Diagnose commands
Diagnose commands are used for debugging/troubleshooting purposes. These commands are executed from the base context.
Tail: Run this command to display the entries of a specific log file as they are printed in real time. Plugins and/or loggers may need to be enabled prior to running this command for more in-depth data gathering.
Debug Plugin: Debug plugin commands are used for listing, enabling, disabling, and getting performance metrics for the running FortiNAC plugins.
Debug Logger: Debug logger commands are used for listing loggers and setting their log levels.
Available commands
Command |
|
||||||
---|---|---|---|---|---|---|---|
|
Display available agents |
||||||
|
View and modify alarm mappings (legacy Lost Contact) |
||||||
|
Debug and diagnostics
Request an app inventory from the host
Disable Debug for the IP Address specified.
Send a fake Network Switch to the adapter represented by -mac
Display Persistent Agent Server Performance
Send a poll packet to the IP address specified.
Reinitialize Packet Transports Search Domains
Send agent specified by mac its supplicant configuration
Validate the security settings on this server. |
||||||
|
Passive Agent Logins
Start IP Range
Disable the specified configuration.
Display the specified configuration.
Enable the specified configuration.
End IP Range
Select format to display information
Display all configurations.
Remove the specified configuration.
Display a table of the configured IP ranges.
Add or remove IP ranges from the DirectoryAgentServer's configuration. Acceptable values are add|remove
Test whether an IP Address is serviced by the configured IP ranges.
Display the applicable configuration. (Username must be in <username>@<domain_name> format.)
Enable/Disable DirectoryAgentServer debug by username. (NOTE: Requires -userID flag) |
||||||
|
When no COMMAND is given, the usage help for the main command is displayed. |
||||||
|
Send Message to agents |
||||||
|
Display and manage agent packages |
||||||
|
Scans |
||||||
diagnose agent |
Manage Agent Product Definitions
Options -defUpdate=<defArchive> Absolute path to Product Definition archive. |
||||||
|
Transport / Protocol Configuration Max Packet Queue Size |
||||||
|
Scan a host |
||||||
|
Various settings |
||||||
|
Summary of Persistent Agent Hosts |
||||||
|
Display supplicant easyconnect policies and profiles |
||||||
|
Update persistent agents |
||||||
|
USB Disk Detection |
||||||
|
Disable plugin debugging |
||||||
|
Enable plugin debugging |
||||||
|
Show plugin performance |
||||||
|
List PCI parameters. |
||||||
|
List attributes of Dynamic Client
Options
Select all clients
Select by DBID of the client |
||||||
|
Update attributes of Dynamic Client
<dbid> DBID of the client
<name> Name of the attribute
<value> New value to update the attribute with |
||||||
|
Delete the selected host and its adapters |
||||||
|
Display usage |
||||||
|
Display usage |
||||||
|
Display usage |
||||||
|
Display usage |
||||||
|
Display all Device Profiling host information |
||||||
|
Display host device profiling information by profile id |
||||||
|
Display host device profiling information by profile name |
||||||
|
Display Device Profiling host information for specified rule id |
||||||
|
Display Device Profiling host information for specified rule name |
||||||
|
Display Device Profiling host information with matching sponsor id |
||||||
|
Display Device Profiling host information with matching sponsor username |
||||||
|
Display all Device Profiling Rules |
||||||
|
Display a device profiling rule by ID |
||||||
|
Display device profiling rule by name |
||||||
|
Export Device Profiling rules to specified file |
||||||
|
Display usage |
||||||
|
Import Device Profiling rules from specified file |
||||||
|
Scan all rogues |
||||||
|
Flush scan queue |
||||||
|
Scan a specified MAC address |
||||||
|
Display the scan queue size |
||||||
|
Disable the selected hosts and their adapters. |
||||||
|
Enable the selected hosts and their adapters. |
||||||
|
List host records. |
||||||
diagnose network aaa add <server-name> <server-ip> <authentication-port> <accounting-port> <secret> <user> <user-password> |
Add a server definition.
Arguments
<server-name> Name of a server definition used for addition.
<server-ip> IP address of a server definition used for addition.
<authentication-port> Server authentication port.
<accounting-port> Server accounting port.
<secret> Server secret.
<user> Test user name.
<user-password> User password. |
||||||
|
Delete a server definition.
Arguments <server-name> Name of a server definition used for deletion. |
||||||
|
Display information of the AAA Server database.
Options
all Choose all servers in table
id, <id> Database id of a server definition
ip, <ip> IP address of a server definition
name=<name> Name of a server definition |
||||||
diagnose network aaa modify [accounting-port=<accounting-port>] [authentication-port=<authentication-port>] [secret=<secret>] [server-ip=<server-ip>] [server-name=<server-name>] [user-name=<user-name>] [user-password=<user-password>] <server>
|
Modify a server definition.
Options
server-name=<server-name> Name of a server to be modified.
server-ip=<server-ip> Server Definition IP Address.
authentication-port=<authentication-port> Server authentication port.
accounting-port=<accounting-port> Server accounting port.
secret=<secret> Server secret.
user-name=<user-name> Test user name.
user-password=<user-password> Test user password.
Arguments <server> Server(s) available for modification. |
||||||
|
Find a specific IP->Mac entry by the IP address |
||||||
|
Find a specific IP->Mac entry by the MAC address |
||||||
|
List the arp cache for one or all devices |
||||||
|
Trigger a real L3 poll for the device(s) in question |
||||||
diagnose network device certificate import [--ca-only] |
Import device certificate chain
Options
--ca-only: Import only the CA certificates. By default, all the certificates are imported. |
||||||
diagnose network device certificate show |
Show device certificate information |
||||||
diagnose network device certificate verify |
Verify if the device certificate can be trusted |
||||||
|
Get the device using group name |
||||||
|
Get the device using IP Address |
||||||
|
Deletes the specified attribute of the device. |
||||||
|
Delete the device. |
||||||
|
Deletes the specified port attribute for all ports on the device. |
||||||
|
Display device model information. |
||||||
|
Export all eligible device information. |
||||||
|
Gather a debug report for the specified device. |
||||||
|
Read the forwarding table for the selected devices. |
||||||
|
Sets the specified attribute of selected device. |
||||||
|
Sets the cli credential attribute onto the selected device. |
||||||
|
Set selected device(s) Status to Established. |
||||||
|
Set selected device(s) Name. |
||||||
|
Set selected device(s) pollable contact status. |
||||||
|
Set selected device(s) contact status polling interval. |
||||||
|
Sets the specified port attribute for every port on the device |
||||||
|
Set selected device's role. |
||||||
diagnose network device ssh-keys add (ip=<ip> | device-name=<devName> | group=<group>) <remote-user-name> <remote-key-id> <ssh-key>
|
Add the specified public key string to the device
device-name=<devName> Device name
group=<group> Device group name
ip, <ip> IP Address of the device
<remote-user-name> Remote user account name
<remote-key-id> Remote ssh key id
<ssh-key> ssh public key |
||||||
diagnose network device ssh-keys copy-id (ip=<ip> | device-name=<devName> | group=<group>) [current-user|nac|ha] <local-key-id> <remote-key-id> <user-name>
|
Copy the local public key to the specified device
device-name=<devName> Device name
group=<group> Device group name
ip, <ip> IP Address of the device
[current-user|nac|ha] "current-user" for your ssh key pair, "nac" for the FortiNAC system's ssh key pair, and "ha" for HA ssh key pair
<local-key-id> Local file name of the public key
<remote-key-id> Remote key name
<user-name> Remote user account name |
||||||
diagnose network device ssh-keys list (ip=<ip> | device-name=<devName> | group=<group>) <remote-user-name>
|
List the ssh public keys on a device associated with the specified user
device-name=<devName> Device name
group=<group> Device group name
ip, <ip> IP Address of the device
<remote-user-name> User account name |
||||||
diagnose network device ssh-keys remove (ip=<ip> | device-name=<devName> | group=<group>) <remote-user-name> <remote-key-id>...
|
Remove the public key associated with the specified device
device-name=<devName> Device name
group=<group> Device group name
ip, <ip> IP Address of the device
<remote-user-name> Remote user account name
<remote-key-id>... Remote ssh key ids |
||||||
diagnose network device tail [-adds] [-removes] [-updates] [class=<device-class>] [container-name=<container-name>] [dbid=<dbid>] [ident=<ident>] [ip=<ip>] [mac=<mac>] [name=<name>] [parent=<parent>] [protocol=<protocol>] [role=<role>] [state=<state>] [status=<status>] [attribute-name-list=<attribute-name-list>...]... [attribute-value-list=<attribute-value-list>...]... [type-list=<type-list>...]... |
Display the changes to elements in the element table.
Options
-adds Register for notification only when matching entities are added to the system
-removes Register for notification only when matching entities are removed (deleted) from the system
-updates Register for notification only when matching entities are updated in the system
ip, <ip> IP Address of the device
dbid=<dbid> Database id of the device
ident=<ident> Identification of the device
class=<device-class> Device class of the device
container-name=<container-name> Select device by container name
name=<name> Name of the device
parent=<parent> Parent of the device
mac=<mac> Physical address of the device
type-list=<type-list>... Select the device using typelist
role=<role> Role of the device
protocol=<protocol> Protocol of the device
status=<status> Status of the device
attribute-name-list=<attribute-name-list>... Select the device using attribute name list
attribute-value-list=<attribute-value-list>... Select the device using attribute value list
state=<state> State of the device |
||||||
|
Test device(s) snmp credentials. |
||||||
|
Returns an Inventory tree of devices, ports, adapters and logged on users |
||||||
|
Update the Interfaces on one or all devices |
||||||
|
This program will update the version attribute on one or all devices |
||||||
|
Display any proactive polling information. |
||||||
|
Display MAC Notification Trap handling statistics maintained by the running Network Sentry process. |
||||||
|
Returns the Device Type, Telnet MIB file, and MIB ID that will be used for a device. |
||||||
|
Clean the device port data |
||||||
|
Fix the duplicate interfaces |
||||||
|
Set the current VLAN value into the default |
||||||
|
Set Display Name |
||||||
|
Set IfName |
||||||
|
Display ports and their attributes |
||||||
|
Disconnect client |
||||||
|
VLAN/Role/etc to change for the client using CoA command |
||||||
|
Delete Probe Objects for remote hosts connected through remote access devices |
||||||
|
List Probe Objects for remote hosts connected through remote access devices |
||||||
|
Update Probe Objects for remote hosts connected through remote access devices |
||||||
|
Set the value of an OID for a given IP |
||||||
|
Provides SNMP Walk data for an OID of a given IP |
||||||
diagnose network sso agent list all |
List all the agents session info |
||||||
diagnose network sso agent list ip <ip-address> |
Session information of matching agents
Arguments <ip-address> IP address of the matching agent |
||||||
diagnose network sso clear <agent-key> |
Clear SSO messages of the agents
Arguments <agent-key> agent key to clear the SSO messages
|
||||||
diagnose network sso session-list [-rs] [-init] (ip=<ip> | group=<group>) |
Lists the selected device(s) session info
Options ip, <ip> IP Address of the device
group=<group> Device group name to get session information for the devices in the group
-init initialize sso device
-r, -run Add SSO message synchronization with devices.
-s, -show-address show SSO registered addresses |
||||||
|
Change VLAN on a single port for a device |
||||||
|
Accepts a VLAN as parameter and displays the ports that are associated with it |
||||||
|
Fix ports with bad default |
||||||
|
Set the Default VLAN to whatever the current VLAN is on the port |
||||||
|
Set the Registration vlan |
||||||
|
Update Ports on the device(s). Clears out the PortID attribute of all the port models and sets the values afresh based on the latest info from the device. |
||||||
|
Update VLANs on the device(s). Refresh the device modeling to represent the most recent device configuration. |
||||||
diagnose sql db-size |
Retrieve database size information |
||||||
diagnose sql process kill <id> |
Retrieve the database process listing
Arguments <id> ID of process to terminate |
||||||
diagnose sql process list [full] |
Retrieve the database process listing
Options full Display full process list |
||||||
|
Determines if a VLAN change is warranted for the switch port the specified Client (Host) is connected to, based on the host's state and the port's current VLAN. |
||||||
|
Determines if a VLAN change is warranted for the specified port based on the state of the Host(s) currently connected to the port and the port's current VLAN. |
||||||
|
Debug logging for the specified network device IP in BridgeManager. If enabled, the log output is appended to output.master. |
||||||
|
Enable / Disable MAC Notification Trap debug |
||||||
|
Prints out the BridgeManager performance statistics. |
||||||
|
Print out entitlements information |
||||||
|
Display event information |
||||||
|
Display all of the current global options |
||||||
|
Display global option by database ID |
||||||
|
Display global option by specific name |
||||||
|
Set number of days |
||||||
|
Set number of hours |
||||||
|
Set number of minutes |
||||||
|
Set a password |
||||||
|
Set a raw value |
||||||
|
Set number of seconds |
||||||
|
Set a value |
||||||
|
Clear valid/inactive times for elements in the specified Host group by id |
||||||
|
Clear valid/inactive times for elements in the specified Host group by name |
||||||
|
Delete the selected group using database ID |
||||||
|
Delete the selected group |
||||||
|
Display all groups |
||||||
|
Display group information and/or elements using group ID |
||||||
|
Display group information and/or elements by group name |
||||||
|
Add an element to the selected group |
||||||
|
Remove an element referenced by name from the selected group |
||||||
|
Delete a scheduled task. |
||||||
|
Display summary of all scheduled tasks.
Options
-hidden Show system tasks normally hidden.
Arguments <task-name> Select the task by task name |
||||||
|
Display detailed description of a scheduled task. |
||||||
|
Enable a scheduled task. |
||||||
|
Pause a scheduled task. |
||||||
|
Run a scheduled task. |
||||||
|
Send a Test email to verify Email server config |
||||||
diagnose system server-certificates show all |
Shows all the server certificates |
||||||
diagnose system server-certificates show sha1 <sha1> |
Shows the certificates by sha1
Arguments <sha1> sha1 fingerprint |
||||||
diagnose system server-certificates show type <type> |
Shows the certificates by target type
Arguments <type> Certificate type |
||||||
diagnose system trusted-certificates show all |
Shows all the trusted certificates |
||||||
diagnose system trusted-certificates show issuer <dn> |
Shows the trusted certificates by issuer
Arguments <dn> Issuer DN name. Full or partial name can also be used. |
||||||
diagnose system trusted-certificates show sha1 <sha1> |
Shows the trusted certificates by sha1
Arguments <sha1> sha1 fingerprint |
||||||
diagnose system trusted-certificates show subject <dn> |
Shows the trusted certificates by subject
Arguments <dn> Subject DN name. Full or partial name can also be used. |
||||||
diagnose system tail-clients adapter [-adds] [-removes] [-updates] [ip=<ip>] [location=<location>] [mac=<mac>]
|
Register for events affecting adapters.
Options
-adds Register for notification only when matching entities are added to the system
-removes Register for notification only when matching entities are removed (deleted) from the system
-updates Register for notification only when matching entities are updated in the system
mac=<mac> Physical address of the adapter.
ip, <ip> IP Address assigned to the adapter.
location=<location> Location of the adapter in the network.
|
||||||
diagnose system tail-clients host [-adds] [-removes] [-updates] [os=<os>] [role=<role>] [type=<type>]
|
Register for events affecting hosts.
Options
-adds Register for notification only when matching entities are added to the system
-removes Register for notification only when matching entities are removed (deleted) from the system
-updates Register for notification only when matching entities are updated in the system
os, <os> Host's operating system
role=<role> Role assigned to the host
type=<type> The host type
|
||||||
diagnose system tail-clients multi [-adds] [-removes] [-updates] <filter-type>
|
Register for events affecting a combination of adapters, hosts and users. -multi requires another argument indicating the primary filter type: [adapter | host | user]
Options
-adds Register for notification only when matching entities are added to the system
-removes Register for notification only when matching entities are removed (deleted) from the system
-updates Register for notification only when matching entities are updated in the system
Arguments <filter-type> adapter, host, user
|
||||||
diagnose system tail-clients user [-adds] [-removes] [-updates] [firstname=<firstname>] [lastname=<lastname>] [userrole=<userrole>]
|
Register for events affecting users.
Options
-adds Register for notification only when matching entities are added to the system
-removes Register for notification only when matching entities are removed (deleted) from the system
-updates Register for notification only when matching entities are updated in the system
lastname=<lastname> User's last name
firstname=<firstname> User's first name
userrole=<userrole> Role assigned to the user |
||||||
|
Display all Admin Profiles |
||||||
|
Display a specified Admin Profile by ID |
||||||
|
Display a specified Admin Profile by name |
||||||
|
Delete the user record(s). |
||||||
|
List guest template information. |
||||||
|
List user records. |
||||||
|
Display available agents
Options
-all Display all installed agents
-c, <cols> Specify a Column to show. Repeat for more columns. Example: -c Name Type
-columns Display available columns
-H, Display Headers
-latest Get Latest agent of a given type
-legacy Get Latest legacy agent of a given type
-platform=<os> Specify an OS to show agents for (Windows, MacOSX, Linux)
-type=<type> Specify Agent Type
-x, Exclude special Agents (None types) |
||||||
|
Tails the specified logfile.
Example: diagnose tail -F output.master
Tab completion can be used to list the files available to tail. Ctrl-C stops tail.
Available options:
|
||||||
|
Lists all the loggers available |
||||||
|
Set logger log level for a specific log name. Logs should be enabled under the advisement of Support.
Log levels:
TRACE - Packet capture (most verbose)
DEBUG - Logs DEBUG + INFO + WARN + ERROR messages
INFO - Logs INFO + WARN + ERROR messages
WARN - Logs WARN + ERROR messages
ERROR - Logs error messages (least verbose)
|
||||||
|
Unset the specified logger's log level back to INHERIT |
||||||
|
Lists all the plugins, their associated loader, and their debug status. Type “q” to return to prompt |
||||||
|
Lists all the debug-enabled plugins along with their associated loader |
||||||
|
Display the performance metrics for the specified plugin |
||||||
|
Enable or disable debug for the specified plugin |
||||||
|
Send a Test email to verify Email server configuration. |
||||||
|
Display information of all disks. |
||||||
diagnose hardware deviceinfo nic [<ifname>] |
Display NIC information. |
||||||
|
Display TPM information. |
||||||
|
Show hardware info. |
||||||
|
List PCI parameters. Option -v : Display verbose output |
||||||
diagnose hardware lspci [-tv] |
List PCI parameters.
Options
-v, Display PCI parameters with details
-t, Display PCI parameters in tree format |
||||||
|
Show power supply info |
||||||
diagnose hardware sysinfo cpu
|
Display detailed information for all installed CPU(s).
|
||||||
diagnose hardware sysinfo interrupts
|
Display system interrupts information.
|
||||||
diagnose hardware sysinfo iomem
|
Display memory map of I/O ports.
|
||||||
diagnose hardware sysinfo ioports
|
Display address list of I/O ports.
|
||||||
diagnose hardware sysinfo memory
|
Display system memory information.
|
||||||
diagnose hardware sysinfo mtrr
|
Display memory type range registers.
|
||||||
diagnose hardware sysinfo partitions
|
Display disk partitions. |
||||||
diagnose hardware sysinfo slab |
Display memory allocation information. |
||||||
diagnose hardware sysinfo systime |
Display system time information. |
||||||
|
Show the SMART information. |
||||||
|
Show the SMART health status. |
||||||
|
Show the SMART error logs. |
||||||
|
Show vendor specific SMART attributes. |
||||||
|
Show RAID status. |
||||||
|
Creates a new scan profile record
<name> Name for the new scan profile
<script-type> Script Type of the scan profile. Please provide SCRIPT TYPE as one of the following: system, nessus, admin, agent
<entity-type> Entity Type of the scan profile. Please provide ENTITY TYPE as one of the following: registered, rogue, client, server, all, group
<group-name> Group name for the scan profile to associate with
<scan-enable> Status of the scan profile. Please provide whether the scan profile should be enabled as one of the following: enable, disable
<scan-delay> The time to wait for the script to finish (in seconds) |
||||||
|
Delete a scan profile with given ID
<scan-profile-name> Name of the scan profile to delete |
||||||
|
Displays all the existing scan profiles |
||||||
|
Reset the performance counters for the SNMP trap handler. |
||||||
|
Display summary of all scheduled tasks.
-hidden Show system tasks normally hidden. |
||||||
|
Display detailed description of a scheduled task.
<task-name> Select the task by task name |