CheatSheet-FAZ-FMGR-7.0-v1.2


Cheat Sheet: FortiAnalyzer / FortiManager
for version 7.0

The cheat sheet from BOLL. Here you can find all important CLI commands for the operation and troubleshooting of FortiAnalyzer and FortiManager for version 7.0.

General

Default Device Information

admin / no password
    Default login

192.168.1.99
    Default IP on port1 or management port

9600/8-N-1
hardware flow control disabled
    Default serial console settings

Reset Information

exec reset all-settings
    Erases the configuration on flash, containing IP and routes

exec reset all-except-ip
    Erases the configuration but leaves the settings for IP and routes

exec format disk
    Formats Log disk

exec reset adom-settings <ADOM name> 6 4 0
    Reset the ADOM version to 6.4

Server Information

get system status
    General device status

get system performance
    Performance statistics

diag system print [option]
    View different server information

diag hardware info
    Hardware statistics for CPU, memory, disk and RAID

Network

exec ping [host]
    Ping utility

exec traceroute [host]
    Traceroute utility

diag sniffer packet <interface> <filter> <level> <timestamp>
    Packet sniffer

config sys fortiview settings
set resolve-ip enable
    Resolve IP address to hostname

Disk / RAID / Virtual Disk

config sys locallog disk setting
set diskfull nolog/overwrite
    What happens with oldest logs

diag system raid [option]
options: status, hwinfo, alarms
    RAID information

diag system disk [option]
options: info, health, errors, attr
    Disk information

exec lvm info
    Provides a list of available disks (VM)

exec lvm extend <disk nr.>
    Add disk (VM)

diag sys fsck harddisk
    Check and repair file system after crash or power loss

Process Information

get system performance status
    General performance information

diag debug crashlog history
    Crash statistics

diag debug crashlog read
    Crash log

exec top
    CPU/Memory intense processes
    Sort with P (CPU) / M (Memory)

exec iotop
    Processes with high I/O

FortiAnalyzer Logging

ADOM Operation

config system global
set adom-status [en/dis]
    ADOM settings
    Enable or disable ADOM mode

config system global
set adom-mode [normal/adv]
    Set ADOM mode to normal or advanced (for VDOMs)

config system global
set adom-select [en/dis]
    Displays ADOM window after login

diag dvm adom list
    Enabled and configured ADOMs

diag dvm device list
    Currently registered and unregistered devices and VDOMs

diag test appl oftpd 3
    Currently registered and unregistered devices and VDOMs

execute sql-local rebuild-adom <ADOM-name>
    Rebuild ADOM database

Log Forwarding

config system log-forward
edit <id>
set mode <realtime, aggr, dis>
    Forwarding logs to FortiAnalyzer / Syslog / CEF

conf sys log-forward-service
set accept-aggregation enable
    Configure the FortiAnalyzer that receives logs

Log Backup

exec backup logs <device name|all> <ftp|sftp|scp> <serverip> <user> <password> <location on server>
    Backup logs to external storage

exec restore <options>
    Restore commands

Log Encryption

config log fortianalyzer setting
set enc-algorithm {default*|high|low|disable}
    FortiGate’s encryption level

config sys global
set enc-alg {high | med | low}
    FortiAnalyzer’s encryption level

config system global
set log-checksum {md5|md5-auth|none}
    Configure FAZ to record log file hash value, timestamp and authentication code

Log Settings on FortiGate

config log fortianalyzer setting
config log fortianalyzer filter
    Logging commands on FortiGate

diag log test
    Generates dummy log messages

diag test appl miglogd 6
    Dumps statistics for log daemon

diag log kernel-stats
    Sent and failed log statistics

exec log fortianalyzer test-connectivity
    Test connection to FortiAnalyzer

Log Troubleshooting

diag sniff packet any 'port 514' 4
    Sniffer for Syslog Traffic

diag test appl oftpd 8
    Daemon for receiving logs

diag test appl logfiled 2
    Log file-related activities

diag log device
    Used disk space per ADOM

diag system print df
    Logs and system files on drive

diag fortilogd lograte
    Log receive rate per second

diag fortilogd msgrate
    Message rate per second

diag fortilogd msgrate-total
    Message rate in total

diag fortilogd msgrate-device
    Message rate per device

diag fortilogd msgrate-type
    Message rate for each log type


FortiAnalyzer Reporting

Hard Cache Management

diag sql status sqlreportd
    SQL query conn and hcache status

diag sql show hcache-size
    Hcache size on the file system

diag test application sqlrptcached <level>
    State of the hcache

diag test appl sqlreportd 2
    Diagnose hcache creation

exec sql-report hcache-build <ADOM-name> <schedule-name> <start-time> <end-time>
    Rebuild hcache

exec sql-report list-schedule <ADOM-name>
    View report grouping information

Database

diag sql process list
    Current SQL processes running

diag sql status sqlplugind
    SQL insertion status

FortiAnalyzer HA

HA status

diag ha status / stats
    Show HA status / statistics

diag ha failover
    Run on master, force failover

diag ha load-balance
    Shows HA load balance status

diag ha force-cfg-resync
    Force HA to resync config

diag ha restart-init-sync
    Run on master, restart HA initial sync

FortiManager

Configuration

diag dvm device list
    Currently registered and unregistered devices / VDOMs

config system admin setting
set mgmt-addr <FMG NATed IP address>
    Set FMG NAT-IP if setup is behind a firewall / NAT device

config system dm
set fgfm-sock-timeout <sec>
set fgfm_keepalive_itvl <sec>
set rollback-allow-reboot enable
    Adjust FGFM tunnel timeouts and ttl as well as enable FGT-reboot recovery logic on tunnel disconnect

config system global
set workspace-mode [enabled / normal / workflow]
    Enable workspace or workflow session based administration

Replacement of devices

exec device replace sn <devname> <new serialnum>
    Replace device with new device

exec fgfm reclaim-dev-tunnel <optional device name>
    Reclaim tunnel (optional)

exec device replace pw <device name> <password>
    (optional)

Backup FortiManager

diag dvm check-integrity
diag cdb check adom-integrity
diag cdb check adom-revision
diag cdb check policy-package
diag cdb check update-devinfo
    Logoff all admins, unlock ADOMs and create FMG backup before executing database checks
    diag dvm lock → check for unexpected, locked processes
    diag dvm proc list → check for a stuck process or task

diag dvm lock
    Check for unexpected, locked processes

diag dvm proc list
    Check for stuck process or task

Settings on FortiGate

conf system central-management
set type fortimanager
set fmg <FortiManager IP>
    FortiGate configuration for linking FGT to model-device

exec central-mgmt register-device <fmg-serial-no> <fmg-register-password>
    Run on FGT to link model device to real device

Troubleshooting FortiGuard

FDS (fdslinkd)
    FortiGate AV/IPS

FGD (fgdlinkd)
    FortiGate Web-/Email filter

FCT (fctlinkd)
    FortiClient AV/IPS

FGC (fgclinkd)
    FortiClient Web-/Email filter

FDN
    FortiGuard Distribution Network

diag fmupdate view-serverlist [fds|fct|fgd|fgc|fmtr]
    Show list of available update servers per service

diag fmupdate dbcontract [<optional fds|fgd> <optional device serial number>]
    Verify FortiGate contract information on FMG

show system fortiguard-service
    Shows version, last update, contract expiration date

diag debug application update -1
diag debug enable
exec update-now
    Show realtime output of update process and details on downloading updates from FMG

Troubleshooting ADOM Databases

exec fmpolicy print-adom-package <adom> <template type> <package> <category>
    Troubleshoot provisioning templates

exec fmpolicy print-device-database <adom> <device>
    Display device configuration

exec fmpolicy print-device-object <adom> <device> <vdom> <category>
    Display individual object configuration

exec fmpolicy print-adom-database <adom_output_file>
    Display entire ADOM database

exec fmpolicy print-adom-package <adom> <policy/template> <package> <category> <object>
    Display firewall policies on policy package

exec fmpolicy print-adom-object <adom> <category>
    Display individual ADOM object

Troubleshooting

diag sniff packet any 'port 541' 4
    Sniffer for management traffic

diag fgfm session-list
    Verify tunnel uptime, display connecting IP and link-level addresses.

diag sys admin-session list
diag sys admin-session kill <session_id>
    Show currently logged-in admins and kill command to delete admin with “session_id”

diag debug service cdb 255
diag debug enable
    ADOM upgrade debugging: generates realtime log entries during upgrade

exec fmprofile [export-profile / import-profile] <ADOM name> <profile name> <output file>
    Perform profile related actions.

diag deb appl devmanager 255
diag debug enable
    Real-time info of FGT being added in Add-Device-Wizard and debug script execution

exec fmscript clean-sched
    Delete scripts which are assigned to deleted devices

config system admin setting
set show_tcl_script enable
end
    Enable TCL scripts to be executed on FMG

diag test deploymanager reloadconf <devid>
    Shows info about config reload to update device-level db