-stats-clear – Clears the GMAC MIB counters
  • diag npu np6 gige-port-stats – Shows the GIGE PORT MIB counters
  • diag npu np6 gige-port-stats-clear – Clears the GIGE PORT MIB counters

Diagnose command to show firewall service cache (355819)

A diagnostic command has been added to dump out the service name cache kept by the miglogd daemon for each individual VDOM.

diag test app miglogd 106

Example output (edited down to conserve space; only the first 5 of each grouping are included):

diag test app miglogd 106

tcp
port(0), name(NONE)
port(21), name(FTP)
port(22), name(SSH)
port(23), name(TELNET)
port(25), name(SMTP)
udp
port(53), name(DNS)
port(67–68), name(DHCP)
port(69), name(TFTP)
port(88), name(KERBEROS)
port(111), name(ONC-RPC) extra: (ONC-RPC) (NFS)
icmp
port(1), name(test)
port(8), name(PING)
port(13), name(TIMESTAMP)
port(15), name(INFO_REQUEST)
port(17), name(INFO_ADDRESS)
general
prot(6), port(4300), name(example.com_Webadmin)
prot(6), port(5060), name(SIP)
prot(6), port(5190–5194), name(AOL)
prot(6), port(5631), name(PC-Anywhere)
prot(6), port(5900), name(VNC)
service names:
WINFRAME,DNS,DCE-RPC,H323,RLOGIN,IRC,UUCP,example.com_Webadmin,HTTPS,WAIS,FINGER,REXEC,
RAUDIO,SNMP,TIMESTAMP,RADIUS-OLD,DHCP,AOL,MGCP,SMTPS,INFO_REQUEST,HTTP,SCCP,SOCKS,PPTP,
ONC-RPC,NNTP,SMTP,QUAKE,PC-Anywhere,TFTP,NONE,SSH,RSH,IMAPS,LDAP_UDP,SIP,RIP,PING,PING6,
X-WINDOWS,SMB,SAMBA,TRACEROUTE,NFS,WINS,L2TP,IMAP,GOPHER,SIP-MSNmessenger,SYSLOG,DHCP6,
TELNET,LDAP,MS-SQL,MMS,KERBEROS,SQUID,NTP,FTP,CVSPSERVER,test,AFS3,POP3,Internet-Locator-Service,
service groups:
Email Access(DNS,IMAP,IMAPS,POP3,POP3S,SMTP,SMTPS,)
Windows AD(DCE-RPC,DNS,KERBEROS,LDAP,LDAP_UDP,SAMBA,SMB,)
Web Access(DNS,HTTP,HTTPS,)
Exchange Server(DCE-RPC,DNS,HTTPS,)
policies involving multiple service definitions:

Diagnose command to show crash history and adjust crash interval (366691)

In order to alleviate the impact that logging puts on resources when processes repeatedly crash, limits have been put on crash logs.

  • The default limit is 10 times per 60 minutes for crash logs. This limit can be edited using the command: diagnose debug crashlog interval <interval>, where <interval> is the number of seconds to log crash logs for a particular process.
  • The miglogd daemon is the only one to write crash logs directly. Crash logs from other processes are written through miglogd.
  • Crash logs for a single crash are written all at once so that the logs are easier to read if there are crashes of multiple processes at the same time.
  • A diagnose command has been added to show crash history.

# diagnose debug crashlog history

# Crash log interval is 3600 seconds

# reportd crashed 2 times. The latest crash was at 2016-12-01 17:53:45

diagnose switch-controller commands (368197)

The following diagnose commands in the CLI are designed to:

  • Output stats on the managed switches
  • Kick the client from the managed switches

diagnose switch-controller dump lldp neighbors-summary <device-id> <portid>
diagnose switch-controller dump lldp neighbors-detail <device-id> <portid>
diagnose switch-controller dump lldp Stats <device-id>
diagnose switch-controller dump port-stats <device-id>
diagnose switch-controller dump trunk-state <device-id>

diagnose switch-controller kick <device-id> <vlan ID> <port ID> <MAC ID>

While not a diagnostic command, the following can also be run from VDOMs:

execute replace-device fortiswitch <device-id>

These commands are no longer restricted to being run from the root VDOM and can be run from any VDOM.

Diagnose commands for monitoring NAT sessions (376546)

We have developed the following monitoring capabilities in the CLI and SNMP:

  • NAT sessions per IP pool
  • Total tcp sessions per IP pool
  • Total udp sessions per IP pool
  • Total other (non-tcp and non-udp) sessions per IP pool

FortiGate supports 4 types of NAT:

  • Overload
  • One-to-one
  • Fixed-port-range
  • Port-block-allocation

diagnose firewall ippool-all

  • list – lists all of the IP Pools
  • stats – Statistics of the IP Pools

list

diagnose firewall ippool-all list

Example output:

vdom:root owns 4 ippool(s)
name:Client-IPPool type:port-block-allocation nat-ip-range:10.23.75.5-10.23.75.200
name:Fixed Port Range type:fixed-port-range nat-ip-range:20.20.20.5-20.20.20.50
name:One to One type:one-to-one nat-ip-range:10.10.10.5-10.10.10.50
name:Sales_Team type:overload nat-ip-range:10.23.56.18-10.23.56.20

Stats

This option can be used in two ways. Pressing Enter directly after stats outputs the stats for all of the IP Pools. Putting the name of an IP Pool after stats filters the output so that only stats relating to that particular IP Pool are included.

Example output #1

# diagnose firewall ippool-all stats
vdom:root owns 5 ippool(s)
name: Client-IPPool type: port-block-allocation startip: 10.23.75.5 endip: 10.23.75.200
total ses: 0 tcp ses: 0 udp ses: 0 other ses: 0
name: Fixed Port Range type: fixed-port-range startip: 20.20.20.5 endip: 20.20.20.50
total ses: 0 tcp ses: 0 udp ses: 0 other ses: 0
name: One to One type: one-to-one startip: 10.10.10.5 endip: 10.10.10.50
total ses: 0 tcp ses: 0 udp ses: 0 other ses: 0
name: Sales_Team type: overload startip: 10.23.56.18 endip: 10.23.56.20
total ses: 0 tcp ses: 0 udp ses: 0 other ses: 0

Example #2

# diagnose firewall ippool-all stats "Sales_Team"
name: Sales_Team type: overload startip: 10.23.56.18 endip: 10.23.56.20
total ses: 0 tcp ses: 0 udp ses: 0 other ses: 0
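The per-pool counters from diagnose firewall ippool-all stats are what a monitoring job would poll to catch an overload pool running out of ports. The following is an added example (not FortiOS code) that parses that output into records and flags pools whose sessions per NAT address exceed a threshold; the sample output and its session counts are constructed for illustration, and the regex accepts the fields either one per line or run together on one line.

```python
# Added example (not FortiOS code): parse "diagnose firewall ippool-all stats"
# output into per-pool records for monitoring or alerting.
import ipaddress
import re

# Sample output constructed in the format the command prints; the pool names
# and ranges are the page's, the non-zero session counters are made up.
SAMPLE_STATS = """vdom:root owns 2 ippool(s)
name: Sales_Team
type: overload
startip: 10.23.56.18
endip: 10.23.56.20
total ses: 180
tcp ses: 150
udp ses: 25
other ses: 5
name: One to One
type: one-to-one
startip: 10.10.10.5
endip: 10.10.10.50
total ses: 12
tcp ses: 10
udp ses: 2
other ses: 0
"""

# Fields may be printed one per line or on a single line; \s+ accepts either.
POOL_RE = re.compile(
    r"name:\s*(?P<name>.+?)\s+type:\s*(?P<type>\S+)\s+"
    r"startip:\s*(?P<startip>\S+)\s+endip:\s*(?P<endip>\S+)\s+"
    r"total ses:\s*(?P<total>\d+)\s+tcp ses:\s*(?P<tcp>\d+)\s+"
    r"udp ses:\s*(?P<udp>\d+)\s+other ses:\s*(?P<other>\d+)"
)


def parse_ippool_stats(text: str) -> list[dict]:
    """Return one dict per pool with integer counters and the pool size."""
    pools = []
    for m in POOL_RE.finditer(text):
        start = ipaddress.ip_address(m["startip"])
        end = ipaddress.ip_address(m["endip"])
        pools.append({
            "name": m["name"].strip(),
            "type": m["type"],
            "size": int(end) - int(start) + 1,   # number of NAT addresses
            "total": int(m["total"]),
            "tcp": int(m["tcp"]),
            "udp": int(m["udp"]),
            "other": int(m["other"]),
        })
    return pools


def busy_pools(pools: list[dict], max_sessions_per_ip: int) -> list[str]:
    """Names of pools whose average sessions per NAT address exceed the limit.

    Most relevant for overload pools, where many hosts share a few addresses
    and port exhaustion is the failure mode to watch for.
    """
    return [p["name"] for p in pools
            if p["total"] / p["size"] > max_sessions_per_ip]


def inconsistent_pools(pools: list[dict]) -> list[str]:
    """Names of pools where tcp + udp + other does not add up to total."""
    return [p["name"] for p in pools
            if p["tcp"] + p["udp"] + p["other"] != p["total"]]


if __name__ == "__main__":
    parsed = parse_ippool_stats(SAMPLE_STATS)
    for p in parsed:
        print(f"{p['name']:<12} {p['type']:<12} size={p['size']:<3} total={p['total']}")
    print("busy:", busy_pools(parsed, 50))            # ['Sales_Team']
    print("inconsistent:", inconsistent_pools(parsed))  # []
```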

SIP diagnose command improvements (376853)

A diagnose command has been added to the CLI that outputs VDOM data located in the voipd daemon.

diagnose sys sip-proxy vdom

Example

(global) # diagnose sys sip-proxy vdom
VDOM list by id:
vdom 0 root (Kernel: root)
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 6 vdomc2 (Kernel: vdomc2)
vdom 7 vdoma (Kernel: vdoma)
vdom 8 vdomb (Kernel: vdomb)
vdom 9 vdomc (Kernel: vdomc)
VDOM list by name:
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 0 root (Kernel: root)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 7 vdoma (Kernel: vdoma)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 8 vdomb (Kernel: vdomb)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 9 vdomc (Kernel: vdomc)
vdom 6 vdomc2 (Kernel: vdomc2)

Diagnose command to get AV virus statistics (378870)

A new diagnostic command has been added for showing AV statistics. It can be used within each VDOM.

Syntax: diagnose ips av stats show

Example output

diagnose ips av stats show
AV stats:

HTTP virus detected: 0

HTTP virus blocked: 0

SMTP virus detected: 0

SMTP virus blocked: 0

POP3 virus detected: 0

POP3 virus blocked: 0

IMAP virus detected: 0

IMAP virus blocked: 0

NNTP virus detected: 0

NNTP virus blocked: 0

FTP virus detected: 0

FTP virus blocked: 0

SMB virus detected: 0

SMB virus blocked: 0

Diagnose command to get remote FortiSwitch trunk information (379329)

To ensure that a FortiGate and its managed FortiSwitches stay in synchronization in the event of an inadvertent trunk table change, there is a new CLI setting that checks for discrepancies.

The idea is to check whether there will be a synchronization issue between the FortiGate and the FortiSwitch before applying the configuration:

  1. On FortiLink reconnection, the FGT reads the trunk table of the FSW using a REST API GET, so the FGT gets all of the port and trunk membership information from the FSW.
  2. The FGT then compares its managed FSW trunk information with the received FSW information.
  3. If there is any conflict, the FGT deletes the extra or conflicting trunk on the FSW using a REST API POST.
  4. At the end, the FGT replays all configuration to the FSW as usual.

This helps delete the extra and conflicting trunks on the FSW and makes sure the two stay in sync. Possible reasons for losing synchronization include:

  • The FortiGate reboots after a factory reset while there is still a trunk configuration in the FortiSwitch.
  • The managed FortiSwitch's trunk table gets edited on the FortiGate while the FortiSwitch is offline.
  • A trunk table on the FortiSwitch gets added, or the existing one gets modified or deleted, by a user.

New diagnose command for the CLI: diagnose switch-controller dump trunk-switch-config <Managed FortiSwitch device ID>

help provided for diagnose debug application csfd (379675)

The syntax for the command is: diagnose debug application csfd <Integer>

<Integer> is the debug level. To get the integer value for a debug level, run the command without the integer. You will get the following:

# diagnose debug application csfd
csfd debug level is 0 (0x0)

Error 0x01

Warning 0x02

Function trace 0x04

Information 0x08

Detail 0x10

MAC packet encryption debug 0x20

MAC learning debug 0x40

FAZ configuration synchronize debugging 0x0080

FAZ configuration function trace 0x00100

Configuration tree update debug 0x00200

Configuration tree function trace 0x00400

HA Sync plugin debug 0x00800

Convert the value next to the debug level you want to an integer. For example, to set the debug level to Information, convert 0x08 to 8 and use it for the option at the end of the command.

# diagnose debug application csfd 8
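Because each category is a separate bit, several categories can be enabled at once by adding their flags. The following is an added example (not FortiOS code) that composes the integer for diagnose debug application csfd from category names and decodes a level back into the categories it enables, using the flag values listed above.

```python
# Added example (not FortiOS code): build and decode the integer argument of
# "diagnose debug application csfd <Integer>" from the per-category flags the
# command prints when run without an argument.

CSFD_DEBUG_FLAGS = {
    "error": 0x01,
    "warning": 0x02,
    "function trace": 0x04,
    "information": 0x08,
    "detail": 0x10,
    "mac packet encryption debug": 0x20,
    "mac learning debug": 0x40,
    "faz configuration synchronize debugging": 0x0080,
    "faz configuration function trace": 0x0100,
    "configuration tree update debug": 0x0200,
    "configuration tree function trace": 0x0400,
    "ha sync plugin debug": 0x0800,
}


def csfd_level(*categories: str) -> int:
    """OR the flags of the named categories into one integer.

    An unknown category name raises KeyError rather than silently producing a
    level that enables nothing.
    """
    level = 0
    for name in categories:
        level |= CSFD_DEBUG_FLAGS[name.lower()]
    return level


def csfd_categories(level: int) -> list[str]:
    """Decode an integer back into the category names it enables."""
    return [name for name, flag in CSFD_DEBUG_FLAGS.items() if level & flag]


def csfd_command(*categories: str) -> str:
    """The CLI line to type for the given categories."""
    return f"diagnose debug application csfd {csfd_level(*categories)}"


if __name__ == "__main__":
    # The page's own example: Information alone is 0x08, i.e. 8.
    print(csfd_command("information"))
    # Error + Warning + Information = 0x01 | 0x02 | 0x08 = 11
    print(csfd_command("error", "warning", "information"))
    print(csfd_categories(11))
```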

New IPS engine diagnose commands (381371)

Periodically, when troubleshooting, a different IPS engine will need to be installed on the FortiGate while there is also a restriction that the FortiGate can't be rebooted. Normally, a new IPS engine will not be fully recognized by the system until after a reboot. This command allows the running of new commands, or new versions of commands, in the IPS engine without having to reboot the FortiGate.

diagnose ips test cmd <command strings>

The command strings are separated by a semicolon such as: diagnose ips test cmd command1;command2;command3

Examples:

  • diagnose ips test cmd “ips session status”

This command triggers the diagnosis command in the double quotation marks: “diagnose ips session status”

  • diag ips test cmd “ips memory track; ips memory status; ips session status”

This command triggers the diagnosis commands in the double quotation marks in order.

The results:

Commands[0]: ips memory track

—-< execute “diagnose ips memory track” >—-

Commands[1]: ips memory status

—-< execute “diagnose ips memory status” >—-

Commands[2]: ips session status

—-< execute “diagnose ips session status” >—-

New AV engine diagnose commands (383352)

The purpose of this diagnostic command is to display information from within the AV engine to aid troubleshooting and diagnostics if the AV engine crashes or times out.

The command is: diagnose antivirus test

Its syntax can be one of the following:

diagnose antivirus test <command>
diagnose antivirus test <command argument1>; <argument2>; …

The command is defined and interpreted by the AV engine. FortiOS just passes the CLI command into the AV engine and outputs the strings returned by the AV engine.

In AV engine 5.4.239, the following commands are supported:

  • get scantypes
  • set scantypes
  • debug

NPU diagnose command now includes HPE info in results (384692)

There is no change to the CLI but the results of the diagnose npu np6 npu-feature command now include results regarding HPE.

clear checksum log files (diag sys ha checksum log clear) (385905)

There is currently a command, diag sys ha checksum log [enable | disable], that enables a checksum debug log by saving checksum calculations to a temp file. However, the checksum calculations saved in this file can be processed by two different functions, cmdbsvr and the CLI.

The function cmf_context-is-server() now determines whether the running process is cmdbsvr or the CLI, and a diagnose command has been added to clear the contents of the file:

diag sys ha checksum log clear

new diagnose command to delete avatars (388634)

It is now possible to delete avatars associated with FortiClient clients.

diagnose endpoint avatar delete <FortiClient UID>

or

diagnose endpoint avatar delete <FortiClient UID> <username>

  • If only the FortiClient UID is used, all of the avatars, except those that are currently being used will be deleted.
  • If both the FortiClient UID and the username are used, all of the avatars that belong to that combination, except those being used, will be deleted.

CID signatures have been improved for DHCP and CDP (389350, 409436)

More parameters have been added to make the signatures more specific. This helps to reduce false positives.

  • DHCP signatures:
    • A new DHCP signature file, 'cid.dhcp2', has been added that allows the class and host name to be specified in the same signature, for increased accuracy.
    • Relevant signatures from 'cid.dhcp' have been ported to the new signature file 'cid.dhcp2'.
    • Support DHCP parameter matching in signatures.
    • Support DHCP option list matching in signatures.
  • The CDP MAC analyzer now passes all three keys to the OS matcher.
  • Tests:
    • A number of new tests (including pcaps) have been added to match existing signatures and new signatures.
    • Some tests where multiple protocols were present in a single pcap have been modified. These are now split into multiple pcaps, each containing a single protocol. This allows FortiOS to fully test a signature, where previously a single test may have matched multiple signatures.
  • CID debug statistics now use shared memory. This prevents the daemon from having to respond to CLI requests and allows the stats to persist across daemon restarts.
  • A change has been made to the host IP update priority. Routers that have had their type set by heuristic are not allowed to change IPs.
  • If it is a Fortinet device, the change is allowed if it comes through a protocol we trust more (CDP, DHCP, LLDP, or MAC).

diagnose command to calculate socket memory usage (392655)

This diagnostic command gives the socket memory usage by individual process.

diagnose sys process sock-mem <pid>; <pid> …

Separate arguments with a semicolon ";".

Example

Run diagnose sys top to get the PIDs of a few processes…

diagnose sys top

Run Time: 1 days, 0 hours and 44 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 7996T, 5839F
httpsd    214    S    0.1    0.2
httpsd    1398   S    0.1    0.2
snmpd     173    S    0.1    0.1

Then use those PIDs with the command…

diagnose sys process sock-mem 214; 173

Process ID=214, sock_mem=0(bytes)
Process ID=173, sock_mem=2(bytes)

FortiGuard can determine a FortiGate’s location from its public IP address (393972)

The FortiGate now shows the public IP address and the geographical location (country) in the dashboard. The FortiGate sends a ping to the FortiCare/FortiGuard network and, as a response, receives the local WAN IP or, if it is being NATed, the public IP of the network. Using the public IP address, a geo-IP lookup is done to determine the country.

In the same location on the Dashboard, it also shows whether or not the listed IP address is a member of the Fortinet Blacklist.

CLI

The diagnostic command to get the information is:

diag sys waninfo

Example:

diagnose sys waninfo
Public/WAN IP: 209.87.240.98
Location:
Latitude: 45.250100
Longitude: -75.916100
Accuracy radius: 5
Time zone: America/Toronto
City: Stittsville
Subdivisions:
0: Ontario
Country: Canada
Postal:
Code: K2S
Continent: North America
Registered country: Canada
ISP: Unknown
Failed to query whether 209.87.240.98 is in the FortiGuard IP Blacklist: ret=-1 buf_sz=1024
Command fail. Return code 5

To get information about the address's inclusion as a member of the Fortinet Blacklist, the command is: diag fortiguard ipblacklist [db | vr | ip | ctx]

  • db – Get Database and Vendor/Reason List Versions.
  • vr – Get Vendor/Reason List.
  • ip – Get Information on a Specific IP.
  • ctx – Show Local Context.

If using the ip option, specify the IPv4 address after the ip option. Example:

diagnose fortiguard ipblacklist ip 209.87.240.98

AWS bootstrapping diagnose commands (394158)

The bootstrap feature is quite similar to cloud-init in OpenStack. When a user launches a new instance of FGT-VM in AWS, they need to provide some basic information about the license and config stored in an AWS S3 bucket via userdata. Bootstrap downloads the license and config from the S3 bucket and applies them to the FGT automatically.

CLI

A new CLI command has been added to show the results of the bootstrap config apply.

Example:

diagnose debug aws-bootstrap show
>> FGVM040000066475 $ config sys glo
>> FGVM040000066475 (global) $ set hostname awsondemand
>> FGVM040000066475 (global) $ end

Diagnose command to aid in conserve mode issues (394856)

The diagnose hardware sys conserve command provides memory information about the system that is useful in diagnosing conserve mode issues.

Example

diagnose hardware sys conserve
memory conserve mode: off
total RAM: 7996 MB
memory used: 2040 MB 25% of total RAM
memory used threshold extreme: 7597 MB 95% of total RAM
memory used threshold red: 7037 MB 88% of total RAM
memory used threshold green: 6557 MB 82% of total RAM

Diagnose commands to display FortiCare registration information (395254)

The Dashboard License widget can display information about the registered company owner and industry. There are some diagnostic commands that can do that in the CLI.

diagnose forticare protocol [HTTP | HTTPS]
diagnose forticare server <server IP>
diagnose forticare cnreg-code-list – List of known ISO 3166-1 numeric country/region codes.
diagnose forticare direct-registration reseller-list <cnreg-code>
diagnose forticare direct-registration country-data <cnreg-code>
diagnose forticare direct-registration organization-list
diagnose forticare direct-registration product-registration <arguments>

Options/arguments for product registration:

  • a = account_id
  • A = address
  • y = city
  • C = company
  • c = contract_number
  • T = country_code
  • e = existing_account
  • F = fax
  • f = first_name
  • h = help
  • I = industry
  • i = industry_id
  • l = last_name
  • O = orgsize
  • o = orgsize_id
  • p = password
  • P = phone
  • z = postal_code
  • R = reseller
  • r = reseller_id
  • S = state
  • s = state_code
  • t = title
  • v = version

new diag test app csfd options (395302)

Two additional test levels have been added to the diag test app csfd command in order to dump some additional information about timers, file handler status and received MAC addresses to the HA master.

diag test app csfd 11
diag test app csfd 40

new 'AND' and 'OR' filter capabilities for debug flow addr (398985)

In order to make a more flexible filter for the debug flow address command, the Boolean arguments of ‘AND’ and ‘OR’ have been added to the command parser. This will work regardless of whether or not the source or destination address is being filtered.

Syntax:

diagnose debug flow filter address <IP1|from IP> <IP2|to IP> <ENTER|and/or>

Improve wad debug trace and crash log information (400454)

Previously, when filtering on a wad debug trace or crash log information, the information may not have been as targeted as necessary. A new setting has been added to target a specific policy.

diagnose wad filter firewall-policy <index>
diagnose wad filter explicit-policy <index>

These commands will target the firewall or explicit proxy policies. Using a “-1” as the value will index of that particular policy type.

diagnose hardware test added to additional models (403571)

The diagnose hardware test that was previously on FortiGate E Series models, and the FortiGate 300/500D models, has been expanded to include:

  • Multiple low range models
  • Multiple mid range models
  • FortiGate 3800D model

This diagnostic feature replaces much of the functionality of the HQIP test that requires the installation of a separate firmware image.

diag sys sip-proxy config profile –> diag sys sip-proxy config profiles (404874)

The diagnose command has been renamed to make it more consistent with other similar commands.

diagnose sys sip-proxy config profile has been changed to

diagnose sys sip-proxy config profiles

diag debug flow changes (405348)

For crash and console logs, the logs are no longer parsed before being sent to their destination. Now they are dumped directly to the destination.

In addition, the following options have been removed from the diagnose command list:

diag debug flow show console
diag debug flow show console enable
diag debug flow show console disable

improve wad memory diagnose process (408236)

The WAD SSL memory dump functions have been moved to migbase so they can be shared by both WAD and the CLI.

CLI additions

  • diagnose wad memory – WAD memory diagnostics
  • diagnose wad memory general – List of WAD memory blocks.
  • diagnose wad memory bucket – List suspicious WAD memory buckets.
  • diagnose wad memory ssl – List SSL memory statistics.

New daemon watchdog framework in forticron (409243)

A new feature has been added to dump userspace’s process stacks.

CLI additions: diagnose sys process pstack <pid>

<pid> – Process ID, such as those displayed when using diagnose sys top

Output from diagnose wad debug command filterable (410069)

The output from the command was so verbose that the information being looked for could get lost in the extraneous data, so parameters were added that allow the output to be filtered by both severity level and information category.

The command has a few settings: diagnose wad debug [enable|disable|show|clear|display]

  • enable – Enable the level or category debug setting.
  • disable – Disable the debug setting.
  • show – Show the current debug setting.
  • clear – Clear the existing debug setting.
  • display – Changes to the display setting. For example, diag wad debug display pid enable enables the display of PID values in the output.

Syntax to set the level: diagnose wad debug enable level <level>

Where <level> is one of:

  • error – error
  • warn – warning
  • info – information
  • verbose – verbose

Syntax to set the category: diag wad debug enable category <category>

Where <category> is one of the following:

  • connection – connection
  • session – session
  • protocol – protocol
  • io – I/O
  • packet – packet
  • db – cache database
  • cifs – CIFS
  • ssl – SSL
  • webcache – webcache
  • policy – policy matching
  • auth – authentication
  • scan – UTM scan
  • cache – wanopt cache
  • tunnel – wanopt tunnel
  • bank – bank
  • stats – stats
  • disk – cache disk
  • video – cache video
  • rplmsg – replacement message
  • ipc – IPC
  • bar – Fortinet top bar
  • waf – WAF
  • memblk – memory block
  • all – all categories

DNS log improvements (410132)

DNS logs have been improved to make the presentation of the data clearer. These changes involve a reorganization of the DNS log subtypes.

These changes include:

  • Change dns-subtype to dns-response
  • Remove the status field and add Pass/Block/Redirect to the action field
  • Change the msg field to display DNS filter rating results
  • All error messages now go to the error field
  • Change urlfilteridx to domainfilteridx
  • Change urlfilterlist to domainfilterlist
  • Add a query type value field


This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
