
FortiGate troubleshooting Tips

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Auth_Access.htm

Windows AD SSO

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/SSO-WindowsAD.htm

URL Filtering:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Web_Filter/Static%20URL%20Filter.htm

Install FortiAnalyzer/Manager

The following section defines the SCSI controller for the virtual machine, and this is where the problem lies:

<Item>
  <rasd:Address>0</rasd:Address>
  <rasd:Caption>scsiController0</rasd:Caption>
  <rasd:Description>SCSI Controller</rasd:Description>
  <rasd:ElementName>scsiController0</rasd:ElementName>
  <rasd:InstanceID>5</rasd:InstanceID>
  <rasd:ResourceSubType>VirtualSCSI</rasd:ResourceSubType>
  <rasd:ResourceType>6</rasd:ResourceType>
</Item>

Simply edit the ‘ResourceSubType’ to lsilogic, as shown below:

<Item>
  <rasd:Address>0</rasd:Address>
  <rasd:Caption>scsiController0</rasd:Caption>
  <rasd:Description>SCSI Controller</rasd:Description>
  <rasd:ElementName>scsiController0</rasd:ElementName>
  <rasd:InstanceID>5</rasd:InstanceID>
  <rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>
  <rasd:ResourceType>6</rasd:ResourceType>
</Item>
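The same ResourceSubType edit done with an XML parser instead of a text editor, as an added helper that is not part of the page's source. It only touches Items whose ResourceType is 6 (SCSI controller) and then emits the refreshed .mf manifest line, because a manifest shipped with the OVF holds a digest of the .ovf and a stale digest makes the import fail (a .cert signature, if present, covers the manifest and would have to be dropped or re-created as well). The sample descriptor is constructed around the page's Item; the NIC Item and the file name are placeholders.

```python
"""Added helper for the edit above: set ResourceSubType to lsilogic on every SCSI controller
Item (ResourceType 6) with an XML parser, and produce the refreshed .mf manifest line, since a
manifest shipped with the OVF holds a digest of the .ovf and a stale digest fails the import."""
import hashlib
import xml.etree.ElementTree as ET

OVF = "http://schemas.dmtf.org/ovf/envelope/1"
RASD = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
ET.register_namespace("", OVF)      # keep the original prefixes when serialising
ET.register_namespace("rasd", RASD)

# Constructed minimal descriptor: the page's controller Item plus a NIC Item that must stay untouched.
SAMPLE_OVF = f"""<?xml version="1.0"?>
<Envelope xmlns="{OVF}" xmlns:rasd="{RASD}">
 <VirtualSystem><VirtualHardwareSection>
  <Item>
   <rasd:Address>0</rasd:Address>
   <rasd:ElementName>scsiController0</rasd:ElementName>
   <rasd:InstanceID>5</rasd:InstanceID>
   <rasd:ResourceSubType>VirtualSCSI</rasd:ResourceSubType>
   <rasd:ResourceType>6</rasd:ResourceType>
  </Item>
  <Item>
   <rasd:ElementName>ethernet0</rasd:ElementName>
   <rasd:InstanceID>7</rasd:InstanceID>
   <rasd:ResourceSubType>VmxNet3</rasd:ResourceSubType>
   <rasd:ResourceType>10</rasd:ResourceType>
  </Item>
 </VirtualHardwareSection></VirtualSystem>
</Envelope>"""

def fix_scsi_controllers(ovf_xml, new_subtype="lsilogic"):
    """Return (rewritten descriptor as bytes, number of controller Items changed)."""
    root = ET.fromstring(ovf_xml)
    changed = 0
    for item in root.iter(f"{{{OVF}}}Item"):
        sub = item.find(f"{{{RASD}}}ResourceSubType")
        # only ResourceType 6 (SCSI controller) is touched; NICs, disks etc. are left alone
        if item.findtext(f"{{{RASD}}}ResourceType") == "6" and sub is not None and sub.text != new_subtype:
            sub.text = new_subtype
            changed += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), changed

def manifest_line(filename, data):
    """One .mf entry for the edited descriptor, in the OVF manifest format."""
    return f"SHA256({filename})= {hashlib.sha256(data).hexdigest()}"

if __name__ == "__main__":
    fixed, n = fix_scsi_controllers(SAMPLE_OVF)
    print(n, "controller(s) changed;", manifest_line("FortiAnalyzer.ovf", fixed))  # placeholder file name
```

Run it against the real .ovf by reading the file as bytes into fix_scsi_controllers and writing the returned bytes back; the printed manifest line replaces the matching entry in the package's .mf file.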

1. Policy Trace

Use the following command to trace which firewall policy a specific flow will match:

# diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <source_interface>
Example scenario:

The FortiGate was configured with two specific firewall policies, as below:

# show firewall policy
config firewall policy
    edit 1
        set name "clientToServer"
        set uuid 06f1be4a-fb9f-51e9-ef16-dc4000a2a577
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "VIP1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "IPPool"
    next
    edit 2
        set name "any-allow"
        set uuid 194f0af0-22f7-51ea-c381-c68f1572bea6
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_TCP"
        set nat enable
    next
end

Output of the debug commands:

Alza-kvm12 # diag firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 udp port2
<src [10.187.1.100-12345] dst [8.8.8.8-53] proto udp dev port2> matches policy id: 0  <-----

Alza-kvm12 # diag firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 tcp port2
<src [10.187.1.100-12345] dst [8.8.8.8-53] proto tcp dev port2> matches policy id: 2  <-----

Note that the same flow can match a different firewall policy depending on the protocol.
The first trace hits the implicit deny rule (policy id 0), because firewall policy id 2 only
matches TCP traffic.

This command makes it easy to find the matching firewall policy even when a long list of
firewall policies is configured.

Use the command below to trace the best route for a specific destination:
# get router info routing-table details <destination_ip>
Example:
# get router info routing-table details 8.8.8.8
Routing entry for 0.0.0.0/0
  Known via "static", distance 10, metric 0, best
  * 10.47.3.254, via port1
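To make the matching rule concrete, here is an added, simplified re-creation of the lookup (it is not FortiOS code and not from the page): it parses the two policies above, takes the egress interface from the route lookup (port1) and returns policy id 0 for the UDP trace and id 2 for the TCP one. The service-to-protocol table and the treatment of the VIP1 object are assumptions made for the example.

```python
"""Simplified first-match lookup modelled on `diag firewall iprope lookup`, using the page's two
policies. Assumptions for this example (not FortiOS internals): the egress interface is the one
from the page's route lookup (8.8.8.8 -> port1); a non-"all" address object matches only the IPs listed in ADDRESS_MEMBERS."""
import re

POLICY_CONFIG = """config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "VIP1"
        set service "ALL"
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL_TCP"
    next
end"""  # constructed copy of the page's two policies, reduced to the fields used for matching
SERVICE_PROTOS = {"ALL": {"tcp", "udp", "icmp"}, "ALL_TCP": {"tcp"}, "ALL_UDP": {"udp"}}  # assumed
ADDRESS_MEMBERS = {"VIP1": set()}  # assumed: VIP1's mapped address is not on the page

def parse_policies(text):
    """Turn `show firewall policy` output into a list of {field: [values], "id": n}."""
    policies = []
    for pid, body in re.findall(r"edit (\d+)\n(.*?)\n\s*next", text, re.S):
        attrs = {k: v.replace('"', "").split() for k, v in re.findall(r"set (\S+) (.+)", body)}
        attrs["id"] = int(pid)
        policies.append(attrs)
    return policies

def addr_matches(obj, ip):
    return obj == "all" or ip in ADDRESS_MEMBERS.get(obj, set())

def lookup(policies, src_ip, dst_ip, proto, src_intf, dst_intf):
    """Return the id of the first policy covering the flow, or 0 for the implicit deny."""
    for p in policies:  # evaluated top-down; the first complete match wins
        if (src_intf in p["srcintf"] and dst_intf in p["dstintf"]
                and any(addr_matches(a, src_ip) for a in p["srcaddr"])
                and any(addr_matches(a, dst_ip) for a in p["dstaddr"])
                and any(proto in SERVICE_PROTOS.get(s, set()) for s in p["service"])):
            return p["id"]
    return 0

POLICIES = parse_policies(POLICY_CONFIG)
EGRESS = "port1"  # from the page's `get router info routing-table details 8.8.8.8`
if __name__ == "__main__":  # reproduces the page's traces: udp -> id 0, tcp -> id 2
    for proto in ("udp", "tcp"):
        print(proto, "->", lookup(POLICIES, "10.187.1.100", "8.8.8.8", proto, "port2", EGRESS))
```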

2. SSL VPN
diagnose debug application sslvpn -1
diagnose debug enable

As you can see, the SSL_accept state is failed, which means that no suitable algorithm suite has been
found between the client and the server. The only solution I found at the moment is to configure
the FortiGate so that it allows these weaker cryptographic suites. For this, you must change the
“algorithm” parameter in the SSL VPN configuration on the FortiGate CLI with the following
commands:

config vpn ssl settings
    set algorithm medium
end

https://www.cyrill-gremaud.ch/forticlient-the-server-you-want-to-connect-requests-identification-please-choose-a-certificate-and-try-again-5/
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

3. HA CLI Tshoot

https://kb.fortinet.com/kb/documentLink.do?externalID=FD31379

4. FortiAnalyzer and FortiGate connectivity issue (SSL error)

Hi guys,
I am having the same issue with my lab on VM Workstation, with the same error message,
but now it is solved for me.
This is my config:
 
on Fortigate :
FortiGate-VM64-1 # config log fortianalyzer setting
FortiGate-VM64-1 (setting) # set status enable
FortiGate-VM64-1 (setting) # set server 172.16.10.250
FortiGate-VM64-1 (setting) # set reliable enable
FortiGate-VM64-1 (setting) # get
status : enable
ips-archive : enable
server : 172.16.10.250
certificate-verification: enable
serial :
access-config : enable
enc-algorithm : low
ssl-min-proto-version: default
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : 5-minute
reliable : enable
 
on FAZ:
FAZVM64 # config system global
(global)# set enc-algorithm low
(global)# set ssl-low-encryption enable
(global)# set oftp-ssl-protocol tlsv1.0
(global)# end
enc-algorithm setting change will cause all existing FGFM tunnel/WebService connection reset.
Do you want to continue? (y/n)y
killall: fgfmsd: no process killed
killall: fgfmsd: no process killed
FAZVM64 #
 
I hope this works for you ;)
Thank you

Regards
Genar

https://forum.fortinet.com/tm.aspx?m=177802

FortiManager and FortiGate SSL issues:

https://forum.fortinet.com/tm.aspx?m=173981

FortiManager: Delete devices from CLI

diagnose dvm device list

diagnose dvm adom list

diagnose dvm check-integrity

diagnose dvm device delete [adom_name] [device_name]

Debug log when adding a FortiGate device to FortiManager:


TAC Support

TAC words of wisdom:
- Thou shall provide a backup of the affected unit's config
- Thou shall provide diag logs (see below)
- Thou shall provide a good description of the problem and the software/firmware version
- Thou shall provide a good subject
  o "FortiGate not working" (bad subject)
  o "Users unable to connect via SSL-VPN to FortiGate 60F (6.2.3)" (good subject)

HOW TO SAVE SSH OUTPUT

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36043

GUI CLI OPTION

https://kb.fortinet.com/kb/documentLink.do?externalID=FD47327

Top DIAG Commands

get system status
get system startup-error-log
execute tac report

Optional Commands
get sys perf status <---------------- repeat 10 times
diag sys session stat <---------------- repeat 10 times
diag hard sysinfo memory
diag hard sysinfo shm
diag debug crashlog read
get sys performance firewall statistics
diag sys top 2 20 <---------------- let it run for 10 seconds and quit with Q
diag sys top 5 99 <---------------- let it run for 10 seconds and quit with Q
diag sys top-sum '-s mem'
diag sys flash list

"diag debug report"

Diagnose session

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

SSL VPN Web access portal

https://kb.fortinet.com/kb/documentLink.do?externalID=FD36530
