Fortinet CLI Troubleshooting Cheat Sheet

CLI troubleshooting cheat sheet

This reference lists some important command line interface (CLI) commands that can be used for log gathering, analysis, and troubleshooting. It provides a basic understanding of CLI usage for users with different skill levels. Exploring additional commands beyond the ones listed here to gain a comprehensive understanding of the CLI is recommended.

Enable/Disable debugging

Command
    Description
diagnose debug reset
    Stop all the prior debugs that were enabled and running in the foreground or background.
diagnose debug enable
    Start printing debugs in the console.
diagnose debug disable
    Stop printing debugs in the console. The debugs are still running in the background; use diagnose debug reset to completely stop them.
diagnose debug duration 0
    Start debugging for infinite duration. By default, debug is set for 30 minutes.

System

Command
    Description
get system status
    Show system information.
execute time
    Show current system time.
get system performance status
    Show CPU and memory utilization.
execute tac report
    Execute TAC report used to open a support ticket with Fortinet Support.
diagnose sys top {s} {n} {i}
    Show a list of the first n processes every s seconds for i iterations.
    - Shift + C: Sort by highest CPU
    - Shift + M: Sort by highest memory
diagnose debug crashlog read
    Show system and application crashes.
diagnose sys process pidof <daemon>
    Show PID of the daemon that is running. The names of currently running daemons can be found using diagnose sys top.
    For example: diagnose sys process pidof httpsd
diagnose sys kill 11 <pid>
    Kill the PID with signal 11.
diagnose sys session stat
    Show session statistics.
diagnose sys session exp-stat
    Show expectation session statistics.
diagnose sys vd list
    Show virtual domain information and system statistics.
diagnose sys cmdb info
    Show information about the latest configuration change performed by the daemon.
execute factoryreset [keepvmlicense]
    Immediately reset to factory defaults and reboot.
    If keepvmlicense is specified (VM models only), the VM license is retained after reset.
execute factoryreset-shutdown [keepvmlicense]
    Immediately reset to factory defaults and shutdown.
    If keepvmlicense is specified (VM models only), the VM license is retained after reset.
execute factoryreset2 [keepvmlicense]
    Reset to factory default, except system settings, system interfaces, VDOMs, static routes, and virtual switches.
    If keepvmlicense is specified (VM models only), the VM license is retained after reset.
diagnose debug config-error-log read
    Show errors in the configuration file.
diagnose snmp ip frags
    Show fragmentation and reassembly information.
diagnose sys process dump <PID>
diagnose sys process pstack <PID>
diagnose sys process trace <PID>
    Show essential process related information for a particular process PID.
diagnose sys mpstat {n}
    Show CPU usage every n seconds.
diagnose hardware sysinfo memory
    Show system memory information.
diagnose firewall packet distribution
    Show packet distribution statistics.
execute reboot
    Reboot the device.

Hardware

Command
    Description
diagnose hardware sysinfo interrupts
    Show hardware interrupts statistics.
diagnose hardware test suite all
    Execute a hardware diagnostic test, also known as an HQIP test.
diagnose hardware deviceinfo disk
    Show disk information.
diagnose sys flash list
    Show flash partitions.
execute disk list
    Show available mounted disks.
execute disk format <partition ref>
    Format the referenced partition.
diagnose disktest device <device>
diagnose disktest block <block>
diagnose disktest size <mb>
diagnose disk test run
    Execute a disk check to check if disk is faulty.
    - <device>: Device to test
    - <block>: Block size of each read/write operation.
    - <mb>: Test size limit for each cycle
execute formatlogdisk
    Format the log disk.
diagnose hardware sysinfo cpu
    Show CPU information.
diagnose sys modem detect
diagnose debug application modemd -1
diagnose debug enable
    Detect the modem and start real-time debugging of the modem daemon.

FortiGuard

Command
    Description
diagnose webfilter fortiguard statistics
    Show rating cache and daemon statistics.
diagnose debug rating
    Show web filter rating server information.
diagnose debug application update -1
diagnose debug enable
    Start debugging for updated daemon to troubleshoot FortiGuard update issues.
execute update-now
    Execute the FortiGuard update manually.
diagnose autoupdate status
diagnose autoupdate versions
    Show license information.

Session table

Command
    Description
diagnose sys session filter <filter>
    Set session table filters.

FortiOS 7.4 Troubleshooting Cheat Sheet Fortinet Inc. 01-740-755024-20240906


Command
    Description
diagnose sys session filter
    Show session filters, if set.
diagnose sys session list
    Show session table after filtering.
diagnose sys session clear
    Clear the session table for the specified filter.
diagnose firewall iprope list
    Show FortiGate’s internal firewall table.

Network diagnostics

Command
    Description
execute ping-options {options}
execute ping <x.x.x.x>
    Ping IP address <x.x.x.x> using the specified options.
execute ssh-options {options}
execute ssh <x.x.x.x>
    SSH to IP address <x.x.x.x> using the specified options.
execute traceroute-options {options}
execute traceroute <x.x.x.x>
    Traceroute IP address <x.x.x.x> using the specified options.
get system arp
diagnose ip arp list
    Show ARP entries.
diagnose netlink brctl list
    Show the names of all of the switches on the FortiGate.
diagnose netlink brctl name host <switch-name>
    Show the switching table of the specified switch.
get system interface
get sys interface physical
    Show a summary of interface details, including IP address information.
diagnose ip address list
    Show IP address information.
diagnose hardware deviceinfo nic <interface>
get hardware nic <interface>
    Show detailed interface information.
get sys interface transceiver
    Show connected transceivers.

Packet sniffer

Command
    Description
diagnose sniffer packet <interface> <'filter'> <verbose> <count> <a|l>
    Execute the inbuilt packet sniffer, filtered on a particular interface with the specified filter. For more information, see Performing a sniffer trace or packet capture.

Debug flow

Command
    Description
diagnose debug reset
    Stop all the prior debugs that were enabled and running in the foreground or background.
diagnose debug flow filter clear
    Clear any IPv4 debug flow filters.
diagnose debug flow filter6 clear
    Clear any IPv6 debug flow filters.
diagnose debug flow filter <filter>
    Set a filter for running IPv4 traffic debug flows.
diagnose debug flow filter6 <filter>
    Set a filter for running IPv6 traffic debug flows.
diagnose debug flow show function-name enable
    Show the function name of the code that the traffic accesses.
diagnose debug flow show iprope enable
    Show which internal firewall policy the traffic is going through.
diagnose debug console timestamp enable
    Start printing timestamps on debugs.
diagnose debug flow trace start <n>
    Show n lines of IPv4 debugs.
diagnose debug flow trace start6 <n>
    Show n lines of IPv6 debugs.
diagnose debug enable
    Start printing debugs in the console.

For more detailed debug flow filter information, see Technical Tip: Using filters to review traffic traversing the FortiGate.

UTM

Command
    Description
diagnose debug urlfilter <filter>
diagnose debug application urlfilter -1
diagnose debug enable
    Start real-time debugging for web filter traffic.
diagnose debug enable
diagnose test application urlfilter
    List the web filter debug outputs.
diagnose test application urlfilter <option>
    Show the web filter debug output for the specified option.
diagnose debug application dnsproxy -1
diagnose debug enable
    Start real-time debugging for DNS proxy. DNS proxy is responsible for DNS filter, DNS translation, DNS resolution etc.
diagnose debug enable
diagnose test application dnsproxy
    List the DNS proxy debug outputs.
diagnose test application dnsproxy <option>
    Show the DNS proxy debug output for the specified option.
diagnose ips filter set "host <x.x.x.x> and port <port>"
diagnose ips debug enable all
diagnose debug enable
    Start IPS engine debugs for Application Control and IPS Security profile
diagnose ips debug enable av
diagnose ips debug status show
diagnose sys scanunit debug all enable
diagnose sys scanunit debug level verbose
diagnose sys scanunit debug show
diagnose debug enable
    Start real-time debugging for antivirus profile when antivirus profile is configured in flow mode.
diagnose wad debug enable category scan
diagnose wad stream-scan av-test "debug enable"
diagnose wad stream-scan av-test "debug all:debug"
diagnose sys scanunit debug all enable
diagnose sys scanunit debug level verbose
diagnose sys scanunit debug show
diagnose debug enable
    Start real time debugging for antivirus profile when antivirus profile is configured in proxy mode.

IPS engine

The IPS engine handles traffic related to flow-based processing.

Real-time debugs are CPU intensive tasks. Running real-time IPS engine debugs with proper filters can result in high CPU usage.

Command
    Description
diagnose test application ipsmonitor 1
    Show IPS engine information
diagnose test application ipsmonitor 2
    Set the IPS engine enable/disable status.
diagnose test application ipsmonitor 99
    Restart all IPS engines and monitor.
diagnose test application ipsmonitor 97
    Start all IPS engines.
diagnose test application ipsmonitor 98
    Stop all IPS engines.
diagnose ips session list
diagnose test application ipsmonitor 13
    Show the IPS sessions in each engine's memory space.
diagnose ips filter set "host <x.x.x.x> and port <port>"
diagnose ips debug enable all
diagnose debug enable
    Show IPS engine debugs for the traffic specified by the filter.

WAD

The WAD daemon handles proxy related processing.

Real-time debugs are CPU intensive tasks. Running real-time WAD debugs with proper filters can result in high CPU usage.

Command
    Description
diagnose test application wad 1000
    Show all WAD processes.
diagnose test application wad 2
    Show total memory usage.
diagnose test application wad 99
    Restart all WAD processes.
diagnose wad debug display pid enable
diagnose wad filter <filter>
diagnose wad filter list
diagnose wad debug enable level <level>
diagnose wad debug enable category <category>
diagnose debug enable
    Start real-time debugging of the traffic processed by WAD daemon.
diagnose wad filter <filter>
    Set the filter for the WAD debugs.
diagnose wad filter list
    Show all the filters that have been set for debugging.
diagnose wad filter clear
    Clear the WAD filter settings.
diagnose wad debug enable level <level>
    Set the verbosity level of the debugs.
diagnose wad debug enable category <category>
    Set the traffic category.
diagnose wad debug display pid enable
    Show the WAD worker PID in debugs that handle the session request.
diagnose debug enable
    Start printing debugs in the console.

CPU profiling

Command
    Description
diagnose sys profile cpumask <cpu_id>
    Set the CPU core to profile.
diagnose sys profile start
    Start CPU profiling and wait for one to two minutes to stop.
diagnose sys profile stop
    Stop CPU profiling.
diagnose sys profile module
    Show the applied kernel modules.
diagnose sys profile show detail
diagnose sys profile show order
    Show the CPU profiling result for the respective core.

Tree

Command
    Description
tree
    Show the entire command tree.
tree execute
    Show the execute command tree.
tree diagnose
    Show the diagnose command tree.

IPv4 and IPv6 routing

Command
    Description
get router info routing-table all
    Show routing table.
get router info routing-table database
get router info6 routing-table database
    Show IPv4 and IPv6 routing database information.
diagnose ip route list
get router info kernel
diagnose ipv6 route list
get router info6 kernel
    Show the IPv4 and IPv6 kernel routing table.
get router info protocols
get router info6 protocols
    Show routing protocol information for IPv4 and IPv6.
execute router restart
    Restart the routing daemon
get router info ospf status
get router info6 ospf status
    Show OSPF status for IPv4 and IPv6.
get router info ospf neighbor
get router info6 ospf neighbor
    Show OSPF neighbors for IPv4 and IPv6.
get router info ospf database brief
    Show OSPF database in brief.
get router info bfd neighbor
get router info6 bfd neighbor
    Show BFD neighbors for IPv4 and IPv6.
diagnose test application bfd 1
diagnose test application bfd 2
diagnose test application bfd 3
    Show BFD statistics.
diagnose debug application bfdd <debug level>
diagnose debug enable
    Start real-time BFD debugging.
get router info bgp summary
get router info6 bgp summary
    Show BGP summary for IPv4 and IPv6.
get router info bgp neighbors
get router info6 bgp neighbors
get router info bgp neighbors <x.x.x.x> advertised-routes
get router info6 bgp neighbors <x:x::x:x/m> advertised-routes
get router info bgp neighbors <x.x.x.x> received-routes
get router info6 bgp neighbors <x:x::x:x/m> received-routes
get router info bgp neighbors <x.x.x.x> routes
get router info6 bgp neighbors <x:x::x:x/m> routes
    Show BGP peer and the advertised and received routes from the BGP peer.
    - Substitute <x.x.x.x> with IPv4 address of the peer.
    - Substitute <x:x::x:x/m> with IPv6 address of the peer.
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable
    Start real-time BGP debugging.
execute router clear bgp {all | as <ASN> | ip x.x.x.x | ipv6 y:y:y:y:y:y:y:y}
    Execute a hard reset based on the specified parameters:
    - all: all BGP peers
    - as <ASN>: BGP peers specified by AS number
    - ip x.x.x.x: BGP peer specified by IPv4 address (x.x.x.x)
    - ipv6 y:y:y:y:y:y:y:y: BGP peer specified by IPv6 address (y:y:y:y:y:y:y:y)
execute router clear bgp {all | ip x.x.x.x | ipv6 y:y:y:y:y:y:y:y} soft {in|out}
    Execute a soft reset based on the specified parameter:
    - all: all BGP peers
    - ip x.x.x.x: BGP peer specified by IPv4 address (x.x.x.x)
    - ipv6 y:y:y:y:y:y:y:y: BGP peer specified by IPv6 address (y:y:y:y:y:y:y:y)
    - in: received BGP routes only
    - out: advertised BGP routes only
    A soft reset will occur in both directions if neither in nor out is specified.
get router info ospf status
get router info6 ospf status
    Show OSPF status for IPv4 and IPv6.
get router info ospf interface
get router info6 ospf interface
    Show OSPF running on interface for IPv4 and IPv6.
get router info ospf neighbor all
get router info6 ospf neighbor all
    Show OSPF neighbor information for IPv4 and IPv6.
get router info ospf database brief
get router info6 ospf database brief
    Show OSPF database in brief for IPv4 and IPv6.
diagnose ip router ospf all enable
diagnose ip router ospf level info
diagnose debug enable
    Start real-time OSPF debugging.

Multicast routing

Command
    Description
get router info multicast igmp interface
    Show IGMP statistics for an interface.
get router info multicast igmp groups
    Show multicast groups subscribed to with IGMP.
diagnose ip multicast get-igmp-limit
    Show maximum IGMP states.
diagnose ip router igmp decode enable
diagnose ip router igmp level info
diagnose debug console timestamp enable
diagnose debug enable
    Start real-time debugging of IGMP daemon.
execute mrouter clear igmp-interface <interface>
    Clear all IGMP entries from one interface.
execute mrouter clear igmp-group <group-address>
    Clear all IGMP entries for one or all groups.
get router info multicast pim sparse-mode <interface>
    Show sparse-mode interface information.
get router info multicast pim sparse-mode <neighbor>
    Show sparse-mode neighbor information.
get router info multicast pim sparse-mode rp-mapping
    Show RP to group mapping information.
get router info multicast pim sparse-mode table
    Show sparse-mode routing table.
diagnose ip router pim-sm events enable
diagnose ip router pim-sm all enable
diagnose ip router pim-sm level info
diagnose debug enable
    Start real-time debugging of PIM sparse mode.

SD-WAN

Command
    Description
diagnose sys sdwan health-check status
    Show SD-WAN health check statistics.
diagnose sys sdwan service
    Show SD-WAN rules in control plane.
diagnose sys sdwan member
    Show SD-WAN members.
diagnose firewall proute list
    Show SDWAN rule and policy routes in the data plane.
diagnose sys link-monitor status
diagnose sys link-monitor interface <interface>
    Show link monitoring statistics.
diagnose debug application link-monitor -1
diagnose debug enable
    Start real-time link monitor debugging.
diagnose test application lnkmtd 1
diagnose test application lnkmtd 2
diagnose test application lnkmtd 3
    Show link monitoring statistics.

Authentication

Command
    Description
diagnose firewall auth filter <filter>
    Set the filter used to list entries.
diagnose firewall auth list
    List filtered, authenticated IPv4 users.
diagnose wad user list
    List current users authenticated by proxy (wad daemon).
diagnose debug application fnbamd -1
diagnose debug enable
diagnose debug application authd -1
diagnose debug enable
    Start real-time debugging for remote and local authentication.
diagnose test authserver <auth_protocol> <server_name> <user> <password>
    Test authentication directly from the CLI.
    Caution: The password is visible in clear text; be careful when capturing this command to a log file.
diagnose test authserver ldap <server_name> <user> <password>
    Test user authentication using an LDAP server.
    Caution: The password is visible in clear text; be careful when capturing this command to a log file.
diagnose test authserver radius <server_name> <auth_type> <user> <password>
    Test user authentication using a Radius server.
    Caution: The password is visible in clear text; be careful when capturing this command to a log file.
diagnose debug fsso-polling detail
diagnose debug fsso-polling summary
    Show information about the polls from FortiGate to DC.
diagnose debug fsso-polling user
diagnose debug authd fsso list
    Show FSSO logged on users when Fortigate polls the DC.
diagnose debug application fssod -1
diagnose debug application smbcd -1
diagnose debug enable
    Start real-time debugging when the FortiGate is used for FSSO polling.
diagnose debug fsso-polling refresh-user
execute fsso refresh
    Refresh the current logged on FSSO users and refresh the list.
    Caution: This command can cause an outage, use it carefully.
diagnose debug authd fsso server-status
    Show current status of connection between FortiGate and the collector agent.
diagnose debug application authd 8256
diagnose debug enable
    Start real-time debugging for the connection between FortiGate and the collector agent.
diagnose debug authd fsso refresh-logons
    Resend the logged-on users list to FortiGate from the collector agent.
diagnose debug application authd 8256
diagnose debug enable
    Start real-time debugging for the connection between FortiGate and the collector agent.
diagnose debug application samld -1
diagnose debug enable
    Start real-time SAML debugging.

IPsec

Command
    Description
diagnose vpn ike gateway list
    Show IPsec phase 1 information.
diagnose vpn tunnel list
    Show IPsec phase 2 information.
get vpn ipsec tunnel summary
get vpn ipsec tunnel details
    Show summary and detailed information about IPsec tunnels.
diagnose vpn ipsec status
    Show information about encryption counters.
diagnose vpn ike log filter <filter>
    Set a filter for IKE daemon debugs.
diagnose debug application ike -1
diagnose debug enable
    Start real-time debugging of IKE daemon with the filter set.
diagnose vpn ike restart
    Restart the IKE process.
diagnose vpn ike counts
diagnose vpn ike routes
diagnose vpn ike errors
diagnose vpn ike stats
diagnose vpn ike status
diagnose vpn ike crypto
    Show other information, such as IKE counts, routes, errors, and statistics.

SSL VPN

Command
    Description
diagnose vpn ssl debug-filter list
    Show any filters that are set for SSL VPN debug.
diagnose vpn ssl debug-filter clear
    Clear any filters that are set for SSL VPN daemon debug.
diagnose vpn ssl debug-filter <filter>
    Set a filter for SSL VPN debugs.
diagnose debug application sslvpn -1
diagnose debug enable
    Start SSL VPN debugs for traffic that the filter is applied to.
diagnose vpn ssl list
get vpn ssl monitor
execute vpn sslvpn list
    Show the current SSL VPN sessions for both web and tunnel mode.
diagnose vpn ssl statistics
diagnose vpn ssl mux-stat
    Show the SSL VPN statistics.
execute vpn sslvpn list
    Show all SSL VPN web and tunnel mode connections.
execute vpn sslvpn del-tunnel
    Disconnect the users from tunnel mode SSL VPN connection.
execute vpn sslvpn del-web
    Disconnect the users from web mode SSL VPN connection.

Managed FortiSwitches

The successful execution of commands for managed FortiSwitches requires that the feature is available on the FortiSwitch device itself. See the FortiSwitchOS Feature Matrix.

Enter ? to view additional options or parameters required to obtain the required information in the diagnose switch-controller switch-info commands.

Command
    Description
diagnose switch-controller switch-info mac-table
    Show managed FortiSwitch MAC address list.
diagnose switch-controller switch-info port-stats
    Show managed FortiSwitch port statistics.
diagnose switch-controller switch-info trunk status
    Show managed FortiSwitch trunk information.
diagnose switch-controller switch-info mclag
    Show MCLAG related information from FortiSwitch.
diagnose switch-controller switch-info poe
    Show POE-related information.
diagnose switch-controller switch-info lldp
    Show LLDP-related information.
diagnose switch-controller switch-info port-properties
    Show managed FortiSwitch port properties.
diagnose switch-controller switch-info acl-counters
    Show managed FortiSwitch port ACL counters information.
diagnose switch-controller switch-info pdu-counters-list
    Show managed FortiSwitch pdu-counters information.
diagnose switch-controller switch-info flapguard
    Show managed FortiSwitch flapguard information.
diagnose switch-controller switch-info qos-stats
    Show managed FortiSwitch QoS statistics.
diagnose switch-controller switch-info modules
    Show modules related information from FortiSwitch.
diagnose switch-controller switch-info stp
    Show managed FortiSwitch STP instance status.
diagnose switch-controller switch-info bpdu-guard-status
    Show managed FortiSwitch STP BPDU guard status.
diagnose switch-controller switch-info igmp-snooping
    Show managed FortiSwitch IGMP snooping information.
diagnose switch-controller switch-info loop-guard
    Show managed FortiSwitch loop-guard status.
diagnose switch-controller switch-info dhcp-snooping
    Show managed FortiSwitch DHCP snooping interface list.
diagnose switch-controller switch-info arp-inspection
    Show managed FortiSwitch ARP inspection interface list.
diagnose switch-controller switch-info option82-mapping
    Show managed FortiSwitch DHCP option 82 mapping information.
diagnose switch-controller switch-info 802.1X
    Show managed FortiSwitch port 802.1X status.
diagnose switch-controller switch-info 802.1X-dacl
    Show managed FortiSwitch port 802.1X dynamic ACL status.
diagnose switch-controller switch-info mac-limit-violations
    Show managed FortiSwitch violated MACs information.
diagnose switch-controller switch-info flow-tracking
    Show managed FortiSwitch flow information.
diagnose switch-controller switch-info mirror
    Show managed FortiSwitch mirror information.
diagnose switch-controller switch-info ip-source-guard
    Show managed FortiSwitch source guard information in hardware.
diagnose switch-controller switch-info rpvst
    Show managed FortiSwitch STP port information when inter-operating with rapid PVST network.
execute switch-controller get-conn-status <FortiSwitch-SN>
    Show FortiSwitch connection status.
execute switch-controller get-physical-conn standard <FortiSwitch-SN>
    Show FortiLink connectivity graph.
execute switch-controller diagnose-connection <FortiSwitch-SN>
    Show FortiSwitch connection diagnostics.

Managed FortiAPs

Command
    Description
diagnose wireless-controller wlac -c wtp
diagnose wireless-controller wlac -d wtp
    Show information about the FortiAP devices.
diagnose wireless-controller wlac -c sta
diagnose wireless-controller wlac -d sta
    Show information about the wireless clients connected to the FortiAP devices.
diagnose wireless-controller wlac help
    Show a list of debug options available for the wireless controller.
diagnose wireless-controller wlac sta_filter
diagnose wireless-controller wlac sta_filter clear
diagnose wireless-controller wlac sta_filter <aa:bb:cc:dd:ee:ff> 255
diagnose debug enable
    Start real-time debugging of a wireless client/station that connects to the FortiAP.
    - <aa:bb:cc:dd:ee:ff>: MAC address of endpoint/station
diagnose wireless-controller wlac -c vap
    Show virtual access point information, including its MAC address, BSSID, SSID, the interface name, and the IP address of the APs that are broadcasting it.
diagnose wireless-controller wlac wtp_filter
diagnose wireless-controller wlac wtp_filter clear
diagnose wireless-controller wlac wtp_filter <FAP-SN> 0-<x.x.x.x>:5246 255
diagnose debug application cw_acd 0x7ff
    Show the wireless termination point (WTP), or FortiAP, debugging on the wireless controller if FortiAP is failing to connect to FortiGate.
    - <FAP-SN>: FortiAP serial number
    - <x.x.x.x>: FortiAP IP address

High availability

Command
    Description
diagnose system ha status
get system ha status
    Show HA status and information.
execute ha manage <index> <username>
    Log into and manage a specific HA member.
diagnose sys ha checksum cluster
    Show checksum information of all cluster members.
diagnose sys ha checksum show <vdom>
    Show detailed checksum information for a VDOM.
diagnose sys ha checksum recalculate
    Recalculate HA checksums.
diagnose sys ha recalculate-extfile-signature
    Recalculate HA external files signatures.
diagnose sys ha reset-uptime
    Reset the HA uptime. This is used to test failover.
diagnose debug application hatalk -1
diagnose debug application hasync -1
diagnose debug application harelay -1
diagnose debug enable
    Start real-time debugging of HA daemons.
diagnose sys ha history read
    Show HA history.
execute ha synchronize stop
execute ha synchronize start
    Manually start and stop HA synchronization.

ZTNA

The WAD daemon handles proxy related processing.
The FortiClient NAC daemon (fcnacd) handles FortiGate to EMS connectivity.

Command
    Description
diagnose endpoint fctems test-connectivity <EMS>
    Test FortiGate to FortiClient EMS connectivity.
execute fctems verify <EMS>
    Verify FortiClient EMS’s certificate.
diagnose test application fcnacd 2
    Show EMS connectivity information.
diagnose debug application fcnacd -1
diagnose debug enable
    Start real-time debugging of FortiClient NAC daemon.
diagnose endpoint record list <ip>
    Show the endpoint record list. Optionally, filter by the endpoint IP address.
diagnose endpoint wad-comm find-by uid <uid>
    Query endpoints by client UID.
diagnose endpoint wad-comm find-by ip-vdom <ip> <vdom>
    Query endpoints by the client IP-VDOM pair.
diagnose wad dev query-by uid <uid>
    Query from WAD diagnose command by UID.
diagnose wad dev query-by ipv4 <ip>
    Query from WAD diagnose command by IP address.
diagnose firewall dynamic list
    Show EMS ZTNA tags and all dynamic IP and MAC addresses.
diagnose test application fcnacd 7
diagnose test application fcnacd 8
    Show the FortiClient NAC daemon ZTNA and route cache.
diagnose wad debug display pid enable
diagnose wad filter <filter>
diagnose wad filter list
diagnose wad debug enable level <level>
diagnose wad debug enable category <category>
diagnose debug enable
    Start real-time debugging of the traffic processed by WAD daemon.

Logging

Command
    Description
diagnose log test
    Generate logs for testing.
execute log filter <filter>
    Set log filters.
execute log filter
    Show log filters.
exec log display
    Show filtered logs.
execute log delete
    Delete filtered logs.
diagnose debug application miglogd -1
diagnose debug enable
    Start real-time debugging of logging process miglogd.
execute log fortianalyzer test-connectivity
    Test connectivity between FortiGate and FortiAnalyzer.

Traffic shaping

Command
    Description
diagnose firewall shaper traffic-shaper list
    Show configured traffic shapers.
diagnose firewall shaper traffic-shaper stats list
    Show traffic shaper statistics.

SIP session helper

Command
    Description
diagnose sys sip status
    Show SIP status.
diagnose sys sip mapping list
    Show SIP mapping list.
diagnose sys sip dialog list
    Show SIP dialogue list.
diagnose debug application sip -1
diagnose debug enable
    Start real-time SIP debugging.

SIP ALG

Command
    Description
diagnose sys sip-proxy calls list
    Show list of active SIP proxy calls.
diagnose sys sip-proxy stats
    Show SIP proxy statistics.
diagnose sys sip-proxy session list
    Show SIP proxy session list.
diagnose debug application sip -1
diagnose debug enable
    Start real-time SIP debugging.
