CLI Reference

Introduction
Using the CLI
- Command syntax
- Subcommands
- Permissions
- Tips & tricks
config config
- config config sync-list
config endpoint-control
- config endpoint-control fctems
- config endpoint-control client
- config endpoint-control tag
config firewall
- config firewall connlimit
- config firewall connlimit6
- config firewall nat-snat
- config firewall policy
- config firewall policy6
- config firewall qos-filter
- config firewall qos-filter6
- config firewall qos-queue
- config firewall vip
config global
- config log setting global_remote
- config log setting global_faz
- config system vdom-link
config global-dns-server
- config global-dns-server address-group
- config global-dns-server dns64
- config global-dns-server dsset-info-list
- config global-dns-server general
- config global-dns-server policy
- config global-dns-server remote-dns-server
- config global-dns-server response-rate-limit
- config global-dns-server trust-anchor-key
- config global-dns-server zone
config global-load-balance
- config global load balance analytic
- config global-load-balance data-center
- config global-load-balance link
- config global-load-balance servers
- config global-load-balance setting
- config global-load-balance topology
- config global-load-balance virtual-server-pool
- config global-load-balance host
config link-load-balance
- config link-load-balance flow-policy
- config link-load-balance gateway
- config link-load-balance link-group
- config link-load-balance persistence
- config link-load-balance proximity-route
- config link-load-balance virtual-tunnel
config load-balance
- config load-balance auth-policy
- config load-balance caching
- config load-balance captcha-profile
- config load-balance certificate-caching
- config load-balance client-ssl-profile
- config load-balance clone-pool
- config load-balance compression
- config load-balance connection-pool
- config load-balance content-rewriting
- config load-balance content-routing
- config load-balance error-page
- config load-balance geoip-list
- config load-balance http2-profile
- config load-balance ippool
- config load-balance l2-exception-list
- config load-balance method
- config load-balance pagespeed
- config load-balance pagespeed-profile
- config load-balance persistence
- config load-balance pool
- config load-balance profile
- config load-balance real-server-ssl-profile
- config load-balance reputation
- config load-balance reputation-exception
- config load-balance reputation-black-list
- config load-balance schedule-pool
- config load-balance virtual-server
- config load-balance web-category
- config load-balance web-filter-profile
- config load-balance web-sub-category
- config load-balance allowlist
config log
- config log fast_report
- config log report
- config log report email
- config log report_queryset
- config log setting fast_stats
- config log setting local
- config log setting remote
- config log setting fortianalyzer
config router
- config router isp
- config router md5-ospf
- config router ospf
- config router policy
- config router setting
- config router static
config security
- config security antivirus profile
- config security antivirus quarantine
- config security antivirus settings
- config security dos dos-protection-profile
- config security dos http-access-limit
- config security dos http-connection-flood-protection
- config security dos http-request-flood-protection
- config security dos ip-fragmentation-protection
- config security dos tcp-access-flood-protection
- config security dos tcp-slowdata-attack-protection
- config security dos tcp-synflood-protection
- config security ips profile
- config security wad profile
- config security waf api-gateway-policy
- config security waf api-gateway-rule
- config security waf api-gateway-user
- config security waf bot-detection
- config security waf exception
- config security waf heuristic-sql-xss-injection-detection
- config security waf http-protocol-constraint
- config security waf http-header-security
- config security waf action
- config security waf profile
- config security waf input-validation-policy
- config security waf parameter-validation-rule
- config security waf url-protection
- config security waf web-attack-signature
- config security waf json-validation-detection
- config security waf json-schema file
- config security waf xml-schema file
- config security waf xml-validation-detection
- config security waf openapi-schema-file
- config security waf openapi-validation-detection
- config security waf scanner
- config security waf brute-force-login
- config security waf advanced-protection
- config security waf cookie-security
- config security waf data-leak-protection
- config security waf csrf-protection
- config security waf allowed-origin
- config security waf cors-headers
- config security waf cors-protection
- configure security ztna-profile
config system
- config system accprofile
- config system address
- config system address6
- config system addrgrp
- config system addrgrp6
- config system admin
- config system auto backup
- config system azure
- config system azure-lb-backend-ip
- config system certificate ca
- config system certificate ca_group
- config system certificate certificate_verify
- config system certificate crl
- config system certificate intermediate_ca
- config system certificate intermediate_ca_group
- config system certificate local
- config system certificate local_cert_group
- config system certificate remote
- config system certificate ocsp
- config system certificate ocsp_stapling
- config system certificate remote
- config system dns
- config system external-resource
- config system fortiguard
- config system global
- config system ha
- config system health-check
- config system health-check-script
- config system interface
- config system isp-addr
- config system mailserver
- config system one-click-glb-server
- config system overlay-tunnel
- config system password-policy
- config system schedule-group
- config system scripting
- config system sdn-connector
- config system service
- config system servicegrp
- config system setting
- config system snmp community
- config system snmp sysinfo
- config system snmp user
- config system tcpdump
- config system time manual
- config system time ntp
- config system web-filter
- config system fortisandbox
- config system alert
- config system alert-action
- config system alert-policy
- config system alert-email
- config system alert-snmp-trap
- config system central-management
config user
- config user ldap
- config user local
- config user radius
- config user user-group
- config user authentication-relay
- config user oauth
- config user saml-idp
- config user saml-sp
diagnose
- diagnose antivirus quarantine
- diagnose debug cmdb
- diagnose debug enable/disable
- diagnose debug flow
- diagnose debug info
- diagnose debug module
- diagnose debug module kernel
- diagnose debug module fcnacd
- diagnose debug module fnginx
- diagnose debug module httproxy ssl
- diagnose debug module httproxy ztna
- diagnose debug timestamp
- diagnose endpoint-control client list
- diagnose endpoint-control tag list
- diagnose hardware deviceinfo
- diagnose hardware ioport
- diagnose hardware pciconfig
- diagnose hardware sysinfo
- diagnose llb policy list
- diagnose netlink backlog
- diagnose netlink device
- diagnose netlink interface
- diagnose netlink ip/ipv6
- diagnose netlink neighbor/neighbor6
- diagnose netlink route/route6
- diagnose netlink tcp
- diagnose netlink udp
- diagnose server load balance dns-clients
- diagnose server-load-balance persistence
- diagnose server-load-balance session
- diagnose server-load-balance slb_load
- diagnose sniffer packet
- diagnose system top
- diagnose system vm
- diagnose tech-report
execute
- execute backup
- execute caching
- execute certificate ca
- execute certificate crl
- execute certificate local
- execute certificate local import automated
- execute certificate remote
- execute certificate config
- execute checklogdisk
- execute clean
- execute config-sync
- execute date
- execute discovery-glb-virtual-server
- execute dumpsystem
- execute dumpsystem-file
- execute factoryreset
- execute factoryreset2
- execute fixlogdisk
- execute formatlogdisk
- execute geolookup
- execute glb-dprox-lookup
- execute glb-persistence-lookup
- execute ha force transfer-file
- execute ha force sync-config
- execute ha manage
- execute health-check-verify
- execute hwmon
- execute isplookup
- execute log delete-file
- execute log delete-type
- execute log list-type
- execute log rebuild-db
- execute nslookup
- execute packet-capture/packet-capture6
- execute packet-capture-file
- execute ping-option/ping6-option
- execute ping/ping6
- execute reboot
- execute reload
- execute restore
- execute scan-report export
- execute scan-report import
- execute shutdown
- execute ssh
- execute statistics-db
- execute ssli mode
- execute telnet
- execute traceroute
- execute vmware license
- execute web-category-test
- execute SSL client-side session statistics
- execute SSL handshake record statistics
- execute waf block-ip
- execute web vulnerability scan
- execute web-vulnerability-scan mitigate
- execute forticloud create-account
- execute forticloud login
- execute forticloud try
- execute fctems
get
- get router info ospf
- get router info routing-table
- get security waf-signature-status
- get security scan-report
- get security scan-task
- get system ha-status
- get system performance
- get system status
- get system traffic-group
- get system traffic-group status
- get router info bgp all
- get router info bgp ip
- get router info bgp neighbors
- get router info bgp regexp
- get router info bgp summary
- get router info6 bgp all
- get router info6 bgp ip
- get router info6 bgp neighbors
- get router info6 bgp regexp
- get router info6 bgp summary
show
Appendix A: Virtual domains
Change Log

Home FortiADC 7.1.3 CLI Reference

7.1.3

diagnose debug flow

Use this command to debug particular traffic flows. Debug messages for traffic matching the filter and mask are displayed to the terminal screen.

Syntax

diagnose debug flow filter {addr <addr>|saddr <addr>|daddr <addr>|proto <integer>|virtual-server <VS-name>|clear|negate <addr|saddr|daddr|proto>|show}

diagnose debug flow mask {packet|session|persist|drop|layer4-server-loadbalance|all|custom <mask>}

diagnose debug flow show

diagnose debug flow start [<count>]

diagnose debug flow stop

filter	Specify filters. Issue multiple commands to add filters. Use the negate option to define "not in" matching. Filters determine the traffic flows for which the debug logs are written. You can match flows based on host address, source address, destination address, and protocol.
mask	Specify a mask that sets the type of data written to the screen.
show	Show current status, filters, and mask options.
start	Start debugging. The `[<count>]` option specifies a number of debug lines to output.
stop	Stop debugging.

Example

FortiADC-docs # diagnose debug flow ?
filter filter
mask mask
show Stop trace.
start Start trace.
stop Stop trace.

FortiADC-docs # diagnose debug flow stop

FortiADC-VM # diagnose debug flow filter ?
addr IP address.
clear Clear filter.
daddr Destination IP address.
negate negate
proto Protocol number.
saddr Source IP address.
show Show filter configuration.
virtual-server virtual server

FortiADC-docs # diagnose debug flow filter saddr 3.3.3.3
FortiADC-docs # diagnose debug flow filter daddr 4.4.4.4
FortiADC-docs # diagnose debug flow filter proto 1
FortiADC-docs # diagnose debug flow filter virtual-server VS1

FortiADC-VM # diagnose debug flow mask ?
all all debug info.
custom custom flow mask.
ddos ddos protection info.
drop drop packet info.
ips ips protection info.
layer4-server-loadbalance l4 loadbalance debug info.
packet packet info(default is on).
persist-cache persistence cache info.
session session info.

FortiADC-docs # diagnose debug flow mask all

FortiADC-VM # diagnose debug flow start
Start flow debug, set debug info count to 1000000000

FortiADC-VM # diagnose debug flow show
---------running status && config-----------
----flow debug is running, remain count 1000000000
----flow filter-------------
proto: any
host addr: 50.1.0.100-50.1.0.100
Host saddr: any
Host daddr: any
Virtual server : VS1
----flow mask---------------
layer4-server-loadbalance
---------current terminal config-----------
----flow filter-------------
proto: any
host addr: 50.1.0.100-50.1.0.100
Host saddr: any
Host daddr: any
Virtual server: VS1
----flow mask---------------
layer4-server-loadbalance

FortiADC-VM # [03-15 12:56:56] [trace id:1]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] Create session fwd:M c:50.1.0.1:57028 v:50.1.0.100:80 l:50.1.0. 1:57028 d:50.1.2.3:80 conn->flags:80140 conn->refcnt:2
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [S...]
[03-15 12:56:56] TCP input [S...] 50.1.0.1:57028->50.1.2.3:80 state: NONE->SYN_ RECV conn->refcnt:2
[03-15 12:56:56] After DNAT: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] NAT xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [S.A.]
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:2]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] TCP input [..A.] 50.1.0.1:57028->50.1.2.3:80 state: SYN_RECV-> ESTABLISHED conn->refcnt:2
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:3]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [..A.]
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [..A.]
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:4]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:5]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [.FA.]
[03-15 12:56:56] TCP input [.FA.] 50.1.0.1:57028->50.1.2.3:80 state: ESTABLISHE D->CLOSE_WAIT conn->refcnt:2
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] lookup TCP 50.1.2.3:80->50.1.0.1:57028 hit
[03-15 12:56:56] Outgoing packet: TCP 50.1.2.3:80->50.1.0.1:57028
[03-15 12:56:56] TCP source port 80 dst port 57028 flag [.FA.]
[03-15 12:56:56] TCP output [.FA.] 50.1.0.1:57028->50.1.2.3:80 state: CLOSE_WAI T->TIME_WAIT conn->refcnt:2
[03-15 12:56:56] After SNAT: TCP 50.1.0.100:80->50.1.0.1:57028
[03-15 12:56:56] Fast response xmit, send packet to client
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] [trace id:6]ip_vs_out: packet continues traversal as normal
[03-15 12:56:56] lookup TCP 50.1.0.1:57028->50.1.0.100:80 hit
[03-15 12:56:56] Incoming packet: TCP 50.1.0.1:57028->50.1.0.100:80
[03-15 12:56:56] TCP source port 57028 dst port 80 flag [..A.]
[03-15 12:56:56] After FNAT-IN: TCP 50.1.0.1:57028->50.1.2.3:80
[03-15 12:56:56] Fast xmit, send packet to RS
[03-15 12:56:59] Expire session TCP c:50.1.0.1:57028 v:50.1.0.100:80 d:50.1.2.3: 80 fwd:M s:5 conn->flags:80100 conn->refcnt:0 dest->refcnt:2

FortiADC-docs # diagnose debug flow stop