Troubleshooting
In the web-based manager, a good troubleshooting tool is the packet counter column on the security policy page at Policy & Objects > IPv4 Policy. This column displays the number of packets that have passed through the security policy. When you are testing your configuration (end-to-end connectivity, user authentication, policy use), watching the packet count for an increase confirms the results of any other troubleshooting methods you may be using. It also shows which policy is allowing the traffic, which is useful information if you expect a user to require authentication and it never happens.
This section addresses how to get more information from the CLI about users and user authentication attempts to help troubleshoot failed authentication attempts.
diag firewall iprope list
Shows the IP that the computer connected from. This is useful to confirm authorization and VPN settings.
diag firewall iprope clear
Clears all authorized users from the current list. Useful to force users to re-authenticate after system or group changes. However, this command may easily result in many users having to re-authenticate, so use it carefully.
diag rsso query ip
diag rsso query rsso-key
Queries the RSSO database.
For more information on troubleshooting specific features, go to that section of this document. Most sections have troubleshooting information at the end of the section. In addition to that information, see the FortiOS Handbook Troubleshooting guide for general troubleshooting information.