Fortigate debug and diagnose

commands complete cheat sheet

Table of Contents
Security rulebase debug (diagnose debug flow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2  

General Health, CPU, and Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3  

Session stateful table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3  

High Availability Clustering debug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5  

IPSEC VPN debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6  

SSL VPN debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8  

Static Routing Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8  

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9  

DHCP server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10  

NTP debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11  

SNMP daemon debug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11  

BGP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
 

Admin sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12  

Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12  

Fortianalyzer logging debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13  

SD-WAN verification and debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14  

Virtual Fortigate License Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14  

SIP ALG and helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15  

DNS server and proxy debug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15  

Administrator GUI access and API automation requests debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16  

Wireless Controller and managed Access Points debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17  

Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/

To enable debug set by any of the commands below, you need to run diagnose
NOTE
debug enable. This is assumed and not reminded any further.

To disable and stop immediately any debug, run dia deb res which is short for
NOTE
diagnose debug reset.

All debug will run for 30 minutes by default, to increase use diagnose debug
NOTE duration <minutes>, setting to 0 means unlimited by time. Reboot will reset this
setting.

1
Security rulebase debug (diagnose debug
flow)
Table 1. Security rulebase diagnostics with diagnose debug flow

Command Description

diagnose debug flow filter Show the active filter for the flow debug

diagnose debug filter clear Remove any filtering of the debug output set

diagnose debug flow filter <filtering param> Set filter for security rulebase processing
packets output. You can set multiple filters - act
as AND, by issuing this command multiple times.
Parameters:

vd - id number of the vdom. When entering the

vdom with edit vdom, this number is shown first.

vd-name - limit debug to specific VDOM by its

name. Fortigate translates the name to VDOM ID
(vd).

proto - Protocol number.

addr - IP address of the packet(s), be it a

destination or/and a source.

saddr - IP source address of the packet(s).

daddr - IP destination address of the packet(s).

port - Source or/and destination port in the

packet(s).

sport - Source port of the packet(s).

dport - Destination port of the packet(s).

negate <parameter> - negate the match, i.e. match

if a packet does NOT contain <parameter. Where
parameter is one of the above: vd, addr, saddr,
port, sport, dport

diagnose debug filter6 <parameter> Same as diagnose debug filter but for IPv6
packets. The rest of matching and conditions
remain of the same syntax.

diagnose debug flow show function-name Show function names responsible for each step
enable in processing.

2 https://www.linkedin.com/in/yurislobodyanyuk/ Fortigate debug and diagnose commands complete cheat sheet

Command Description

diagnose debug flow trace start [number] Actually start the debug with optional number to
limit number of packets traced.

General Health, CPU, and Memory

Table 2. General Health, CPU, and Memory loads

Command Description

get sys stat Get statistics about the Fortigate device: FortiOS
used, license status, Operation mode, VDOMs
configured, last update dates for AntiVirus, IPS,
Application Control databases.

get sys performance stat Show real-time operational statistics: CPU load
per CPU, memory usage, average
network/session, uptime.

diagnose debug crashlog read Display crash log. Records all daemons crashes
and restarts. Some daemons are more critical
than others.

diagnose debug crashlog clear Clear the crash log.

get hardware memory Show memory statistics: free, cached, swap,

shared

execute sensor list List current readings of all sensors present on

this model of the Fortigate. ALrger models (1500
and up) show CPUs voltage, fan speeds,
temperature, power supply voltage and more.

Session stateful table

Command Description

get system session status Show current number of sessions passing the
Fortigate. Run inside the VDOM in multi-vdom
environment to get number of
connections/sessions for this specific VDOM.

get sys session-info statistics Get general statistics on sessions: current

number of, global limits, number of clashes
(different sessions trying to use the same ports),
TCP sessions stats per state

get sys session-info ttl Show the default TTL setting for the connections
in the table, default being 3600 seconds.

3
Command Description

diagnose sys session filter <filter parameter> Set filter to show/manipulate only specific
<filter value> connections in the stateful table. Run without
any filter parameters this command displays the
current filter applied if any. Parameters:

vd - id number of the vdom. When entering the

vdom with edit vdom, this number is shown
first.

sintf - source interface.

dintf - destination interface.

proto - protocol, by IANA protocol number.

proto-state - protocol state.

src - source IP.

dst - destination IP.

nsrc - NATed source IP.

sport - source port.

nport - NATed source port.

dport - destination port.

policy - policy id.

duration <from> <to> - duration.

expire <from> <to> - expiration time.

session-state1 <x> - session state, where x is in

hex, state bits.

negate <parameter> - negate the match, i.e. match

if a connection does NOT contain parameter.
Where parameter is one of the mentioned
above.

4 https://www.linkedin.com/in/yurislobodyanyuk/ Fortigate debug and diagnose commands complete cheat sheet

Command Description

diagnose sys session clear Clear/delete connections from the session table.
IMPORTANT: If no session filter is set (see above)
before running this command, ALL connections
passing the Fortigate will be deleted! Which
means they will be disconnected. So use
carefully.

diagnose sys session list List connections limited to the filter set if any, or
all session table if not.

High Availability Clustering debug

Table 3. HA Clustering related debug and verification

Command Description

get sys ha status Show general status and statistics of the

clustering - health status, cluster uptime, last
cluster state change, reason for selecting the
current master, configuration status of each
member (in-sync/out-of-sync), usage stats
(average CPU, memory, session number), status
(up/down, duplex/speed, packets received/dropped)
for the heartbeat interface(s), HA cluster index
(used to enter the secondary member CLI with
exe ha manage).

diagnose sys ha dump-by group Print detailed info per cluster group, shows
actual uptime of each member in start_time, as
well monitored links failures, status.

diagnose sys ha checksum cluster Shows configuration checksum for each cluster
member separated in individual VDOMs and
global. In properly synchronized cluster all
member checksums should be identical, look at
all value.

diagnose sys ha checksum recalculate Force cluster member to recalculate checksums,

often will solve the out of sync problem. No
adverse effects. Run on each cluster member.

diagnose sys ha checksum show < Print detailed synchronization status for each
VDOM/global> configuration part. Use after seeing out-of-sync
in diagnose sys ha checksum cluster to know
which part of configuration causes members to
be out-of-sync. Need to run on each cluster
member and compare, long output - use diff
/vimdiff/Notepad++ Compare plugin to spot the
differences.

5
Command Description

diagnose sys ha checksum show < Show exact setting inside the settings tree that
VDOM/global> <settings part name> causes out-of-sync. Use output from diagnose
sys ha checksum show (see above) for settings
part name. E.g. if diagnose sys ha checksum show
root indicates that firewall.vip is out-of-sync,
running diagnose sys ha checksum show root
firewall.vip will give checksums of each VIP in
the root domain to compare with those of
secondary member.

diagnose debug app hatalk -1 Enable heartbeat communications debug. It

shows in real time if members are talking over
sync interfaces. The output will look like
state/chg_time/now=2(work)/1610773657/16176066
30, where the desired state is work, chg\_time is
last cluster state/failover date in epoch, and now
is the last time communication occurred on
heartbeat interface(s), also in epoch.

diag debug application hasync -1 Real time synchronization between members. As

only things that changed get synchronized after
1st sync is established, may take time to produce
output. See next.

execute ha synchronize stop Stop, enable debug, then start again HA

synchronization process, will produce lots of
diag debug enable output.

diag debug application hasync -1

execute ha synchronize start

exe ha manage ? First show index of all Fortigate cluster

members, then enter any secondary member
exe ha manage <id> CLI via its index.

IPSEC VPN debug

Table 4. IPSEC VPN Debug

6 https://www.linkedin.com/in/yurislobodyanyuk/ Fortigate debug and diagnose commands complete cheat sheet

Command Description

diagnose vpn ike log-filter <parameter> Filter VPN debug messages using various
parameters:

• list Display the current filter.

• clear Delete the current filter.

• name Phase1 name to filter by.

• src-addr4/src-addr6 IPv4/IPv6 source address

range to filter by.

• dst-addr4/dst-addr6 IPv4/IPv6 destination

address range to filter by.

• src-port Source port range

• dst-port Destination port range

• vd Index of virtual domain. -1 matches all.

• interface Interface that IKE connection is

negotiated over.

• negate Negate the specified filter parameter.

diagnose debug application ike -1 Enable IPSec VPN debug, shows phase 1 and
phase 2 negotiations (for IKEv1) and everything
for IKEv2. "-1" sets the verbosity level to
maximum, any other number will show less
output.

diagnose vpn ike gateway flush name Flush (delete) all SAs of the given VPN peer only.
<vpn_name> Identify the peer by its Phase 1 name.

diagnose vpn tunnel list [name <Phase1 Show operational parameters for all or just
name>] specific tunnels: Type (dynamic dial up or
static), packets/bytes passed, NAT traversal state,
Quick Mode selectors/Proxy Ids, mtu, algorithms
used, whether NPU-offloaded or not, lifetime,
DPD state.

diagnose vpn ike gateway list Show each tunnel details, including user for
XAuth dial-up connection.

get vpn ipsec tunnel details Detailed info about the tunnels: Rx/Tx
packets/bytes, IP addresses of the peers,
algorithms used, detailed selectors info, lifetime,
whether NAT Traversal is enabled or not.

get vpn ipsec stats tunnel Short general statistics about tunnels: number,
kind, number of selectors, state

get vpn ipsec tunnel summary Short statistics per each tunnel: number of
selectors up/down, number of packets Rx/Tx.

7
Command Description

get vpn ipsec stats crypto Crypto stats per component (ASIC/software) of
the Fortigate: encryption algorithm, hashing
algorithm. Useful to see if unwanted situation of
software encryption/decryption occurs.

SSL VPN debug

Table 5. SSL VPN client to site/Remote Access debug

Command Description

get vpn ssl monitor List logged in SSL VPN users with allocated IP
address, username, connection duration.

diagnose debug app sslvpn -1 Debug SSL VPN connection. Shows only SSL
protocol negotiation and set up. That is - ciphers
used, algorithms and such, does NOT show user
names, groups, or any client related info.

Static Routing Debug

Table 6. Static and Policy Based Routing debug & diagnostics

8 https://www.linkedin.com/in/yurislobodyanyuk/ Fortigate debug and diagnose commands complete cheat sheet

Command Description

get router info kernel View the kernel routing table (FIB). This is the
list of resolved routes actually being used by the
FortiOS kernel.

tab Table number, either 254 for unicast or 255

for multicast.

vf Virtual domain index, if no VDOMs are

enabled will be 0.

type 0 - unspecific, 1 - unicast, 2 - local , 3 -

broadcast, 4 - anycast , 5 - multicast, 6 -
blackhole, 7 - unreachable , 8 - prohibited.

proto Type of installation, i.e. where did it come

from: 0 - unspecific, 2 - kernel, 11 zebOS module,
14 - FortiOS, 15 - HA, 16 - authentication based,
17 - HA1

prio priority of the route, lower is better.

pref preferred next hop for this route.

Gwy the address of the gateway this route will

use

dev outgoing interface index. If VDOMs enabled,

VDOM will be included as well, if alias is set it
will be shown.

get router info routing-table all Show RIB - active routing table with installed
and actively used routes. It will not show routes
with worse priority, multiple routes to the same
destination if unused.

get router info routing database Show ALL routes, the Fortigate knows of -
including not currently used.

get router info routing-table details <route> Show verbose info about specific route, e.g. get
router info routing-table details 0.0.0.0/0

get firewall proute Get all configured Policy Based Routes on the
Fortigate.

Interfaces
Table 7. Interafces of all kinds diagnostics

9
Command Description

get hardware nic <inerface name> Hardware info of the interface: MAC address,
state (up/down), duplex (full, half), Rx/Tx
packets, drops.

diagnose hardware deviceinfo nic <nic name> Same as above.

get hardware npu np6 port-list Show on which interfaces the NPU offloading is
enabled.

diagnose npu np6lite port-list Same as above but for NP6-lite.

fnsysctl ifconfig <interface name> Gives the same info as Linux ifconfig. The only
way to see the actual MTU of the interface.

fnsysctl cat /proc/net/dev Similar to netstat shows errors on the

interfaces, drops, packets sent/received.

diagnose ip address list Show IP addresses configured on all the

Fortigate interfaces.

diagnose sys gre list Show configured GRE tunnles and their state.

diag debug application pppoed -1 Enable all ADSL/PPPoE-related debug.

dia debug application pppoe -1

dia debug applicaiton ppp -1

execute interface pppoe-reconnect Force ADSL re-connection.

DHCP server
Table 8. DHCP server

Command Description

show system dhcp server Show DHCP server configuration, including

DHCP address pools.

execute dhcp lease-list [interface name] Show real-time list of allocated by Fortigate
addresses via DHCP. It will show IP address of
each client, its MAC address, device type/name
(Android, iOS, Windows, etc.), the lease time and
expiration.

execute dhcp lease-clear all/start-end-IP- Clear DHCP allocations on the Fortigate. This will
address-range NOT cause clients that already have IP addresses
to release them, but will just clear Fortigate
DHCP database and will start over allocating
again. You can either clear all IP addresses in the
database, or only specific IPs.

10 https://www.linkedin.com/in/yurislobodyanyuk/ Fortigate debug and diagnose commands complete cheat sheet

Command Description

diagnose debug application dhcps -1 enable real-time debug of DHCP server activity.
This will show DHCP messages sent/received,
DHCP options sent in each reply, details of
requesting hosts.

NTP debug
Table 9. NTP daemon diagnostics and debug

Command Description

diag sys ntp status Current status of NTP time synchronization.

Shows all NTP peers and their detailed info:
reachability, stratum, clock offset, delay, NTP
version.

execute date Show current date as seen by Fortigate.

exec time Show current time as seen by Fortigate.

SNMP daemon debug

Table 10. SNMP daemon debug

Command Description

diagnose debug application snmpd -1 ENable SNMP daemon messages debug.

show system snmp community Show SNMP community and allowed hosts
configuration

BGP
Table 11. BGP debug

Command Description

diagnose ip router bgp level info Set BGP debug level to INFO (the default is
ERROR which gives very little info) and enable
diagnose ip router bgp all enable the BGP debug.

exec router clear bgp all Disconnect all BGP peering sessions and clear
BGP routes in BGP table and RIB. Use with care,
involves downtime.

get router info bgp summary State of BGP peering sessions with peers, one per
line.

11
Command Description

get router info bgp network <prefix> Detailed info about <prefix> from the BGP
process table. Output includes all learned via
BGP routes, even those not currently installed in
RIB. E.g. get router info bgp network 0.0.0.0/0.
The <prefix> is optional, if absent shows the
whole BGP table.

get router info routing-table bgp Show BGP routes actually installed in the RIB.

get router info bgp neighbors Detailed info on BGP peers: BGP version, state,
supported capabilities, how many hops away,
reason for the last reset.

get router info bgp neighbors <IP of the Show all routes advertised by us to the specific
neighbor> advertised-routes neighbor.

get router info bgp neighbors <IP of the Show all routes learned from this BGP peer. It
neighbor> routes shows routes AFTER filtering on local peer, if
any.

get router info bgp neighbors <IP of the Show all received routes from the neighbor
neighbor> received-routes BEFORE any local filtering is being applied. It
only works if set soft-reconfiguration enable is
set for this peer under router bgp configuration.

diagnose sys tcpsock | grep 179 List all incoming/outgoing TCP port 179 sessions
for BGP.

Admin sessions
Table 12. Admin sessions management

Command Description

get sys info admin status List logged in administrators showing INDEX
value for each session

execute disconnect-admin-session <INDEX> Disconnect logged in administrator by the

session INDEX.

Authentication
Table 13. Authentication in all kinds LDAP, Radius, FSSO

Command Description

diagnose debug app fnbamd -1 Enable debug for authentication daemon, valid
for ANY remote authentication - RADIUS, LDAP,
TACACS+.

12 https://www.linkedin.com/in/yurislobodyanyuk/ Fortigate debug and diagnose commands complete cheat sheet

Command Description

diagnose test authserver ldap <LDAP server Test user authenticaiton on Fortigate CLI against
name in FG> <username> <password> Active Directory via LDAP. E.g. test user Tara
Addison against LDAP server configured in
Fortigate as LDAP-full-tree having password
secret: diagnose test authserver ldap LDAP-
full-tree "Tara Addison" secret.

diagnose debug authd fsso list List logged in users the Fortigate learned via
FSSO

diagnose debug authd fsso server-status Show status of connections with FSSO servers.
Note: it shows both, local and remote FSSO
Agent(s). The local Agent is only relevant when
using Direct DC Polling, without installing FSSO
Agent on AD DC, so it is ok for it to be waiting
for retry … 127.0.0.1 if you don’t use it. The
working state should be connected.

Fortianalyzer logging debug

Table 14. Verify and debug sending logs from Fortigate to Fortianalyzer

Command Description

get log fortianalyzer setting Show active Fortianalyzer-related settings on

Fortigate.

config log fortianalyzer Complete Fortianalyzer configuration on CLI, as

GUI configuring is usually not enough for it to
work.

get log fortianalyzer filter Verify if any log sending filtering is being done,
look for values of filter and filter-type. If
there are any filters, it means not all logs are
sent to FAZ.

exec log fortianalyzer test-connectivity Verify that Fortigate communicates with

Fortianalyzer. Look at the statistics in Log: Tx &
Rx line - it should report increasing numbers,
and make sure the status is Registration:
registered.

exec telnet <IP of Fortianalyzer> 514 Test connectivity to port 514 on the
Fortianalyzer. If pings are allowed between
them, you can also try pinging.

diagnose sniffer packet any 'port 514' 4 Run sniffer on Fortigate to see if devices
exchange packets on port 514. Click in GUI on
Test Connectivity to initiate connection.

13
SD-WAN verification and debug
Table 15. SD-WAN verification and debug

Command Description

diagnose sys sdwan health-check (6.4 and Show state of all the health checks/probes.
newer) Successful probes are marked alive, failed
probes are marked dead. Also displays packet-
diagnose sys virtual-link health-check (5.6 up loss, latency, jitter for each probe.
to 6.4)

diagnose sys sdwan member Show list of SD-WAN zone/interface members.

Also gives each interface gateway IP (if was set,
diagnose sys virtual-wan-link member 0.0.0.0 if not), priority, and weight both by
default equal 0, used with some SLA Types.

diagnose sys sdwan service List configured SD-WAN rules (aka services),
except the Implied one which is always present
diagnose sys virtual-wan-link service and cannot be disabled, but is editable for the
default load balancing method used. Shows
member interfaces and their status alive or dead
for this rule.

diag sys sdwan intf-sla-log <interface name> Print log of <interface name> usage for the last
10 minutes. The statistics shown in bps:
diag sys virtual-wan-link intf-sla-log inbandwidth, outbandwidth, bibandwidth, tx bytes,
<interface name> rx bytes.

diag netlink interface clear <interface name> Clear traffic statistics on the interface, this resets
statistics of the SD-WAN traffic passing over this
interface. Needed, if, for example, you changed
SD-WAN rules, but not sure if it’s already active.
E.g. diag netlink interface clear port1.

diagnose firewall proute list List ALL Policy Based Routes (PBR). SD-WAN in
Fortigate, after all, is implemented as a variation
of PBR. This command lists manual (classic) PBR
rules, along with SD-WAN created via SD-WAN
rules. Important: Manually created PBR rules
(via Network → Policy Routes or on CLI config
route policy always have preference over the
SD-WAN rules, and this command will show
them higher up.

Virtual Fortigate License Status

Table 16. Verify status of VM Fortigate License

Command Description

14 https://www.linkedin.com/in/yurislobodyanyuk/ Fortigate debug and diagnose commands complete cheat sheet

get sys status | grep -i lic Get status of the license (for VM only). The corect
status is Valid.

diagnose debug vm-print-license Show detailed info on VM Fortigate license

status: allowed CPUs and memory, date of
license activation, license expiration date (if set),
serial number.

diagnose hardware sysinfo vm full Show license data as seen by FortiGuard: status
(should be valid=1), last time it was checked
(recv), answer code, should be code: 200, code:
401 is for duplicate license found, code: 502 is for
VM cannot connect to FortiGuard, and code: 400
is for invalid license.

SIP ALG and helper

Table 17. SIP proxy or helper debug

Command Description

config sys settings Show the current SIP inspection mode. If the
output is default-voip-alg-mode: proxy-based
get | grep alg then the full Layer 7 proxy SIP inspection is on
(ALG inspection). If the output is default-voip-
alg-mode: kernel-helper-based then the Layer 4
helper inspection is on. In both modes Fortigate
does IP address translation inside SIP packets (if
needed), and opens dynamically high ports for
incoming media/voice streams ports. In ALG
mode, the Fortigate additionally does RFC
compliance verification and more. So, the ALG
mode is more prone to cause issues but also
provides more security.

show system session-helper | grep sip -f If using SIP helper and not ALG, make sure there
is an entry for SIP in the helpers list, usually on
port 5060, but may be custom as well.

diagnose debug application sip -1 Display SIP debug in real-time (lots of output). It
shows IP replacement inside SIP packets if NAT
involved, all SIP communication requests
(REGISTER,INVITE etc.), and reply codes.

DNS server and proxy debug

15
Command Description

get system dns Show configured DNS servers, DNS cache limit
and TTL, source IP used, timeout and retry,
whther NDS over TLS is enabled.

diagnose test app dnsproxy 2 Show the following statatistics: number of DNS
process workers (if multiple), DNS latency
against each server used, Secure DNS IP and
latency - DNS server used for DNS filtering and
Botnet detections, DNS cache usage, UDP vs TCP
requests statistics, name of DNS Filter applied if
any.

diagnose test app dnsproxy 1 Clear DNS responses cache

diagnose test app dnsproxy 3 Display detailed statistics for each DNS/SDNS
server used and those that could be used.

diagnose test app dnsproxy 7 Show the responses cached entries.

diagnose test app dnsproxy 6|4|5 Work with FQDN resolved objects:

6 - Display currently resolved FQDN addresses

4,5 - Reload/Requery all FQDN addresses

diagnose test app dnsproxy 8 Show DNS database of domain(s) configured on

the Fortigate itself.

diagnose test app dnsproxy 9 Reload DNS database of domain(s) configured on

the Fortigate itself.

diagnose test app dnsproxy 10 Show active SDNS, i.e. DNS Filter Policy used.
Shows Categories as numbers, so not easily
readable.

diagnose test app dnsproxy 12 Reload configuration of DNS Filter, in case the
changes made do not take effect immediately.

diagnose test app dnsproxy 15 Show cached responses and their rating of the
DNS Filter for each URL/domain scanned.

diagnose test app dnsproxy 16 Clear the DNS Filter responses and ratings cache.

diagnose test app dnsproxy 99 Restart the dns proxy service.

Administrator GUI access and API

automation requests debug

16 https://www.linkedin.com/in/yurislobodyanyuk/ Fortigate debug and diagnose commands complete cheat sheet

Command Descritption

diagnose debug httpsd -1 Enable diagnostics for administrator and remote

REST API access via api-user. When debugging
diagnose debug application httpsd -1 API automation, refrain from working in admin
GUI as it will produce a lot of unrelated output.

Wireless Controller and managed Access

Points debug
Command Description

diagnose wireless-controller wlac -c ap-status Show list of all Access Points (APs) this Fortigate
is aware of with their BSSID (MAC), SSID, and
Status (accepted, rogue, suppressed)

diagnose wireless-controller wlac -c vap Show list of APs with their BSSIDs, broadcasted
SSIDs, IDs, and unlike wlac -c ap-status above,
also shows management IP and port which can
be later used for real-time debug.

show wireless-controller wtp-profile Show available Wireless Termination Points (i.e.

APs) profiles with their settings. Profiles are
applied to individual APs, i.e. a single profile can
be applied to multiple APs.

show wireless-controller wtp Show APs known to this Fortigate individually.

We can enter any given AP configuration and
change settings for this AP only, i.e. set admin
disable.

17