Sstrutt: /* Change Priority */ typo

2018-12-19T12:44:53Z

Change Priority: typo

← Older revision		Revision as of 12:44, 19 December 2018
Line 102:		Line 102:
	You need to override on both master and slave firewalls...		You need to override on both master and slave firewalls...
	<pre>		<pre>
	~~CDS-~~PROD-FW01 # config system ha		PROD-FW01 # config system ha
	~~CDS-~~PROD-FW01 (ha) # set override enable		PROD-FW01 (ha) # set override enable
	~~CDS-~~PROD-FW01 (ha) # end		PROD-FW01 (ha) # end
	</pre>		</pre>

Sstrutt: Initial creation

2018-12-19T12:44:27Z

Initial creation

New page

== Basic Commands ==
=== Ping / Trace Route ===
execute ping 10.10.1.10
execute traceroute 10.52.56.20

=== Shutdown / Restart ===
execute shutdown
execute reboot

=== Process Management ===
* Show top processes, refresh every 2 secs
** <code> diagnose sys top 2 </code>
* Kill a process
** <code> diagnose sys kill 9 <PID> </code>
** Most processes will restart, but use with caution!
** <code> diagnose sys kill 11 <PID> </code>
*** <code>kill 11</code> supposedly restarts a process

Killing off processes can cause unexpected results, so only perform if service through the firewall is being impacted (you may drop all existing connections through the firewall, or cause all IPsec tunnels to drop, if the process you are killing is responsible for those functions, for example). Its common for other processes to briefly show high CPU after you've killed a CPU hogging process, give it 30 secs or so to calm down.

Some discussion groups mention an issue when killing off <code>cmdbsvr</code> as it manages the config, and killing caused config corruption. It can be killed off, but may cause the loss/corruption of any recently edited config.

== VPN ==
=== IPsec (Site 2 Site) ===
Show status of a tunnel, using Phase 1 name, <code>sa=0</code> means no security associations, ie no connection
diagnose vpn tunnel list name P1-NAME

Bring a phase 2 up or down
diag vpn tunnel up P2-NAME P1-NAME
diag vpn tunnel down P2-NAME P1-NAME

Note that the below only debugs Phase 2 problems
<pre>
diag debug reset
diagnose vpn ike log-filter name VPN-NAME
diagnose debug enable
diagnose debug application ike -1
</pre>

The <code>diagnose vpn ike log-filter name VPN-NAME</code> line is optional, but if there's more than one VPN in operation the screen will be filled with output. You need a quick copy and paste into notepad when there's something interesting whizzing up the screen! Replace <code>VPN-NAME</code> with the name of the Phase 1.

Run <code>diag debug reset</code> once complete

=== SSL (User) ===
<pre>
diag debug reset
diag debug enable
diag debug application fnbamd -1
diag debug appl sslvpn -1
</pre>

Run <code>diag debug reset</code> once complete

== High Availability ==
{| class="wikitable"
|-
! Command !! Action
|-
| <code> show system ha </code> || Show HA config
|-
| <code> get system ha status </code> || Show master/slave status
|-
| <code> execute ha manage 1 </code> || Change console to master/slave
|-
| <code> diagnose sys ha dump-by all-vcluster </code> || Show HA cluster status
|-
| <code> diagnose sys ha reset-uptime </code> || Reset HA uptime timer - causes failover to standby as that will have the higher uptime
|}

=== Console to Slave ===
Once SSH'ed to the master firewall, its possible to jump onto the slave (to run diag stats, reboot etc)
# <code> get system ha status </code>
#* Gives output as shown below
# <code> execute ha manage 0 </code>
#* Normally 0 or 1, 0 in example below to switch to primary

<pre>
Model: 200
Mode: a-p
Group: 40
Debug: 0
ses_pickup: enable, ses_pickup_delay=disable
Master: 90 PROD-FW01 FG200C4151018656 1
Slave : 50 PROD-FW02 FG200C4151018713 0 <-- ID to use in "execute ha manage"
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master:0 FG200C4151018656
Slave :1 FG200C4151018713
</pre>

=== Change Heartbeat ports ===
This needs to be done on both firewalls! The command sets the ports and their priorities.
<pre>
config system ha
set hbdev "port1" 50 "port2" 60
end
</pre>

=== Change Priority ===
By default a FortiGate only fails over during a problem, but you can override so that the higher priority is always active. Therefore you can force fail-overs

You need to override on both master and slave firewalls...
<pre>
CDS-PROD-FW01 # config system ha
CDS-PROD-FW01 (ha) # set override enable
CDS-PROD-FW01 (ha) # end
</pre>

=== Check Master/Slave Config Replication ===
The configuration should replicate from the master to the slave, to ensure this is running correctly, run the following command and ensure the checksum's match between the units
diagnose sys ha cluster-csum

=== Force Failover ===
HA will put the unit with longest uptime live, therefore if you reset the timer on the master unit, it will failover to the standby

diagnose sys ha reset-uptime

[[Category:Fortigate]]

Troubleshooting (Fortigate) - Revision history

Sstrutt: /* Change Priority */ typo

Sstrutt: Initial creation