Black box for FortiGate
The black-box feature allows supported FortiGate models to capture and save information about the system at a regular interval in encrypted debug logs stored on the FortiGate's NVMe drive. The debug logs capture system status, which can be used to troubleshoot unexpected problems if they occur. The logs are encrypted with AES-256 using a generated symmetric key that is stored in the TPM.
To decrypt the debug logs, you must export from the FortiGate an encrypted (wrapped) copy of the symmetric key. The wrapping uses a Fortinet factory key pair: the FortiGate encrypts the symmetric key with the public key, and only Fortinet Technical Support, which holds the matching private key, can recover it. The exported blob does not expose the symmetric key, so it can be attached to a support case together with the uploaded logs.
This feature is available only on FortiGate models with an NVMe drive and TPM, such as the FortiGate 700G.
CLI syntax
config system global
set black-box {enable* | disable}
set black-box-interval <interval>
end
| Option | Description |
|---|---|
| black-box {enable* \| disable} | Enable or disable the black-box feature (default = enabled). |
| black-box-interval <interval> | Black-box recording interval, in seconds (default = 20). |
To check if the black box is running:
# diagnose debug black-box info
Black box status: running
Black box recording interval: 20 seconds.
To upload black-box logs through TFTP:
# diagnose debug black-box upload tftp <ip address> <log date> <log time>
Where:
- ip address: address of the TFTP server.
- log date: date in the format YYYYMMDD. For example, 2025/04/12 is 20250412.
- log time: the hour of the log, in the FortiGate's 24-hour local time. For example, 10:00 am is 10.
To export the black-box key:
# diagnose debug black-box get-key
To reset the black box:
Resetting the black box deletes all files generated by the black box.
- Disable the black box:
config system global
set black-box disable
end
- Reset the black box:
# diagnose debug black-box reset
To format the black-box log partition:
Format the black-box log partition if the file system is corrupt. Formatting also destroys all black-box files on the partition.
- Disable the black box:
config system global
set black-box disable
end
- Format the black-box log partition:
# diagnose debug black-box format
Example
This example shows how you can collect black-box information and provide it to Fortinet Technical Support for decryption and further analysis when you encounter the following issues:
- Occasional high CPU utilization
- Network speed slowdown
- Issues happening at irregular intervals
To collect black-box information:
- Ensure the black-box feature is enabled and configured to a preferred interval:
config system global
set black-box enable
set black-box-interval 20
end
- Check that the black box is running:
# diagnose debug black-box info
Black box status: running
Black box recording interval: 20 seconds.
When the black box is running, the FortiGate records debug logs to its NVMe drive at the configured interval. The logs are AES-256 encrypted. Files are stored in a folder per date and rolled over every hour into a new file, named for the date and the hour they cover.
For example, debugs recorded on 2025/04/12 are stored in the 20250412/ folder with log files named:
-rw-r--r-- 1 0 0 Sat Apr 12 01:00:27 2025 5945090 20250412-00.log.gz
-rw-r--r-- 1 0 0 Sat Apr 12 02:00:21 2025 5905150 20250412-01.log.gz
-rw-r--r-- 1 0 0 Sat Apr 12 10:10:08 2025 5388410 20250412-02.log.gz
-rw-r--r-- 1 0 0 Sat Apr 12 11:00:27 2025 13612383 20250412-10.log.gz
-rw-r--r-- 1 0 0 Sat Apr 12 12:00:20 2025 5894165 20250412-11.log.gz
-rw-r--r-- 1 0 0 Sat Apr 12 13:00:14 2025 5891399 20250412-12.log.gz
-rw-r--r-- 1 0 0 Sat Apr 12 14:00:08 2025 5896160 20250412-13.log.gz
-rw-r--r-- 1 0 0 Sat Apr 12 15:00:28 2025 5940129 20250412-14.log.gz
-rw-r--r-- 1 0 0 Sat Apr 12 16:00:22 2025 5893402 20250412-15.log.gz
-rw-r--r-- 1 0 0 Sat Apr 12 17:00:16 2025 5898253 20250412-16.log.gz
...
- If an issue occurs, estimate the approximate date and time that the issue occurred, and back up the black-box debug logs for that hour to the TFTP server.
In this example, the logs for 2025/04/12 10:00 am are backed up to the TFTP server:
# diagnose debug black-box upload tftp 192.168.1.58 20250412 10
Uploading file 20250412-10.log.gz...
#############
Send file to tftp server OK.
- Export the wrapped (encrypted) copy of the FortiGate's symmetric key and provide it to Fortinet Technical Support together with the uploaded logs.
Fortinet Technical Support requires the symmetric key to decrypt the debug logs. The symmetric key is protected by the FortiGate's TPM and leaves the device only in wrapped form. Technical Support uses an internal tool to unwrap the exported key, which is then used to decrypt and open the log files.
# diagnose debug black-box get-key
d2gil8gVP1gUYfC8HVgrH5L3Bz0wPhhnsajDeRQ0DL40AY6qPH+b+EmujHPxVjSu
7cllGnGykCQQCkibvG9yU/3py6BedUqFGygJMhFHZ6jTpzlgkwgUoO/a/MhW9GP1
Ph3s9PTB0+73lJMMdacwWzoVa4/DgeR5aGdzZFUGYzLCZezh4PixD8rREPVO5Alm
+zo3W3ImZVhflIG2hCHJZWhDPGNdM+2PZSkMKd7O/VS7m8xTY3W9tTvF8kV9pPUK
OozzUWSEGw3zZYtEW/kfRSKJi2grE2F79mG2FKWVsqAGJ5z9sjmKM+Q/p4si6H7S
oYDwJriXP6dPYeXTBhsGGRf8WumDtCVxFGwOy3TV2yI+Mxmxc+X1BkLWEcbEWg5v
ERa6HAJqBgWOfG0/S2n2juovLyWiVsJ6inKYAdbk0kLENHlkpqvVZ0TrWkv42hzU
aYYD2DqnnpCYhJ1/Oer/8xZzazY4jxpN/Yw9ks9Ia+ua7dCUosiG50/3N7WHnUW9
X9A7VbsO+++GyA2xaigDH9+/vqslcT8e9KXeuzaX/mVDev1MNHKqXu+D0jBiGIlK
/SODP6rEsP9xAXnRx+sE1XEHl1GwTVla8lOInfYk1e6wXGRxn47EcEJw+lYV7dTM
ksirrzBuMJz5fNsrF3MGrYWo6g4OAGPkxq8JS2CRUHU=
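The collection procedure above, as an added example that is not Fortinet's code and not part of this page: a small Python helper that turns an incident timestamp into the `upload tftp` commands for every hourly file overlapping the incident window, and a parser that reassembles a pasted `get-key` blob and rejects one damaged while being copied out of a terminal. Assumptions not taken from the page: the FortiGate's local time zone is supplied by the caller as a tzinfo (the `<log date>` and `<log time>` arguments follow the device clock, not UTC), single-digit hours are passed unpadded in the same style as the page's `10`, and `get-key` output is wrapped at 64 columns as in the output shown above. The 512-byte sample blob is constructed for the example and is not a real exported key.

```python
"""Helpers for collecting FortiGate black-box evidence for a support case.

Added example, not Fortinet code. Assumptions not taken from the page: the
device time zone is a caller-supplied tzinfo, single-digit hours are passed
unpadded (the page shows "10"), and get-key output is wrapped at 64 columns.
"""
import base64
import binascii
import re
from datetime import datetime, timedelta, timezone

UPLOAD_CMD = "diagnose debug black-box upload tftp {server} {date:%Y%m%d} {hour}"


def upload_commands(incident, tftp_server, device_tz, margin_minutes=15):
    """Return one upload command per hourly log file overlapping the incident window.

    Files roll over every hour and the incident time is only an estimate, so the
    window [incident - margin, incident + margin] is expanded to whole hours in
    the FortiGate's local time; a window crossing midnight spans two dates.
    """
    if incident.tzinfo is None:
        raise ValueError("incident time must be timezone-aware")
    local = incident.astimezone(device_tz)
    cur = (local - timedelta(minutes=margin_minutes)).replace(
        minute=0, second=0, microsecond=0)
    end = local + timedelta(minutes=margin_minutes)
    cmds = []
    while cur <= end:
        cmds.append(UPLOAD_CMD.format(server=tftp_server, date=cur, hour=cur.hour))
        cur += timedelta(hours=1)
    return cmds


_B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_black_box_key(cli_output, wrap_width=64, expected_bytes=None):
    """Reassemble the base64 blob printed by `diagnose debug black-box get-key`.

    The blob is opaque here (only Fortinet Technical Support can unwrap it), but a
    paste taken from a terminal can lose characters or whole lines. Catch that
    before opening the case. Returns the decoded bytes or raises ValueError.
    """
    lines = []
    for line in cli_output.splitlines():
        line = line.strip()
        if not line or "black-box get-key" in line:  # blank or echoed command line
            continue
        if not _B64_LINE.fullmatch(line):
            raise ValueError(f"non-base64 content in key export: {line!r}")
        lines.append(line)
    if not lines:
        raise ValueError("no key material found")
    # The CLI wraps at a fixed width, so an inner line shorter than that width was
    # truncated in the paste (a narrow terminal that re-wrapped lines also fails
    # here: take the copy again at full width).
    for idx, line in enumerate(lines[:-1]):
        if len(line) != wrap_width:
            raise ValueError(f"line {idx + 1} has {len(line)} chars, expected {wrap_width}")
    blob = "".join(lines)
    if len(blob) % 4:
        raise ValueError("key export length is not a multiple of 4: characters were lost")
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key export does not decode: {exc}") from exc
    # A dropped whole line passes every check above; only a known-good length
    # (for example from an earlier export on the same unit) catches it.
    if expected_bytes is not None and len(raw) != expected_bytes:
        raise ValueError(f"decoded {len(raw)} bytes, expected {expected_bytes}")
    return raw


def key_export_is_intact(cli_output, **kwargs):
    """True if the pasted get-key output reassembles cleanly."""
    try:
        parse_black_box_key(cli_output, **kwargs)
        return True
    except ValueError:
        return False


# Constructed sample: a 512-byte stand-in for the opaque wrapped key, printed the
# way the CLI does (base64, 64 columns). A real export is ciphertext, not this.
SAMPLE_KEY_BYTES = bytes(range(256)) * 2


def cli_wrap(raw, width=64):
    text = base64.b64encode(raw).decode()
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


SAMPLE_GET_KEY_OUTPUT = "# diagnose debug black-box get-key\n" + cli_wrap(SAMPLE_KEY_BYTES) + "\n"


if __name__ == "__main__":
    pdt = timezone(timedelta(hours=-7))  # assumed device offset for the sample
    for cmd in upload_commands(datetime(2025, 4, 12, 17, 50, tzinfo=timezone.utc),
                               "192.168.1.58", pdt):
        print(cmd)
    print(len(parse_black_box_key(SAMPLE_GET_KEY_OUTPUT, expected_bytes=512)), "bytes")
```

Run the printed commands on the FortiGate one per hour file, then paste the `get-key` output through `parse_black_box_key` before attaching it to the case; a truncated line or stray character is caught locally, while a whole dropped line is only caught when you pass the decoded length of a previous good export as `expected_bytes`.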