Troubleshooting
In the web-based manager, a good tool for troubleshooting is the packet counter column on the security policy page (
Policy > Policy). This column displays the number of packets that have passed through this security policy. Its value when you are troubleshooting is that when you are testing your configuration (end to end connectivity, user authentication, policy use) watching the packet count for an increase confirms any other methods you may be using for troubleshooting. It provides the key of which policy is allowing the traffic, useful information if you expect a user to require authentication and it never happens. For more information about authentication security policies, see
“Authentication in security policies”.
This section addresses how to get more information from the CLI about users and user authentication attempts to help troubleshoot failed authentication attempts.
diag firewall iprope authuser
Shows the IP of where your computer is connected from. This is useful to confirm authorization and VPN settings.
diag firewall iprope resetauth
Clear all authorized users from the current list. Useful to force users to re-authenticate after system or group changes. However, this command may easily result in many users having to re-authenticate, so use carefully.
diag firewall auth list
List all the authorized users on this system.
diag rsso query ip
diag rsso query rsso-key
Queries the RSSO database.
For more information on troubleshooting specific features, go to that section of this document. Most sections have troubleshooting information at the end of the section. In addition to that information, see the
FortiOS Handbook Troubleshooting chapter for general troubleshooting information.