Diagnose command changes
This chapter describes new diagnose features added to FortiOS 5.4.
Antivirus diagnose command changes (299408)
There is a new diagnose command that shows antivirus database information.
diagnose antivirus database-info
This command shows:
- virus count
- grayware count
- signature count for antivirus databases.
The following antivirus diagnose commands have been removed:
diagnose antivirus heuristic showthreshold
diagnose antivirus heuristic showrules
diagnose antivirus virus list
Diagnose hardware test command supported on FortiGate-300D and 500D (302021)
The diagnose hardware test command, with all of its options, replaces the functionality of the HQIP test firmware. Hardware tests can now be performed without installing an alternate firmware on the device. A listing of the options to this command can be found at http://wiki.diagnose.fortinet.com/index.php/diagnose_hardware_test.
This feature has been available on the E series FortiGates with 5.4. It is now available in 5.4.1 on the FortiGate 300D and 500D models.
Option to skip interfaces in diagnose hardware test command (310778)
This diagnostic option allows specific interfaces to be skipped when performing performance tests on a FortiGate.
diag hardware test skip
One of the advantages of this method of hardware testing compared to the HQIP test, is that the device does not have to be shut down to run the tests. This advantage would be nullified if the running of the test brought down the functionality of the FortiGate. By skipping interfaces, tests can be run without impacting traffic.
The skip option of the diagnose hardware test command can be used with the following arguments.
clear
- Clears the list of interfaces to be skipped during testing
show
- Shows the current list of interfaces that are skipped during testing
<interface>
- Adds an interface to the list of interfaces that are skipped during testing. This function is cumulative: using the command to skip another interface does not replace the previous interface, it adds an additional one.
New diagnose sys top option (302607)
You can now enter the diagnose sys top command and include an option to control the number of times the command refreshes the listed processes before exiting.
The syntax for the command is now diagnose sys top <time between intervals> <number of processes> <number of intervals before quitting>
For example, the following command displays 20 lines of output (the default), refreshes the display every 5 seconds (the default), and exits after refreshing the display 3 times.
diagnose sys top 5 20 3
By default the process list refreshes until you press "ctrl-c" or "q" to interrupt it. Setting a refresh limit is useful when you are using the command to gather information for Fortinet Support or for other reasons where you don't need the display to keep refreshing.
New diagnose command to display more detailed geographic information (310567)
Previously, there was a command that could return the country that an IPv4 address is located in.
diagnose geoip ip2country x.x.x.x
Now there is a command that provides more granular information about the geographic location of an IPv4 address: not just the country, but the city or town as well.
diagnose geoip geoip-query x.x.x.x
Most diagnose sys dashboard commands removed (129248)
The diagnose sys dashboard reset command is still available.
FortiView network segmentation tree diagnose command (286116)
Enter diagnose sys nst {downstream | query} to display information about the FortiView network segmentation tree, where:
downstream
shows connected downstream FortiGates.
query
queries the network segmentation tree.
Changes to diagnose hardware deviceinfo disk command (271816)
Extraneous information has been removed from the diagnose hardware deviceinfo disk command output and some field names have been changed.
Display the CLI schema (256892)
You can use these diagnose commands to display the CLI schema:
Enter diagnose web-ui cli-schema to display the entire schema.
Enter diagnose web-ui cli-schema <branch-name> to display just a single branch of the tree. For example, enter diagnose web-ui cli-schema firewall policy to display the firewall policy schema.
New NP4 DDR diagnose command (261258)
Use the diagnose np4 ddr command to debug NP4 DDR settings.
diagnose npu np4 dqs-write
diagnose npu np4 dqs-read <dev-id>
diagnose npu np4 crps-write <dev-id> <CRPS>
diagnose npu np4 crps-read <dev-id>
Ekahau site survey information to diagnose wireless wlac command (267384)
The output of the diagnose wireless wlac command includes information about Ekahau site survey results.
Port kernel profiling (237984)
Use the diagnose sys profile {start | stop | show | sysmap | cpumask | module} command to display port kernel profiling information.
start
start kernel profiling data
stop
copy kernel profiling data
show
show kernel profiling result
sysmap
show kernel sysmap
cpumask
profile which CPUs
module
show kernel module
Use the following steps:
- set the CPU mask first
- run the start command
- run the stop command to read and analyze the profiling data
- run the show command to display the result
- set the CPU mask to 00 to stop profiling
List the most recently modified files (254827)
Use the diagnose sys last-modified-files {path | number} command to list the last (by default 10) modified files in a given directory.
path
file system path from which to list modified files (default = /data).
number
number of files to list (default = 10).
LTE modem diagnose command (279545)
dia test application lted <id>, where <id> can be:
1. Show device info
2. Show data session connection status
3. Test connection
4. Test disconnection
5. Get signal strength
6. Get IP address
7. Get IP address and DNS server
8. Get SIM card status
9. Restart LTE device
10. Show LTED status
11. Resync LTED status
12. Check USB LTE/WiMAX configuration conflict
13. Stop monitor
14. Start monitor
15. List supported AT commands
16. Disable RF (should stop monitor first)
17. Enable RF (should start monitor first)
18. Get MIP information
19. Show current network service mode
20. Show current Channel/Bandclass
21. Show activation status
22. Show SIM status
23. Show registration status
24. Get IMEI
25. Get ICCID
New diagnose sys botnet command
Use the diagnose sys botnet {stat | list | find | flush | reload | file} command to display botnet information held in the kernel, and to flush and reload botnet information into the kernel.
stat
show the number of botnet entries in the kernel.
list
list the botnet entries.
find
find a botnet entry by IP address, port number, protocol, etc.
flush
flush botnet entries from the kernel.
reload
reload the botnet file into the kernel.
file
botnet file diagnostics.
Example command output:
diagnose sys botnet list
Read 10 botnet entry:
0. proto=TCP ip=0.175.57.24, port=80, name_id=8, rule_id=48
1. proto=UDP ip=1.22.117.135, port=16470, name_id=0, rule_id=32
2. proto=UDP ip=1.22.177.28, port=16465, name_id=0, rule_id=32
3. proto=UDP ip=1.22.213.38, port=16465, name_id=0, rule_id=32
4. proto=UDP ip=1.23.81.128, port=16465, name_id=0, rule_id=32
5. proto=UDP ip=1.23.82.125, port=16465, name_id=0, rule_id=32
6. proto=UDP ip=1.23.83.46, port=16465, name_id=0, rule_id=32
7. proto=UDP ip=1.23.83.138, port=16465, name_id=0, rule_id=32
8. proto=UDP ip=1.23.89.60, port=16465, name_id=0, rule_id=32
9. proto=UDP ip=1.23.128.18, port=16470, name_id=0, rule_id=32
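As an added example (not from the FortiOS documentation or the product itself), the following Python parses diagnose sys botnet list output into records and reproduces the stat and find lookups offline, so a destination seen in traffic logs can be checked against what the kernel has loaded without re-running the command. The sample input is the page's own example output trimmed to four entries; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the page's "diagnose sys botnet list" output, trimmed
# to four entries (not captured from a live device).
SAMPLE_OUTPUT = """\
Read 4 botnet entry:
0. proto=TCP ip=0.175.57.24, port=80, name_id=8, rule_id=48
1. proto=UDP ip=1.22.117.135, port=16470, name_id=0, rule_id=32
2. proto=UDP ip=1.22.177.28, port=16465, name_id=0, rule_id=32
3. proto=UDP ip=1.23.128.18, port=16470, name_id=0, rule_id=32
"""

# One "N. proto=... ip=..., port=..., name_id=..., rule_id=..." line.
ENTRY_RE = re.compile(
    r"^\s*\d+\.\s+proto=(?P<proto>\w+)\s+ip=(?P<ip>[\d.]+),\s*port=(?P<port>\d+),"
    r"\s*name_id=(?P<name_id>\d+),\s*rule_id=(?P<rule_id>\d+)\s*$"
)
HEADER_RE = re.compile(r"^Read (\d+) botnet entr")

def parse_botnet_list(text):
    # Parse the list output into dicts; unknown lines are skipped, and the
    # "Read N botnet entry:" header count is checked against what was parsed.
    entries, declared = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            for k in ("port", "name_id", "rule_id"):
                e[k] = int(e[k])
            entries.append(e)
            continue
        h = HEADER_RE.match(line)
        if h:
            declared = int(h.group(1))
    if declared is not None and declared != len(entries):
        raise ValueError(f"header says {declared} entries, parsed {len(entries)}")
    return entries

def stat(entries):
    # Per-protocol entry counts, a quick cross-check of 'botnet stat'.
    return dict(Counter(e["proto"] for e in entries))

def find(entries, ip=None, port=None, proto=None):
    # Select entries matching any combination of the keys 'find' accepts.
    return [e for e in entries
            if (ip is None or e["ip"] == ip)
            and (port is None or e["port"] == port)
            and (proto is None or e["proto"] == proto)]
```

A mismatch between the header count and the parsed entries raises ValueError, which catches truncated or partially captured output before it is used for a lookup.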
Unquarantine all quarantined FortiClient devices (284146)
You can use the diagnose endpoint registration unquarantine all command to unquarantine all quarantined FortiClient devices.
Port HQIP to FortiOS using standard diagnose CLI (290272)
On FortiGate E series models, instead of downloading a special HQIP image to run hardware tests, you can use the diagnose hardware test command followed by one of the following options:
bios
- perform BIOS related tests.
system
- perform system related tests.
usb
- perform USB related tests.
button
- perform button related tests.
cpu
- perform CPU related tests.
memory
- perform memory related tests.
network
- perform network related tests.
disk
- perform disk related tests.
led
- perform LED related tests.
wifi
- perform wifi related tests.
suite
- run the HQIP test suite.
setting
- change test settings.
info
- show test parameters.
Access Control List (ACL) diagnose command (0293399)
Use the diagnose firewall acl {counter | counter6 | clearcounter | clearcounter6} command to display information about the access control list feature:
counter
Show number of packets dropped by ACL.
counter6
Show number of packets dropped by IPv6 ACL.
clearcounter
Clear ACL packet counter.
clearcounter6
Clear the IPv6 ACL packet counter.
New traffic test functionality (279363)
diagnose traffictest {show | run -h arg | server-intf | client-intf | port | proto}
where -h arg can be one of the following:
-f, --format [kmgKMG] format to report: Kbits, Mbits, KBytes, MBytes
-i, --interval # seconds between periodic bandwidth reports
-F, --file name xmit/recv the specified file
-A, --affinity n/n,m set CPU affinity
-V, --verbose more detailed output
-J, --json output in JSON format
-d, --debug emit debugging output
-v, --version show version information and quit
-h, --help show this message and quit
-b, --bandwidth #[KMG][/#] target bandwidth in bits/sec (0 for unlimited) (default %d Mbit/sec for UDP, unlimited for TCP) (optional slash and packet count for burst mode)
-t, --time # time in seconds to transmit for (default %d secs)
-n, --bytes #[KMG] number of bytes to transmit (instead of -t)
-k, --blockcount #[KMG] number of blocks (packets) to transmit (instead of -t or -n)
-l, --len #[KMG] length of buffer to read or write (default %d KB for TCP, %d KB for UDP)
-P, --parallel # number of parallel client streams to run
-R, --reverse run in reverse mode (server sends, client receives)
-w, --window #[KMG] TCP window size (socket buffer size)
-C, --linux-congestion <algo> set TCP congestion control algorithm (Linux only)
-M, --set-mss # set TCP maximum segment size (MTU - 40 bytes)
-N, --nodelay set TCP no delay, disabling Nagle's Algorithm
-4, --version4 only use IPv4
-6, --version6 only use IPv6
-S, --tos N set the IP 'type of service'
-L, --flowlabel N set the IPv6 flow label (only supported on Linux)
-Z, --zerocopy use a 'zero copy' method of sending data
-O, --omit N omit the first n seconds
-T, --title str prefix every output line with this string
--get-server-output get results from server
[KMG] indicates options that support a K/M/G suffix for kilo-, mega-, or giga-
New switch error counters for diagnose hardware deviceinfo nic command (285730)
New diag hardware deviceinfo flash command (300119)
Use the diagnose hardware deviceinfo flash command to display the flash program/erase count on the 30D/60D/30E/50E/51E platforms.