01 View FortiGate API call logs
```bash
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application httpsd 255
```

02 Check Link Monitor status
```bash
diagnose sys link-monitor status
```

03 Debugging system-wide issues
```bash
get system performance status
get system status
diag sys top-mem
diagnose hard sysinfo memory
diagnose hard sysinfo slab
diagnose hard sysinfo conserve
diagnose autoupdate versions
diagnose debug crashlog read
# SSH debug
diag debug app sshd -1
diag debug console timestamp enable
diag debug enable
diag debug disable
```

04 LLDP / FQDN / application database information
LLDP neighbor information
```bash
diag lldprx neighbor summary
```
FQDN resolution
```bash
diag firewall fqdn list-ip | grep -A 5 pan.baidu.com
diag firewall fqdn list-ip | grep -A 5 colorshop.ig1.bnrf-prd-01.bnrf-mutu-prod-fo2z.decathlon.io
```
IPs mapped to a Fortinet application-database entry (SD-WAN)
```bash
diagnose sys sdwan internet-service-app-ctrl-list 42662
```

05 SSL VPN debug
```bash
diag debug console timestamp enable
diag debug application sslvpn -1
diag debug application saml -1
diag vpn ssl debug-filter src-addr4 114.93.166.199
diag debug enable
diag debug disable
```

06 IPsec debug
Method 1: application-level ike debugging
```bash
diag debug application ike -1
diag debug enable
diag debug disable
```
Method 2: targeted debugging with a log filter
```bash
diag debug console timestamp enable
diag vpn ike log-filter dst-addr4 40.73.67.154
diag debug enable
diag debug disable
```
07 Debug Flow in detail
💡
Debug Flow traces how the FortiGate processes a traffic flow that passes through or terminates on the unit. When traffic does not get through, Debug Flow is a very effective tool for analysing the flow and locating where it is dropped.
Basic commands
```bash
# Filter on a specific IP
diagnose debug flow filter addr x.x.x.x
# Show the name of the function handling each processing step
diagnose debug flow show function-name enable
# Start the debug flow trace and show up to 999 messages
diagnose debug flow trace start 999
# Turn debug output on
diagnose debug enable
# Stop
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
# Reset all debug settings
diagnose debug reset
```
Common filter conditions
| Condition | Command | Description |
|---|---|---|
| ICMP | diagnose debug flow filter proto 1 | protocol number 1 |
| TCP | diagnose debug flow filter proto 6 | protocol number 6 |
| UDP | diagnose debug flow filter proto 17 | protocol number 17 |
| Source port | diagnose debug flow filter sport 80 | filter on source port 80 |
| Destination port | diagnose debug flow filter dport 25 | filter on destination port 25 |
| Source IP | diagnose debug flow filter saddr x.x.x.x | filter on source IP |
| Destination IP | diagnose debug flow filter daddr y.y.y.y | filter on destination IP |
| Port | diagnose debug flow filter port 8080 | filter on port 8080 (source or destination) |
Usage examples
Example 1: capture ICMP traffic for a given IP
```bash
diagnose debug flow filter addr 101.231.244.193
diagnose debug flow filter proto 1
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
```
Example 2: capture TCP port 10443 traffic for a given IP
```bash
diagnose debug flow filter addr 10.10.10.100
diagnose debug flow filter proto 6
diagnose debug flow filter port 10443
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
```
Example 3: capture UDP port 500 traffic for a given IP
```bash
diagnose debug flow filter addr 10.10.10.100
diagnose debug flow filter proto 17
diagnose debug flow filter port 500
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
```
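As an added example (not part of the original page), the following Python script turns captured debug flow console output into one verdict per trace_id, so a long trace can be triaged at a glance. The lines in SAMPLE are constructed to mimic typical output, and the regular expressions assume the usual `id=... trace_id=... func=... line=... msg="..."` layout, which varies slightly between FortiOS versions.

```python
"""Summarise FortiGate 'diagnose debug flow' output per trace_id."""
import re

# Added example (not from the original page). Regexes follow the common
# 'id=... trace_id=... func=... line=... msg="..."' layout; the sample
# output below is constructed, and exact messages vary by FortiOS version.
LINE_RE = re.compile(r'id=(?P<id>\d+)\s+trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)'
                     r'\s+line=(?P<line>\d+)\s+msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'proto=(?P<proto>\d+),\s*(?P<src>[\d.]+):(?P<sport>\d+)->'
                    r'(?P<dst>[\d.]+):(?P<dport>\d+)\)\s+from\s+(?P<iface>\S+)\.')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<policy>\d+)\)')

SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 10.10.10.100:49172->203.0.113.10:10443) from port2. flag [S], seq 3222, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5760 msg="allocate a new session-00000d59"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=774 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=17, 10.10.10.100:55001->203.0.113.53:500) from port2."
id=20085 trace_id=2 func=init_ip_session_common line=5760 msg="allocate a new session-00000d5a"
id=20085 trace_id=2 func=fw_forward_handler line=774 msg="Denied by forward policy check (policy 0)"
"""

def parse_line(line):
    """Split one debug flow line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(text):
    """Return {trace_id: {packet, verdict, policy}} for a captured debug flow dump."""
    traces = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # prompts, banners, or lines from other debug modules
        t = traces.setdefault(rec["trace"],
                              {"packet": None, "verdict": "unknown", "policy": None})
        pkt = PKT_RE.search(rec["msg"])
        if pkt:
            t["packet"] = pkt.groupdict()  # 5-tuple and ingress interface
        allow, deny = ALLOW_RE.search(rec["msg"]), DENY_RE.search(rec["msg"])
        if allow:
            t["verdict"], t["policy"] = "allowed", int(allow.group("policy"))
        elif deny:  # policy 0 is the implicit deny: no firewall policy matched
            t["verdict"], t["policy"] = "denied", int(deny.group("policy"))
        elif "reverse path check fail" in rec["msg"]:
            t["verdict"] = "denied-rpf"  # dropped by the anti-spoofing RPF check
    return traces
```

Feed it the console output you saved during the trace, for example `summarize(open("flow.txt").read())`.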
08 Manual HA synchronization
Run the following commands on both the primary and the secondary unit:
```bash
execute ha synchronize stop
diag debug reset
diag debug enable
diag debug console timestamp enable
diag debug application hasync -1
diag debug application hatalk -1
execute ha synchronize start
```
09 Checking the antivirus status of a FortiClient user
Query it with PowerShell:
```powershell
# Method 1 (WMI)
Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct | Select-Object displayName, productState
# Method 2 (CIM)
Get-CimInstance -Namespace "root\SecurityCenter2" -ClassName AntiVirusProduct | Select-Object displayName, productState
```
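As an added example (not from the original page), this Python snippet decodes the raw productState numbers that the query above prints into an enabled/up-to-date status. Windows does not document the productState layout; the byte positions used here are the convention most administration scripts rely on, so treat them as an assumption and confirm against a host whose status you already know. The SAMPLE values are constructed.

```python
"""Decode the SecurityCenter2 AntiVirusProduct.productState value."""

# Added example (not from the original page). Windows does not document the
# productState layout; the byte positions below are the convention used by
# most admin scripts and match the values seen in practice (assumption).
# Apply it to the numbers the PowerShell query in this section prints.

def decode_product_state(state):
    """Return {'hex', 'enabled', 'definitions_current'} for one productState."""
    hx = f"{int(state):06x}"      # e.g. 266240 -> '041000'
    product_byte = hx[2:4]        # 10/11 = real-time protection on, 00/01 = off
    definitions_byte = hx[4:6]    # 00 = signatures up to date, 10 = out of date
    return {
        "hex": hx,
        "enabled": product_byte in ("10", "11"),
        "definitions_current": definitions_byte == "00",
    }

def classify(products):
    """Map (displayName, productState) pairs to a one-line status per product."""
    result = {}
    for name, state in products:
        d = decode_product_state(state)
        if d["enabled"] and d["definitions_current"]:
            result[name] = "protected"
        elif d["enabled"]:
            result[name] = "enabled, definitions out of date"
        else:
            result[name] = "disabled"
    return result

# Constructed sample, shaped like the Select-Object output of the query above.
SAMPLE = [
    ("FortiClient AntiVirus", 266240),   # 0x041000: on, signatures current
    ("Windows Defender", 393472),        # 0x060100: off (stepped aside for third-party AV)
    ("Some Other AV", 266256),           # 0x041010: on, signatures out of date
]
```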
10 Debug Flow quick scripts
📋
The following Debug Flow snippets were collected during real troubleshooting and can be copied as-is.
Capture ICMP traffic (example: 10.3.10.1)
```bash
diagnose sys session filter dst 10.3.10.1
diagnose sys session filter proto 1
# clear the matching sessions so the next packet goes through policy lookup again and shows up in the trace
diagnose sys session clear
diagnose debug flow filter addr 10.3.10.1
diagnose debug flow filter proto 1
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
```
Capture TCP 443 traffic (example: 10.255.16.114)
```bash
diagnose sys session filter dst 10.255.16.114
diagnose sys session clear
diagnose debug flow filter addr 10.255.16.114
diagnose debug flow filter proto 6
diagnose debug flow filter port 443
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
```
Capture UDP 53 (DNS) traffic
```bash
diagnose debug flow filter port 53
diagnose debug flow filter proto 17
```
Capture TCP 80 traffic
```bash
diagnose debug flow filter port 80
diagnose debug flow filter proto 6
```
Capture traffic for a specific IP + port
```bash
diagnose debug flow filter addr 103.17.88.71
diagnose debug flow filter proto 6
diagnose debug flow filter port 57720
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
```
Capture UDP 161 (SNMP) traffic
```bash
diagnose sys session filter src 172.40.1.252
diagnose sys session clear
diagnose debug flow filter addr 124.89.90.125
diagnose debug flow filter proto 17
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
```
Capture TCP 3134 traffic
```bash
diagnose sys session filter dst 116.90.243.115
diagnose sys session clear
diagnose debug flow filter addr 222.92.132.166
diagnose debug flow filter proto 6
diagnose debug flow filter port 3134
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 6
diagnose debug enable
```
Capture UDP traffic (example: 192.168.1.1)
```bash
diagnose debug flow filter addr 192.168.1.1
diagnose debug flow filter proto 17
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 6
diagnose debug enable
```
List sessions by policy ID
```bash
diagnose sys session filter src 172.40.1.252
diagnose sys session clear
diagnose sys session filter policy 5
diagnose sys session list
```
Capture UDP 161 traffic
```bash
diagnose debug flow filter addr 58.18.31.148
diagnose debug flow filter proto 17
diagnose debug flow filter port 161
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
```
⚠️
After troubleshooting, always run the following commands to turn debugging off; leaving it on keeps consuming device resources and degrades performance:
```bash
diag debug disable
diag debug reset
```