Diagnose command changes

This chapter describes new diagnose features added to FortiOS 5.4.

Antivirus diagnose command changes (299408)

There is a new diagnose command that shows antivirus database information.

diagnose antivirus database-info

This command shows:

• virus count
• grayware count
• signature count for antivirus databases.

The following antivirus diagnose commands have been removed:

diagnose antivirus heuristic showthreshold

diagnose antivirus heuristic showrules

diagnose antivirus virus list

Diagnose hardware test command supported on FortiGate-300D and 500D (302021)

The diagnose hardware test command with all of it options, replaces the functionality of the HQIP test firmware. Now hardware tests can be performed without installing an alternate firmware on the device. A listing of the options to this command can be found at http://wiki.diagnose.fortinet.com/index.php/diagnose_hardware_test.

This feature has been available on the E series FortiGates with 5.4 . It is now available in 5.4.1 on the FortiGate 300D and 500D models.

Option to skip interfaces in diagnose hardware test command (310778)

This diagnostic option allow specific interfaces to be skipped when perform performance tests on a FortiGate.

diag hardware test skip

One of the advantages of this method of hardware testing compared to the HQIP test, is that the device does not have to be shut down to run the tests. This advantage would be nullified if the running of the test brought down the functionality of the FortiGate. By skipping interfaces, tests can be run without impacting traffic.

This option of the diagnose hardware test command can be used with the following options.

clear - Clears the list of interfaces to be skipped during testing

show - Shows the current list of interfaces that are skipped during testing

<interface> - Includes an interface to the list of interfaces that are skipped during testing. This function is cumulative. Using the command to skip another interface does not replace the previous interface, it adds an additional one.

New diagnose sys top option (302607)

You can now enter the diagnose sys top command and include an option to control the number of times the command refreshes the listed processes before exiting.

The syntax for the command is now diagnose sys top <time between intervals> <number of processes> <number of intervals before quiting>

For example the following command displays 20 lines of output (the default), refreshes the display every 5 seconds (the default), and exits after refreshing the display 3 times.

diagnose sys top 5 20 3

By default the process list refreshes until you press "ctrl-c" or "q" to interrupt it. Setting a refresh limit is useful when you are using the command to gather information for Fortinet Support or for other reasons where you don't need the display to keep refreshing.

New diagnose command to display more detailed geographic information (310567)

Previously, there was a command that could return the country that an IPv4 address is located in.

diagnose geoip ip2country x.x.x.x

Now there is a command that will provide more granular information about the geographic location of an IPv4 address. I.e.not just the country, but the city or town as well.

diagnose geoip geoip-query x.x.x.x

Most diagnose sys dashboard commands removed (129248)

The diagnose sys dashboard reset command is still available.

FortiView network segmentation tree diagnose command (286116)

Enter diagnose sys nst {downstream | query} to display information about the FortiView network segmentation tree,

downstream shows connected downstream FortiGates.

query query the network segmentation tree.

Changes to diagnose hardware deviceinfo disk command (271816)

Extraneous information has been removed from the diagnose hardware deviceinfo disk command output and some field names have been changed.

Display the CLI schema (256892)

You can use these diagnose commands to display the CLI schema:

Enter diagnose web-ui cli-schema to display the entire schema.

Enter diagnose web-ui cli-schema <branch-name> to display just a single branch of the tree. For example, enter diagnose web-ui cli-schema firewall policy to dipslay the firewall policy schema.

New NP4 DDR diagnose command (261258)

Use the diagnose np4 ddr command to debug NP4 DDR settings.

diagnose npu np4 dqs-write

diagnosis npu np4 dqs-read <dev-id>

diagnosis npu np4 crps-write <dev-id> <CRPS>

diagnosis npu np4 crps-read <dev-id>

Ekahau site survey information to diagnose wireless wlac command (267384)

The output of the diagnose wireless wlac command includes information about Ehahau site survey results.

Port kernel profiling (237984)

Use the diagnose sys profile {start | stop | show | sysmap | cpumask | module} command to display port kernel profiling information.

start start kernel profiling data

stop copy kernel profiling data

show show kernel profiling result

sysmap show kernel sysmap

cpumask profile which CPUs

module show kernel module

Use the following steps:

1. set cpu mask first
2. run start command
3. run stop command to read the profiling data and analyze
4. run show command to show the result
5. set cpu mask 00 to stop profiling

List the most recently modified files (254827)

Use the diagnose sys last-modified-files {path | number} command to list the last (by default 10) modified files in a given directory.

path file system path from which to list modified files (default = /data).

number number of files to list (default = 10).

LTE modem diagnose command (279545)

dia test application lted <id>

Where <id> can be:

1. Show device info

2. Show data session connection status

3. Test connection

4. Test disconnection

5. Get signal strength

6. Get IP address

7. Get IP address and DNS server

8. Get SIM card status

9. Restart LTE device

10. Show LTED status

11. Resync LTED status

12. Check USB LTE/WiMAX configuration conflict

13. Stop monitor

14. Start monitor

15. List supported AT commands

16. Disable RF(Should stop monitor first)

17. Enable RF(Should start monitor first)

18. Get MIP information

19. Show current network service mode

20. Show current Channel/Bandclass

21. Show activation status

22. Show SIM status

23. Show registration status

24. Get IMEI

25. Get ICCID

 

New diagnose sys botnet command

Use the diagnose sys botnet {stat | list | find | flush | reload | file} command to display information about botnet information in the kernel and to flush and reload botnet information into the kernel.

stat the number of botnet entries in the kernel.

list list the botnet entries.

find find a botnet entry by ip address, port number, protocol etc.

flush flush botnet entries from the kernel.

reload reload botnet file into the kernel

file botnet file diagnostics.

Example command output:

diagnose sys botnet list

Read 10 botnet entry:

0. proto=TCP ip=0.175.57.24, port=80, name_id=8, rule_id=48

1. proto=UDP ip=1.22.117.135, port=16470, name_id=0, rule_id=32

2. proto=UDP ip=1.22.177.28, port=16465, name_id=0, rule_id=32

3. proto=UDP ip=1.22.213.38, port=16465, name_id=0, rule_id=32

4. proto=UDP ip=1.23.81.128, port=16465, name_id=0, rule_id=32

5. proto=UDP ip=1.23.82.125, port=16465, name_id=0, rule_id=32

6. proto=UDP ip=1.23.83.46, port=16465, name_id=0, rule_id=32

7. proto=UDP ip=1.23.83.138, port=16465, name_id=0, rule_id=32

8. proto=UDP ip=1.23.89.60, port=16465, name_id=0, rule_id=32

9. proto=UDP ip=1.23.128.18, port=16470, name_id=0, rule_id=32

Unquarantine all quarantined FortiClient devices (284146)

You can use the diagnose endpoint registration unquarantine all command to unquarantine all quarantined FortiClient devices.

Port HQIP to FortiOS using standard diagnose CLI (290272)

On FortiGate E series models, instead of downloading a special HQIP image to run hardware tests you can use the following command .

diagnose hardware test, followed by one of the following options:

• bios - perform BIOS related tests.
• system - perform system related tests.
• usb - perform USB related tests.
• button - perform button related tests.
• cpu - perform CPU related tests.
• memory - perform memory related tests.
• network - perform network related tests.
• disk - perform disk related tests.
• led - perform LED related tests.
• wifi - perform wifi related tests.
• suite - runthe HQIP test suite.
• setting - change test settings.
• info - show test parameters.

Access Control List (ACL) diagnose command (0293399)

Use the diagnose firewall acl {counter | counter6 | clearcounter | clearcounter6} command to display information about the access control list feature:

counter Show number of packets dropped by ACL.

counter6 Show number of packets dropped by IPv6 ACL.

clearcounter Clear ACL packet counter.

clearcounter6 Clear the IPv6 ACL packet counter.

New traffic test functionality (279363)

diagnose traffictest {show | run -h arg | server-intf | client-intf | port | proto}

Where -h arg can be

-f, --format [kmgKMG] format to report: Kbits, Mbits, KBytes, MBytes

-i, --interval # seconds between periodic bandwidth reports

-F, --file name xmit/recv the specified file

-A, --affinity n/n,m set CPU affinity

-V, --verbose more detailed output

-J, --json output in JSON format

-d, --debug emit debugging output

-v, --version show version information and quit

-h, --help show this message and quit

-b, --bandwidth #[KMG][/#] target bandwidth in bits/sec (0 for unlimited) (default %d Mbit/sec for UDP, unlimited for TCP) (optional slash and packet count for burst mode)

-t, --time # time in seconds to transmit for (default %d secs)

-n, --bytes #[KMG] number of bytes to transmit (instead of -t)

-k, --blockcount #[KMG] number of blocks (packets) to transmit (instead of -t or -n)

-l, --len #[KMG] length of buffer to read or write (default %d KB for TCP, %d KB for UDP)

-P, --parallel # number of parallel client streams to run

-R, --reverse run in reverse mode (server sends, client receives)

-w, --window #[KMG] TCP window size (socket buffer size)

-C, --linux-congestion <algo> set TCP congestion control algorithm (Linux only)

-M, --set-mss # set TCP maximum segment size (MTU - 40 bytes)

-N, --nodelay set TCP no delay, disabling Nagle's Algorithm

-4, --version4 only use IPv4

-6, --version6 only use IPv6

-S, --tos N set the IP 'type of service'

-L, --flowlabel N set the IPv6 flow label (only supported on Linux)

-Z, --zerocopy use a 'zero copy' method of sending data

-O, --omit N omit the first n seconds

-T, --title str prefix every output line with this string

--get-server-output get results from server

[KMG] indicates options that support a K/M/G suffix for kilo-, mega-, or giga-

New switch error counters for diagnose hardware deviceinfo nic command (285730)

New diag hardware deviceinfo flash command (300119)

To display flashprogram/erase count on 30D/60D/30E/50E/51E Platforms.