CLI troubleshooting cheat sheet Command Description

If keepvmlicense is specified (VM

This reference lists some important command line interface (CLI) commands models only), the VM license is
that can be used for log gathering, analysis, and troubleshooting. retained after reset.
diagnose debug config-error-log Show errors in the configuration file.
It provides a basic understanding of CLI usage for users with different skill read
levels. Exploring additional commands beyond the ones listed here to gain a
diagnose snmp ip frags Show fragmentation and reassembly
comprehensive understanding of the CLI is recommended.
information.
Enable/Disable debugging diagnose sys process dump <PID> Show essential process related
diagnose sys process pstack <PID> information for a particular process
diagnose sys process trace <PID> PID.
Command Description
diagnose debug reset Stop all the prior debugs that were diagnose sys mpstat {n} Show CPU usage every n seconds.
enabled and running in the foreground diagnose hardware sysinfo memory Show system memory information.
or background. diagnose firewall packet Show packet distribution statistics.
diagnose debug enable Start printing debugs in the console. distribution
diagnose debug disable Stop printing debugs in the console. execute reboot Reboot the device.
The debugs are still running in the
background; use diagnose debug Hardware
reset to completely stop them.
diagnose debug duration 0 Start debugging for infinite duration. By Command Description
default, debug is set for 30 minutes. diagnose hardware sysinfo Show hardware interrupts statistics.
interrupts
System Execute a hardware diagnostic test,
diagnose hardware test suite all
also known as an HQIP test.
Command Description diagnose hardware deviceinfo disk Show disk information.
get system status Show system information. diagnose sys flash list Show flash partitions.
execute time Show current system time. execute disk list Show available mounted disks.
get system performance status Show CPU and memory utilization. execute disk format <partition ref> Format the referenced partition.
execute tac report Execute TAC report used to open a diagnose disktest device <device> Execute a disk check to check if disk is
support ticket with Fortinet Support. diagnose disktest block <block> faulty.
diagnose disktest size <mb> l <device>: Device to test
diagnose sys top {s} {n} {i} Show a list of the first n processes
diagnose disk test run
every s seconds for i iterations. l <block>: Block size of each

l Shift +C: Sort by highest CPU read/write operation.

l Shift + M: Sort by highest memory l <mb>: Test size limit for each

diagnose debug crashlog read Show system and application crashes. cycle
diagnose sys process pidof <daemon> Show PID of the daemon that is execute formatlogdisk Format the log disk.
running. The names of currently diagnose hardware sysinfo cpu Show CPU information.
running daemons can be found using diagnose sys modem detect Detect the modem and start real-time
diagnose sys top. diagnose debug application modemd - debugging of the modem daemon.
For example: diagnose sys 1
diagnose debug enable
process pidof httpsd
diagnose sys kill 11 <pid> Kill the PID with signal 11.
FortiGuard
diagnose sys session stat Show session statistics.
diagnose sys session exp-stat Show expectation session statistics. Command Description
diagnose sys vd list Show virtual domain information and diagnose webfilter fortiguard Show rating cache and daemon
system statistics. statistics statistics.
diagnose sys cmdb info Show information about the latest diagnose debug rating Show web filter rating server
configuration change performed by the information.
daemon.
diagnose debug application update - Start debugging for updated daemon to
execute factoryreset Immediately reset to factory defaults 1 troubleshoot FortiGuard update issues.
[keepvmlicense] and reboot. diagnose debug enable
If keepvmlicense is specified (VM execute update-now Execute the FortiGuard update
models only), the VM license is manually.
retained after reset. diagnose autoupdate status Show license information.
execute factoryreset-shutdown Immediately reset to factory defaults diagnose autoupdate versions
[keepvmlicense] and shutdown.
If keepvmlicense is specified (VM Session table
models only), the VM license is
retained after reset. Command Description
execute factoryreset2 Reset to factory default, except system diagnose sys session filter Set session table filters.
[keepvmlicense] settings, system interfaces, VDOMs, <filter>
static routes, and virtual switches. diagnose sys session filter Show session filters, if set.

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 01-760-1051988-20241216

Command Description UTM
diagnose sys session list Show session table after filtering.
Command Description
diagnose sys session clear Clear the session table for the
specified filter. diagnose debug urlfilter <filter> Start real-time debugging for web filter
diagnose debug application traffic.
diagnose firewall iprope list Show FortiGate’s internal firewall table. urlfilter -1
diagnose debug enable
Network diagnostics diagnose debug enable List the web filter debug outputs.
diagnose test application urlfilter
Command Description diagnose test application urlfilter Show the web filter debug output for
execute ping-options {options} Ping IP address <x.x.x.x> using the <option> the specified option.
execute ping <x.x.x.x> specified options. diagnose debug application dnsproxy Start real-time debugging for DNS
execute ssh-options {options} SSH to IP address <x.x.x.x> using the -1 proxy. DNS proxy is responsible for
execute ssh <x.x.x.x> specified options. diagnose debug enable DNS filter, DNS translation, DNS
execute traceroute-options Traceroute IP address <x.x.x.x> using resolution etc.
{options} the specified options. diagnose debug enable List the DNS proxy debug outputs.
execute traceroute <x.x.x.x> diagnose test application dnsproxy
get system arp Show ARP entries. diagnose test application dnsproxy Show the DNS proxy debug output for
diagnose ip arp list <option> the specified option.
diagnose netlink brctl list Show the names of all of the switches diagnose ips filter set "host Start IPS engine debugs for
on the FortiGate. <x.x.x.x> and port <port>" Application Control and IPS Security
diagnose netlink brctl name host Show the switching table of the diagnose ips debug enable all profile
<switch-name> specified switch. diagnose debug enable

get system interface Show a summary of interface details, diagnose ips debug enable av Start real-time debugging for antivirus
get sys interface physical diagnose ips debug status show profile when antivirus profile is
including IP address information.
diagnose sys scanunit debug all configured in flow mode.
diagnose ip address list Show IP address information. enable
diagnose hardware deviceinfo nic Show detailed interface information. diagnose sys scanunit debug level
<interface> verbose
get hardware nic <interface> diagnose sys scanunit debug show
diagnose debug enable
get sys interface transceiver Show connected transceivers.
diagnose wad debug enable category Start real time debugging for antivirus
scan profile when antivirus profile is
Packet sniffer diagnose wad stream-scan av-test configured in proxy mode.
"debug enable"
Command Description diagnose wad stream-scan av-test
diagnose sniffer packet <interface> Execute the inbuilt packet sniffer, "debug all:debug"
<'filter'> <verbose> <count> filtered on a particular interface with the diagnose sys scanunit debug all
<a|l> enable
specified filter. For more information,
diagnose sys scanunit debug level
see Performing a sniffer trace or
verbose
packet capture. diagnose sys scanunit debug show
diagnose debug enable
Debug flow
IPS engine
Command Description
The IPS engine handles traffic related to flow-based processing.
diagnose debug reset Stop all the prior debugs that were
enabled and running in the foreground
or background. Real-time debugs are CPU intensive tasks. Running real-time
IPS engine debugs with proper filters can result in high CPU
diagnose debug flow filter clear Clear any IPv4 debug flow filters.
usage.
diagnose debug flow filter6 clear Clear any IPv6 debug flow filters.
diagnose debug flow filter <filter> Set a filter for running IPv4 traffic
debug flows. Command Description
diagnose debug flow filter6 Set a filter for running IPv6 traffic diagnose test application Show IPS engine information
<filter> debug flows. ipsmonitor 1

diagnose debug flow show function- Show the function name of the code diagnose test application Set the IPS engine enable/disable
name enable ipsmonitor 2 status.
that the traffic accesses.
diagnose debug flow show iprope Show which internal firewall policy that diagnose test application Restart all IPS engines and monitor.
enable ipsmonitor 99
the traffic is going through.
diagnose test application Start all IPS engines.
diagnose debug console timestamp Start printing timestamps on debugs. ipsmonitor 97
enable
diagnose debug flow trace start <n> Show n lines of IPv4 debugs.
diagnose test application Stop all IPS engines.
ipsmonitor 98
diagnose debug flow trace start6 Show n lines of IPv6 debugs. diagnose ips session list Show the IPS sessions in each
<n>
diagnose test application engine's memory space.
diagnose debug enable Start printing debugs in the console. ipsmonitor 13
diagnose ips filter set "host Show IPS engine debugs for the traffic
<x.x.x.x> and port <port>" specified by the filter.
For more detailed debug flow filter information, see Technical diagnose ips debug enable all
Tip: Using filters to review traffic traversing the FortiGate. diagnose debug enable

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 2

WAD Command Description
The WAD daemon handles proxy related processing. get router info6 ospf status
get router info ospf neighbor Show OSPF neighbors for IPv4 and
get router info6 ospf neighbor IPv6.
Real-time debugs are CPU intensive tasks. Running real-time get router info ospf database brief Show OSPF database in brief.
WAD debugs with proper filters can result in high CPU usage.
get router info bfd neighbor Show BFD neighbors for IPv4 and
get router info6 bfd neighbor IPv6.
Command Description
diagnose test application bfd 1 Show BFD statistics.
diagnose test application bfd 2
diagnose test application wad 1000 Show all WAD processes. diagnose test application bfd 3
diagnose test application wad 2 Show total memory usage. diagnose debug application bfdd Start real-time BFD debugging .
diagnose test application wad 99 Restart all WAD processes. <debug level>
diagnose debug enable
diagnose wad debug display pid Start real-time debugging of the traffic
enable processed by WAD daemon.
get router info bgp summary Show BGP summary for IPv4 and
diagnose wad filter <filter> get router info6 bgp summary IPv6.
diagnose wad filter list get router info bgp neighbors Show BGP peer and the advertised
diagnose wad debug enable level get router info6 bgp neighbors and received routes from the BGP
<level> get router info bgp neighbors peer.
diagnose wad debug enable category <x.x.x.x> advertised-routes l Substitute <x.x.x.x> with IPv4
<category> get router info6 bgp neighbors
diagnose debug enable address of the peer.
<x:x::x:x/m> advertised-routes
l Substitute <x:x::x:x/m> with IPv6
diagnose wad filter <filter> Set the filter for the WAD debugs. get router info bgp neighbors
<x.x.x.x> received-routes address of the peer.
diagnose wad filter list Show all the filters that have been set get router info6 bgp neighbors
for debugging. <x:x::x:x/m> received-routes
diagnose wad filter clear Clear the WAD filter settings. get router info bgp neighbors
diagnose wad debug enable level Set the verbosity level of the debugs. <x.x.x.x> routes
<level> get router info6 bgp neighbors
<x:x::x:x/m> routes
diagnose wad debug enable category Set the traffic category.
<category> diagnose ip router bgp all enable Start real-time BGP debugging.
diagnose ip router bgp level info
diagnose wad debug display pid Show the WAS worker PID in debugs diagnose debug enable
enable that handle the session request.
execute router clear bgp {all | as Execute a hard reset based on the
diagnose debug enable Start printing debugs in the console. <ASN> | ip x.x.x.x | ipv6 specified parameters:
y:y:y:y:y:y:y:y} l all: all BGP peers
CPU profiling as <ASN>: BGP peers specified
l

by AS number
Command Description l ip x.x.x.x: BGP peer
diagnose sys profile cpumask <cpu_ Set the CPU core to profile. specified by IPv4 address
id> (x.x.x.x)
diagnose sys profile start Start CPU profiling and wait for one to l ipv6 y:y:y:y:y:y:y:y: BGP

two minutes to stop. peer specified by IPv6 address

diagnose sys profile stop Stop CPU profiling. (y:y:y:y:y:y:y:y)
diagnose sys profile module Show the applied kernel modules. execute router clear bgp {all | ip Executea soft reset based on the
x.x.x.x | ipv6 y:y:y:y:y:y:y:y} specified parameter:
diagnose sys profile show detail Show the CPU profiling result for the soft {in|out} l all: all BGP peers
diagnose sys profile show order respective core.
l ip x.x.x.x: BGP peer

specified by IPv4 address

Tree
(x.x.x.x)
l ipv6 y:y:y:y:y:y:y:y: BGP
Command Description
peer specified by IPv6 address
tree Show the entire command tree. (y:y:y:y:y:y:y:y)
tree execute Show the execute command tree. l in: received BGP routes only

tree diagnose Show the diagnose command tree. l out: advertised BGP routes only

A soft reset will occur in both

IPv4 and IPv6 routing directions if neither in nor out is
specified.
Command Description get router info ospf status Show OSPF status for IPv4 and IPv6.
get router info6 ospf status
get router info routing-table all Show routing table. get router info ospf interface Show OSPF running on interface for
get router info routing-table Show IPv4 and IPv6 routing database get router info6 ospf interface IPv4 and IPv6.
database information.
get router info6 routing-table
get router info ospf neighbor all Show OSFP neighbor information for
get router info6 ospf neighbor all IPv4 and IPv6.
database
diagnose ip route list Show the IPv4 and IPv6 kernel routing get router info ospf database brief Show OSPF database in brief for IPv4
get router info kernel get router info6 ospf database and IPv6.
table.
diagnose ipv6 route list brief
get router info6 kernel diagnose ip router ospf all enable Start real-time OSPF debugging.
get router info protocols Show routing protocol information for diagnose ip router ospf level info
get router info6 protocols diagnose debug enable
IPv4 and IPv6.
execute router restart Restart the routing daemon
get router info ospf status Show OSPF status for IPv4 and IPv6.

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 3

Multicast routing Command Description
Caution: The password is visible in
Command Description clear text; be careful when capture this
get router info multicast igmp Show IGMP statistics for an interface. command to a log file.
interface diagnose test authserver ldap Test user authentication using an
get router info multicast igmp Show multicast groups subscribed to <server_name> <user> <password> LDAP server.
groups with IGMP. Caution: The password is visible in
diagnose ip multicast get-igmp- Show maximum IGMP states. clear text; be careful when capture this
limit command to a log file.
diagnose ip router igmp decode Start real-time debugging of IGMP diagnose test authserver radius Test user authentication using a
enable daemon. <server_name> <auth_type> <user> Radius server.
diagnose ip router igmp level info <password>
diagnose debug console timestamp Caution: The password is visible in
enable clear text; be careful when capture this
diagnose debug enable command to a log file.
execute mrouter clear igmp- Clear all IGMP entries from one diagnose debug fsso-polling detail Show information about the polls from
interface <interface> interface. diagnose debug fsso-polling summary FortiGate to DC.
execute mrouter clear igmp-group Clear all IGMP entries for one or all diagnose debug fsso-polling user Show FSSO logged on users when
<group-address> groups. diagnose debug authd fsso list Fortigate polls the DC.
get router info multicast pim Show sparse-mode interface diagnose debug application fssod -1 Start real-time debugging when the
sparse-mode <interface>. information. diagnose debug application smbcd -1 FortiGate is used for FSSO polling.
diagnose debug enable
get router info multicast pim Show sparse-mode neighbor
sparse-mode <neighbor> information. diagnose debug fsso-polling Refresh the current logged on FSSO
refresh-user users and refresh the list.
get router info multicast pim Show RP to group mapping execute fsso refresh
sparse-mode rp-mapping information. Caution: This command can cause an
outage, use it carefully.
get router info multicast pim Show sparse-mode routing table.
sparse-mode table diagnose debug authd fsso server- Show current status of connection
status between FortiGate and the collector
diagnose ip router pim-sm events Start real-time debugging of PIM
enable sparse mode. agent.
diagnose ip router pim-sm all diagnose debug application authd Start real-time debugging for the
enable 8256 connection between FortiGate and the
diagnose ip router pim-sm level diagnose debug enable collector agent.
info
diagnose debug authd fsso refresh- Resend the logged-on users list to
diagnose debug enable
logons FortiGate from the collector agent.
SD-WAN diagnose debug application authd Start real-time debugging for the
8256 connection between FortiGate and the
diagnose debug enable collector agent.
Command Description
diagnose debug application samld -1 Start real-time SAML debugging.
diagnose sys sdwan health-check Show SD-WAN health check statistics. diagnose debug enable
status
diagnose sys sdwan service4 Show SD-WAN rules in control plane. IPsec
diagnose sys sdwan service6
diagnose sys sdwan member Show SD-WAN members.
Command Description
diagnose firewall proute list Show SDWAN rule and policy routes in
diagnose vpn ike gateway list Show IPsec phase 1 information.
the data plane.
diagnose vpn tunnel list Show IPsec phase 2 information.
diagnose sys link-monitor status Show link monitoring statistics.
diagnose sys link-monitor interface get vpn ipsec tunnel summary Show summary and detailed
<interface> get vpn ipsec tunnel details information about IPsec tunnels.
diagnose debug application link- Start real-time link monitor debugging. diagnose vpn ipsec status Show information about encryption
monitor -1 counters.
diagnose debug enable
diagnose vpn ike log filter Set a filter for IKE daemon debugs.
diagnose test application lnkmtd 1 Show link monitoring statistics. <filter>
diagnose test application lnkmtd 2
diagnose debug application ike -1 Start real-time debugging of IKE
diagnose test application lnkmtd 3
diagnose debug enable daemon with the filter set.
Authentication
diagnose vpn ike restart Restart the IKE process.
diagnose vpn ike counts Show other information, such as IKE
diagnose vpn ike routes counts, routes, errors, and statistics.
Command Description
diagnose vpn ike errors
diagnose firewall auth filter Set the filter used to list entries. diagnose vpn ike stats
<filter> diagnose vpn ike status
diagnose firewall auth list List filtered, authenticated IPv4 users. diagnose vpn ike crypto
diagnose wad user list List current users authenticated by
proxy (wad daemon). SSL VPN
diagnose debug application fnbamd - Start real-time debugging for remote
1 and local authentication. Command Description
diagnose debug application authd -1 diagnose vpn ssl debug-filter list Show any filters that are set for SSL
diagnose debug enable VPN debug.
diagnose test authserver <auth_ Test authentication directly from the diagnose vpn ssl debug-filter clear Clear any filters that are set for SSL
protocol> <server_name> <user> CLI. VPN daemon debug.
<password>

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 4

Command Description Command Description
diagnose vpn ssl debug-filter Set a filter for SSL VPN debugs. diagnose switch-controller switch- Show managed FortiSwitch DHCP
<filter> info option82-mapping option 82 mapping information.
diagnose debug application sslvpn - Start SSL VPN debugs for traffic that diagnose switch-controller switch- Show managed FortiSwitch port
1 the filter is applied to. info 802.1X 802.1X status.
diagnose debug enable
diagnose switch-controller switch- Show managed FortiSwitch port
diagnose vpn ssl list Show the current SSL VPN sessions info 802.1X-dacl 802.1X dynamic ACL status.
get vpn ssl monitor for both web and tunnel mode.
execute vpn sslvpn list diagnose switch-controller switch- Show managed FortiSwitch violated
info mac-limit-violations MACs information.
diagnose vpn ssl statistics Show the SSL VPN statistics.
diagnose vpn ssl mux-stat diagnose switch-controller switch- Show managed FortiSwitch flow
info flow-tracking information.
execute vpn sslvpn list Show all SSL VPN web and tunnel
mode connections. diagnose switch-controller switch- Show managed FortiSwitch mirror
execute vpn sslvpn del-tunnel Disconnect the users from tunnel mode info mirror information.
SSL VPN connection. diagnose switch-controller switch- Show managed FortiSwitch source
info ip-source-guard guard information in hardware.
execute vpn sslvpn del-web Disconnect the users from web mode
SSL VPN connection. diagnose switch-controller switch- Show managed FortiSwitch STP port
info rpvst information when inter-operating with
Managed FortiSwitches rapid PVST network.
execute switch-controller get-conn- Show FortiSwitch connection status.
The successful execution of commands for managed status <FortiSwitch-SN>
FortiSwitches requires that the feature is available on the execute switch-controller get- Show FortiLink connectivity graph.
FortiSwitch device itself. See the FortiSwitchOS Feature physical-conn standard
Matrix. <FortiSwitch-SN>
execute switch-controller diagnose- Show FortiSwitch connection
connection <FortiSwitch-SN> diagnostics.
Enter ? to view additional options or parameters required to
obtain the required information in the diagnose switch-
controller switch-info commands. Managed FortiAPs

Command Description
Command Description diagnose wireless-controller wlac - Show information about the FortiAP
diagnose switch-controller switch- Show managed FortiSwitch MAC c wtp devices.
info mac-table address list. diagnose wireless-controller wlac -
d wtp
diagnose switch-controller switch- Show managed FortiSwitch port
info port-stats diagnose wireless-controller wlac - Show information about the wireless
statistics.
c sta clients connected to the FortiAP
diagnose switch-controller switch- Show managed FortiSwitch trunk diagnose wireless-controller wlac - devices.
info trunk status information. d sta
diagnose switch-controller switch- Show MCLAG related information from diagnose wireless-controller wlac Show a list of debug options available
info mclag FortiSwitch. help for the wireless controller.
diagnose switch-controller switch- Show POE-related information. diagnose wireless-controller wlac Start real-time debugging of a wireless
info poe sta_filter client/station that connects to the
diagnose switch-controller switch- Show LLDP-related information. diagnose wireless-controller wlac FortiAP.
info lldp sta_filter clear l <aa:bb:cc:dd:ee:ff>: MAC
diagnose switch-controller switch- Show managed FortiSwitch port diagnose wireless-controller wlac
address of endpoint/station
info port-properties sta_filter <aa:bb:cc:dd:ee:ff>
properties.
255
diagnose switch-controller switch- Show managed FortiSwitch port ACL diagnose debug enable
info acl-counters counters information. diagnose wireless-controller wlac - Show virtual access point information,
diagnose switch-controller switch- Show managed FortiSwitch pdu- c vap including its MAC address, BSSID,
info pdu-counters-list counters information. SSID, the interface name, and the
diagnose switch-controller switch- Show managed FortiSwitch flapguard IP address of the APs that are
info flapguard information. broadcasting it.
diagnose switch-controller switch- Show managed FortiSwitch QoS diagnose wireless-controller wlac Show the wireless termination point
info qos-stats statistics. wtp_filter (WTP), or FortiAP, debugging on the
diagnose wireless-controller wlac wireless controller if FortiAP is failing to
diagnose switch-controller switch- Show modules related information
wtp_filter clear connect to FortiGate.
info modules from FortiSwitch. diagnose wireless-controller wlac
l <FAP-SN>: FortiAP serial
diagnose switch-controller switch- Show managed FortiSwitch STP wtp_filter <FAP-SN> 0-
info stp number
instance status. <x.x.x.x>:5246 255
l <x.x.x.x>: FortiAP IP address
diagnose switch-controller switch- Show managed FortiSwitch STP diagnose debug application cw_acd
info bpdu-guard-status 0x7ff
BPDU guard status.
diagnose switch-controller switch- Show managed FortiSwitch IGMP
info igmp-snooping High availability
snooping information.
diagnose switch-controller switch- Show managed FortiSwitch loop-guard
Command Description
info loop-guard status.
diagnose system ha status Show HA status and information.
diagnose switch-controller switch- Show managed FortiSwitch DHCP
get system ha status
info dhcp-snooping snooping interface list.
execute ha manage <index> Log into and manage a specific HA
diagnose switch-controller switch- Show managed FortiSwitch ARP <username> member.
info arp-inspection inspection interface list.

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 5

Command Description Command Description
diagnose sys ha checksum cluster Show checksum information of all exec log display Show filtered logs.
cluster members. execute log delete Delete filtered logs.
diagnose sys ha checksum show Show detailed checksum information diagnose debug application miglogd Start real-time debugging of logging
<vdom> for a VDOM. -1 process miglogd.
diagnose sys ha checksum Recalculate HA checksums. diagnose debug enable
recalculate execute log fortianalyzer test- Test connectivity between FortiGate
diagnose sys ha recalculate- Recalculate HA external files connectivity and FortiAnalyzer.
extfile-signature signatures.
diagnose sys ha reset-uptime Reset the HA uptime. This is used to Traffic shaping
test failover.
diagnose debug application hatalk - Start real-time debugging of HA Command Description
1 daemons. diagnose firewall shaper traffic- Show configured traffic shapers.
diagnose debug application hasync - shaper list
1
diagnose firewall shaper traffic- Show traffic shaper statistics.
diagnose debug application harelay
shaper stats list
-1
diagnose debug enable
SIP session helper
diagnose sys ha history read Show HA history.
execute ha synchronize stop Manually start and stop HA Command Description
execute ha synchronize start synchronization.
diagnose sys sip status Show SIP status.
ZTNA diagnose sys sip mapping list Show SIP mapping list.
diagnose sys sip dialog list Show SIP dialogue list.
The WAD daemon handles proxy related processing. diagnose debug application sip -1 Start real-time SIP debugging.
The FortiClient NAC daemon (fcnacd) handles FortiGate to diagnose debug enable
EMS connectivity.
SIP ALG
Command Description Command Description
diagnose endpoint fctems test- Verify FortiGate to FortiClient EMS diagnose sys sip-proxy calls list Show list of active SIP proxy calls.
connectivity <EMS> connectivity. diagnose sys sip-proxy stats Show SIP proxy statistics.
execute fctems verify <EMS> Verify the FortiClient EMS’s certificate. diagnose sys sip-proxy session list Show SIP proxy session list.
diagnose test application fcnacd 2 Dump the EMS connectivity
diagnose debug application sip -1 Start real-time SIP debugging.
information. diagnose debug enable
diagnose debug app fcnacd -1 Run real-time FortiClient NAC daemon
diagnose debug enable debugs.
diagnose endpoint ec-shm list <ip> Show the endpoint record list.
<mac> <EMS_serial_number> <EMS_ Optionally, add filters.
tenant_id>
diagnose endpoint lls-comm send Query endpoints by client UID, EMS
ztna find-uid <uid> <EMS_serial_ serial number, and EMS tenant ID.
number> <EMS_tenant_id>
diagnose endpoint lls-comm send Query endpoints by the client IP-
ztna find-ip-vdom <ip> <vdom> VDOM pair.
diagnose wad dev query-by uid <uid> Query from WAD diagnose command
<EMS_serial_number> <EMS_tenant_ by UID, EMS serial number, and EMS
id> tenant ID.
diagnose wad dev query-by ipv4 <ip> Query from WAD diagnose command
by IP address.
diagnose firewall dynamic list List EMS security posture tags and all
dynamic IP and MAC addresses.
diagnose test application fcnacd 7 Check the FortiClient NAC daemon
diagnose test application fcnacd 8 ZTNA and route cache.
diagnose wad worker policy list Display statistics associated with
application gateway rules.
diagnose wad debug enable category Run real-time WAD debugs.
all
diagnose wad debug enable level
verbose
diagnose debug enable
diagnose debug reset Reset debugs when completed

Logging

Command Description
diagnose log test Generate logs for testing.
execute log filter <filter> Set log filters.
execute log filter Show log filters.

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 6