Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

diagnose

Use the diagnose commands to help with troubleshooting:

diagnose bpdu-guard display status

Use this command to display the status of the spanning tree protocol (STP) bridge protocol data unit (BPDU) guard:

diagnose bpdu-guard display status

 

To configure STP BPDU guard, see config switch interface.

Example output

Portname             State      Status       Timeout(m)    Count    Last-Event
_________________   _______    _________    ___________    _____   _______________

port1              disabled     -              -             -            -
port2              disabled     -              -             -            -
port3              disabled     -              -             -            -
port4              disabled     -              -             -            -
port5              disabled     -              -             -            -
port6              disabled     -              -             -            -
port9              disabled     -              -             -            -
port10             disabled     -              -             -            -
port11             disabled     -              -             -            -
port12             disabled     -              -             -            -
port13             disabled     -              -             -            -
port14             disabled     -              -             -            -
port15             disabled     -              -             -            -
port16             disabled     -              -             -            -
port17             disabled     -              -             -            -
port18             disabled     -              -             -            -
port19             disabled     -              -             -            -
port20             disabled     -              -             -            -
port21             disabled     -              -             -            -
port22             disabled     -              -             -            -
port23             disabled     -              -             -            -
port24             disabled     -              -             -            -
port25             disabled     -              -             -            -
port26             disabled     -              -             -            -
port27             disabled     -              -             -            -
port28             disabled     -              -             -            -
port29             disabled     -              -             -            -
port30             enabled      -              60            0            -

diagnose certificate all

Use this command to verify all system certificates:

diagnose certificate all

Example output

S548DF5018000776 # diagnose certificate all 

Certificate Authority 
----------------------------------------------------------------------------

Name             : Fortinet_802.1x_CA 
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB 
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed 
Timeliness       : Valid (Expires on 2028-10-22 12:00:00  GMT)

Name             : Fortinet_CA 
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9 
Serial Number    : da:f6:36:b4:43:d4:a5:8b
Integrality      : Passed 
Timeliness       : Valid (Expires on 2038-01-19 22:34:39  GMT)

Name             : Fortinet_CA2 
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9 
Serial Number    : da:f6:36:b4:43:d4:a5:8b
Integrality      : Passed 
Timeliness       : Valid (Expires on 2038-01-19 22:34:39  GMT)

Name             : Fortinet_fsw_cloud_CA 
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB 
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed 
Timeliness       : Valid (Expires on 2028-10-22 12:00:00  GMT)

Local 
----------------------------------------------------------------------------

Name             : Fortinet_802.1x 
Fingerprint(MD5) : 0C:7B:E2:32:85:D0:05:DA:CA:16:15:86:82:D7:28:63 
Serial Number    : 0d:b1:1b:bc:13:51:13:23:18:64:23:55:cd:db:3b:fe
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2022-05-24 12:00:00  GMT)

Name             : Fortinet_Factory 
Fingerprint(MD5) : B1:92:9D:7B:63:4B:9D:F7:57:FF:E6:59:AE:C2:21:2A 
Serial Number    : 19:c1:ea
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

Name             : Fortinet_Factory2 
Fingerprint(MD5) : F8:E4:51:61:B6:F0:98:FA:43:1F:4C:FD:C1:5D:B2:62 
Serial Number    : 19:c1:ec
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

Name             : Fortinet_Firmware 
Fingerprint(MD5) : A3:09:DB:D7:31:CA:7C:A6:CD:03:B1:91:FB:D7:13:23 
Serial Number    : 41:1d:d5
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

Remote 
----------------------------------------------------------------------------

diagnose certificate ca

Use this command to verify CA certificates:

diagnose certificate ca

Example output

S548DF5018000776 # diagnose certificate ca

Name             : Fortinet_802.1x_CA 
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB 
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed 
Timeliness       : Valid (Expires on 2028-10-22 12:00:00  GMT)

Name             : Fortinet_CA 
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9 
Serial Number    : da:f6:36:b4:43:d4:a5:8b
Integrality      : Passed 
Timeliness       : Valid (Expires on 2038-01-19 22:34:39  GMT)

Name             : Fortinet_CA2 
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9 
Serial Number    : da:f6:36:b4:43:d4:a5:8b
Integrality      : Passed 
Timeliness       : Valid (Expires on 2038-01-19 22:34:39  GMT)

Name             : Fortinet_fsw_cloud_CA 
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB 
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed 
Timeliness       : Valid (Expires on 2028-10-22 12:00:00  GMT)

diagnose certificate local

Use this command to verify local certificates:

diagnose certificate local

Example output

S548DF5018000776 # diagnose certificate local

Name             : Fortinet_802.1x 
Fingerprint(MD5) : 0C:7B:E2:32:85:D0:05:DA:CA:16:15:86:82:D7:28:63 
Serial Number    : 0d:b1:1b:bc:13:51:13:23:18:64:23:55:cd:db:3b:fe
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2022-05-24 12:00:00  GMT)

Name             : Fortinet_Factory 
Fingerprint(MD5) : B1:92:9D:7B:63:4B:9D:F7:57:FF:E6:59:AE:C2:21:2A 
Serial Number    : 19:c1:ea
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

Name             : Fortinet_Factory2 
Fingerprint(MD5) : F8:E4:51:61:B6:F0:98:FA:43:1F:4C:FD:C1:5D:B2:62 
Serial Number    : 19:c1:ec
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

Name             : Fortinet_Firmware 
Fingerprint(MD5) : A3:09:DB:D7:31:CA:7C:A6:CD:03:B1:91:FB:D7:13:23 
Serial Number    : 41:1d:d5
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

diagnose certificate remote

Use this command to verify remote certificates:

diagnose certificate remote

diagnose debug application

Use this command to set the debug level for application daemons. Some applications must be set to level 8 or higher to enable output for other diagnose debug commands. If you do not specify the debugging level, the current debugging level is returned.

diagnose debug application <application> [<debugging_level>]

 

The following applications are supported:

  • alertd—Monitor and alert daemon
  • authd—Authentication control daemon
  • bfdd— Bidirectional forwarding detection (BFD) daemon
  • bgpd—Border Gateway Protocol (BGP) daemon
  • ctrld— General FortiSwitch control daemon
  • cu_swtpd—Switch-controller CAPWAP control daemon
  • dhcp6c—DHCPv6 client module
  • dhcpc—DHCP client module
  • dhcprelay—DHCP relay daemon
  • dmid—Diagnostic monitoring interface (DMI) daemon
  • dnsproxy—DNS proxy module
  • eap_proxy—EAP proxy daemon
  • erspan-auto-mgr—ERSPAN-auto mode configuration resolution daemon
  • flcmdd—FortiLink command daemon
  • flow-export—Flow-export
  • fnbamd—FortiGate nonblocking authentication daemon
  • fortilinkd—FortiLink daemon
  • fpmd—Hardware routing daemon
  • fsmgr—FortiSwitch Cloud daemon
  • gratarp—IP conflict gratuitous ARP utility
  • gui—GUI service
  • httpsd—HTTP and HTTPS daemon
  • ip6addrd—IPv6 address utilty
  • ipconflictd— IP conflict detection daemon
  • isisd—Intermediate System to Intermediate System Protocol (IS-IS) daemon
  • l2d—Daemon for layer-2 features
  • l2dbg—Daemon for hardware-related operations needed by layer 2
  • l3—Layer-3 debugging
  • lacpd—Link Aggregation Control Protocol (LACP) daemon
  • libswitchd—FortiSwitch library daemon
  • link-monitor—Link monitor daemon
  • lldpmedd—Link Layer Discovery Protocol-Media Endpoint Discovery (LLPD-MED) daemon
  • mcast-snooping—Multicast-snooping debugging
  • miglogd—Logging daemon
  • mrpd—Media Redundancy Protocol (MRP) daemon
  • ntpd—Network Time Protocol (NTP) daemon
  • nwmcfgd—Daemon for network-monitoring configuration
  • nwmonitord—Packet-handling and parsing daemon for network monitoring
  • ospf6d—Open shortest path first (OSPF IPv6) routing daemon
  • ospfd—Open shortest path first (OSPF IPv4) routing daemon
  • pimd—Protocol Independent Multicast (PIM) daemon
  • portspeedd—Port speed daemon
  • radius_das—RADIUS CoA daemon
  • radiusd—RADIUS daemon
  • radvd—Router advertisement daemon
  • ripd—Routing Information Protocol (RIP) routing daemon
  • ripngd—Routing Information Protocol NG (RIPNG) daemon
  • router-launcher—Daemon for launching the routing system
  • rsyslogd—Remote SYSLOG daemon
  • sflowd—sFlow daemon
  • snmpd—Simple Network Managment Protocol (SNMP) daemon
  • sshd—Secure Sockets Shell (SSH) daemon
  • staticd—Static route daemon
  • statsd—Statistics collection daemon
  • stpd—Spanning Tree Protocol (STP) daemon
  • switch-launcher—Daemon for launching the FortiSwitch system
  • trunkd—Trunk daemon
  • vrrpd—Virtual Router Redundancy Protocol (VRRP) daemon
  • wiredap —Daemon for 802.1x port-based authentication
  • wpa_supp—MACsec Key Agreement (MKA) MACsec daemon
  • zebra—Core router daemon

Example output

S524DF4K15000024 # diagnose debug application flgd

 

flgd debug level is 8 (0x8)

diagnose debug authd

Use these commands to manage the authentication daemon:

diagnose debug authd clear

diagnose debug authd fsso clear-logons

diagnose debug authd fsso filter clear

diagnose debug authd fsso filter group <group_name>

diagnose debug authd fsso filter server <FSSO_agent_name>

diagnose debug authd fsso filter source <IPv4_address> <IPv4_address>

diagnose debug authd fsso filter user <user_name>

diagnose debug authd fsso list

diagnose debug authd fsso refresh-groups

diagnose debug authd fsso refresh-logons

diagnose debug authd fsso server-status

diagnose debug authd fsso summary

 

Variable

Description

clear

Delete internal data structures and keepalive sessions.

fsso clear-logons

Delete Fortinet Single Sign on (FSSO) logon information.

fsso filter clear

Delete all FSSO filters.

fsso filter group <group_name>

List only the logons by the specified FSSO group.

fsso filter server <FSSO_agent_name>

List only the logons for the specified FSSO agent.

fsso filter source <IPv4_address> <IPv4_address>

List only the logons for the specified range of IPv4 addresses.

fsso filter user <user_name>

List only the logons by the specified user.

fsso list

Display the current FSSO logons.

fsso refresh-groups

Refresh the FSSO group mappings.

fsso refresh-logons

Synchronize the FSSO logon database.

fsso server-status

Display the status of the FSSO agent connection.

fsso summary

Display a summary of current FSSO logons.

Example output

diag debug authd fsso server-status

Server Name     Connection Status     Version
-----------     -----------------     -------
fsso            connected             FSSO 5.0.0237
			
diagnose debug authd fsso list
IP: 10.1.1.5  User: ADM_FWCHECK  Groups: FW_OPERATORS/ADMINISTRATORS

diagnose debug bfd

Use this command to enable, show, or disable the debugging level for bidirectional forwarding detection (BFD):

diagnose debug bfd {all | appl | fsm | net | show | zebra } {enable | disable}

diagnose debug bgp

Use this command to enable, show, or disable the debugging level for Border Gateway Protocol (BGP) routing:

diagnose debug bgp {all | appl | as4 | flowspec | keepalives | neighbor-events | nht | normal | show | updates | zebra} {enable | disable}

diagnose debug cli

Use this command to set or find the debug level for the CLI:

diagnose debug cli [<0-8>]

Example output

S524DF4K15000024 # diagnose debug cli

 

Cli debug level is 8

diagnose debug config-error-log

Use this command to display information about the configuration error log:

diagnose debug config-error-log {clear | read}

 

Variable

Description

clear

Clear the configuration error log.

fsso

Display configuration errors on the console.

diagnose debug console

Use these commands to display information about the console:

diagnose debug console no-user-log-msg {enable | disable}

diagnose debug console send <AT command>

diagnose debug console timestamp {enable | disable}

 

Variable

Description

no-user-log-msg {enable | disable}

Enable or disable the display of user log messages on the console.

send <AT command>

Send out the specified modem AT command.

timestamp {enable | disable}

Enable or disable the time stamp.

diagnose debug crashlog

Use this command to display or erase the crash log:

diagnose debug crashlog {clear | get | kill-with-crashlog <process_ID> | read}

 

Variable

Description

clear

Clear the crash log.

get

Display the crash log on the console.

kill-with-crashlog <process_ID>

End the daemon using the specified process ID.

read

Display the crash log on the console in a readable format.

Example output

S524DF4K15000024 # diagnose debug crashlog get
			
Rk9SVP94nDK0NLPUNTTSNTZUMDSzMjCwMjVXSErOjc9IzEvJSY3PTM8tKI5Pzk2x
UvB1dgwO0Q1xdPJx1Q32jHK1MjQwMuECCCAjA0NzXQNLXQMzBUOgZgMrQ0uFkoxU
hezMnJzUFIWUxNTc/DyFzGIF/aTMPP301JKSSiuF4pLEktJiW4MKAy6AAELWb2gF
dIKJKUn6AQIIVb+JmZWpCUn6AQIIWb+RlYGxlbExSfoBAghZv7GVqamVEWn+Bwgg
ZP0mVgYWwCAkST9AAKHqNzQHxR8p+gECCFW/MdALhiToN+ICCCA0/WZWxqTpBwgg
ZP3AwDMGJkGS3A8QQKj6TYBJwIIk/QABhKbfBBiFJLkfIIDQ9JtaGZNivxEXQAAh
6zcDxb8RafEHEECo+oH+NyAt/QMEEKp+UP41Ikk/QADB9ZuD8r+RpRXQIOL1GxsY
cAEEEKoJphakpgCAAELWbwgKQQPSQhAggFD1A3OAMWkhABBAaPotrUxIsx8ggJD1
A0sgU1JzMEAAIesHZl8jICJJP0AAIesHpgBz0koAAy6AAELWb24FTgQk6QcIIFT9
JkD3k5KCDLgAAghNPzD+SbMfIIBQ9ZsaAyshkvQDBBCyfqDlwEKYtBIIIIBQ9QOj
0IS08AcIIDT9ZqSlHyMugABC1W8EDH/SakCAAELVD8w/JMY/QAAh6wcWH0bAJECS
foAAguu3UDAwtzIClmCklB+gEggggJBNsLQCV8MkuQAggND0A+sA0lIQQACh6jcC
1mGklYAAAYSkH1gCGZkCnUCSfoAAQtUPKgFJsx8ggFD1mwBzEGklGEAAoek3AUYi
...
			
S548DF5018000776 # diagnose debug crashlog read 
			
1: 2020-03-13 11:54:15 the killed daemon is /bin/fsmgrd: status=0x0
2: 2020-03-13 16:55:27 the killed daemon is /bin/fsmgrd: status=0x0
3: 2020-03-13 16:59:09 the killed daemon is /bin/fsmgrd: status=0x0
4: 2020-03-13 17:32:56 the killed daemon is /bin/fsmgrd: status=0x0
5: 2020-03-13 18:10:52 the killed daemon is /bin/fsmgrd: status=0x0
6: 2020-03-13 18:45:45 the killed daemon is /bin/fsmgrd: status=0x0
7: 2020-03-13 18:52:24 the killed daemon is /bin/fsmgrd: status=0x0
8: 2020-03-16 11:59:48 restart_reason=SYSTEM SHUTDOWN
9: 2020-03-17 10:16:42 restart_reason=SYSTEM SHUTDOWN
10: 2020-03-23 09:23:22 restart_reason=SYSTEM SHUTDOWN
11: 2020-03-24 08:33:04 restart_reason=SYSTEM SHUTDOWN
12: 2020-03-26 08:11:33 restart_reason=SYSTEM SHUTDOWN
13: 2020-04-10 08:48:25 restart_reason=SYSTEM SHUTDOWN
14: 2020-05-06 10:51:28 the killed daemon is /bin/fsmgrd: status=0x0
15: 2020-05-06 11:47:45 the killed daemon is /bin/fsmgrd: status=0x0
16: 2020-05-06 17:49:04 the killed daemon is /bin/fsmgrd: status=0x0
17: 2020-05-28 08:45:54 restart_reason=SYSTEM SHUTDOWN
18: 2020-05-28 09:09:00 the killed daemon is /bin/fsmgrd: status=0x0
19: 2020-05-28 09:36:23 the killed daemon is /bin/fsmgrd: status=0x0
20: 2020-05-28 18:12:20 the killed daemon is /bin/fsmgrd: status=0x0
21: 2020-05-29 13:31:52 the killed daemon is /bin/fsmgrd: status=0x0
22: 2020-05-29 15:04:20 the killed daemon is /bin/fsmgrd: status=0x0
23: 2020-05-29 16:01:28 the killed daemon is /bin/fsmgrd: status=0x0
24: 2020-05-29 16:27:41 the killed daemon is /bin/fsmgrd: status=0x0
25: 2020-06-01 16:04:11 restart_reason=SYSTEM SHUTDOWN
26: 2020-06-02 09:56:49 the killed daemon is /bin/fsmgrd: status=0x0

diagnose debug disable

Use this command to disable debugging output:

diagnose debug disable

diagnose debug enable

Use this command to enable debugging output:

diagnose debug enable

diagnose debug info

Use this command to display the debugging level:

diagnose debug info

Example output

S524DF4K15000024 # diagnose debug info
debug output:           enable
console timestamp:      disable
console no user log message:    disable
fsmgr debug level:      16 (0x10)
CLI debug level:        8

diagnose debug isis

Use this command to enable, show, or disable the debugging level for Intermediate System to Intermediate System Protocol (IS-IS) routing:

diagnose debug isis {adj-packets | all | appl | bfd | events | flooding | lsp-gen | lsp-sched | packet-dump | route-events | show | snp-packets | spf-events | tx-queue | update-packets} {enable | disable}

diagnose debug kernel level

Use this command to display or set the debugging level for the kernel:

diagnose debug kernel level [<integer>]

Example output

S524DF4K15000024 # diagnose debug kernel level
			
Kernel debug level is 0

diagnose debug ospf

Use this command to enable, show, or disable the debugging level for open shortest path first (OSPF) routing for IPv4 traffic:

diagnose debug ospf {all | appl | event | ism-debug | lsa-debug | nsm-debug | nssa | packet-debug | show | zebra-debug} {enable | disable}

diagnose debug ospf6

Use this command to enable or disable the debugging level for open shortest path first (OSPF) routing for IPv6 traffic:

diagnose debug ospf6 {abr | all | appl | asbr | border-routers | flooding | interface | lsa | lsa-debug | message | neighbor | packet-debug | route | route-debug | spf | zebra} {enable | disable}

diagnose debug packet_test

Use this command to display a report about the specified port for technical support:

diagnose debug packet_test <port_ID>

Example output

S524DF4K15000024 # diagnose debug packet_test 30
			
RX: port:0(tx port 30) len:0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

RX: port:0(tx port 30) len:0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Send: 2, Recv: 2

diagnose debug pim

Use this command to enable, show, or disable the debugging level for Protocol Independent Multicast (PIM) routing:

diagnose debug pim {all | appl | events | igmp-events | igmp-packets | igmp-trace | mroute | packet-dump | packets | show | static | trace | zebra} {enable | disable}

diagnose debug port-mac

NOTE: This command is available only on FortiSwitch units that have the split-port feature available.

Use this command to display the mapping between MAC addresses and ports:

diagnose debug port-mac {check-mac | list}

 

Variable

Description

check-mac

Check to see if the specified MAC address is valid.

list

List the mapping between MAC addresses and ports.

Example output

S524DF4K15000024 # diagnose debug port-mac check-mac 08:5b:0e:f1:95:e4
Input MAC address 08:5b:0e:f1:95:e4 found in range
08:5b:0e:e5:4f:d6--08:5b:0e:f1:9b:a4
90:6c:ac:30:19:22--90:6c:ac:7b:d6:d0
Allocated split-port MAC for port 32 is  00:00:00:00:00:00.

S524DF4K15000024 # diagnose debug port-mac list
Base MAC: 08:5b:0e:f1:95:e4

Port Name            Port #           Split Port Idx         MAC
==================================================================================
	port1                 1                        0         08:5b:0e:f1:95:e6
	port2                 2                        0         08:5b:0e:f1:95:e7
	port3                 3                        0         08:5b:0e:f1:95:e8
	port4                 4                        0         08:5b:0e:f1:95:e9
	port5                 5                        0         08:5b:0e:f1:95:ea
	port6                 6                        0         08:5b:0e:f1:95:eb
	port7                 7                        0         08:5b:0e:f1:95:ec
	port8                 8                        0         08:5b:0e:f1:95:ed
	port9                 9                        0         08:5b:0e:f1:95:ee
	port10                10                       0         08:5b:0e:f1:95:ef
	port11                11                       0         08:5b:0e:f1:95:f0
	port12                12                       0         08:5b:0e:f1:95:f1
	port13                13                       0         08:5b:0e:f1:95:f2
	port14                14                       0         08:5b:0e:f1:95:f3
	port15                15                       0         08:5b:0e:f1:95:f4
	port16                16                       0         08:5b:0e:f1:95:f5
	port17                17                       0         08:5b:0e:f1:95:f6
	port18                18                       0         08:5b:0e:f1:95:f7
	port19                19                       0         08:5b:0e:f1:95:f8
	port20                20                       0         08:5b:0e:f1:95:f9
	port21                21                       0         08:5b:0e:f1:95:fa
	port22                22                       0         08:5b:0e:f1:95:fb
	port23                23                       0         08:5b:0e:f1:95:fc
	port24                24                       0         08:5b:0e:f1:95:fd
	port25                25                       0         08:5b:0e:f1:95:fe
	port26                26                       0         08:5b:0e:f1:95:ff
	port27                27                       0         08:5b:0e:f1:96:00
	port28                28                       0         08:5b:0e:f1:96:01
	port29                29                       0         08:5b:0e:f1:96:02
	port30                30                       0         08:5b:0e:f1:96:03
       internal              31                       0         08:5b:0e:f1:95:e4

diagnose debug report

Use this command to display a detailed debugging report for technical support:

diagnose debug report

Example output

S524DF4K15000024 # diagnose debug report
			
Version: FortiSwitch-524D-FPOE v3.6.3,build0390,171020 (GA)
Serial-Number: S524DF4K15000024
BIOS version: 04000013
System Part-Number: P18045-04
Burn in MAC: 08:5b:0e:f1:95:e4
Hostname: S524DF4K15000024
Distribution: International
Branch point: 390
System time: Tue Jan  6 13:53:02 1970

----------------------------------------------------------------
Serial Number: S524DF4K15000024   Diagnose output
----------------------------------------------------------------

### get system status

CPU states: 0% user 4% system 0% nice 96% idle
Memory states: 10% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Uptime: 5 days,  21 hours,  53 minutes

### get system performance status

config system interface
edit "mgmt"
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh
set type physical
set snmp-index 33
next
edit "internal"
set type physical
set snmp-index 32
next
end

### show system interface

### show router static

### diagnose ip address list
...'

diagnose debug reset

Use this command to reset all debugging levels to the default levels:

diagnose debug reset

diagnose debug rip

Use this command to enable, show, or disable the debugging level for IPv4 Routing Information Protocol (RIP) routing:

diagnose debug rip {all | appl | events | packet-rx | packet-tx | show | zebra} {enable | disable}

diagnose debug ripng

Use this command to enable, show, or disable the debugging level for IPv6 Routing Information Protocol (RIP) routing:

diagnose debug ripng {all | appl | events | packet-rx | packet-tx | show | zebra} {enable | disable}

diagnose debug static

Use this command to enable or disable the debugging level for static routes:

diagnose debug static {all | appl} {enable | disable}

diagnose debug unit_test

Use this command to enable or disable the debugging of unit tests:

diagnose debug unit_test {enable | disable}

Example output

S524DF4K15000024 # diagnose debug unit_test enable
libsw_unit_test argc 2
cmd =0

diagnose debug zebra

Use this command to enable, show, or disable the debugging level for the core router daemon:

diagnose debug zebra {all | appl | events | fpm | kernel | packet-rx | packet-rx-detail | packet-tx | packet-tx-detail | rib | rib-queue | show} {enable | disable}

diagnose firewall ip clear-counter

Use this command to clear the IPv4 iptables counter:

diagnose firewall ip clear-counter

diagnose firewall ip show

Use this command to show IPv4 iptables:

diagnose firewall ip show

diagnose firewall ipv6 clear-counter

Use this command to clear the IPv6 iptables counter:

diagnose firewall ipv6 clear-counter

diagnose firewall ipv6 show

Use this command to show IPv6 iptables:

diagnose firewall ipv6 show

diagnose flapguard status

Use this command to get flap-guard information for all switch ports:

diagnose flapguard status

Example output

S524DF4K15000024 # diagnose flapguard status Portname State Status Timeout(m) flap-rate flap-duration flaps/duration Last-Event _________________ _______ _________ ___________ _________ ____________ ______________ ___________ port1 disabled - - 5 30 0 - port2 disabled - - 5 30 0 - port3 disabled - - 5 30 0 - port4 disabled - - 5 30 0 - port5 disabled - - 5 30 0 - port6 disabled - - 5 30 0 - port7 disabled - - 5 30 0 - port8 disabled - - 5 30 0 - port9 enabled - 0 5 30 0 - port10 disabled - - 5 30 0 - port11 disabled - - 5 30 0 - port12 disabled - - 5 30 0 - port13 disabled - - 5 30 0 - port14 disabled - - 5 30 0 - port15 disabled - - 5 30 0 - port16 disabled - - 5 30 0 - port17 disabled - - 5 30 0 - port18 disabled - - 5 30 0 - port19 enabled - 30 15 10 0 - port20 disabled - - 5 30 0 - port21 disabled - - 5 30 0 - port22 disabled - - 5 30 0 - port23 disabled - - 5 30 0 - port24 disabled - - 5 30 0 - port25 disabled - - 5 30 0 - port26 disabled - - 5 30 0 - port27 disabled - - 5 30 0 - port28 disabled - - 5 30 0 - port29 disabled - - 5 30 0 - port30.1 disabled - - 5 30 0 - port30.2 disabled - - 5 30 0 - port30.3 disabled - - 5 30 0 - port30.4 disabled - - 5 30 0 -

diagnose hardware

Use these commands to diagnose the hardware. You must be logged in as a super user for these commands.

diagnose hardware certificate

diagnose hardware entropy-status

diagnose hardware ioport {byte <value> | long <arguments> | word <arguments>}

diagnose hardware switchinfo {l3-ecmp-table | l3-egress-table | l3-host-table | l3-intf-table | l3-summary | l3-v6-host-table | routing-table | v6-routing-table}

diagnose hardware sysinfo {bootenv | cpu | interrupts | iomem | memory | slab}

diagnose hardware usb

 

Variable

Description

certificate

Verify which certificates are present on the FortiSwitch unit and that all installed certificates are valid.

entropy-status

Display information about FIPS mode and entropy.

ioport {byte <value> | long <arguments> | word <arguments>}

Read and write data using the input/output port.

switchinfo {l3-ecmp-table | l3-egress-table | l3-host-table | l3-intf-table | l3-summary | l3-v6-host-table | routing-table | v6-routing-table}

Display information about the FortiSwitch hardware.

sysinfo {bootenv | cpu | interrupts | iomem | memory | slab}

Display information about the system.

usb

Display information about the connected USB devices.

Example output

S424EPTF19000004 # diagnose hardware entropy-status

Entropy Seeded:         Yes
Entropy Source:         USB [Vendor: Alea,VendorID= 0X12D8 ]
Entropy Mode:           INIT
Last seeded @:           0 D : 0 H : 0 M ago.


FIPS Status:            2
BIOS OS security level :                1
BIOS FIPS Capabilities :                1
BIOS fips_enabled status:               1

 

S548DF5018000776 # diagnose hardware certificate
Checking Fortinet_CA.cer integrality ........Passed
Checking Fortinet_Factory.cer integrality ........Passed
Checking Fortinet_Factory.cer key-pair integrality ........Passed
Checking Fortinet_Factory.cer Serial-No. ........Passed
Checking Fortinet_Factory.cer timeliness ........Passed
Checking Fortinet_Factory.key integrality ........Passed
Checking Fortinet_CA2.cer integrality ........Passed
Checking Fortinet_Factory2.cer integrality ........Passed
Checking Fortinet_Factory2.cer key-pair integrality ........Passed
Checking Fortinet_Factory2.cer Serial-No. ........Passed
Checking Fortinet_Factory2.cer timeliness ........Passed
Checking Fortinet_Factory2.key integrality ........Passed

 

S424EPTF19000004 # diagnose hardware usb
Alea II TRNG
EHCI Host Controller
Generic Platform OHCI controller

diagnose ip address

Use these commands to manage IP addresses:

diagnose ip address add <interface_name> <IPv4_address> <IP_network_mask>

diagnose ip address delete <interface_name> <IPv4_address>

diagnose ip address flush

diagnose ip address list

 

Variable

Description

add <interface_name> <IPv4_address> <IP_network_mask>

Add an IPv4 address to the specified interface.

delete <interface_name> <IPv4_address>

Delete an IPv4 address from the specified interface.

flush

Delete all IP addresses.

list

List all IP addresses and which interfaces they are assigned to.

Example output

S524DF4K15000024 # diagnose ip address list
			
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=1 devname=lo
IP=192.168.1.99->192.168.1.99/255.255.255.0 index=2 devname=mgmt
IP=10.105.19.3->10.105.19.3/255.255.252.0 index=2 devname=mgmt
IP=170.38.65.1->170.38.65.1/255.255.255.0 index=71 devname=vlan35
IP=180.1.1.1->180.1.1.1/255.255.255.0 index=72 devname=vlan85
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=73 devname=int1
IP=10.10.10.1->10.10.10.1/255.255.255.0 index=74 devname=vlan-8
IP=11.1.1.100->11.1.1.100/255.255.255.255 index=74 devname=vlan-8

diagnose ip arp

Use these commands to manage the Address Resolution Protocol (ARP) table:

diagnose ip arp add <interface_name> <IPv4_address> <MAC_address>

diagnose ip arp delete <interface_name> <IPv4_address>

diagnose ip arp flush <interface_name>

diagnose ip arp list

 

Variable

Description

arp add <interface_name> <IPv4_address>

Add an Address Resolution Protocol (ARP) entry for the IP address on the specified interface.

arp delete <interface_name> <IPv4_address>

Delete an Address Resolution Protocol (ARP) entry for the IP address on the specified interface.

arp flush <interface_name>

Delete the ARP table for the specified interface.

arp list

Display the ARP table.

Example output

S524DF4K15000024 # diagnose ip arp list
			
index=2 ifname=mgmt 10.105.16.1 90:6c:ac:15:2f:94 state=00000002 use=117606 confirm=537 update=67371 ref=1
index=70 ifname=internal 192.168.0.10 state=00000001 use=24 confirm=178601 update=124 ref=1
index=74 ifname=vlan-8 11.1.1.100 00:00:5e:00:01:05 (proxy)

diagnose ip route

Use these commands to manage static routes and the routing table:

diagnose ip route add <interface_name> <IPv4_address> <IP_network_mask>

diagnose ip route delete <interface_name> <IPv4_address>

diagnose ip route flush

diagnose ip route list [<arguments>]

diagnose ip route verify <interface_name> <IPv4_address> <IP_network_mask>

 

 

Variable

Description

add <interface_name> <IPv4_address> <IP_network_mask>

Add a static route to the specified interface.

delete <interface_name> <IPv4_address>

Delete a static route from the specified interface.

flush

Delete the routing table.

list [<arguments>]

Display the routing table.

verify <interface_name> <IPv4_address> <IP_network_mask>

Verify a static route on the specified interface.

Example output

S524DF4K15000024 # diagnose ip route list
			
tab=254 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.105.16.1 dev=2(mgmt)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/24 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.16.0/22 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=254 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->39.3.2.0/24 pref=0.0.0.0 gwy=180.1.1.2 dev=72(vlan85)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.0/24 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.0/24 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/24 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.1/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.255/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.16.0/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.19.3/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.19.255/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->11.1.1.100/32 pref=11.1.1.100 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.0/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.1/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.255/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.0/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.1/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.255/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.99/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.255/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra}

Use these commands to display statistics for bidirectional forwarding detection (BFD), Border Gateway Protocol (BGP) routing, Intermediate System to Intermediate System Protocol (IS-IS) routing, open shortest path first (OSPF) routing for IPv4 traffic, OSPF routing for IPv6 traffic, Protocol Independent Multicast (PIM) routing, Routing Information Protocol (RIP) routing for IPv4 traffic, RIP routing for IPv6 traffic, static routes, and core routing daemon:

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | | ripng | static | zebra} cpu-usage

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} crash-backtrace-clear

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} crash-backtrace-read

diagnose ip router zebra fpm-counters clear

diagnose ip router zebra fpm-counters show

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} memory-usageripng |

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} work-queues

 

Variable

Description

cpu-usage

Display statistics for CPU usage.

crash-backtrace-clear

Delete the crash-backtrace information.

crash-backtrace-read

Display the crash-backtrace information.

fpm-counters clear

Erase the hardware offload counters.

fpm-counters show

Display the hardware offload counters.

memory-usage

Display statistics for memory usage.

work-queues

Display information about work queues.

diagnose ip router command

Use these commands to send commands to various daemons in enable mode (cmd) or in configure terminal mode (cmd-conf-term).:

diagnose ip router command bfd {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command bgp {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command isis {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command ospf {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command ospf6 {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command pim {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command rip {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command static {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command zebra {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router fwd

Use these commands for debugging layer-3 forwarding:

diagnose ip router fwd l3-clear-stats

diagnose ip router fwd l3-disable-ip-tracing

diagnose ip router fwd l3-ecmp

diagnose ip router fwd l3-egress

diagnose ip router fwd l3-enable-ip-tracing <IP_address>

diagnose ip router fwd l3-enable-ip-tracing6 <IPv6_address>

diagnose ip router fwd l3-intf

diagnose ip router fwd l3-stats

 

Variable

Description

l3-clear-stats

Delete layer-3 statistics.

l3-disable-ip-tracing

Disable IP tracing.

l3-ecmp

Display information about equal cost multi-path (ECMP) routing.

l3-egress

Display layer-3 egress information.

l3-enable-ip-tracing <IP_address>

Enable IPv4 host tracing

l3-enable-ip-tracing6 <IPv6_address>

Enable IPv6 host tracing.

l3-intf

Display information about layer-3 interfaces.

l3-stats

Display layer-3 statistics.

diagnose ip router process show

Use this command to display information about the process launch of the core routing daemon, static routing daemon, BGD daemon, OSPF (IPv4 and IPv6) daemons, BFD daemon, RIP daemon, IS-IS daemon, and PIM daemon:

diagnose ip router process show

diagnose ip router terminal-monitor

Use this command to enable or disable the display of router information on the terminal:

diagnose ip router terminal-monitor {enable | disable}

diagnose ip rtcache list

Use this command to list the routing cache:

diagnose ip rtcache list

diagnose ip tcp

Use this command to list or clear the TCP sockets:

diagnose ip tcp {list | flush}

Example

S524DF4K15000024 # diagnose ip tcp list
			
sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode                               
0: 00000000:03E8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3099 1 e647d300 100 0 0 10 -1       
1: 00000000:0A29 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1587 1 e647c000 100 0 0 10 -1       
2: 00000000:0A2A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3338 1 e647dc80 100 0 0 10 -1       
3: 00000000:03EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3103 1 e647d7c0 100 0 0 10 -1      
...

diagnose ip udp

Use this command to list or clear the UDP sockets:

diagnose ip udp {list | flush}

Example

S524DF4K15000024 # diagnose ip udp list
sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
24: 00000000:E818 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4097 2 e69e38c0 0
53: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1972 2 e6029440 0
67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 964 2 e5fd2d80 0
67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 963 2 e5fd2b40 0
68: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1961 2 e6029200 0
181: 00000000:90B5 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 7681206 2 e6b94b40 0
350: 00000000:C15E 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3301 2 e69e2b40 0
370: 0100007F:1972 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1793 2 e6028fc0 0
404: 00000000:B994 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 112 2 e5fd2000 0
415: 00000000:859F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11905 2 e5fd38c0 0
415: 00000000:C99F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3113 2 e6029d40 0
450: 00000000:E9C2 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 157 2 e5fd2480 0
520: 00000000:0208 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2196 2 e5fd3680 0
546: 00000000:CA22 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2156 2 e5fd3440 0
549: 00000000:9225 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2057 2 e5fd2fc0 0
653: 00000000:AE8D 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 775 2 e5fd2900 0
654: 00000000:B68E 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1977 2 e6029b00 0
688: 00000000:12B0 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3321 2 e69e2fc0 0
712: 00000000:0EC8 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3320 2 e69e2d80 0
713: 00000000:0EC9 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3322 2 e69e3200 0
763: 00000000:92FB 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9848617 2 e6ad7200 0
788: 0100007F:0714 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3224 2 e69e2240 0
805: 0100007F:A725 0100007F:0714 01 00000000:00000000 00:00000000 00000000     0        0 3292 2 e69e2900 0
882: 00000000:8372 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1974 2 e60298c0 0
972: 00000000:B7CC 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3260 2 e69e26c0 0
981: 00000000:EBD5 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 39752 2 e69e3b00 0
990: 00000000:BBDE 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4357 2 e69e3d40 0

diagnose ipv6 address

Use these commands to manage IPv6 addresses:

diagnose ipv6 address add <interface_name> <IPv6_address>

diagnose ipv6 address anycast <arguments>

diagnose ipv6 address delete <interface_name> <IPv6_address>

diagnose ipv6 address flush

diagnose ipv6 address list

diagnose ipv6 address multicast <interface_name> <IPv6_address>

 

Variable

Description

add <interface_name> <IPv6_address>

Add an IPv6 address to the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

anycast <arguments>

Add an IPv6 anycast address.

delete <interface_name> <IPv4_address>

Delete an IPv6 address from the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

flush

Delete all IPv6 addresses.

list

List all IPv6 addresses and which interfaces they are assigned to.

multicast <interface_name> <IPv6_address>

Add an IPv6 multicast address to the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

Example output

S524DF4K15000024 # diagnose ipv6 address list
			
dev=1 devname=lo flag=P scope=254 prefix=128 addr=::1 prefered=-1 valid=-1
dev=2 devname=mgmt flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e4 prefered=-1 valid=-1
dev=70 devname=internal flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=71 devname=vlan35 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=72 devname=vlan85 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=74 devname=vlan-8 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1

diagnose ipv6 devconf

Use these commands to configure IPv6 devices:

diagnose ipv6 address devconf accept-dad {0 | 1 | 2}

diagnose ipv6 address devconf disable_ipv6 {0 | 1 }

 

Variable

Description

accept-dad {0 | 1 | 2}

Configure the detection of duplicate IPv6 address:
  • 0 — disable duplicate address detection.
  • 1 — enable duplicate address detection.
  • 2 — enable duplicate address detection and disable IPv6 operation if duplicate MAC-based link-local addresses are found.

disable_ipv6 {0 | 1 }

Configure IPv6 operation:
  • 0 — enable IPv6 operation.
  • 1 — disableIPv6 operation.

diagnose ipv6 ipv6-tunnel

Use these commands to manage IPv6 tunnels:

diagnose ipv6 ipv6-tunnel add <tunnel_name> <interface_name> <source_IPv6_address> <destination_IPv6_address>

diagnose ipv6 ipv6-tunnel delete <tunnel_name>

diagnose ipv6 ipv6-tunnel list

 

Variable

Description

add <tunnel_name> <interface_name> <source_IPv6_address> <destination_IPv6_address>

Create a tunnel between two IPv6 addresses on the specified interface. Use the following format for the IPv6 addresses: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

delete <tunnel_name>

Delete the specified IPv6 tunnel.

delete <interface_name> <IPv4_address>

List all IPv6 tunnels.

Example output

S524DF4K15000024 # diagnose ipv6 ipv6-tunnel list
			
sys_list_tunnel6:233 not implemented

diagnose ipv6 neighbor-cache

Use these commands to manage the IPv6 Address Resolution Protocol (ARP) table:

diagnose ipv6 neighbor-cache add <interface_name> <IPv6_address> <MAC_address>

diagnose ipv6 neighbor-cache delete <interface_name> <IPv4_address>

diagnose ipv6 neighbor-cache flush <interface_name>

diagnose ipv6 neighbor-cache list

 

Variable

Description

add <interface_name> <IPv6_address>

Add an ARP entry for the IPv6 address on the specified interface.

delete <interface_name> <IPv6_address>

Delete an ARP entry for the IPv6 address on the specified interface.

flush <interface_name>

Delete the ARP table for the specified interface.

list

Display the ARP table.

Example output

S524DF4K15000024 # diagnose ipv6 neighbor-cache list
			
ifindex=1 ifname=lo :: 00:00:00:00:00:00 state=00000040 use=1096280 confirm=1102281 update=1096280 ref=6

diagnose ipv6 route

Use these commands to manage the IPv6 routing table:

diagnose ipv6 route flush

diagnose ipv6 route list

 

Variable

Description

flush

Delete the routing table.

list

Display the routing table.

Example output

S524DF4K15000024 # diagnose ipv6 route list
			
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:::1/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e4/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=01 protocol=kernel flag=00000000 oif=70(internal) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=74(vlan-8) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=71(vlan35) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=72(vlan85) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=2(mgmt) dst:fe80::/64 prio=100
type=01 protocol=boot flag=00000000 oif=70(internal) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=74(vlan-8) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=71(vlan35) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=72(vlan85) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=2(mgmt) dst:ff00::/8 prio=100
type=07 protocol=kernel flag=00000000 oif=73(int1) prio=ffffffff

diagnose ipv6 sit-tunnel

Use these commands to manage IPv4 tunnels:

diagnose ipv6 sit-tunnel add <tunnel_name> <interface_name> <source_IPv4_address> <destination_IPv4_address>

diagnose ipv6 sit-tunnel delete <tunnel_name>

diagnose ipv6 sit-tunnel list

 

Variable

Description

add <tunnel_name> <interface_name> <source_IPv4_address> <destination_IPv4_address>

Create a tunnel between two IPv4 addresses on the specified interface. Use the following format for the IPv4 addresses: XXX.XXX.XXX.XXX

delete <tunnel_name>

Delete the specified IPv4 tunnel.

delete <interface_name> <IPv4_address>

List all IPv4 tunnels.

Example output

S524DF4K15000024 # diagnose ipv6 sit-tunnel list
			
sys_list_tunnel6:263 not implemented

diagnose log alertconsole

Use the following commands to manage alert console messages:

diagnose log alertconsole clear

diagnose log alertconsole fgd-retrieve

diagnose log alertconsole list

diagnose log alertconsole test

 

Variable

Description

clear

Clear alert console messages.

fgd-retrieve

Retrieve FortiGuard alert console messages.

list

List current alert console messages.

test

Generate alert console messages.

Example output

S524DF4K15000024 # diagnose log alertconsole list

There are 50 alert console messages:
2017-10-10 13:26:07 Administrator acmin login failed
2017-10-09 15:41:32 Firmware upgraded by admin
2017-09-29 15:14:11 Firmware upgraded by admin
2017-09-28 07:45:38 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:35 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:32 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-26 08:46:09 Firmware upgraded by admin
2017-09-21 16:16:59 Firmware upgraded by admin
2017-09-19 15:21:16 Administrator [3~[3~[3~ login failed
2017-09-12 16:29:22 Administrator get test dnsproxy ? login failed
2017-09-11 15:49:17 Administrator get router prefix-list login failed
2017-09-06 08:37:44 Firmware upgraded by FortiCloud
2017-09-05 16:49:54 Administrator R  1 login failed
2017-09-01 07:30:03 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-01 07:30:00 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-01 07:29:57 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-31 16:56:35 Administrator O  1 login failed
2017-08-31 16:53:34 Administrator R u 1 login failed
2017-08-31 16:20:29 Administrator cinfcon login failed
2017-08-29 08:37:56 Firmware upgraded by FortiCloud
2017-08-25 13:26:49 Administrator sdmin login failed
2017-08-24 11:00:46 Administrator conconfig login failed
2017-08-24 08:29:01 Firmware upgraded by FortiCloud
2017-08-21 09:16:13 Firmware upgraded by unknown
2017-08-21 08:58:20 System shutdown (factory default)
2017-08-16 08:31:31 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-16 08:31:28 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-16 08:31:25 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-15 07:33:29 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-15 07:33:26 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart

diagnose loop-guard status

Use this command to display which ports have loop guard enabled:

diagnose loop-guard status

 

To enable loop guard on a port, see config switch interface.

Example output

S524DF4K15000024 # diagnose loop-guard status


Portname             State     Status     Timeout(m)   MAC-Move   Count    Last-Event
_________________   _______   _________   __________   ________   _____   __________________

port1              disabled    -             -           -         -            -
port2              disabled    -             -           -         -            -
port3              disabled    -             -           -         -            -
port4              disabled    -             -           -         -            -
port5              disabled    -             -           -         -            -
port6              disabled    -             -           -         -            -
port7              disabled    -             -           -         -            -
port10             disabled    -             -           -         -            -
port11             disabled    -             -           -         -            -
port12             enabled     -             45          0         0            -
port13             disabled    -             -           -         -            -
port14             disabled    -             -           -         -            -
port15             disabled    -             -           -         -            -
port16             disabled    -             -           -         -            -
port17             disabled    -             -           -         -            -
port18             disabled    -             -           -         -            -
port19             disabled    -             -           -         -            -
port20             disabled    -             -           -         -            -
port21             enabled     -             45          50        0            -
port22             disabled    -             -           -         -            -
port24             disabled    -             -           -         -            -
port25             disabled    -             -           -         -            -
port26             disabled    -             -           -         -            -
port27             disabled    -             -           -         -            -
port28             disabled    -             -           -         -            -
port29             disabled    -             -           -         -            -
port30.1           disabled    -             -           -         -            -
port30.2           disabled    -             -           -         -            -
port30.3           disabled    -             -           -         -            -
port30.4           disabled    -             -           -         -            -
G100D3G15817028    disabled    -             -           -         -            -

diagnose option82-mapping relay

Use this command to display the option-82 setting for DHCP relay for each valid system interface:

diagnose option82-mapping relay <valid_system_interface>

 

Example output

S524DF4K15000024 # diagnose option82-mapping relay internal

 

Interface Name Remote-ID(hex) Circuit-ID(hex)

internal 085B0EF195E5 00000000

diagnose option82-mapping snooping

Use this command to display the option-82 settings for DHCP snooping for a specific VLAN and FortiSwitch interface:

diagnose option82-mapping snooping <VLAN_ID> <valid_switch_interface>

Example output

S524DF4K15000024 # diagnose option82-mapping snooping 100 port2

 

Interface Name Remote-ID(hex) Circuit-ID(hex)

port2 085B0EF195E5 00640102

diagnose settings

Use these commands to manage diagnostic settings:

diagnose settings info

diagnose settings reset

 

Variable

Description

info

List all diagnostic settings.

reset

Reset all diagnostic settings to their default settings.

Example output

S524DF4K15000024 # diagnose settings info
			
debug output:           disable
console timestamp:      disable
console no user log message:    disable
fsmgr debug level:      16 (0x10)
CLI debug level:        3

diagnose sniffer packet

Use this command to examine packets received on a specific interface:

diagnose sniffer packet <interface_name | any> <logical_filter | none> <verbose | 1-6> <sniffer_count> <timestamp_format>

 

Variable

Description

<interface_name | any>

Enter the name of a network interface or enter any to examine packets received on all interfaces.

<logical_filter | none>

Enter a logical filter or none. Use the following format for the filter:

'[[src|dst] host<IP_address>] [[src|dst] host<IP_address>] [[arp|ip|gre|esp|udp|tcp] [port_number]] [[arp|ip|gre|esp|udp|tcp] [port_number]]'

For example, to examine UDP packets received at port 1812 from host forti1 and host forti2 or forti3:

'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'

To examine TCP packets between two PCs through port 80:

diag sniffer packet internal 'host 192.168.0.130 and 192.168.0.1 and tcp port 80' 1

To examine packets with the RST flag set:

diagnose sniffer packet internal "tcp[13] & 4 != 0"

To examine packets with the destination MAC address of 00:09:0f:89:10:ea:

diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

<verbose | 1-6>

Set the level of detail for the results:
  • verbose — Display all details.
  • 1 — Include the packet header.
  • 2 — Include the packet header and IP address data.
  • 3 — Include the packet header and Ethernet address data (if available).
  • 4— Include the packet header and interface name.
  • 5 — Include the packet header, interface name, and IP address data.
  • 6 — Include the packet header, interface name, and Ethernet address data (if available).

<sniffer_count>

Enter the number of packets to examine.

<timestamp_format>

Enter a for UTC time (yyyy-mm-dd hh:mm:ss.ms) or enter the number of minutes and seconds after the start of the packet examination (ss.ms).

Example output

S524DF4K15000024 # diagnose sniffer packet any
interfaces=[any]
filters=[none]
0.977537 arp who-has 192.168.0.10 tell 192.168.1.99
0.977755 127.0.0.1 -> 0.0.0.0: icmp: type-#20
1.057565 224.0.0.18 -> 33.5.255.1:  ip-proto-10 (frag 65392:4294967276@1336+)
1.057578 802.1Q vlan#8 P0 -- 224.0.0.18 -> 33.5.255.1:  ip-proto-10 (frag 65392:4294967276@1336+)
1.113131 arp who-has 10.105.16.1 tell 10.105.19.8
1.977047 arp who-has 192.168.0.10 tell 192.168.1.99
1.990059 127.0.0.1 -> 0.0.0.0: icmp: type-#20
...

S524DF4K15000024 # diagnose sniffer packet internal none verbose
interfaces=[internal]
filters=[none]
pcap_lookupnet: internal: no IPv4 address assigned
0.840645 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18:  ip-proto-112 20
1.113149 arp who-has 192.168.0.10 tell 192.168.1.99
1.850162 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18:  ip-proto-112 20
2.109899 arp who-has 192.168.0.10 tell 192.168.1.99
2.859653 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18:  ip-proto-112 20
3.109412 arp who-has 192.168.0.10 tell 192.168.1.99
3.869169 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18:  ip-proto-112 20
4.128948 arp who-has 192.168.0.10 tell 192.168.1.99
...

S524DF4K15000024 # diagnose sniffer packet internal none 3 10 a
interfaces=[internal]
filters=[none]
pcap_lookupnet: internal: no IPv4 address assigned
2017-10-11 16:09:42.393816 arp who-has 192.168.0.10 tell 192.168.1.99
0x0000   ffff ffff ffff 085b 0ef1 95e5 0806 0001        .......[........
0x0010   0800 0604 0001 085b 0ef1 95e5 c0a8 0163        .......[.......c
0x0020   0000 0000 0000 c0a8 000a                       ..........

2017-10-11 16:09:42.483785 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18:  ip-proto-112 20
0x0000   0100 5e00 0012 0000 5e00 0105 8100 0008        ..^.....^.......
0x0010   0800 45c0 0028 8fec 0000 ff70 369c 0a0a        ..E..(.....p6...
0x0020   0a01 e000 0012 2105 ff01 0001 d392 0b01        ......!.........
0x0030   0164 0000 0000 0000 0000                       .d........
...

diagnose snmp

Use these commands to display SNMP information:

diagnose snmp ip frags

diagnose snmp trap send

 

Variable

Description

ip frags

Display fragmentation and reassembly information

trap send

Generate a trap event and send it to the SNMP daemon.

Example output

S524DF4K15000024 # diagnose snmp ip frags
			
ReasmTimeout = 0
ReasmReqds   = 0
ReasmOKs     = 0
ReasmFails   = 0
FragOKs      = 0
FragFails    = 0
FragCreates  = 0

diagnose stp instance list

Use this command to display information about Multiple Spanning Tree Protocol (MSTP) instances:

diagnose stp instance list <STP_ID> <port_number>

 

To create an STP instance, see config switch stp instance.

Variable

Description

<STP_ID>

Enter the STP identifier. If you enter a higher number than the valid range, the results for all STP instances are displayed. If no STP identifier is specified, results for all STP instances are displayed.

<port_number>

Enter the port number. If no port number is specified, results for all physical ports are displayed.

Example output

S524DF4K15000024 # diagnose stp instance list 0 MST Instance Information, primary-Channel: Instance ID 0 (CST) Config Priority 32768 Bridge MAC 085b0ef195e4, MD5 Digest 40d5eca178c657835c83bbcb16723192 Root MAC 085b0ef195e4, Priority 32768, Path Cost 0, Remaining Hops 20 (This bridge is the root) Regional Root MAC 085b0ef195e4, Priority 32768, Path Cost 0 (This bridge is the regional root) Active Times Forward Time 15, Max Age 20, Remaining Hops 20 TCN Events Triggered 1 (1d 0h 19m 56s ago), Received 0 (1d 0h 19m 56s ago) Port Speed Cost Priority Role State HelloTime Flags ________________ ______ _________ _________ ___________ __________ _________ ______________ port1 - 200000000 128 DISABLED DISCARDING 2 EN ED port3 - 200000000 128 DISABLED DISCARDING 2 EN ED port4 - 200000000 128 DISABLED DISCARDING 2 EN ED port5 - 200000000 128 DISABLED DISCARDING 2 EN ED port6 - 200000000 128 DISABLED DISCARDING 2 EN ED port7 - 200000000 128 DISABLED DISCARDING 2 EN ED port8 - 200000000 128 DISABLED DISCARDING 2 EN ED port9 - 200000000 128 DISABLED DISCARDING 2 EN ED port10 - 200000000 128 DISABLED DISCARDING 2 EN ED port11 - 200000000 128 DISABLED DISCARDING 2 EN ED port12 - 200000000 128 DISABLED DISCARDING 2 EN ED port13 - 200000000 128 DISABLED DISCARDING 2 EN ED port14 - 200000000 128 DISABLED DISCARDING 2 EN ED port17 - 200000000 128 DISABLED DISCARDING 2 EN ED port18 - 200000000 128 DISABLED DISCARDING 2 EN ED port19 - 200000000 128 DISABLED DISCARDING 2 EN ED port20 - 200000000 128 DISABLED DISCARDING 2 EN ED port21 - 200000000 128 DISABLED DISCARDING 2 EN ED port22 - 200000000 128 DISABLED DISCARDING 2 EN ED port23 - 200000000 128 DISABLED DISCARDING 2 EN ED port24 - 200000000 128 DISABLED DISCARDING 2 EN ED port25 - 200000000 128 DISABLED DISCARDING 2 EN ED port26 - 200000000 128 DISABLED DISCARDING 2 EN ED port27 - 200000000 128 DISABLED DISCARDING 2 EN ED port28 - 200000000 128 DISABLED DISCARDING 2 EN ED port29 - 200000000 128 DISABLED DISCARDING 2 EN ED port30 - 200000000 128 DISABLED DISCARDING 2 EN ED internal 1G 20000 128 DESIGNATED FORWARDING 2 ED Mclag-icl-trunk - 200000000 128 DISABLED DISCARDING 2 ED first-mclag - 200000000 128 DISABLED DISCARDING 2 EN ED Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)

diagnose stp mst-config list

Use this command to display the MSTP configuration:

diagnose snmp mst-config list

 

To configure an MSTP instance, see config switch stp settings.

Example output

S524DF4K15000024 # diagnose stp mst-config list

MST Configuration Identification Information

Unit: primary
MST Configuration Name: region1
MST Configuration Revision: 1
MST Configuration Digest: ac36177f50283cd4b83821d8ab26de62

Instance ID      Mapped VLANs     Priority
____________________________________________________
	0                           32768
	1                            8192

diagnose stp rapid-pvst-port

Use these commands to diagnose the interoperation with per-VLAN RSTP (Rapid PVST+ or RPVST+):

diagnose stp rapid-pvst-port clear [<port_name>]

diagnose stp rapid-pvst-port list [<port_name>]

Variable

Description

clear [<port_name>]

Clear all flags and timers on the RPVST+ port.

list [<port_name>]

Show the status of one port or all ports. If any of the ports is in the “IC” state, the command output gives the reason: VLAN priority inconsistent, VLAN configuration mismatch, or both.

diagnose stp vlan list

Use this command to display the MSTP information for a specific VLAN:

diagnose stp vlan list <VLAN_ID>

Variable

Description

<VLAN_ID>

Enter the VLAN identifier. The value range is 1-4095.

Example output

S524DF4K15000024 # diagnose stp vlan list 10 MST Instance Information, primary-Channel: Instance ID : 0 Switch Priority : 32768 Root MAC Address : 085b0ef195e4 Root Priority: 32768 Root Pathcost: 0 Regional Root MAC Address : 085b0ef195e4 Regional Root Priority: 32768 Regional Root Path Cost: 0 Remaining Hops: 20 This Bridge MAC Address : 085b0ef195e4 This bridge is the root Port Speed Cost Priority Role State Edge STP-Status Loop Protection ________________ ______ _________ _________ ___________ __________ ____ __________ ________ port1 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port2 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port3 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port4 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port5 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port6 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port9 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port10 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port11 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port12 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port13 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port14 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port15 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port16 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port17 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port18 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port19 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port20 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port21 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port22 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port23 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port24 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port25 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port26 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port27 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port28 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port29 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port30 - 200000000 128 DISABLED DISCARDING YES ENABLED NO internal 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO

diagnose switch 802-1x status

Use this command to display the status of a port using IEEE 802.1x authentication:

diagnose switch 802-1x status [<port_name>]

 

Variable

Description

[<port_name>]

Enter the port name. If the port is not specified, the status of all 802.1x-authenticated ports is returned. In the output, the value in the “Traffic-Vlan” column is the VLAN where the client was successfully authenticated.

To enable IEEE 802.1x authentication on a port, see config switch interface.

Example output

S548DF4K15000195 # diagnose switch 802-1x status

	port3 : Mode: mac-based (mac-by-pass disable)
		Link: Link up
		Port State: authorized: ( )
		EAP pass-through : Enable
		EAP auto-untagged-vlans : Disable
		Quarantine VLAN (4093) detection : Enable
		Native Vlan : 10
		Allowed Vlan list: 10,15
		Untagged Vlan list: 10
		Guest VLAN :
		Auth-Fail Vlan :

		Switch sessions 2/240, Local port sessions:2/20
		Client MAC Type                 Traffic-Vlan         Dynamic-Vlan
		94:10:3e:b9:12:65 802.1x             10                   0
		cc:5a:53:5f:d5:16 802.1x             10                   15

Sessions info:
94:10:3e:b9:12:65 Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=8 params:reAuth=3600
cc:5a:53:5f:d5:16 Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=7 params:reAuth=3600

diagnose switch acl counter

Use these commands to display information about access control lists (ACLs):

diagnose switch acl counter all

diagnose switch acl counter app <name>

diagnose switch acl counter id <policy_ID>

diagnose switch acl counter list-apps

Variable

Description

all

List all applications using ACL counters.

app <name>

List ACL counters for this application.

id <policy_ID>

List the ACL counter for this ACL policy identifier.

list-apps

List application names that use ACL counters.

Example output

S524DF4K15000024 # diagnose switch acl counter list-apps
			
Application              Policy ID Range
_______________________________________________

loop-gaurd                (2049-2049)
l3-arp-req                (2050-2050)
l3-arp-reply              (2051-2051)
dst-mac                   (2052-2052)
bfd-single-hop            (2053-2053)
bfd-multi-hop             (2054-2054)
ospf                      (2055-2055)
rip                       (2056-2056)
mclag                     (2057-2057)
mclag-l3-arp-req          (2058-2058)
mclag-l3-arp-reply        (2059-2059)
mclag-bfd-single-hop      (2060-2060)
mclag-bfd-multi-hop       (2061-2061)
mclag-ospf                (2062-2062)
mclag-rip                 (2063-2063)
fortilink                 (2064-2064)
fortilink-1               (2065-2065)
mclag-fortilink           (2066-2066)
mclag-icl                 (2067-2067)
mac-sa-mcast              (2068-2068)
forti-trunk               (2069-2069)
vwire                     (2304-2367)
vwire-acl                 (2368-133503)
dhcp-snooping             (133504-141695)
arp-snooping              (141696-145792)
access-vlan               (145793-149889)
network-monitor           (149890-149930)

diagnose switch acl hw-entry-index

NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Use this command to find the hardware mapping for the specified ACL policy identifier:

diagnose switch acl hw-entry-index <id>

Variable

Description

<id>

Enter the ACL policy identifier.

Example output

S124EP4N17000016 # diagnose switch acl hw-entry-index 1

ID HW-INDEX AGG CNTR-IDX
_________________________________________

000001 896 n 7

diagnose switch acl schedule

Use this command to list ACL policies with a schedule:

diagnose switch acl schedule egress

diagnose switch acl schedule ingress

diagnose switch acl schedule prelookup

Variable

Description

egress

List all ACL egress policies with a schedule.

ingress

List all ACL ingress policies with a schedule.

prelookup

List all ACL prelookup policies with a schedule.

Example output

S524DF4K15000024 # diagnose switch acl schedule ingress
ACL Ingress Name
1	In Schedule

diagnose switch arp-inspection stats clear

Use this command to delete dynamic ARP inspection statistics:

diagnose switch arp-inspection stats clear <VLAN_ID>

Variable

Description

<VLAN_ID>

Enter a single VLAN identifier or a range of VLAN identifiers separated by commas. For example: 1,3-4,6,7,9-100

To enable dynamic ARP inspection on a VLAN, see config switch vlan.

diagnose switch cpuq

NOTES:

  • Be careful about changing the CPU queue rate because the change is made directly to the hardware.
  • After the switch is rebooted, the CPU queue rate returns to the default value.
  • For the FS-108E and FS-124E families, the configured CPU queue rate has a 16-kbps granularity. Use the diagnose switch cpuq show command to see the actual queue rate.
  • For the FS-108E and FS-124E families, the CPU queue rate is more accurate with larger packets.

Use this command to display the CPU queue rate on the FSR-112D-POE, FS-1xxE, FS-2xx, FS-4xx, FS-5xx, FS-1xxx, and FS-3xxx families:

diagnose switch cpuq show

Use this command to change the CPU queue rate on the FSR-112D-POE, FS-2xx, FS-4xx, FS-5xx, FS-1xxx, and FS-3xxx families:

diagnose switch cpuq rate <queue_number> <new_pps_rate>

Use this command to change the CPU queue rate on the FS-108E and FS-124E families:

diagnose switch cpuq rate <queue_number> <new_Kbps_rate>

Variable

Description

show

Display the CPU queue rate for all queues.

rate <queue_number> <new_pps_rate>

Change the CPU queue rate for the specified queue to the new packets-per-second (PPS) rate.

diagnose switch cpuq rate <queue_number> <new_Kbps_rate>

Change the CPU queue rate for the specified queue to the new Kbps rate.

Example output (FS-548)

NOTE: The number of queues, queue classifications, and default CPU queue rates can differ among the FortiSwitch platforms.

S548DF5018000776 # diagnose switch cpuq show 
  Queue  |  Rate(pps) 
----------------------
  17        2000       (MIRROR/SFLOW)
  18        500        (L3_DEST_MISS)
  19        5000       (ARP_REQ)
  20        10000      (DEFAULT)
  21        1000       (NHOP)
  22        8000       (DHCP/OSPF/BFD/RIP/IGMP/FORTLINK_VLAN)
  23        6000       (ARP_REPLY)
  24        5000       (FORTILINK/MCLAG)
  25        1500       (BPDU/LOOPGUARD)

diagnose switch egress list

Use this command to display the port egress map:

diagnose switch egress list <port_name>

Variable

Description

<port_name>

Enter the port name.

Example output

S524DF4K15000024 # diagnose switch egress list port1

Switch Interface Egress Map, primary-Channel
Port Map: Name(Id):

port1(1)            port2(2)            port3(3)
port4(4)            port5(5)            port6(6)
port7(7)            port8(8)            port9(9)
port10(10)          port11(11)          port12(12)
port13(13)          port14(14)          port15(15)
port16(16)          port17(17)          port18(18)
port19(19)          port20(20)          port21(21)
port22(22)          port23(23)          port24(24)
port25(25)          port26(26)          port27(27)
port28(28)          port29(29)          port30(30)
internal(31)
cpu0(31)

Source Interface  Destination Ports
________________  ___________________________________
port1             1-6,9-31

diagnose switch ip-mac-binding entry

Use this command to display the counters for an IP-MAC binding entry:

diagnose switch ip-mac-binding entry <entry_ID>

Variable

Description

<entry_ID>

Enter an IP-MAC binding entry identifier.

To enable IP-MAC binding, see config switch global.

Example output

S524DF4K15000024 # diagnose switch ip-mac-binding entry 1

Binding Entry: 1
Binding IP: 1.20.168.172 255.255.255.255
Binding MAC: 00:21:CC:D2:76:72
Status: Enabled
Statistic:
Permit packets: 0x00
Drop packets: 0x00
-----------------------------------------------------

diagnose switch ip-source-guard hardware entry filter

Use these commands to select which IP source-guard entries to display:

diagnose switch ip-source-guard hardware entry filter clear

diagnose switch ip-source-guard hardware entry filter interface <interface_name>

diagnose switch ip-source-guard hardware entry filter ip <IPv4_address>

diagnose switch ip-source-guard hardware entry filter mac <MAC_address>

diagnose switch ip-source-guard hardware entry filter print

Variable

Description

clear

Remove the current filter.

interface <port_name>

Display entries for the specified port.

ip <IPv4_address>

Display entries for the specified IPv4 address.

mac <MAC_address> <mask>

Delete entries for the specified MAC address and mask.

print

Display the current filter.

diagnose switch ip-source-guard hardware entry list

Use this command to display all IP source-guard entries. Static entries were manually added by the config switch ip-source-guard command. Dynamic entries were added by DHCP snooping.

diagnose switch ip-source-guard hardware entry list

diagnose switch mac-address

Use these commands to manage the MAC address table:

diagnose switch mac-address delete {all | entry <xx:xx:xx:xx:xx:xx>}

diagnose switch mac-address filter clear

diagnose switch mac-address filter flags <flag bit pattern>

diagnose switch mac-address filter port-id-map <port-ID list>

diagnose switch mac-address filter show

diagnose switch mac-address filter trunk-id-map <trunk-ID list>

diagnose switch mac-address filter vlan-map <VLAN_list>

diagnose switch mac-address list

diagnose switch mac-address switch-port-macs-db

Variable

Description

delete {all | entry <xx:xx:xx:xx:xx:xx>}

Delete all MAC address entries or a specific MAC address entry.

filter clear

Delete the filter for the MAC address table list.

filter flags <flag bit pattern>

Specify the flag bit pattern to match. Use this pattern to mask important bits. This value is hexadecimal.

filter port-id-map <port-ID list>

List the port identifiers to display MAC addresses for. Separate the port identifiers with commas. For example: 1,3,5-17,19

filter show

Display the filter for the MAC address table list.

filter trunk-id-map <trunk-ID list>

List the trunk identifiers to display MAC addresses for. Separate the trunk identifiers with commas. For example: 1,2-4,77

filter vlan-map <VLAN_list>

List the VLAN identifiers to display MAC addresses for. Separate the VLAN identifiers with commans. For example: 1,2-4,77

list

List the MAC address entries and the total number of entries.

switch-port-macs-db

List which MAC addresses are assigned to local ports.

Example output

S524DF4K15000024 # diagnose switch mac-address filter show

flag bit pattern: 0x00000000
flag bit Mask:    0x00000000
vlan map: 0-4095
port-id map: 1,64
trunk-id map: 0-127

S524DF4K15000024 # diagnose switch mac-address list

MAC: 08:5b:0e:f1:95:e5  VLAN: 4094 Port: internal(port-id 31)
Flags: 0x00010460 [ static hit src-hit native ]

MAC: d6:dd:25:be:2c:43  VLAN: 1 Port: port1(port-id 1)
Flags: 0x00000020 [ static ]

Total Displayed: 2

S524DF4K15000024 # diagnose switch mac-address switch-port-macs-db

Total MACs : 30

MAC-1   : 08:5b:0e:f1:95:e6
MAC-2   : 08:5b:0e:f1:95:e8
MAC-3   : 08:5b:0e:f1:95:ea
MAC-4   : 08:5b:0e:f1:95:ec
MAC-5   : 08:5b:0e:f1:95:ee
MAC-6   : 08:5b:0e:f1:95:f0
MAC-7   : 08:5b:0e:f1:95:f2
MAC-8   : 08:5b:0e:f1:95:f4
MAC-9   : 08:5b:0e:f1:95:f6
MAC-10  : 08:5b:0e:f1:95:f8
MAC-11  : 08:5b:0e:f1:95:fa
MAC-12  : 08:5b:0e:f1:95:fc
MAC-13  : 08:5b:0e:f1:95:fe
MAC-14  : 08:5b:0e:f1:96:00
MAC-15  : 08:5b:0e:f1:96:02
MAC-16  : 08:5b:0e:f1:95:e7
MAC-17  : 08:5b:0e:f1:95:e9
MAC-18  : 08:5b:0e:f1:95:eb
MAC-19  : 08:5b:0e:f1:95:ed
MAC-20  : 08:5b:0e:f1:95:ef
MAC-21  : 08:5b:0e:f1:95:f1
MAC-22  : 08:5b:0e:f1:95:f3
MAC-23  : 08:5b:0e:f1:95:f5
MAC-24  : 08:5b:0e:f1:95:f7
MAC-25  : 08:5b:0e:f1:95:f9
MAC-26  : 08:5b:0e:f1:95:fb
MAC-27  : 08:5b:0e:f1:95:fd
MAC-28  : 08:5b:0e:f1:95:ff
MAC-29  : 08:5b:0e:f1:96:01
MAC-30  : 08:5b:0e:f1:96:03

diagnose switch macsec statistics

Use this command to display MACsec traffic statistics for the specified port. If no port is specified, statistics for all ports are returned.

diagnose switch macsec statistics [<port_name>]

diagnose switch macsec status

Use this command to display the MACsec status of the specified port. If no port is specified, the status for all ports is returned.

diagnose switch macsec status [<port_name>]

diagnose switch managed-switch

Use this command to display information about the FortiSwitch unit when it is managed by a FortiGate unit:

diagnose switch managed-switch dump xlate-vlan

diagnose switch mclag

Use these commands to manage information about MCLAGs:

diagnose switch mclag clear-stats {all | icl | mclag <trunk_name>}

diagnose switch mclag icl

diagnose switch mclag list <trunk_name>

Variable

Description

clear-stats {all | icl | mclag}

Delete statistics for all MCLAGs, delete MCLAG ICLs, or delete the statistics for the MCLAG with the specified trunk.

icl

List all inter-chassis links (ICLs).

list <trunk_name>

Display statistics for the MCLAG with the specified trunk.

To set up an MCLAG, see config switch trunk.

Example output

S524DF4K15000024 # diagnose switch mclag icl
			
MCLAG-ICL-trunk
	icl-ports            port15 port16
	egress-block-ports   none
	interface-mac        08:5b:0e:f1:95:e5
	lacp-serial-number   S524DF4K15000024
	peer-info            N/A
	keepalive interval   1
	keepalive timeout    30

Counters

diagnose switch mirror auto-config

Use these commands to manage switch mirroring using ERSPAN encapsulation with automatically configured header contents:

diagnose switch mirror auto-config restart

diagnose switch mirror auto-config status

Variable

Description

restart

Restart the ERSPAN mirroring daemon.

status

Display the status of the ERSPAN mirroring.

Example output

S524DF4K15000024 # diagnose switch mirror auto-config status 
Session name: 
Last update: never
Error msg: 
State: None
Flags: 0x00000000 ()
 
Config:
	Last good config update: never
 
Route Lookup:
	Last good route update: never
	Collector IP: 0.0.0.0
	Nexthop IP: 0.0.0.0
	SVI name: 
	SVI devindex: 0
	SVI source MAC: 00:00:00:00:00:00
	SVI VLAN: 0
	SVI source IP: 0.0.0.0
 
Nexthop ARP resolution:
	Last good ARP update: never
	Nexthop MAC: 00:00:00:00:00:00
 
Switching table resolution:
	Last good update: never
	L2 result: MAC: 00:00:00:00:00:00 VLAN: 0
			port-id: 0 Flags: 0x00000000
	Switch interface: 
	Switch interface VLAN 0: untagged
 
Hardware updates:
	Last good update: never
	Last failed update: never
	Last update return: 0:Success.
 
Resolved/Running state:
	Last entered: never
	Last left: never

diagnose switch mirror hardware status

Use this command to display information about the driver-level and hardware-level switch mirroring:

diagnose switch mirror hardware status

Example output

S524DF4K15000024 # diagnose switch mirror hardware status
			 
[flink.sniffer]===========================
  Installed           : no (  inactive)

diagnose switch modules

Use these commands to display information about physical layer (PHY) modules:

diagnose switch modules eeprom <physical_port_name>

diagnose switch modules state-machine <physical_port_name>

Variable

Description

eeprom

Display fragmentation and reassembly information

trap send

Generate a trap event and send it to the SNMP daemon.

Example output

S524DF4K15000024 # diagnose switch modules state-machine port10

DMI Status
----------------------------------
monitor_interval   10 minutes
next_monitor_in    0:44
dmi_trace          0
alarm_trap_enabled 0
num_ports          30
mod_pres           0x0000000000000000
mod_rxlos          0x0000000000000000
state_runs         62380
state_transitions  6

	    Module Summary            |              |    Alarm - Warning Flags    |
			 	  DMI |    Module    |Temp | Vcc |TxBia|TxPwr|RxPwr|
port | curr state | prev state | -IC | Type | State |Hi|Lo|Hi|Lo|Hi|Lo|Hi|Lo|Hi|Lo|
----------------------------------------------------------------------------------
 1 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 2 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 3 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 4 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 5 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 6 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 7 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 8 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 9 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
10 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
11 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
12 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
13 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
14 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
15 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
16 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
17 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
18 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
19 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
20 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
21 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
22 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
23 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
24 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
25 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
26 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
27 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
28 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
29 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
30 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|

diagnose switch mrp

Use these commands to display information about the Media Redundancy Protocol (MRP):

diagnose switch mrp clear

diagnose switch mrp stats

diagnose switch mrp status

Variable

Description

clear

Delete the MRP statistics for the manager node.

stats

Display the Manager MRP statistics for the manager node.

status

Display the current MRP status.

diagnose switch network-monitor

Use these commands to manage information produced by network monitoring:

diagnose switch network-monitor cfg-stats

diagnose switch network-monitor clear-db

diagnose switch network-monitor dump-l2-db

diagnose switch network-monitor dump-l3-db

diagnose switch network-monitor dump-monitors

diagnose switch network-monitor parser-stats

Variable

Description

cfg-stats

Display network-monitoring configuration statistics.

clear-db

Delete all network-monitoring database entries.

dump-l2-db

List all detected devices from the layer-2 database.

dump-l3-db

List all detected devices from the layer-3 database.

dump-monitors

List the monitors used for survey-mode network monitoring.

parser-stats

List the network-monitoring parser statistics.

Example output

S524DF4K15000024 # diagnose switch network-monitor cfg-stats
Network Monitor Configuration Statistics:
----------------------------------
Adds         : 1
Deletes      : 0
Free Entries : 19
			
S524DF4K15000024 # diagnose switch network-monitor dump-monitors
Entry ID       Monitor Type       Monitor MAC      Packet-count
=================================================================
1               directed-mode   00:25:00:61:64:6d       0
2               survey-mode     08:5b:0e:f1:95:e5       0
3               survey-mode     08:5b:0e:f1:95:e5       0
4               survey-mode     08:5b:0e:f1:95:e5       0
5               survey-mode     00:00:5e:00:01:05       0
6               survey-mode     08:5b:0e:f1:95:e5       0
7               survey-mode     00:21:cc:d2:76:72       0

S524DF4K15000024 # diagnose switch network-monitor parser-stats
Network Monitor Parser Statistics:
----------------------------------
Arp         : 0
Ip          : 0
Udp         : 0
Tcp         : 0
Dhcp        : 0
Eapol       : 0
Unsupported : 0

diagnose switch pdu-counters

Use these commands to manage information from switch packet PDU counters:

diagnose switch pdu-counters clear

diagnose switch pdu-counters list

Variable

Description

clear

Clear switch packet PDU counters.

list

List nonzero switch packet PDU counters.

Example output

S548DN5018000377 # diagnose switch pdu-counters list 
primary CPU counters:
	packet receive error : 0
	Non-zero port counters:
	port1:
		IGMP Membership Report : 45
		IGMP Membership Leave : 3
		IGMPv3 Membership Report : 69002
	port13:
		IGMP Query packet : 50794
		IGMPv3 Membership Report : 50794
	port47:
		LACP packet : 15474
		STP packet : 237919
		LLDP packet : 168194
		IGMP Query packet : 50757
		IGMP Membership Report : 29
		IGMP Membership Leave : 1
	port48:
		LACP packet : 15475
		STP packet : 6
		LLDP packet : 168192
	port51:
		IGMP Membership Report : 19
		IGMP Membership Leave : 4
		IGMPv3 Membership Report : 4

diagnose switch physical-ports cable-diag

Use this command to display the results of a time-domain reflectometer (TDR) diagnostic test on the specified port.

diagnose switch physical-ports cable-diag <port_name>

Example output

S524DF4K15000024 # diagnose switch physical-ports cable-diag port1
port1:  cable (4 pairs, length +/- 10 meters)
	pair A Open, length 0 meters
	pair B Open, length 0 meters
	pair C Open, length 0 meters
	pair D Open, length 0 meters

diagnose switch physical-ports datarate

Use this command to display the number of packets received and transmitted on the specified ports as well as the data rate. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.

diagnose switch physical-ports datarate [<port_list>]

Example output

S524DF4K15000024 # diagnose switch physical-ports datarate 1,3,4-6
Rate Display Mode: DATA_RATE
Port       |  TX Packets     |  TX Rate        ||  RX Packets |  RX Rate      |
----------------------------------------------------------------------------------
	port1 |               0 |     0.0000 Mbps ||           0 |   0.0000 Mbps |
	port3 |               0 |     0.0000 Mbps ||           0 |   0.0000 Mbps |
	port4 |               0 |     0.0000 Mbps ||           0 |   0.0000 Mbps |
	port5 |               0 |     0.0000 Mbps ||           0 |   0.0000 Mbps |
	port6 |               0 |     0.0000 Mbps ||           0 |   0.0000 Mbps |
----------------------------------------------------------------------------------
			|     0.0000 Mbps ||             |   0.0000 Mbps |
			
ctrl-c to stop

diagnose switch physical-ports eee-status

Use this command to display whether the specified port has energy-efficient Ethernet (EEE) enabled. If the port is not specified, the status of all ports is displayed.

diagnose switch physical-ports eee-status [<port_name>]

Example output

S524DF4K15000024 # diagnose switch physical-ports eee-status port9

Portname  State     RX-LPI-Status  TX-LPI-Status  TX(ms)  RX(ms)  TX-Resolved(ms)  RX-Resolved(ms)
--------------------------------------------------------------------------------------------------
port9     Enabled   Inactive       Inactive            0       0                0                0

diagnose switch physical-ports hw-counter

Use these commands to display information about counters:

diagnose switch physical-ports hw-counter add {rx | tx} <counter_id> <counter|counter|counter...>

diagnose switch physical-ports hw-counter clear {rx | tx} <counter_id>

diagnose switch physical-ports hw-counter info

diagnose switch physical-ports hw-counter remove {rx | tx} <counter_id> <counter|counter|counter...>

diagnose switch physical-ports hw-counter search <port_name> <interval_seconds> <counter|counter|counter...>

diagnose switch physical-ports hw-counter search-cancel

diagnose switch physical-ports hw-counter search-results

diagnose switch physical-ports hw-counter show {rx | tx | all} <port_name>

Variable

Description

hw-counter add {rx | tx} <counter_id> <counter|counter|counter...>

Add trigger flags to a specified counter.

hw-counter clear {rx | tx} <counter_id>

Clear a specific counter.

hw-counter info

Display the supported trigger flags (RX and TX).

hw-counter remove {rx | tx} <counter_id> <counter|counter|counter...>

Remove trigger flags from the specified counters.

hw-counter search <port_name> <interval_seconds> <counter|counter|counter...>

Retrieve the data for the specified triggers on a specified port within the interval in seconds.

hw-counter search-cancel

Cancel the currently running search.

hw-counter search-results

Display the last search results.

hw-counter show {rx | tx | all} <port_name>

Show all trigger flags and statistics on a specified port.

Example output

S524DF4K15000024 # diagnose switch physical-ports hw-counter show all port9 
----------------------------------------------------------------------------------
|                              Counter Statistics (port:9)                        
----------------------------------------------------------------------------------
|Type|Counter ID|       Value        |           Trigger Flags Enabled     
----------------------------------------------------------------------------------
| Rx |         0|                   0|RIPD4 RIPD6 RDISC RPORTD PDISC     
|    |          |                    | RFILDR RDROP VLANDR               
----------------------------------------------------------------------------------
| Rx |         1|                   0|IMBP                               
----------------------------------------------------------------------------------
| Rx |         2|                   0|RIMDR                              
----------------------------------------------------------------------------------
| Tx |         0|                   0|TGIP6 TGIPMC6                      
----------------------------------------------------------------------------------
| Tx |         1|                   0|TIPD6 TIPMCD6                      
----------------------------------------------------------------------------------
| Tx |         2|                   0|TGIPMC6                            
----------------------------------------------------------------------------------
| Tx |         3|                   0|TPKTD                              
----------------------------------------------------------------------------------
| Tx |         4|                   0|TGIP4 TGIP6                        
----------------------------------------------------------------------------------
| Tx |         5|                   0|TIPMCD4 TIPMCD6                    
----------------------------------------------------------------------------------
| Tx |         6|                   0|THIGIG2                            
----------------------------------------------------------------------------------

diagnose switch physical-ports io-stats

Use these commands to display information about input/output packet statistics:

diagnose switch physical-ports io-stats clear-local <port_list>

diagnose switch physical-ports io-stats cumulative

diagnose switch physical-ports io-stats list [<port_list>]

Variable

Description

io-stats clear-local <port_list>

Delete the statistics for input and output packets for the specified ports. Use commas to separate ports. For example: 1,3,4-6

io-stats cumulative

Display the cumulative statistics for input and output packets for all ports.

io-stats list [<port_list>]

List the statistics for input and output packets for the specified ports. If the ports are not specified, the statistics for all ports are displayed.

Example output

S524DF4K15000024 # diagnose switch physical-ports io-stats cumulative
Cumulative IO Stats:
RX PacketsBpdu                             69035
RX PacketsL3RxCpu                          1020
RX PacketsRxAll                            112157
RX PacketsFlpOrIGMP                        39831
----------------------------------------------------------------------------------

diagnose switch physical-ports led-flash

Use this command to flash all port LEDs on and off for a specified number of minutes so that a particular switch can be identified. Valid times are 5, 15, 30, or 60 minutes. Use disable to stop the LEDs from flashing.

diagnose switch physical-ports led-flash disable

diagnose switch physical-ports led-flash {5 | 15 | 30 | 60}

diagnose switch physical-ports linerate

Use this command to display the number of packets received and transmitted on the specified ports as well as the line rate. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.

diagnose switch physical-ports linerate [<port_list>]

Example output

S524DF4K15000024 # diagnose switch physical-ports linerate 1,3,4-6
Rate Display Mode: LINE_RATE
Port      |  TX Packets    |  TX Rate        ||  RX Packets    |  RX Rate        |
----------------------------------------------------------------------------------
port1 |              0 |     0.0000 Mbps ||              0 |     0.0000 Mbps |
port3 |              0 |     0.0000 Mbps ||              0 |     0.0000 Mbps |
port4 |              0 |     0.0000 Mbps ||              0 |     0.0000 Mbps |
port5 |              0 |     0.0000 Mbps ||              0 |     0.0000 Mbps |
port6 |              0 |     0.0000 Mbps ||              0 |     0.0000 Mbps |
----------------------------------------------------------------------------------
|     0.0000 Mbps ||                |     0.0000 Mbps |	
			
ctrl-c to stop

diagnose switch physical-ports list

Use this command to display the details for the specified port. If the port is not specified, the details for all ports are displayed.

diagnose switch physical-ports list [<port_name>]

Example output

S524DF4K15000024 # diagnose switch physical-ports list port1

Port(port1) is Admin up, line protocol is down
Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
Address is 08:5B:0E:F1:95:E6, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
half-duplex, 0 Mb/s, link type is auto
input  : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers

diagnose switch physical-ports mapping

Use this command to display which drivers are associated with which ports:

diagnose switch physical-ports mapping

Example output

S524DF4K15000024 # diagnose switch physical-ports mapping
Unmapped port IDs:
Userspace         |           Driver
Port Name            PortID | Unit   Port   Driver Name
-------------------- ------ | ------ ------ ----------------
port1                     1 |      0      2 ge1
port2                     2 |      0      1 ge0
port3                     3 |      0      3 ge2
port4                     4 |      0      4 ge3
port5                     5 |      0      6 ge5
port6                     6 |      0      5 ge4
port7                     7 |      0      7 ge6
port8                     8 |      0      8 ge7
port9                     9 |      0     10 ge9
port10                   10 |      0      9 ge8
port11                   11 |      0     11 ge10
port12                   12 |      0     12 ge11
port13                   13 |      0     14 ge13
port14                   14 |      0     13 ge12
port15                   15 |      0     15 ge14
port16                   16 |      0     16 ge15
port17                   17 |      0     18 ge17
port18                   18 |      0     17 ge16
port19                   19 |      0     19 ge18
port20                   20 |      0     20 ge19
port21                   21 |      0     22 ge21
port22                   22 |      0     21 ge20
port23                   23 |      0     23 ge22
port24                   24 |      0     24 ge23
port25                   25 |      0     42 xe0
port26                   26 |      0     43 xe1
port27                   27 |      0     44 xe2
port28                   28 |      0     45 xe3
port29                   29 |      0     46 xe4
port30                   30 |      0     50 xe8
internal                 31 |      0      0 cpu0

diagnose switch physical-ports mdix-status

Use this command to display whether a specified port is a medium-dependent interface crossover (MDIX) port:

diagnose switch physical-ports mdix-status <port_name>

Example output

S524DF4K15000024 # diagnose switch physical-ports mdix-status port1
port1:  MDIX(Crossover)	

diagnose switch physical-ports port-stats

Use these commands to list port statistics for the specified ports or list port statistics that are not zero. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.

diagnose switch physical-ports port-stats [<port_list> | non-zero]

Example output

S524DF4K15000024 # diagnose switch physical-ports port-stats 1
			
port1 Port Stats:

Rx Bytes:                                             0
Rx Packets:                                           0
Rx Unicasts:                                          0
Rx NUnicasts:                                         0
Rx Multicasts:                                        0
Rx Broadcasts:                                        0
Rx Discards:                                          0
Rx Errors:                                            0
Rx Oversize:                                          0
Rx Pauses:                                            0
Rx IPMC Dropped:                                      0
Rx 64 Octets Packets:                                 0
Rx 65-127 Octets Packets:                             0
Rx 128-255 Octets Packets:                            0
Rx 256-511 Octets Packets:                            0
Rx 512-1023 Octets Packets:                           0
Rx 1024-1518 OctetsPackets:                           0
Rx 1519-2047 Octets Packets:                          0
Rx 2048-4095 Octets Packets:                          0
Rx 4096-9216 Octets Packets:                          0
Rx 9217-16383 Octets Packets:                         0
Rx L3 Packets:                                        0

Tx Bytes:                                             0
Tx Packets:                                           0
Tx Unicasts:                                          0
Tx NUnicasts:                                         0
Tx Multicasts:                                        0
Tx Broadcasts:                                        0
Tx Discards:                                          0
Tx Errors:                                            0
Tx Oversize:                                          0
Tx Pauses:                                            0
Tx IPMC Dropped:                                      0
Tx 64 Octets Packets:                                 0
Tx 65-127 Octets Packets:                             0
Tx 128-255 Octets Packets:                            0
Tx 256-511 Octets Packets:                            0
Tx 512-1023 Octets Packets:                           0
Tx 1024-1518 Octets Packets:                          0
Tx 1519-2047 Octets Packets:                          0
Tx 2048-4095 Octets Packets:                          0
Tx 4096-9216 Octets Packets:                          0
Tx 9217-16383 Octets Packets:                         0

Fragments:                                            0
Undersize:                                            0
Jabbers:                                              0
Collisions:                                           0
CRC Alignment Errors:                                 0
IPMC Bridged:                                         0
IPMC Routed:                                          0

----------------------------------------------------------------------------------

diagnose switch physical-ports qos-rates

Use these commands to display real-time egress QoS queue rates, including the data rate, line rate, and drop rate:

diagnose switch physical-ports qos-rates clear <port_list>

diagnose switch physical-ports qos-rates list [<port_list>]

diagnose switch physical-ports qos-rates non-zero

Variable

Description

qos-rates clear <port_list>

Delete the QoS statistics for the specified ports. If the ports are not specified, the statistics for all ports are deleted.

qos-rates list [<port_list>]

Display the real-time egress QoS queue rates for the specified ports. If the ports are not specified, the rates for all ports are displayed. Press Ctrl+c to stop the output.

qos-stats non-zero

Display only the real-time egress QoS queue rates that are not zero. Press Ctrl+c to stop the output.

Example output

S548DF5018000776 # diagnose switch physical-ports qos-rates non-zero

----------------------------  ---------------------------------------------
----------------------------  ---------------------------------------------
---------------------------  ---------------------------------------------

ctrl-c to 
port6 QoS Rates:  

queue |         PPS  | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) |
---------------------------------------------------------------------------
    7 |       0.0000 |     0.0000 |     0.0000 |     0.0000 |     0.0000 |
----------------------------  ---------------------------------------------

port28 QoS Rates:  

queue |         PPS  | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) |
---------------------------------------------------------------------------
    7 |       0.8466 |     0.0008 |     0.0010 |     0.0000 |     0.0000 |
----------------------------  ---------------------------------------------

internal QoS Rates:  

queue |         PPS  | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) |
---------------------------------------------------------------------------
   25 |       0.8472 |     0.0009 |     0.0010 |     0.0000 |     0.0000 |
----------------------------  ---------------------------------------------
			
ctrl-c to stop
^C

diagnose switch physical-ports qos-stats

Use these commands to display QoS statistics:

diagnose switch physical-ports qos-stats clear <port_list>

diagnose switch physical-ports qos-stats list [<port_list>]

diagnose switch physical-ports qos-stats non-zero

diagnose switch physical-ports qos-stats set-qos-counter-revert [<port_list>]

diagnose switch physical-ports qos-stats set-qos-counter-zero [<port_list>]

Variable

Description

qos-stats clear [<port_list>]

Delete the QoS statistics for the specified ports. If the ports are not specified, the statistics for all ports are deleted.

qos-stats list [<port_list>]

Display the QoS statistics for the specified ports. If the ports are not specified, the statistics for all ports are displayed.

qos-stats non-zero

List only QoS statistics that are not zero.

qos-stats set-qos-counter-revert [<port_list> ]

Restore QoS counters to direct hardware values for the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.

qos-stats set-qos-counter-zero [<port_list>]

Clear QoS counters (applies to all applications except SNMP) for the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.

Example output

S524DF4K15000024 # diagnose switch physical-ports qos-stats list 1

port1 QoS Stats:

queue |     unicast pkts |    unicast bytes |   multicast pkts |  multicast bytes
----------------------------------------------------------------------------------
0 |                0 |                0 |                0 |                0
1 |                0 |                0 |                0 |                0
2 |                0 |                0 |                0 |                0
3 |                0 |                0 |                0 |                0
4 |                0 |                0 |                0 |                0
5 |                0 |                0 |                0 |                0
6 |                0 |                0 |                0 |                0
7 |                0 |                0 |                0 |                0

queue |  ucast drop pkts | ucast drop bytes |  mcast drop pkts | mcast drop bytes
----------------------------------------------------------------------------------
0 |                0 |                0 |                0 |                0
1 |                0 |                0 |                0 |                0
2 |                0 |                0 |                0 |                0
3 |                0 |                0 |                0 |                0
4 |                0 |                0 |                0 |                0
5 |                0 |                0 |                0 |                0
6 |                0 |                0 |                0 |                0
7 |                0 |                0 |                0 |                0
----------------------------------------------------------------------------------

diagnose switch physical-ports queue-bandwidth-setting

Use these commands to display the bandwidth setting (kbps or percentage) for the egress queues. If the ports are not specified, the bandwidth setting for all egress queues are displayed.

diagnose switch physical-ports queue-bandwidth-setting [<port_list>]

Example output

S524DF4K15000024 # diagnose switch physical-ports queue-bandwidth-setting port23

port23 cosq bandwidth setting: (0: disabled)

port | q | KbpsMin  | KbpsMax
-------+---+----------+----------+
port23 | 0 |        0 |        0
port23 | 1 |        0 |        0
port23 | 2 |        0 |        0
port23 | 3 |        0 |        0
port23 | 4 |        0 |        0
port23 | 5 |        0 |        0
port23 | 6 |        0 |        0
port23 | 7 |        0 |        0

diagnose switch physical-ports set-counter-revert

Use this command to restore hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.

diagnose switch physical-ports set-counter-revert [<port_list>]

diagnose switch physical-ports set-counter-zero

Use this command to clear all hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.

diagnose switch physical-ports set-counter-zero [<port_list>]

diagnose switch physical-ports split-status

Use this command to display information about split ports:

diagnose switch physical-ports split-status

Example output

S524DF4K15000024 # diagnose switch physical-ports split-status
Port Name        Split Phy Name         Port Index       Child Index
---------------- ----- ---------------- ---------------- ----------
port29           No    -                29               -
port30.1         Yes   port30           30               0
port30.2         Yes   port30           32               1
port30.3         Yes   port30           33               2
port30.4         Yes   port30           34               3

diagnose switch physical-ports stats

Use these commands to display counter statistics:

diagnose switch physical-ports stats clear-local <port_list>

diagnose switch physical-ports stats list [<port_list>]

diagnose switch physical-ports stats non-zero

Variable

Description

stats clear-local <port_list>

Delete the statistics for received and transmitted packets for the specified ports for only the local session. Use commas to separate ports. For example: 1,3,4-6

stats list [<port_list>]

List the statistics for received and transmitted packets for the specified ports. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.

stats non-zero

List the statistics for counters that are not zero.

Example output

S524DF4K15000024 # diagnose switch physical-ports stats list
Port     | TX Packets |  TX bytes   || RX Packets |  RX Bytes  | RX L3 Packets |
----------------------------------------------------------------------------------
port1 |          0 |          0 ||           0 |          0 |             0 |
port2 |          0 |          0 ||           0 |          0 |             0 |
port3 |          0 |          0 ||           0 |          0 |             0 |
port4 |          0 |          0 ||           0 |          0 |             0 |
port5 |          0 |          0 ||           0 |          0 |             0 |
port6 |          0 |          0 ||           0 |          0 |             0 |
port7 |          0 |          0 ||           0 |          0 |             0 |
port8 |          0 |          0 ||           0 |          0 |             0 |
port9 |          0 |          0 ||           0 |          0 |             0 |
port10 |          0 |          0 ||           0 |          0 |             0 |
port11 |          0 |          0 ||           0 |          0 |             0 |
port12 |          0 |          0 ||           0 |          0 |             0 |
port13 |          0 |          0 ||           0 |          0 |             0 |
port14 |          0 |          0 ||           0 |          0 |             0 |
port15 |          0 |          0 ||           0 |          0 |             0 |
port16 |          0 |          0 ||           0 |          0 |             0 |
port17 |          0 |          0 ||           0 |          0 |             0 |
port18 |          0 |          0 ||           0 |          0 |             0 |
port19 |          0 |          0 ||           0 |          0 |             0 |
port20 |          0 |          0 ||           0 |          0 |             0 |
port21 |          0 |          0 ||           0 |          0 |             0 |
port22 |          0 |          0 ||           0 |          0 |             0 |
port23 |          0 |          0 ||           0 |          0 |             0 |
port24 |          0 |          0 ||           0 |          0 |             0 |
port25 |          0 |          0 ||           0 |          0 |             0 |
port26 |          0 |          0 ||           0 |          0 |             0 |
port27 |          0 |          0 ||           0 |          0 |             0 |
port28 |          0 |          0 ||           0 |          0 |             0 |
port29 |          0 |          0 ||           0 |          0 |             0 |
port30 |          0 |          0 ||           0 |          0 |             0 |
internal |        393 |    9343000 ||           0 |          0 |             0 |

diagnose switch physical-ports summary

Use this command to display a summary about the specified physcial port. If the port is not specified, summaries for all ports are displayed.

diagnose switch physical-ports summary [<port_name>]

Example output

S524DF4K15000024 # diagnose switch physical-ports summary port1

Portname    Status  Tpid  Vlan  Duplex  Speed  Flags       Discard
__________  ______  ____  ____  ______  _____  __________  _________

port1       down    8100  1     half    -        ,  ,      none

Flags: QS(802.1Q) QE(802.1Q-in-Q,external) QI(802.1Q-in-Q,internal)
TS(static trunk) TF(forti trunk) TL(lacp trunk); MD(mirror dst)
MI(mirror ingress) ME(mirror egress) MB(mirror ingress and egress) CF (Combo Fiber), CC (Combo Copper)

diagnose switch physical-ports virtual-wire list

Use this command to list all virtual wires:

diagnose switch physical-ports virtual-wire list

Example output

S524DF4K15000024 # diagnose switch physical-ports virtual-wire list
port7(7) to port8(8) TPID: 0xdee5 VLAN: 70

diagnose switch poe status

Use this command to display power over Ethernet (PoE) information for a specific port:

diagnose switch poe status <physicial_port_name>

Variable

Description

<physicial_port_name>

Enter the port name.

Example output

S524DF4K15000024 # diagnose switch poe status port1

Port(1) Power:0.00W,    Power-Status: Searching
Power-Up Mode: Normal Mode
Remote Power Device Type: PD None
Power Class: 0
Defined Max Power: 0.00W, Priority: Low.
Voltage: 54.90V
Current: 0mA

diagnose switch ptp port add-link-delay

Use this command to add an estimated link delay in nanosecods to the specified poort. Adding a link delay helps with debugging, and the setting is cleared when the switch is rebooted:

diagnose switch ptp port add-link-delay <port_name> <estimated_link_delay>

Example output

S548DN4K15000008 # diagnose switch ptp port add-link-delay port49 500
Adding port49's link_delay 500(ns).

diagnose switch ptp port get-link-delay

Use this command to display link-delay information for the specified port:

diagnose switch ptp port get-link-delay <port_name>

Example output

S548DN4K15000008 # diagnose switch ptp port get-link-delay port49

Portname     Speed  Link-Delay
__________   _____  ___________

port49       10G     500ns

diagnose switch qnq dtag-cfg

Use this command to display information about the VLAN stacking (QinQ) configuation:

diagnose switch qnq dtag-cfg

Example output

S548DF5018000776 # diagnose switch qnq dtag-cfg 

Port Name  | QinQ Mode       | Add Inner-Tag   | Remove Inner-Tag  | Priority      | Ether-Type 
======================================================================================
port39     | customer        | add (vid 456)   | enable            | follow-s-tag  | 0x8100

diagnose switch trunk list

Use this command to display link aggregation information:

diagnose switch trunk list [<trunk_name>]

Variable

Description

[<trunk_name>]

Display link aggregation information for the specified trunk. If the trunk is not specified, link aggregation information for all trunks is displayed.

Example output

S524DF4K15000024 # diagnose switch trunk list trunk1

Switch Trunk Information, primary-Channel

Trunk Name:  trunk1
Mode:  fortinet-trunk
Port Selection Algorithm:  N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:E6

Active Port  Up  Time
___________  _________________________

Non-Active Port  Status
_______________  ____________________

port1            BLOCK
port2            BLOCK
			
S524DF4K15000024 # diagnose switch trunk list

Switch Trunk Information, primary-Channel

Trunk Name:  Mclag-icl-trunk
Mode:  lacp-active (mclag-icl)
Port Selection Algorithm:  N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:F4

Active Port  Up  Time
___________  _________________________

Non-Active Port  Status
_______________  ____________________

port15           BLOCK
port16           BLOCK

LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: down
ports: 2
LACP mode: active
LACP speed: slow
aggregator ID: 1
actor key: 0
actor MAC address: 08:5b:0e:f1:95:f4
partner key: 1
partner MAC address: 00:00:00:00:00:00

slave: port15
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f4
actor state: ASAIDD
partner state: PSIODD
aggregator ID: 1

slave: port16
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f5
actor state: ASAODD
partner state: PSIODD
aggregator ID: 2

Trunk Name:  first-mclag
Mode:  static (mclag)
Port Selection Algorithm:  N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:E7

Active Port  Up  Time
___________  _________________________


Non-Active Port  Status
_______________  ____________________

port2            BLOCK

diagnose switch trunk summary

Use this command to display a summary of the link aggregation information:

diagnose switch trunk summary [<trunk_name>]

Variable

Description

[<trunk_name>]

Display a summary of the link aggregation information for the specified trunk. If the trunk is not specified, a summary for all trunks is displayed.

Example output

S524DF4K15000024 # diagnose switch trunk summary Trunk Name Mode PSC MAC Status Up Time ________________ _________________________ ___________ _________________ ___________ _________ Mclag-icl-trunk lacp-active(mclag-icl) N/A 08:5B:0E:F1:95:F4 down(0/2) N/A first-mclag static(mclag) N/A 08:5B:0E:F1:95:E7 down(0/1) N/A 8DN3X16000001-0 lacp-active(auto-isl) src-dst-ip 08:5B:0E:F0:9B:90 up(1/1) 0 days,0 hours,1 mins,35 secs S524DF4K15000024 # diagnose switch trunk summary first-mclag Trunk Name Mode PSC MAC Status Up Time ________________ _________________________ ___________ _________________ ___________ _________ first-mclag static(mclag) N/A 08:5B:0E:F1:95:E7 down(0/1) N/A

diagnose switch vlan

Use these commands to display information about virtual LANs:

diagnose switch vlan assignment capabilities

diagnose switch vlan assignment ether-proto flush

diagnose switch vlan assignment ether-proto list [{sorted-by-protocol | sorted-by-vlan}]

diagnose switch vlan assignment ipv4 flush

diagnose switch vlan assignment ipv4 list [{sorted-by-address | sorted-by-vlan}]

diagnose switch vlan assignment ipv6 flush

diagnose switch vlan assignment ipv6 list [{sorted-by-address | sorted-by-vlan}]

diagnose switch vlan assignment mac flush

diagnose switch vlan assignment mac list [{sorted-by-mac | sorted-by-vlan}]

diagnose switch vlan info cache <VLAN_ID>

diagnose switch vlan info dump

diagnose switch vlan list [<VLAN_ID>]

Variable

Description

assignment capabilities

Display information about hardware capabilities for VLAN assignments.

assignment ether-proto flush

Delete all VLAN entries assigned by Ethernet frame type and protocol.

assignment ether-proto list [{sorted-by-protocol | sorted-by-vlan}]

Display VLAN assignments by Ethernet frame type and protocol. Use sorted-by-protocol to list VLAN entries by protocol. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

assignment ipv4 flush

Delete all VLAN entries assigned by IPv4 address or subnet.

assignment ipv4 list [{sorted-by-address | sorted-by-vlan}]

Display VLAN assignments by IPv4 address or subnet. Use sorted-by-address to list VLAN entries by the mask length and IP address. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

assignment ipv6 flush

Delete all VLAN entries assigned by IPv6 address or subnet.

assignment ipv6 list [{sorted-by-address | sorted-by-vlan}]

Display VLAN assignments by IPv6 address or subnet. Use sorted-by-address to list VLAN entries by the mask length and IP address. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

assignment mac flush

Delete all VLAN entries assigned by MAC address.

assignment mac list [{sorted-by-mac | sorted-by-vlan}]

Display VLAN assignments by MAC address. Use sorted-by-mac to list VLAN entries by the MAC address. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

info cache <VLAN_ID>

Display information about the VLAN cache.

info dump

Display VLAN-related information.

list [<VLAN_ID>]

Display which ports are assigned to the specified VLAN identifier. If the VLAN identifier is not specified, the information for all VLAN identifiers is displayed.

Example output

S524DF4K15000024 # diagnose switch vlan assignment capabilities
Assignment modes supported:
Port based assignment
IPv4 address/subnet based assignment
IPv6 address/subnet based assignment
MAC address based assignment
Ethernet Protocol based assignment

S524DF4K15000024 # diagnose switch vlan info dump
Ports:
[   port1] Force[disabled]
[   port2] Force[disabled]
[   port3] Force[disabled]
[   port4] Force[disabled]
[   port5] Force[disabled]
[   port6] Force[disabled]
[   port7] Force[disabled]
[   port8] Force[disabled]
[   port9] Force[disabled]
[  port10] Force[disabled]
[  port11] Force[disabled]
[  port12] Force[disabled]
[  port13] Force[disabled]
[  port14] Force[disabled]
[  port15] Force[disabled]
[  port16] Force[disabled]
[  port17] Force[disabled]
[  port18] Force[disabled]
[  port19] Force[disabled]
[  port20] Force[disabled]
[  port21] Force[disabled]
[  port22] Force[disabled]
[  port23] Force[disabled]
[  port24] Force[disabled]
[  port25] Force[disabled]
[  port26] Force[disabled]
[  port27] Force[disabled]
[  port28] Force[disabled]
[  port29] Force[disabled]
[  port30] Force[disabled]
[internal] Force[disabled]

Private-VLANs:

S524DF4K15000024 # diagnose switch vlan list
VlanId  Ports
______  ___________________________________________________
1       port1 port2 port3 port4 port5 port6 port7 port8 port9
		port10 port11 port12 port13 port14 port15 port16 port17
		port18 port19 port20 port21 port22 port23 port24 port25
		port26 port27 port28 port29 port30
4094    internal

diagnose switch vlan-mapping egress hardware-entry

Use the following command to check the VLAN mapping on an interface for the egress direction:

diagnose switch vlan-mapping egress hardware-entry

diagnose switch vlan-mapping ingress hardware-entry

Use the following command to check the VLAN mapping on an interface for the ingress direction:

diagnose switch vlan-mapping ingress hardware-entry

diagnose sys checkused

Use the following command to check which tables are using the entry:

diagnose sys checkused <path.object.mkey>

Variable

Description

<path.object.mkey>

Display which tables use this entry.

Example output

S524DF4K15000024 # diagnose sys checkused switch.physical-port.name
			
may be used by table switch.trunk.members.member-name
may be used by table switch.mirror.dst
may be used by table switch.mirror.src-ingress.name
may be used by table switch.mirror.src-egress.name
may be used by table switch.acl.policy.ingress-interface.member-name
may be used by table switch.acl.policy.action.mirror
may be used by table switch.acl.policy.action.redirect
may be used by table switch.acl.policy.action.redirect-physical-port.member-name
may be used by table switch.acl.policy.action.egress-mask.member-name
may be used by table switch.virtual-wire.first-member
may be used by table switch.virtual-wire.second-member
may be used by table switch.auto-isl-port-group.members.member-name
may be used by table system.admin.dashboard.interface

diagnose sys cpuset

Use this command to display information about which CPU set uses a specific process:

diagnose sys cpuset <process_ID> <CPU_set_mask>

Variable

Description

<process_ID> <CPU_set_mask>

Specify the process identifier and CPU set mask to find out which CPU set uses the process.

diagnose sys dayst-info

Use this command to display information about daylight saving time:

diagnose sys dayst-info

Example output

S524DF4K15000024 # diagnose sys dayst-info
The current timezone '(GMT-8:00)Pacific Time(US&Canada).' daylight saving time starts at Sun Mar  8 02:00:00 1970, ends at Sun Nov  1 01:00:00 1970

diagnose sys fan status

Use this command to display fan information:

diagnose sys fan status

Example output

S524DF4K15000024 # diagnose sys fan status

Module    Status
___________________________________
Fan      OK
Fan speed is set to 50.0%.

diagnose sys fips error-mode

NOTE: This command is available only when the switch is in FIPS mode

Use this command put the switch in FIPS error mode. After entering FIPS error mode, the switch halts, and the user cannot perform any action. To exit error mode, you must turn the switch off and then on again and have access to the console.

diagnose sys fips error-mode

diagnose sys fips kat-error

NOTE: This command is available only when the switch is in FIPS mode

Use this command if you want to run a Known Answer Test (KAT) in error mode. The switch will halt after restarting. To exit error mode, you must turn the switch off and then on again and have access to the console.

diagnose sys fips <KAT_name>

The tests listed in the following table are available.

KAT name Description
AES Advanced Encryption Standard (AES) self-test
RBG-instantiate Random bit generator (RBG)-instantiate known answer test
RBG-reseed RBG-reseed known answer test
RBG-generate RBG-generate known answer test
RSA Rivest, Shamir, and Adleman Algorithm (RSA) known answer test
SHA1-HMAC SHA1-HMAC known answer tests
SHA256-HMAC SHA256-HMAC known answer tests
SHA384-HMAC SHA384-HMAC known answer tests
SHA512-HMAC SHA512-HMAC known answer tests
DHE DHE known answer test
ECDHE ECDHE known answer test
Configuration Configure file integrity test
Firmware-integrity Firmware integrity test

diagnose sys flash

Use these commands to manage flash memory:

diagnose sys flash format

diagnose sys flash list [<file>]

Variable

Description

format

Format the shared data partition (flash partition 2).

list [<file>]

Display statistics for a file or directory in flash memory. If no file or directory is specified, statistics for all flash memory are returned.

Example output

S524DF4K15000024 # diagnose sys flash list
Partition  Image                             TotalSize(KB)  Used(KB)  Use%  Active
(*) 1      S524DF-3.6.3-FW-build0390-171020          53248     22922   43%  Yes
						       4096       448   11%  Yes
2                                                    53248         0    0%  No

Flag * : next-boot partition
Image build at Oct 20 2017 17:10:54 for b0390

diagnose sys flow-export

Use these commands to manage flow-export data:

diagnose sys flow-export delete-flows-all

diagnose sys flow-export expire-flows-all

Variable

Description

delete-flows-all

Delete all flow-export data.

expire-flows-all

Expire all flow-export data.

diagnose sys fsw-cloud-mgr

Use these commands to manage the SSL tunnel for FortiSwitch cloud management:

diagnose sys fsw-cloud-mgr close-access-socket

diagnose sys fsw-cloud-mgr shutdown-ssl

Variable

Description

close-access-socket

Restart the SSL tunnel between a FortiSwitch and FortiSwitch cloud management by closing the socket.

shutdown-ssl

Restart the SSL tunnel between a FortiSwitch and FortiSwitch cloud management by sending a SSL_SHUTDOWN request.

diagnose sys kill

Use this command to end a specified process:

diagnose sys kill <signal_number> <process_ID>

Variable

Description

<signal_number> <process_ID>

End the process with the specified signal.

To find out which processes are currently running, see diagnose sys vlan list.

diagnose sys link-monitor

Use these commands to manage the link monitor:

diagnose sys link-monitor interface <entry>

diagnose sys link-monitor launch <entry>

diagnose sys link-monitor status {entry | all}

 

To configure the link health monitor, see config system link-monitor .

Variable

Description

interface <entry>

Display information about the specified link-monitor entry.

launch <entry>

Manually launch the specified link-monitor entry.

status {entry | all}

Display information about a specified link-monitor entry or all link-monitor entries.

diagnose sys mpstat

Use this command to display information about CPU use:

diagnose sys mpstat <delay> <loops>

Variable

Description

<delay> <loops>

Display information about the CPU use after the specified number of seconds (default is 5) and for the specified number of loops (default is 1,000,000). If the values for <delay> <loops> are not specified, there is no delay, and the output continues until a key is pressed.

Example output

S524DF4K15000024 # diagnose sys mpstat
			
Gathering data, wait 5 sec, press any key to quit.
..0..1..2..3..4
TIME          CPU    %usr   %nice    %sys  %idle
04:02:59 PM   all    0.00    0.00    5.73   94.27
		 0    0.00    0.00   10.87   89.13
		 1    0.00    0.00    0.59   99.41
04:02:59 PM          0.00    0.00    0.00    0.00

TIME          CPU    %usr   %nice    %sys  %idle
04:03:04 PM   all    0.00    0.00    6.87   93.13
		 0    0.00    0.00   12.75   87.25
		 1    0.00    0.00    1.00   99.00
04:03:04 PM          0.00    0.00    0.00    0.00

diagnose sys ntp status

Use this command to display the configuration of the Network Time Protocol (NTP) servers:

diagnose sys ntp status

To configure the NTP servers, see config system ntp.

diagnose sys pcb temp

Use this command to display the printed circuit board (PCB) temperature:

diagnose sys pcb temp

Example output

S524DF4K15000024 # diagnose sys pcb temp

Module    Status
__________________________________
Sensor1   42.0 C

diagnose sys process

Use this command to display information about a specific process:

diagnose sys process <process_ID>

Variable

Description

<process_ID>

Display information about the specified process identifier.

To find out which processes are currently running, see diagnose sys vlan list.

diagnose sys psu status

Use this command to display information about the power supply unit (PSU):

diagnose sys psu status

Example output

S524DF4K15000024 # diagnose sys psu status
			
PSU1 is OK.
PSU2 is not present.

diagnose sys top

Use this command to list the processes currently running on your FortiSwitch unit:

diagnose sys top <delay> <lines>

Variable

Description

<delay> <lines>

Enter the number of seconds to delay (the default is 5) and the maximum lines of output (the default is 20).

In the output, the codes displayed on the second output line mean the following:

  • U is % of user space applications using CPU. In the example, 0U means 0% of the user space applications are using CPU.
  • S is % of system processes (or kernel processes) using CPU. In the example, 0S means 0% of the system processes are using the CPU.
  • I is % of idle CPU. In the example, 98I means the CPU is 98% idle.
  • T is the total FortiOS system memory in Mb. In the example, 123T means there are 123 Mb of system memory.
  • F is free memory in Mb. In the example, 25F means there is 25 Mb of free memory.

Each additional line of the command output displays the following information for each of the processes running on the FortiSwitch (from left to right):

  • Process name
  • Process identifier
  • State that the process is running in. The process state can be:
    • R for running
    • S for sleep
    • Z for zombie
    • D for disk sleep
  • Amount of CPU that the process is using. CPU usage can range from 0.0 for a process that is sleeping to higher values for a process that is taking a lot of CPU time.
  • Amount of memory that the process is using. Memory usage can range from 0.1 to 5.5 and higher.

Example output

S524DF4K15000024 # diagnose sys top 5 5
			
Run Time:  3 days, 0 hours and 40 minutes
0U, 6S, 94I; 1978T, 1744F
pyfcgid      695      S       0.0     0.7
pyfcgid      791      S       0.0     0.7
pyfcgid      792      S       0.0     0.7
httpsd       696      S       0.0     0.6
cmdbsvr      611      S       0.0     0.6

diagnose sys vlan list

Use these commands to display information about configured VLANs:

diagnose syst vlan list

To configure a VLAN, see config switch vlan.

diagnose test application

Use these commands to test specific daemons:

diagnose test application dnsproxy <test_level>

diagnose test application fpmd <test_level>

diagnose test application radiusd <test_level>

diagnose test application sflowd <test_level>

diagnose test application snmpd <test_level>

Variable

Description

dnsproxy <test_level>

Specify the test level for the DNS proxy daemon:
  1. Clear DNS cache.
  2. Show statistics.
  3. Dump DNS setting.
  4. Reload the fully qualified domain name (FQDN).
  5. Requery the FQDN.
  6. Dump the FQDN.

fpmd <test_level>

Specify the test level for the hardware offload daemon.

radiusd <test_level>

Specify the test level for the RADIUS daemon:
  • 2: Clear the RADIUS server database.
  • 3: Show the RADIUS server database.
  • 33: Show the RADIUS server database (with start time).
  • 4: Show the RADIUS server database information.
  • 9: Check the high availability (HA) context table checksums.
  • 11: Show the HA synchronization connection status.
  • 20: Show the RADIUS server configuration cache.
  • 21: Show the RADIUS server interface configuration cache.
  • 99: Restart.

sflowd <test_level>

Specify the test level for the sFlow daemon:
  • 1: Show collector setting.
  • 2: Show state.

snmpd <test_level>

Specify the test level for the SNMP daemon:
  • 1: Display daemon process identifier.
  • 2: Display SNMP statistics.
  • 3: Clear SNMP statistics.
  • 4: Generate test trap.
  • 99: Restart daemon.
  • 101: Reset the msgAuthoritativeEngineBoots attribute to 0 and restart the daemon.

Example output

S524DF4K15000024 # diagnose test application dnsproxy 2
config: alloc=1
DNS_CACHE: alloc=0
DNS UDP: req=6680, res=0, fwd=26720, hits=0, alloc=0
cur=90 v6_cur=0
DNS TCP: req=0, alloc=0

S524DF4K15000024 # diagnose test application fpmd 2
L3 egr obj Num: 0 Max: 8192 LastFoundEgrId: 0
Valid: 0 Gw: 0.0.0.0 IfIndex: 0 RefCount: 0 EgrObj: 0 Status: 0

diagnose test authserver

Use these commands to test the authentication server:

diagnose test authserver cert <arguments>

diagnose test authserver ldap <server_name> <user_name> <password>

diagnose test authserver ldap-digest <arguments>

diagnose test authserver ldap-direct <arguments>

diagnose test authserver ldap-search <arguments>

diagnose test authserver local <arguments>

diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <user_name> <password>

diagnose test authserver radius-direct <server_name _or_IP_address> <port_number> <secret>

diagnose test authserver tacacs+ <server_name> <user_name> <password>

diagnose test authserver tacacs+-direct <arguments>

Variable

Description

cert <arguments>

Test the certificate authentication.

ldap <server_name> <user_name> <password>

Test the connection to an LDAP server. For the server_name, use the name of the LDAP object, not the LDAP server name. Use credentials that you have used in the LDAP object itself.

ldap-digest <arguments>

Test the LDAP HA1 password query.

ldap-direct <arguments>

Test the connection to an LDAP server.

ldap-search <arguments>

Search for an LDAP server.

local <arguments>

Test the local user.

radius <server_name> <chap | pap | mschap | mschap2> <user_name> <password>

Test the connection to the RADIUS server.

radius-direct <server_name _or_IP_address> <port_number> <secret>

Test the connection to the RADIUS server. For the port number, enter -1 to use the default port. Otherwise, enter the port number to check.

tacacs+ <server_name> <user_name> <password>

Test the connection to the TACACS+ server.

tacacs+-direct <arguments>

Test the connection to the TACACS+ server.

diagnose user radius coa

Use this command to display information about RADIUS authentication and RADIUS accounting:

diagnose user radius coa

To configure RADIUS authentication and RADIUS accounting, see config user radius.

diagnose

Use the diagnose commands to help with troubleshooting:

diagnose bpdu-guard display status

Use this command to display the status of the spanning tree protocol (STP) bridge protocol data unit (BPDU) guard:

diagnose bpdu-guard display status

 

To configure STP BPDU guard, see config switch interface.

Example output

Portname             State      Status       Timeout(m)    Count    Last-Event
_________________   _______    _________    ___________    _____   _______________

port1              disabled     -              -             -            -
port2              disabled     -              -             -            -
port3              disabled     -              -             -            -
port4              disabled     -              -             -            -
port5              disabled     -              -             -            -
port6              disabled     -              -             -            -
port9              disabled     -              -             -            -
port10             disabled     -              -             -            -
port11             disabled     -              -             -            -
port12             disabled     -              -             -            -
port13             disabled     -              -             -            -
port14             disabled     -              -             -            -
port15             disabled     -              -             -            -
port16             disabled     -              -             -            -
port17             disabled     -              -             -            -
port18             disabled     -              -             -            -
port19             disabled     -              -             -            -
port20             disabled     -              -             -            -
port21             disabled     -              -             -            -
port22             disabled     -              -             -            -
port23             disabled     -              -             -            -
port24             disabled     -              -             -            -
port25             disabled     -              -             -            -
port26             disabled     -              -             -            -
port27             disabled     -              -             -            -
port28             disabled     -              -             -            -
port29             disabled     -              -             -            -
port30             enabled      -              60            0            -

diagnose certificate all

Use this command to verify all system certificates:

diagnose certificate all

Example output

S548DF5018000776 # diagnose certificate all 

Certificate Authority 
----------------------------------------------------------------------------

Name             : Fortinet_802.1x_CA 
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB 
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed 
Timeliness       : Valid (Expires on 2028-10-22 12:00:00  GMT)

Name             : Fortinet_CA 
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9 
Serial Number    : da:f6:36:b4:43:d4:a5:8b
Integrality      : Passed 
Timeliness       : Valid (Expires on 2038-01-19 22:34:39  GMT)

Name             : Fortinet_CA2 
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9 
Serial Number    : da:f6:36:b4:43:d4:a5:8b
Integrality      : Passed 
Timeliness       : Valid (Expires on 2038-01-19 22:34:39  GMT)

Name             : Fortinet_fsw_cloud_CA 
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB 
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed 
Timeliness       : Valid (Expires on 2028-10-22 12:00:00  GMT)

Local 
----------------------------------------------------------------------------

Name             : Fortinet_802.1x 
Fingerprint(MD5) : 0C:7B:E2:32:85:D0:05:DA:CA:16:15:86:82:D7:28:63 
Serial Number    : 0d:b1:1b:bc:13:51:13:23:18:64:23:55:cd:db:3b:fe
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2022-05-24 12:00:00  GMT)

Name             : Fortinet_Factory 
Fingerprint(MD5) : B1:92:9D:7B:63:4B:9D:F7:57:FF:E6:59:AE:C2:21:2A 
Serial Number    : 19:c1:ea
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

Name             : Fortinet_Factory2 
Fingerprint(MD5) : F8:E4:51:61:B6:F0:98:FA:43:1F:4C:FD:C1:5D:B2:62 
Serial Number    : 19:c1:ec
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

Name             : Fortinet_Firmware 
Fingerprint(MD5) : A3:09:DB:D7:31:CA:7C:A6:CD:03:B1:91:FB:D7:13:23 
Serial Number    : 41:1d:d5
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

Remote 
----------------------------------------------------------------------------

diagnose certificate ca

Use this command to verify CA certificates:

diagnose certificate ca

Example output

S548DF5018000776 # diagnose certificate ca

Name             : Fortinet_802.1x_CA 
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB 
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed 
Timeliness       : Valid (Expires on 2028-10-22 12:00:00  GMT)

Name             : Fortinet_CA 
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9 
Serial Number    : da:f6:36:b4:43:d4:a5:8b
Integrality      : Passed 
Timeliness       : Valid (Expires on 2038-01-19 22:34:39  GMT)

Name             : Fortinet_CA2 
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9 
Serial Number    : da:f6:36:b4:43:d4:a5:8b
Integrality      : Passed 
Timeliness       : Valid (Expires on 2038-01-19 22:34:39  GMT)

Name             : Fortinet_fsw_cloud_CA 
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB 
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed 
Timeliness       : Valid (Expires on 2028-10-22 12:00:00  GMT)

diagnose certificate local

Use this command to verify local certificates:

diagnose certificate local

Example output

S548DF5018000776 # diagnose certificate local

Name             : Fortinet_802.1x 
Fingerprint(MD5) : 0C:7B:E2:32:85:D0:05:DA:CA:16:15:86:82:D7:28:63 
Serial Number    : 0d:b1:1b:bc:13:51:13:23:18:64:23:55:cd:db:3b:fe
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2022-05-24 12:00:00  GMT)

Name             : Fortinet_Factory 
Fingerprint(MD5) : B1:92:9D:7B:63:4B:9D:F7:57:FF:E6:59:AE:C2:21:2A 
Serial Number    : 19:c1:ea
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

Name             : Fortinet_Factory2 
Fingerprint(MD5) : F8:E4:51:61:B6:F0:98:FA:43:1F:4C:FD:C1:5D:B2:62 
Serial Number    : 19:c1:ec
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

Name             : Fortinet_Firmware 
Fingerprint(MD5) : A3:09:DB:D7:31:CA:7C:A6:CD:03:B1:91:FB:D7:13:23 
Serial Number    : 41:1d:d5
Integrality      : Passed 
Key-pair         : Passed 
Timeliness       : Valid (Expires on 2038-01-19 03:14:07  GMT)

diagnose certificate remote

Use this command to verify remote certificates:

diagnose certificate remote

diagnose debug application

Use this command to set the debug level for application daemons. Some applications must be set to level 8 or higher to enable output for other diagnose debug commands. If you do not specify the debugging level, the current debugging level is returned.

diagnose debug application <application> [<debugging_level>]

 

The following applications are supported:

  • alertd—Monitor and alert daemon
  • authd—Authentication control daemon
  • bfdd— Bidirectional forwarding detection (BFD) daemon
  • bgpd—Border Gateway Protocol (BGP) daemon
  • ctrld— General FortiSwitch control daemon
  • cu_swtpd—Switch-controller CAPWAP control daemon
  • dhcp6c—DHCPv6 client module
  • dhcpc—DHCP client module
  • dhcprelay—DHCP relay daemon
  • dmid—Diagnostic monitoring interface (DMI) daemon
  • dnsproxy—DNS proxy module
  • eap_proxy—EAP proxy daemon
  • erspan-auto-mgr—ERSPAN-auto mode configuration resolution daemon
  • flcmdd—FortiLink command daemon
  • flow-export—Flow-export
  • fnbamd—FortiGate nonblocking authentication daemon
  • fortilinkd—FortiLink daemon
  • fpmd—Hardware routing daemon
  • fsmgr—FortiSwitch Cloud daemon
  • gratarp—IP conflict gratuitous ARP utility
  • gui—GUI service
  • httpsd—HTTP and HTTPS daemon
  • ip6addrd—IPv6 address utilty
  • ipconflictd— IP conflict detection daemon
  • isisd—Intermediate System to Intermediate System Protocol (IS-IS) daemon
  • l2d—Daemon for layer-2 features
  • l2dbg—Daemon for hardware-related operations needed by layer 2
  • l3—Layer-3 debugging
  • lacpd—Link Aggregation Control Protocol (LACP) daemon
  • libswitchd—FortiSwitch library daemon
  • link-monitor—Link monitor daemon
  • lldpmedd—Link Layer Discovery Protocol-Media Endpoint Discovery (LLPD-MED) daemon
  • mcast-snooping—Multicast-snooping debugging
  • miglogd—Logging daemon
  • mrpd—Media Redundancy Protocol (MRP) daemon
  • ntpd—Network Time Protocol (NTP) daemon
  • nwmcfgd—Daemon for network-monitoring configuration
  • nwmonitord—Packet-handling and parsing daemon for network monitoring
  • ospf6d—Open shortest path first (OSPF IPv6) routing daemon
  • ospfd—Open shortest path first (OSPF IPv4) routing daemon
  • pimd—Protocol Independent Multicast (PIM) daemon
  • portspeedd—Port speed daemon
  • radius_das—RADIUS CoA daemon
  • radiusd—RADIUS daemon
  • radvd—Router advertisement daemon
  • ripd—Routing Information Protocol (RIP) routing daemon
  • ripngd—Routing Information Protocol NG (RIPNG) daemon
  • router-launcher—Daemon for launching the routing system
  • rsyslogd—Remote SYSLOG daemon
  • sflowd—sFlow daemon
  • snmpd—Simple Network Managment Protocol (SNMP) daemon
  • sshd—Secure Sockets Shell (SSH) daemon
  • staticd—Static route daemon
  • statsd—Statistics collection daemon
  • stpd—Spanning Tree Protocol (STP) daemon
  • switch-launcher—Daemon for launching the FortiSwitch system
  • trunkd—Trunk daemon
  • vrrpd—Virtual Router Redundancy Protocol (VRRP) daemon
  • wiredap —Daemon for 802.1x port-based authentication
  • wpa_supp—MACsec Key Agreement (MKA) MACsec daemon
  • zebra—Core router daemon

Example output

S524DF4K15000024 # diagnose debug application flgd

 

flgd debug level is 8 (0x8)

diagnose debug authd

Use these commands to manage the authentication daemon:

diagnose debug authd clear

diagnose debug authd fsso clear-logons

diagnose debug authd fsso filter clear

diagnose debug authd fsso filter group <group_name>

diagnose debug authd fsso filter server <FSSO_agent_name>

diagnose debug authd fsso filter source <IPv4_address> <IPv4_address>

diagnose debug authd fsso filter user <user_name>

diagnose debug authd fsso list

diagnose debug authd fsso refresh-groups

diagnose debug authd fsso refresh-logons

diagnose debug authd fsso server-status

diagnose debug authd fsso summary

 

Variable

Description

clear

Delete internal data structures and keepalive sessions.

fsso clear-logons

Delete Fortinet Single Sign on (FSSO) logon information.

fsso filter clear

Delete all FSSO filters.

fsso filter group <group_name>

List only the logons by the specified FSSO group.

fsso filter server <FSSO_agent_name>

List only the logons for the specified FSSO agent.

fsso filter source <IPv4_address> <IPv4_address>

List only the logons for the specified range of IPv4 addresses.

fsso filter user <user_name>

List only the logons by the specified user.

fsso list

Display the current FSSO logons.

fsso refresh-groups

Refresh the FSSO group mappings.

fsso refresh-logons

Synchronize the FSSO logon database.

fsso server-status

Display the status of the FSSO agent connection.

fsso summary

Display a summary of current FSSO logons.

Example output

diag debug authd fsso server-status

Server Name     Connection Status     Version
-----------     -----------------     -------
fsso            connected             FSSO 5.0.0237
			
diagnose debug authd fsso list
IP: 10.1.1.5  User: ADM_FWCHECK  Groups: FW_OPERATORS/ADMINISTRATORS

diagnose debug bfd

Use this command to enable, show, or disable the debugging level for bidirectional forwarding detection (BFD):

diagnose debug bfd {all | appl | fsm | net | show | zebra } {enable | disable}

diagnose debug bgp

Use this command to enable, show, or disable the debugging level for Border Gateway Protocol (BGP) routing:

diagnose debug bgp {all | appl | as4 | flowspec | keepalives | neighbor-events | nht | normal | show | updates | zebra} {enable | disable}

diagnose debug cli

Use this command to set or find the debug level for the CLI:

diagnose debug cli [<0-8>]

Example output

S524DF4K15000024 # diagnose debug cli

 

Cli debug level is 8

diagnose debug config-error-log

Use this command to display information about the configuration error log:

diagnose debug config-error-log {clear | read}

 

Variable

Description

clear

Clear the configuration error log.

fsso

Display configuration errors on the console.

diagnose debug console

Use these commands to display information about the console:

diagnose debug console no-user-log-msg {enable | disable}

diagnose debug console send <AT command>

diagnose debug console timestamp {enable | disable}

 

Variable

Description

no-user-log-msg {enable | disable}

Enable or disable the display of user log messages on the console.

send <AT command>

Send out the specified modem AT command.

timestamp {enable | disable}

Enable or disable the time stamp.

diagnose debug crashlog

Use this command to display or erase the crash log:

diagnose debug crashlog {clear | get | kill-with-crashlog <process_ID> | read}

 

Variable

Description

clear

Clear the crash log.

get

Display the crash log on the console.

kill-with-crashlog <process_ID>

End the daemon using the specified process ID.

read

Display the crash log on the console in a readable format.

Example output

S524DF4K15000024 # diagnose debug crashlog get
			
Rk9SVP94nDK0NLPUNTTSNTZUMDSzMjCwMjVXSErOjc9IzEvJSY3PTM8tKI5Pzk2x
UvB1dgwO0Q1xdPJx1Q32jHK1MjQwMuECCCAjA0NzXQNLXQMzBUOgZgMrQ0uFkoxU
hezMnJzUFIWUxNTc/DyFzGIF/aTMPP301JKSSiuF4pLEktJiW4MKAy6AAELWb2gF
dIKJKUn6AQIIVb+JmZWpCUn6AQIIWb+RlYGxlbExSfoBAghZv7GVqamVEWn+Bwgg
ZP0mVgYWwCAkST9AAKHqNzQHxR8p+gECCFW/MdALhiToN+ICCCA0/WZWxqTpBwgg
ZP3AwDMGJkGS3A8QQKj6TYBJwIIk/QABhKbfBBiFJLkfIIDQ9JtaGZNivxEXQAAh
6zcDxb8RafEHEECo+oH+NyAt/QMEEKp+UP41Ikk/QADB9ZuD8r+RpRXQIOL1GxsY
cAEEEKoJphakpgCAAELWbwgKQQPSQhAggFD1A3OAMWkhABBAaPotrUxIsx8ggJD1
A0sgU1JzMEAAIesHZl8jICJJP0AAIesHpgBz0koAAy6AAELWb24FTgQk6QcIIFT9
JkD3k5KCDLgAAghNPzD+SbMfIIBQ9ZsaAyshkvQDBBCyfqDlwEKYtBIIIIBQ9QOj
0IS08AcIIDT9ZqSlHyMugABC1W8EDH/SakCAAELVD8w/JMY/QAAh6wcWH0bAJECS
foAAguu3UDAwtzIClmCklB+gEggggJBNsLQCV8MkuQAggND0A+sA0lIQQACh6jcC
1mGklYAAAYSkH1gCGZkCnUCSfoAAQtUPKgFJsx8ggFD1mwBzEGklGEAAoek3AUYi
...
			
S548DF5018000776 # diagnose debug crashlog read 
			
1: 2020-03-13 11:54:15 the killed daemon is /bin/fsmgrd: status=0x0
2: 2020-03-13 16:55:27 the killed daemon is /bin/fsmgrd: status=0x0
3: 2020-03-13 16:59:09 the killed daemon is /bin/fsmgrd: status=0x0
4: 2020-03-13 17:32:56 the killed daemon is /bin/fsmgrd: status=0x0
5: 2020-03-13 18:10:52 the killed daemon is /bin/fsmgrd: status=0x0
6: 2020-03-13 18:45:45 the killed daemon is /bin/fsmgrd: status=0x0
7: 2020-03-13 18:52:24 the killed daemon is /bin/fsmgrd: status=0x0
8: 2020-03-16 11:59:48 restart_reason=SYSTEM SHUTDOWN
9: 2020-03-17 10:16:42 restart_reason=SYSTEM SHUTDOWN
10: 2020-03-23 09:23:22 restart_reason=SYSTEM SHUTDOWN
11: 2020-03-24 08:33:04 restart_reason=SYSTEM SHUTDOWN
12: 2020-03-26 08:11:33 restart_reason=SYSTEM SHUTDOWN
13: 2020-04-10 08:48:25 restart_reason=SYSTEM SHUTDOWN
14: 2020-05-06 10:51:28 the killed daemon is /bin/fsmgrd: status=0x0
15: 2020-05-06 11:47:45 the killed daemon is /bin/fsmgrd: status=0x0
16: 2020-05-06 17:49:04 the killed daemon is /bin/fsmgrd: status=0x0
17: 2020-05-28 08:45:54 restart_reason=SYSTEM SHUTDOWN
18: 2020-05-28 09:09:00 the killed daemon is /bin/fsmgrd: status=0x0
19: 2020-05-28 09:36:23 the killed daemon is /bin/fsmgrd: status=0x0
20: 2020-05-28 18:12:20 the killed daemon is /bin/fsmgrd: status=0x0
21: 2020-05-29 13:31:52 the killed daemon is /bin/fsmgrd: status=0x0
22: 2020-05-29 15:04:20 the killed daemon is /bin/fsmgrd: status=0x0
23: 2020-05-29 16:01:28 the killed daemon is /bin/fsmgrd: status=0x0
24: 2020-05-29 16:27:41 the killed daemon is /bin/fsmgrd: status=0x0
25: 2020-06-01 16:04:11 restart_reason=SYSTEM SHUTDOWN
26: 2020-06-02 09:56:49 the killed daemon is /bin/fsmgrd: status=0x0

diagnose debug disable

Use this command to disable debugging output:

diagnose debug disable

diagnose debug enable

Use this command to enable debugging output:

diagnose debug enable

diagnose debug info

Use this command to display the debugging level:

diagnose debug info

Example output

S524DF4K15000024 # diagnose debug info
debug output:           enable
console timestamp:      disable
console no user log message:    disable
fsmgr debug level:      16 (0x10)
CLI debug level:        8

diagnose debug isis

Use this command to enable, show, or disable the debugging level for Intermediate System to Intermediate System Protocol (IS-IS) routing:

diagnose debug isis {adj-packets | all | appl | bfd | events | flooding | lsp-gen | lsp-sched | packet-dump | route-events | show | snp-packets | spf-events | tx-queue | update-packets} {enable | disable}

diagnose debug kernel level

Use this command to display or set the debugging level for the kernel:

diagnose debug kernel level [<integer>]

Example output

S524DF4K15000024 # diagnose debug kernel level
			
Kernel debug level is 0

diagnose debug ospf

Use this command to enable, show, or disable the debugging level for open shortest path first (OSPF) routing for IPv4 traffic:

diagnose debug ospf {all | appl | event | ism-debug | lsa-debug | nsm-debug | nssa | packet-debug | show | zebra-debug} {enable | disable}

diagnose debug ospf6

Use this command to enable or disable the debugging level for open shortest path first (OSPF) routing for IPv6 traffic:

diagnose debug ospf6 {abr | all | appl | asbr | border-routers | flooding | interface | lsa | lsa-debug | message | neighbor | packet-debug | route | route-debug | spf | zebra} {enable | disable}

diagnose debug packet_test

Use this command to display a report about the specified port for technical support:

diagnose debug packet_test <port_ID>

Example output

S524DF4K15000024 # diagnose debug packet_test 30
			
RX: port:0(tx port 30) len:0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

RX: port:0(tx port 30) len:0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Send: 2, Recv: 2

diagnose debug pim

Use this command to enable, show, or disable the debugging level for Protocol Independent Multicast (PIM) routing:

diagnose debug pim {all | appl | events | igmp-events | igmp-packets | igmp-trace | mroute | packet-dump | packets | show | static | trace | zebra} {enable | disable}

diagnose debug port-mac

NOTE: This command is available only on FortiSwitch units that have the split-port feature available.

Use this command to display the mapping between MAC addresses and ports:

diagnose debug port-mac {check-mac | list}

 

Variable

Description

check-mac

Check to see if the specified MAC address is valid.

list

List the mapping between MAC addresses and ports.

Example output

S524DF4K15000024 # diagnose debug port-mac check-mac 08:5b:0e:f1:95:e4
Input MAC address 08:5b:0e:f1:95:e4 found in range
08:5b:0e:e5:4f:d6--08:5b:0e:f1:9b:a4
90:6c:ac:30:19:22--90:6c:ac:7b:d6:d0
Allocated split-port MAC for port 32 is  00:00:00:00:00:00.

S524DF4K15000024 # diagnose debug port-mac list
Base MAC: 08:5b:0e:f1:95:e4

Port Name            Port #           Split Port Idx         MAC
==================================================================================
	port1                 1                        0         08:5b:0e:f1:95:e6
	port2                 2                        0         08:5b:0e:f1:95:e7
	port3                 3                        0         08:5b:0e:f1:95:e8
	port4                 4                        0         08:5b:0e:f1:95:e9
	port5                 5                        0         08:5b:0e:f1:95:ea
	port6                 6                        0         08:5b:0e:f1:95:eb
	port7                 7                        0         08:5b:0e:f1:95:ec
	port8                 8                        0         08:5b:0e:f1:95:ed
	port9                 9                        0         08:5b:0e:f1:95:ee
	port10                10                       0         08:5b:0e:f1:95:ef
	port11                11                       0         08:5b:0e:f1:95:f0
	port12                12                       0         08:5b:0e:f1:95:f1
	port13                13                       0         08:5b:0e:f1:95:f2
	port14                14                       0         08:5b:0e:f1:95:f3
	port15                15                       0         08:5b:0e:f1:95:f4
	port16                16                       0         08:5b:0e:f1:95:f5
	port17                17                       0         08:5b:0e:f1:95:f6
	port18                18                       0         08:5b:0e:f1:95:f7
	port19                19                       0         08:5b:0e:f1:95:f8
	port20                20                       0         08:5b:0e:f1:95:f9
	port21                21                       0         08:5b:0e:f1:95:fa
	port22                22                       0         08:5b:0e:f1:95:fb
	port23                23                       0         08:5b:0e:f1:95:fc
	port24                24                       0         08:5b:0e:f1:95:fd
	port25                25                       0         08:5b:0e:f1:95:fe
	port26                26                       0         08:5b:0e:f1:95:ff
	port27                27                       0         08:5b:0e:f1:96:00
	port28                28                       0         08:5b:0e:f1:96:01
	port29                29                       0         08:5b:0e:f1:96:02
	port30                30                       0         08:5b:0e:f1:96:03
       internal              31                       0         08:5b:0e:f1:95:e4

diagnose debug report

Use this command to display a detailed debugging report for technical support:

diagnose debug report

Example output

S524DF4K15000024 # diagnose debug report
			
Version: FortiSwitch-524D-FPOE v3.6.3,build0390,171020 (GA)
Serial-Number: S524DF4K15000024
BIOS version: 04000013
System Part-Number: P18045-04
Burn in MAC: 08:5b:0e:f1:95:e4
Hostname: S524DF4K15000024
Distribution: International
Branch point: 390
System time: Tue Jan  6 13:53:02 1970

----------------------------------------------------------------
Serial Number: S524DF4K15000024   Diagnose output
----------------------------------------------------------------

### get system status

CPU states: 0% user 4% system 0% nice 96% idle
Memory states: 10% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Uptime: 5 days,  21 hours,  53 minutes

### get system performance status

config system interface
edit "mgmt"
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh
set type physical
set snmp-index 33
next
edit "internal"
set type physical
set snmp-index 32
next
end

### show system interface

### show router static

### diagnose ip address list
...'

diagnose debug reset

Use this command to reset all debugging levels to the default levels:

diagnose debug reset

diagnose debug rip

Use this command to enable, show, or disable the debugging level for IPv4 Routing Information Protocol (RIP) routing:

diagnose debug rip {all | appl | events | packet-rx | packet-tx | show | zebra} {enable | disable}

diagnose debug ripng

Use this command to enable, show, or disable the debugging level for IPv6 Routing Information Protocol (RIP) routing:

diagnose debug ripng {all | appl | events | packet-rx | packet-tx | show | zebra} {enable | disable}

diagnose debug static

Use this command to enable or disable the debugging level for static routes:

diagnose debug static {all | appl} {enable | disable}

diagnose debug unit_test

Use this command to enable or disable the debugging of unit tests:

diagnose debug unit_test {enable | disable}

Example output

S524DF4K15000024 # diagnose debug unit_test enable
libsw_unit_test argc 2
cmd =0

diagnose debug zebra

Use this command to enable, show, or disable the debugging level for the core router daemon:

diagnose debug zebra {all | appl | events | fpm | kernel | packet-rx | packet-rx-detail | packet-tx | packet-tx-detail | rib | rib-queue | show} {enable | disable}

diagnose firewall ip clear-counter

Use this command to clear the IPv4 iptables counter:

diagnose firewall ip clear-counter

diagnose firewall ip show

Use this command to show IPv4 iptables:

diagnose firewall ip show

diagnose firewall ipv6 clear-counter

Use this command to clear the IPv6 iptables counter:

diagnose firewall ipv6 clear-counter

diagnose firewall ipv6 show

Use this command to show IPv6 iptables:

diagnose firewall ipv6 show

diagnose flapguard status

Use this command to get flap-guard information for all switch ports:

diagnose flapguard status

Example output

S524DF4K15000024 # diagnose flapguard status Portname State Status Timeout(m) flap-rate flap-duration flaps/duration Last-Event _________________ _______ _________ ___________ _________ ____________ ______________ ___________ port1 disabled - - 5 30 0 - port2 disabled - - 5 30 0 - port3 disabled - - 5 30 0 - port4 disabled - - 5 30 0 - port5 disabled - - 5 30 0 - port6 disabled - - 5 30 0 - port7 disabled - - 5 30 0 - port8 disabled - - 5 30 0 - port9 enabled - 0 5 30 0 - port10 disabled - - 5 30 0 - port11 disabled - - 5 30 0 - port12 disabled - - 5 30 0 - port13 disabled - - 5 30 0 - port14 disabled - - 5 30 0 - port15 disabled - - 5 30 0 - port16 disabled - - 5 30 0 - port17 disabled - - 5 30 0 - port18 disabled - - 5 30 0 - port19 enabled - 30 15 10 0 - port20 disabled - - 5 30 0 - port21 disabled - - 5 30 0 - port22 disabled - - 5 30 0 - port23 disabled - - 5 30 0 - port24 disabled - - 5 30 0 - port25 disabled - - 5 30 0 - port26 disabled - - 5 30 0 - port27 disabled - - 5 30 0 - port28 disabled - - 5 30 0 - port29 disabled - - 5 30 0 - port30.1 disabled - - 5 30 0 - port30.2 disabled - - 5 30 0 - port30.3 disabled - - 5 30 0 - port30.4 disabled - - 5 30 0 -

diagnose hardware

Use these commands to diagnose the hardware. You must be logged in as a super user for these commands.

diagnose hardware certificate

diagnose hardware entropy-status

diagnose hardware ioport {byte <value> | long <arguments> | word <arguments>}

diagnose hardware switchinfo {l3-ecmp-table | l3-egress-table | l3-host-table | l3-intf-table | l3-summary | l3-v6-host-table | routing-table | v6-routing-table}

diagnose hardware sysinfo {bootenv | cpu | interrupts | iomem | memory | slab}

diagnose hardware usb

 

Variable

Description

certificate

Verify which certificates are present on the FortiSwitch unit and that all installed certificates are valid.

entropy-status

Display information about FIPS mode and entropy.

ioport {byte <value> | long <arguments> | word <arguments>}

Read and write data using the input/output port.

switchinfo {l3-ecmp-table | l3-egress-table | l3-host-table | l3-intf-table | l3-summary | l3-v6-host-table | routing-table | v6-routing-table}

Display information about the FortiSwitch hardware.

sysinfo {bootenv | cpu | interrupts | iomem | memory | slab}

Display information about the system.

usb

Display information about the connected USB devices.

Example output

S424EPTF19000004 # diagnose hardware entropy-status

Entropy Seeded:         Yes
Entropy Source:         USB [Vendor: Alea,VendorID= 0X12D8 ]
Entropy Mode:           INIT
Last seeded @:           0 D : 0 H : 0 M ago.


FIPS Status:            2
BIOS OS security level :                1
BIOS FIPS Capabilities :                1
BIOS fips_enabled status:               1

 

S548DF5018000776 # diagnose hardware certificate
Checking Fortinet_CA.cer integrality ........Passed
Checking Fortinet_Factory.cer integrality ........Passed
Checking Fortinet_Factory.cer key-pair integrality ........Passed
Checking Fortinet_Factory.cer Serial-No. ........Passed
Checking Fortinet_Factory.cer timeliness ........Passed
Checking Fortinet_Factory.key integrality ........Passed
Checking Fortinet_CA2.cer integrality ........Passed
Checking Fortinet_Factory2.cer integrality ........Passed
Checking Fortinet_Factory2.cer key-pair integrality ........Passed
Checking Fortinet_Factory2.cer Serial-No. ........Passed
Checking Fortinet_Factory2.cer timeliness ........Passed
Checking Fortinet_Factory2.key integrality ........Passed

 

S424EPTF19000004 # diagnose hardware usb
Alea II TRNG
EHCI Host Controller
Generic Platform OHCI controller

diagnose ip address

Use these commands to manage IP addresses:

diagnose ip address add <interface_name> <IPv4_address> <IP_network_mask>

diagnose ip address delete <interface_name> <IPv4_address>

diagnose ip address flush

diagnose ip address list

 

Variable

Description

add <interface_name> <IPv4_address> <IP_network_mask>

Add an IPv4 address to the specified interface.

delete <interface_name> <IPv4_address>

Delete an IPv4 address from the specified interface.

flush

Delete all IP addresses.

list

List all IP addresses and which interfaces they are assigned to.

Example output

S524DF4K15000024 # diagnose ip address list
			
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=1 devname=lo
IP=192.168.1.99->192.168.1.99/255.255.255.0 index=2 devname=mgmt
IP=10.105.19.3->10.105.19.3/255.255.252.0 index=2 devname=mgmt
IP=170.38.65.1->170.38.65.1/255.255.255.0 index=71 devname=vlan35
IP=180.1.1.1->180.1.1.1/255.255.255.0 index=72 devname=vlan85
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=73 devname=int1
IP=10.10.10.1->10.10.10.1/255.255.255.0 index=74 devname=vlan-8
IP=11.1.1.100->11.1.1.100/255.255.255.255 index=74 devname=vlan-8

diagnose ip arp

Use these commands to manage the Address Resolution Protocol (ARP) table:

diagnose ip arp add <interface_name> <IPv4_address> <MAC_address>

diagnose ip arp delete <interface_name> <IPv4_address>

diagnose ip arp flush <interface_name>

diagnose ip arp list

 

Variable

Description

arp add <interface_name> <IPv4_address>

Add an Address Resolution Protocol (ARP) entry for the IP address on the specified interface.

arp delete <interface_name> <IPv4_address>

Delete an Address Resolution Protocol (ARP) entry for the IP address on the specified interface.

arp flush <interface_name>

Delete the ARP table for the specified interface.

arp list

Display the ARP table.

Example output

S524DF4K15000024 # diagnose ip arp list
			
index=2 ifname=mgmt 10.105.16.1 90:6c:ac:15:2f:94 state=00000002 use=117606 confirm=537 update=67371 ref=1
index=70 ifname=internal 192.168.0.10 state=00000001 use=24 confirm=178601 update=124 ref=1
index=74 ifname=vlan-8 11.1.1.100 00:00:5e:00:01:05 (proxy)

diagnose ip route

Use these commands to manage static routes and the routing table:

diagnose ip route add <interface_name> <IPv4_address> <IP_network_mask>

diagnose ip route delete <interface_name> <IPv4_address>

diagnose ip route flush

diagnose ip route list [<arguments>]

diagnose ip route verify <interface_name> <IPv4_address> <IP_network_mask>

 

 

Variable

Description

add <interface_name> <IPv4_address> <IP_network_mask>

Add a static route to the specified interface.

delete <interface_name> <IPv4_address>

Delete a static route from the specified interface.

flush

Delete the routing table.

list [<arguments>]

Display the routing table.

verify <interface_name> <IPv4_address> <IP_network_mask>

Verify a static route on the specified interface.

Example output

S524DF4K15000024 # diagnose ip route list
			
tab=254 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.105.16.1 dev=2(mgmt)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/24 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.16.0/22 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=254 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->39.3.2.0/24 pref=0.0.0.0 gwy=180.1.1.2 dev=72(vlan85)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.0/24 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.0/24 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/24 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.1/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.255/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.16.0/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.19.3/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.19.255/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->11.1.1.100/32 pref=11.1.1.100 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.0/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.1/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.255/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.0/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.1/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.255/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.99/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.255/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra}

Use these commands to display statistics for bidirectional forwarding detection (BFD), Border Gateway Protocol (BGP) routing, Intermediate System to Intermediate System Protocol (IS-IS) routing, open shortest path first (OSPF) routing for IPv4 traffic, OSPF routing for IPv6 traffic, Protocol Independent Multicast (PIM) routing, Routing Information Protocol (RIP) routing for IPv4 traffic, RIP routing for IPv6 traffic, static routes, and core routing daemon:

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | | ripng | static | zebra} cpu-usage

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} crash-backtrace-clear

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} crash-backtrace-read

diagnose ip router zebra fpm-counters clear

diagnose ip router zebra fpm-counters show

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} memory-usageripng |

diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} work-queues

 

Variable

Description

cpu-usage

Display statistics for CPU usage.

crash-backtrace-clear

Delete the crash-backtrace information.

crash-backtrace-read

Display the crash-backtrace information.

fpm-counters clear

Erase the hardware offload counters.

fpm-counters show

Display the hardware offload counters.

memory-usage

Display statistics for memory usage.

work-queues

Display information about work queues.

diagnose ip router command

Use these commands to send commands to various daemons in enable mode (cmd) or in configure terminal mode (cmd-conf-term).:

diagnose ip router command bfd {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command bgp {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command isis {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command ospf {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command ospf6 {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command pim {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command rip {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command static {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router command zebra {cmd <arguments>| cmd-conf-term <arguments>}

diagnose ip router fwd

Use these commands for debugging layer-3 forwarding:

diagnose ip router fwd l3-clear-stats

diagnose ip router fwd l3-disable-ip-tracing

diagnose ip router fwd l3-ecmp

diagnose ip router fwd l3-egress

diagnose ip router fwd l3-enable-ip-tracing <IP_address>

diagnose ip router fwd l3-enable-ip-tracing6 <IPv6_address>

diagnose ip router fwd l3-intf

diagnose ip router fwd l3-stats

 

Variable

Description

l3-clear-stats

Delete layer-3 statistics.

l3-disable-ip-tracing

Disable IP tracing.

l3-ecmp

Display information about equal cost multi-path (ECMP) routing.

l3-egress

Display layer-3 egress information.

l3-enable-ip-tracing <IP_address>

Enable IPv4 host tracing

l3-enable-ip-tracing6 <IPv6_address>

Enable IPv6 host tracing.

l3-intf

Display information about layer-3 interfaces.

l3-stats

Display layer-3 statistics.

diagnose ip router process show

Use this command to display information about the process launch of the core routing daemon, static routing daemon, BGD daemon, OSPF (IPv4 and IPv6) daemons, BFD daemon, RIP daemon, IS-IS daemon, and PIM daemon:

diagnose ip router process show

diagnose ip router terminal-monitor

Use this command to enable or disable the display of router information on the terminal:

diagnose ip router terminal-monitor {enable | disable}

diagnose ip rtcache list

Use this command to list the routing cache:

diagnose ip rtcache list

diagnose ip tcp

Use this command to list or clear the TCP sockets:

diagnose ip tcp {list | flush}

Example

S524DF4K15000024 # diagnose ip tcp list
			
sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode                               
0: 00000000:03E8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3099 1 e647d300 100 0 0 10 -1       
1: 00000000:0A29 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1587 1 e647c000 100 0 0 10 -1       
2: 00000000:0A2A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3338 1 e647dc80 100 0 0 10 -1       
3: 00000000:03EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3103 1 e647d7c0 100 0 0 10 -1      
...

diagnose ip udp

Use this command to list or clear the UDP sockets:

diagnose ip udp {list | flush}

Example

S524DF4K15000024 # diagnose ip udp list
sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
24: 00000000:E818 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4097 2 e69e38c0 0
53: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1972 2 e6029440 0
67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 964 2 e5fd2d80 0
67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 963 2 e5fd2b40 0
68: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1961 2 e6029200 0
181: 00000000:90B5 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 7681206 2 e6b94b40 0
350: 00000000:C15E 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3301 2 e69e2b40 0
370: 0100007F:1972 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1793 2 e6028fc0 0
404: 00000000:B994 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 112 2 e5fd2000 0
415: 00000000:859F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11905 2 e5fd38c0 0
415: 00000000:C99F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3113 2 e6029d40 0
450: 00000000:E9C2 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 157 2 e5fd2480 0
520: 00000000:0208 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2196 2 e5fd3680 0
546: 00000000:CA22 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2156 2 e5fd3440 0
549: 00000000:9225 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2057 2 e5fd2fc0 0
653: 00000000:AE8D 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 775 2 e5fd2900 0
654: 00000000:B68E 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1977 2 e6029b00 0
688: 00000000:12B0 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3321 2 e69e2fc0 0
712: 00000000:0EC8 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3320 2 e69e2d80 0
713: 00000000:0EC9 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3322 2 e69e3200 0
763: 00000000:92FB 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9848617 2 e6ad7200 0
788: 0100007F:0714 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3224 2 e69e2240 0
805: 0100007F:A725 0100007F:0714 01 00000000:00000000 00:00000000 00000000     0        0 3292 2 e69e2900 0
882: 00000000:8372 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1974 2 e60298c0 0
972: 00000000:B7CC 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3260 2 e69e26c0 0
981: 00000000:EBD5 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 39752 2 e69e3b00 0
990: 00000000:BBDE 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4357 2 e69e3d40 0

diagnose ipv6 address

Use these commands to manage IPv6 addresses:

diagnose ipv6 address add <interface_name> <IPv6_address>

diagnose ipv6 address anycast <arguments>

diagnose ipv6 address delete <interface_name> <IPv6_address>

diagnose ipv6 address flush

diagnose ipv6 address list

diagnose ipv6 address multicast <interface_name> <IPv6_address>

 

Variable

Description

add <interface_name> <IPv6_address>

Add an IPv6 address to the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

anycast <arguments>

Add an IPv6 anycast address.

delete <interface_name> <IPv4_address>

Delete an IPv6 address from the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

flush

Delete all IPv6 addresses.

list

List all IPv6 addresses and which interfaces they are assigned to.

multicast <interface_name> <IPv6_address>

Add an IPv6 multicast address to the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

Example output

S524DF4K15000024 # diagnose ipv6 address list
			
dev=1 devname=lo flag=P scope=254 prefix=128 addr=::1 prefered=-1 valid=-1
dev=2 devname=mgmt flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e4 prefered=-1 valid=-1
dev=70 devname=internal flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=71 devname=vlan35 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=72 devname=vlan85 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=74 devname=vlan-8 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1

diagnose ipv6 devconf

Use these commands to configure IPv6 devices:

diagnose ipv6 address devconf accept-dad {0 | 1 | 2}

diagnose ipv6 address devconf disable_ipv6 {0 | 1 }

 

Variable

Description

accept-dad {0 | 1 | 2}

Configure the detection of duplicate IPv6 address:
  • 0 — disable duplicate address detection.
  • 1 — enable duplicate address detection.
  • 2 — enable duplicate address detection and disable IPv6 operation if duplicate MAC-based link-local addresses are found.

disable_ipv6 {0 | 1 }

Configure IPv6 operation:
  • 0 — enable IPv6 operation.
  • 1 — disableIPv6 operation.

diagnose ipv6 ipv6-tunnel

Use these commands to manage IPv6 tunnels:

diagnose ipv6 ipv6-tunnel add <tunnel_name> <interface_name> <source_IPv6_address> <destination_IPv6_address>

diagnose ipv6 ipv6-tunnel delete <tunnel_name>

diagnose ipv6 ipv6-tunnel list

 

Variable

Description

add <tunnel_name> <interface_name> <source_IPv6_address> <destination_IPv6_address>

Create a tunnel between two IPv6 addresses on the specified interface. Use the following format for the IPv6 addresses: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

delete <tunnel_name>

Delete the specified IPv6 tunnel.

delete <interface_name> <IPv4_address>

List all IPv6 tunnels.

Example output

S524DF4K15000024 # diagnose ipv6 ipv6-tunnel list
			
sys_list_tunnel6:233 not implemented

diagnose ipv6 neighbor-cache

Use these commands to manage the IPv6 Address Resolution Protocol (ARP) table:

diagnose ipv6 neighbor-cache add <interface_name> <IPv6_address> <MAC_address>

diagnose ipv6 neighbor-cache delete <interface_name> <IPv4_address>

diagnose ipv6 neighbor-cache flush <interface_name>

diagnose ipv6 neighbor-cache list

 

Variable

Description

add <interface_name> <IPv6_address>

Add an ARP entry for the IPv6 address on the specified interface.

delete <interface_name> <IPv6_address>

Delete an ARP entry for the IPv6 address on the specified interface.

flush <interface_name>

Delete the ARP table for the specified interface.

list

Display the ARP table.

Example output

S524DF4K15000024 # diagnose ipv6 neighbor-cache list
			
ifindex=1 ifname=lo :: 00:00:00:00:00:00 state=00000040 use=1096280 confirm=1102281 update=1096280 ref=6

diagnose ipv6 route

Use these commands to manage the IPv6 routing table:

diagnose ipv6 route flush

diagnose ipv6 route list

 

Variable

Description

flush

Delete the routing table.

list

Display the routing table.

Example output

S524DF4K15000024 # diagnose ipv6 route list
			
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:::1/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e4/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=01 protocol=kernel flag=00000000 oif=70(internal) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=74(vlan-8) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=71(vlan35) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=72(vlan85) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=2(mgmt) dst:fe80::/64 prio=100
type=01 protocol=boot flag=00000000 oif=70(internal) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=74(vlan-8) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=71(vlan35) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=72(vlan85) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=2(mgmt) dst:ff00::/8 prio=100
type=07 protocol=kernel flag=00000000 oif=73(int1) prio=ffffffff

diagnose ipv6 sit-tunnel

Use these commands to manage IPv4 tunnels:

diagnose ipv6 sit-tunnel add <tunnel_name> <interface_name> <source_IPv4_address> <destination_IPv4_address>

diagnose ipv6 sit-tunnel delete <tunnel_name>

diagnose ipv6 sit-tunnel list

 

Variable

Description

add <tunnel_name> <interface_name> <source_IPv4_address> <destination_IPv4_address>

Create a tunnel between two IPv4 addresses on the specified interface. Use the following format for the IPv4 addresses: XXX.XXX.XXX.XXX

delete <tunnel_name>

Delete the specified IPv4 tunnel.

delete <interface_name> <IPv4_address>

List all IPv4 tunnels.

Example output

S524DF4K15000024 # diagnose ipv6 sit-tunnel list
			
sys_list_tunnel6:263 not implemented

diagnose log alertconsole

Use the following commands to manage alert console messages:

diagnose log alertconsole clear

diagnose log alertconsole fgd-retrieve

diagnose log alertconsole list

diagnose log alertconsole test

 

Variable

Description

clear

Clear alert console messages.

fgd-retrieve

Retrieve FortiGuard alert console messages.

list

List current alert console messages.

test

Generate alert console messages.

Example output

S524DF4K15000024 # diagnose log alertconsole list

There are 50 alert console messages:
2017-10-10 13:26:07 Administrator acmin login failed
2017-10-09 15:41:32 Firmware upgraded by admin
2017-09-29 15:14:11 Firmware upgraded by admin
2017-09-28 07:45:38 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:35 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:32 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-26 08:46:09 Firmware upgraded by admin
2017-09-21 16:16:59 Firmware upgraded by admin
2017-09-19 15:21:16 Administrator [3~[3~[3~ login failed
2017-09-12 16:29:22 Administrator get test dnsproxy ? login failed
2017-09-11 15:49:17 Administrator get router prefix-list login failed
2017-09-06 08:37:44 Firmware upgraded by FortiCloud
2017-09-05 16:49:54 Administrator R  1 login failed
2017-09-01 07:30:03 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-01 07:30:00 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-01 07:29:57 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-31 16:56:35 Administrator O  1 login failed
2017-08-31 16:53:34 Administrator R u 1 login failed
2017-08-31 16:20:29 Administrator cinfcon login failed
2017-08-29 08:37:56 Firmware upgraded by FortiCloud
2017-08-25 13:26:49 Administrator sdmin login failed
2017-08-24 11:00:46 Administrator conconfig login failed
2017-08-24 08:29:01 Firmware upgraded by FortiCloud
2017-08-21 09:16:13 Firmware upgraded by unknown
2017-08-21 08:58:20 System shutdown (factory default)
2017-08-16 08:31:31 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-16 08:31:28 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-16 08:31:25 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-15 07:33:29 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-15 07:33:26 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart

diagnose loop-guard status

Use this command to display which ports have loop guard enabled:

diagnose loop-guard status

 

To enable loop guard on a port, see config switch interface.

Example output

S524DF4K15000024 # diagnose loop-guard status


Portname             State     Status     Timeout(m)   MAC-Move   Count    Last-Event
_________________   _______   _________   __________   ________   _____   __________________

port1              disabled    -             -           -         -            -
port2              disabled    -             -           -         -            -
port3              disabled    -             -           -         -            -
port4              disabled    -             -           -         -            -
port5              disabled    -             -           -         -            -
port6              disabled    -             -           -         -            -
port7              disabled    -             -           -         -            -
port10             disabled    -             -           -         -            -
port11             disabled    -             -           -         -            -
port12             enabled     -             45          0         0            -
port13             disabled    -             -           -         -            -
port14             disabled    -             -           -         -            -
port15             disabled    -             -           -         -            -
port16             disabled    -             -           -         -            -
port17             disabled    -             -           -         -            -
port18             disabled    -             -           -         -            -
port19             disabled    -             -           -         -            -
port20             disabled    -             -           -         -            -
port21             enabled     -             45          50        0            -
port22             disabled    -             -           -         -            -
port24             disabled    -             -           -         -            -
port25             disabled    -             -           -         -            -
port26             disabled    -             -           -         -            -
port27             disabled    -             -           -         -            -
port28             disabled    -             -           -         -            -
port29             disabled    -             -           -         -            -
port30.1           disabled    -             -           -         -            -
port30.2           disabled    -             -           -         -            -
port30.3           disabled    -             -           -         -            -
port30.4           disabled    -             -           -         -            -
G100D3G15817028    disabled    -             -           -         -            -

diagnose option82-mapping relay

Use this command to display the option-82 setting for DHCP relay for each valid system interface:

diagnose option82-mapping relay <valid_system_interface>

 

Example output

S524DF4K15000024 # diagnose option82-mapping relay internal

 

Interface Name Remote-ID(hex) Circuit-ID(hex)

internal 085B0EF195E5 00000000

diagnose option82-mapping snooping

Use this command to display the option-82 settings for DHCP snooping for a specific VLAN and FortiSwitch interface:

diagnose option82-mapping snooping <VLAN_ID> <valid_switch_interface>

Example output

S524DF4K15000024 # diagnose option82-mapping snooping 100 port2

 

Interface Name Remote-ID(hex) Circuit-ID(hex)

port2 085B0EF195E5 00640102

diagnose settings

Use these commands to manage diagnostic settings:

diagnose settings info

diagnose settings reset

 

Variable

Description

info

List all diagnostic settings.

reset

Reset all diagnostic settings to their default settings.

Example output

S524DF4K15000024 # diagnose settings info
			
debug output:           disable
console timestamp:      disable
console no user log message:    disable
fsmgr debug level:      16 (0x10)
CLI debug level:        3

diagnose sniffer packet

Use this command to examine packets received on a specific interface:

diagnose sniffer packet <interface_name | any> <logical_filter | none> <verbose | 1-6> <sniffer_count> <timestamp_format>

 

Variable

Description

<interface_name | any>

Enter the name of a network interface or enter any to examine packets received on all interfaces.

<logical_filter | none>

Enter a logical filter or none. Use the following format for the filter:

'[[src|dst] host<IP_address>] [[src|dst] host<IP_address>] [[arp|ip|gre|esp|udp|tcp] [port_number]] [[arp|ip|gre|esp|udp|tcp] [port_number]]'

For example, to examine UDP packets received at port 1812 from host forti1 and host forti2 or forti3:

'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'

To examine TCP packets between two PCs through port 80:

diag sniffer packet internal 'host 192.168.0.130 and 192.168.0.1 and tcp port 80' 1

To examine packets with the RST flag set:

diagnose sniffer packet internal "tcp[13] & 4 != 0"

To examine packets with the destination MAC address of 00:09:0f:89:10:ea:

diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

<verbose | 1-6>

Set the level of detail for the results:
  • verbose — Display all details.
  • 1 — Include the packet header.
  • 2 — Include the packet header and IP address data.
  • 3 — Include the packet header and Ethernet address data (if available).
  • 4— Include the packet header and interface name.
  • 5 — Include the packet header, interface name, and IP address data.
  • 6 — Include the packet header, interface name, and Ethernet address data (if available).

<sniffer_count>

Enter the number of packets to examine.

<timestamp_format>

Enter a for UTC time (yyyy-mm-dd hh:mm:ss.ms) or enter the number of minutes and seconds after the start of the packet examination (ss.ms).

Example output

S524DF4K15000024 # diagnose sniffer packet any
interfaces=[any]
filters=[none]
0.977537 arp who-has 192.168.0.10 tell 192.168.1.99
0.977755 127.0.0.1 -> 0.0.0.0: icmp: type-#20
1.057565 224.0.0.18 -> 33.5.255.1:  ip-proto-10 (frag 65392:4294967276@1336+)
1.057578 802.1Q vlan#8 P0 -- 224.0.0.18 -> 33.5.255.1:  ip-proto-10 (frag 65392:4294967276@1336+)
1.113131 arp who-has 10.105.16.1 tell 10.105.19.8
1.977047 arp who-has 192.168.0.10 tell 192.168.1.99
1.990059 127.0.0.1 -> 0.0.0.0: icmp: type-#20
...

S524DF4K15000024 # diagnose sniffer packet internal none verbose
interfaces=[internal]
filters=[none]
pcap_lookupnet: internal: no IPv4 address assigned
0.840645 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18:  ip-proto-112 20
1.113149 arp who-has 192.168.0.10 tell 192.168.1.99
1.850162 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18:  ip-proto-112 20
2.109899 arp who-has 192.168.0.10 tell 192.168.1.99
2.859653 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18:  ip-proto-112 20
3.109412 arp who-has 192.168.0.10 tell 192.168.1.99
3.869169 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18:  ip-proto-112 20
4.128948 arp who-has 192.168.0.10 tell 192.168.1.99
...

S524DF4K15000024 # diagnose sniffer packet internal none 3 10 a
interfaces=[internal]
filters=[none]
pcap_lookupnet: internal: no IPv4 address assigned
2017-10-11 16:09:42.393816 arp who-has 192.168.0.10 tell 192.168.1.99
0x0000   ffff ffff ffff 085b 0ef1 95e5 0806 0001        .......[........
0x0010   0800 0604 0001 085b 0ef1 95e5 c0a8 0163        .......[.......c
0x0020   0000 0000 0000 c0a8 000a                       ..........

2017-10-11 16:09:42.483785 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18:  ip-proto-112 20
0x0000   0100 5e00 0012 0000 5e00 0105 8100 0008        ..^.....^.......
0x0010   0800 45c0 0028 8fec 0000 ff70 369c 0a0a        ..E..(.....p6...
0x0020   0a01 e000 0012 2105 ff01 0001 d392 0b01        ......!.........
0x0030   0164 0000 0000 0000 0000                       .d........
...

diagnose snmp

Use these commands to display SNMP information:

diagnose snmp ip frags

diagnose snmp trap send

 

Variable

Description

ip frags

Display fragmentation and reassembly information

trap send

Generate a trap event and send it to the SNMP daemon.

Example output

S524DF4K15000024 # diagnose snmp ip frags
			
ReasmTimeout = 0
ReasmReqds   = 0
ReasmOKs     = 0
ReasmFails   = 0
FragOKs      = 0
FragFails    = 0
FragCreates  = 0

diagnose stp instance list

Use this command to display information about Multiple Spanning Tree Protocol (MSTP) instances:

diagnose stp instance list <STP_ID> <port_number>

 

To create an STP instance, see config switch stp instance.

Variable

Description

<STP_ID>

Enter the STP identifier. If you enter a higher number than the valid range, the results for all STP instances are displayed. If no STP identifier is specified, results for all STP instances are displayed.

<port_number>

Enter the port number. If no port number is specified, results for all physical ports are displayed.

Example output

S524DF4K15000024 # diagnose stp instance list 0 MST Instance Information, primary-Channel: Instance ID 0 (CST) Config Priority 32768 Bridge MAC 085b0ef195e4, MD5 Digest 40d5eca178c657835c83bbcb16723192 Root MAC 085b0ef195e4, Priority 32768, Path Cost 0, Remaining Hops 20 (This bridge is the root) Regional Root MAC 085b0ef195e4, Priority 32768, Path Cost 0 (This bridge is the regional root) Active Times Forward Time 15, Max Age 20, Remaining Hops 20 TCN Events Triggered 1 (1d 0h 19m 56s ago), Received 0 (1d 0h 19m 56s ago) Port Speed Cost Priority Role State HelloTime Flags ________________ ______ _________ _________ ___________ __________ _________ ______________ port1 - 200000000 128 DISABLED DISCARDING 2 EN ED port3 - 200000000 128 DISABLED DISCARDING 2 EN ED port4 - 200000000 128 DISABLED DISCARDING 2 EN ED port5 - 200000000 128 DISABLED DISCARDING 2 EN ED port6 - 200000000 128 DISABLED DISCARDING 2 EN ED port7 - 200000000 128 DISABLED DISCARDING 2 EN ED port8 - 200000000 128 DISABLED DISCARDING 2 EN ED port9 - 200000000 128 DISABLED DISCARDING 2 EN ED port10 - 200000000 128 DISABLED DISCARDING 2 EN ED port11 - 200000000 128 DISABLED DISCARDING 2 EN ED port12 - 200000000 128 DISABLED DISCARDING 2 EN ED port13 - 200000000 128 DISABLED DISCARDING 2 EN ED port14 - 200000000 128 DISABLED DISCARDING 2 EN ED port17 - 200000000 128 DISABLED DISCARDING 2 EN ED port18 - 200000000 128 DISABLED DISCARDING 2 EN ED port19 - 200000000 128 DISABLED DISCARDING 2 EN ED port20 - 200000000 128 DISABLED DISCARDING 2 EN ED port21 - 200000000 128 DISABLED DISCARDING 2 EN ED port22 - 200000000 128 DISABLED DISCARDING 2 EN ED port23 - 200000000 128 DISABLED DISCARDING 2 EN ED port24 - 200000000 128 DISABLED DISCARDING 2 EN ED port25 - 200000000 128 DISABLED DISCARDING 2 EN ED port26 - 200000000 128 DISABLED DISCARDING 2 EN ED port27 - 200000000 128 DISABLED DISCARDING 2 EN ED port28 - 200000000 128 DISABLED DISCARDING 2 EN ED port29 - 200000000 128 DISABLED DISCARDING 2 EN ED port30 - 200000000 128 DISABLED DISCARDING 2 EN ED internal 1G 20000 128 DESIGNATED FORWARDING 2 ED Mclag-icl-trunk - 200000000 128 DISABLED DISCARDING 2 ED first-mclag - 200000000 128 DISABLED DISCARDING 2 EN ED Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)

diagnose stp mst-config list

Use this command to display the MSTP configuration:

diagnose snmp mst-config list

 

To configure an MSTP instance, see config switch stp settings.

Example output

S524DF4K15000024 # diagnose stp mst-config list

MST Configuration Identification Information

Unit: primary
MST Configuration Name: region1
MST Configuration Revision: 1
MST Configuration Digest: ac36177f50283cd4b83821d8ab26de62

Instance ID      Mapped VLANs     Priority
____________________________________________________
	0                           32768
	1                            8192

diagnose stp rapid-pvst-port

Use these commands to diagnose the interoperation with per-VLAN RSTP (Rapid PVST+ or RPVST+):

diagnose stp rapid-pvst-port clear [<port_name>]

diagnose stp rapid-pvst-port list [<port_name>]

Variable

Description

clear [<port_name>]

Clear all flags and timers on the RPVST+ port.

list [<port_name>]

Show the status of one port or all ports. If any of the ports is in the “IC” state, the command output gives the reason: VLAN priority inconsistent, VLAN configuration mismatch, or both.

diagnose stp vlan list

Use this command to display the MSTP information for a specific VLAN:

diagnose stp vlan list <VLAN_ID>

Variable

Description

<VLAN_ID>

Enter the VLAN identifier. The value range is 1-4095.

Example output

S524DF4K15000024 # diagnose stp vlan list 10 MST Instance Information, primary-Channel: Instance ID : 0 Switch Priority : 32768 Root MAC Address : 085b0ef195e4 Root Priority: 32768 Root Pathcost: 0 Regional Root MAC Address : 085b0ef195e4 Regional Root Priority: 32768 Regional Root Path Cost: 0 Remaining Hops: 20 This Bridge MAC Address : 085b0ef195e4 This bridge is the root Port Speed Cost Priority Role State Edge STP-Status Loop Protection ________________ ______ _________ _________ ___________ __________ ____ __________ ________ port1 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port2 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port3 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port4 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port5 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port6 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port9 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port10 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port11 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port12 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port13 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port14 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port15 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port16 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port17 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port18 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port19 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port20 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port21 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port22 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port23 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port24 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port25 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port26 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port27 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port28 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port29 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port30 - 200000000 128 DISABLED DISCARDING YES ENABLED NO internal 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO

diagnose switch 802-1x status

Use this command to display the status of a port using IEEE 802.1x authentication:

diagnose switch 802-1x status [<port_name>]

 

Variable

Description

[<port_name>]

Enter the port name. If the port is not specified, the status of all 802.1x-authenticated ports is returned. In the output, the value in the “Traffic-Vlan” column is the VLAN where the client was successfully authenticated.

To enable IEEE 802.1x authentication on a port, see config switch interface.

Example output

S548DF4K15000195 # diagnose switch 802-1x status

	port3 : Mode: mac-based (mac-by-pass disable)
		Link: Link up
		Port State: authorized: ( )
		EAP pass-through : Enable
		EAP auto-untagged-vlans : Disable
		Quarantine VLAN (4093) detection : Enable
		Native Vlan : 10
		Allowed Vlan list: 10,15
		Untagged Vlan list: 10
		Guest VLAN :
		Auth-Fail Vlan :

		Switch sessions 2/240, Local port sessions:2/20
		Client MAC Type                 Traffic-Vlan         Dynamic-Vlan
		94:10:3e:b9:12:65 802.1x             10                   0
		cc:5a:53:5f:d5:16 802.1x             10                   15

Sessions info:
94:10:3e:b9:12:65 Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=8 params:reAuth=3600
cc:5a:53:5f:d5:16 Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=7 params:reAuth=3600

diagnose switch acl counter

Use these commands to display information about access control lists (ACLs):

diagnose switch acl counter all

diagnose switch acl counter app <name>

diagnose switch acl counter id <policy_ID>

diagnose switch acl counter list-apps

Variable

Description

all

List all applications using ACL counters.

app <name>

List ACL counters for this application.

id <policy_ID>

List the ACL counter for this ACL policy identifier.

list-apps

List application names that use ACL counters.

Example output

S524DF4K15000024 # diagnose switch acl counter list-apps
			
Application              Policy ID Range
_______________________________________________

loop-gaurd                (2049-2049)
l3-arp-req                (2050-2050)
l3-arp-reply              (2051-2051)
dst-mac                   (2052-2052)
bfd-single-hop            (2053-2053)
bfd-multi-hop             (2054-2054)
ospf                      (2055-2055)
rip                       (2056-2056)
mclag                     (2057-2057)
mclag-l3-arp-req          (2058-2058)
mclag-l3-arp-reply        (2059-2059)
mclag-bfd-single-hop      (2060-2060)
mclag-bfd-multi-hop       (2061-2061)
mclag-ospf                (2062-2062)
mclag-rip                 (2063-2063)
fortilink                 (2064-2064)
fortilink-1               (2065-2065)
mclag-fortilink           (2066-2066)
mclag-icl                 (2067-2067)
mac-sa-mcast              (2068-2068)
forti-trunk               (2069-2069)
vwire                     (2304-2367)
vwire-acl                 (2368-133503)
dhcp-snooping             (133504-141695)
arp-snooping              (141696-145792)
access-vlan               (145793-149889)
network-monitor           (149890-149930)

diagnose switch acl hw-entry-index

NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Use this command to find the hardware mapping for the specified ACL policy identifier:

diagnose switch acl hw-entry-index <id>

Variable

Description

<id>

Enter the ACL policy identifier.

Example output

S124EP4N17000016 # diagnose switch acl hw-entry-index 1

ID HW-INDEX AGG CNTR-IDX
_________________________________________

000001 896 n 7

diagnose switch acl schedule

Use this command to list ACL policies with a schedule:

diagnose switch acl schedule egress

diagnose switch acl schedule ingress

diagnose switch acl schedule prelookup

Variable

Description

egress

List all ACL egress policies with a schedule.

ingress

List all ACL ingress policies with a schedule.

prelookup

List all ACL prelookup policies with a schedule.

Example output

S524DF4K15000024 # diagnose switch acl schedule ingress
ACL Ingress Name
1	In Schedule

diagnose switch arp-inspection stats clear

Use this command to delete dynamic ARP inspection statistics:

diagnose switch arp-inspection stats clear <VLAN_ID>

Variable

Description

<VLAN_ID>

Enter a single VLAN identifier or a range of VLAN identifiers separated by commas. For example: 1,3-4,6,7,9-100

To enable dynamic ARP inspection on a VLAN, see config switch vlan.

diagnose switch cpuq

NOTES:

  • Be careful about changing the CPU queue rate because the change is made directly to the hardware.
  • After the switch is rebooted, the CPU queue rate returns to the default value.
  • For the FS-108E and FS-124E families, the configured CPU queue rate has a 16-kbps granularity. Use the diagnose switch cpuq show command to see the actual queue rate.
  • For the FS-108E and FS-124E families, the CPU queue rate is more accurate with larger packets.

Use this command to display the CPU queue rate on the FSR-112D-POE, FS-1xxE, FS-2xx, FS-4xx, FS-5xx, FS-1xxx, and FS-3xxx families:

diagnose switch cpuq show

Use this command to change the CPU queue rate on the FSR-112D-POE, FS-2xx, FS-4xx, FS-5xx, FS-1xxx, and FS-3xxx families:

diagnose switch cpuq rate <queue_number> <new_pps_rate>

Use this command to change the CPU queue rate on the FS-108E and FS-124E families:

diagnose switch cpuq rate <queue_number> <new_Kbps_rate>

Variable

Description

show

Display the CPU queue rate for all queues.

rate <queue_number> <new_pps_rate>

Change the CPU queue rate for the specified queue to the new packets-per-second (PPS) rate.

diagnose switch cpuq rate <queue_number> <new_Kbps_rate>

Change the CPU queue rate for the specified queue to the new Kbps rate.

Example output (FS-548)

NOTE: The number of queues, queue classifications, and default CPU queue rates can differ among the FortiSwitch platforms.

S548DF5018000776 # diagnose switch cpuq show 
  Queue  |  Rate(pps) 
----------------------
  17        2000       (MIRROR/SFLOW)
  18        500        (L3_DEST_MISS)
  19        5000       (ARP_REQ)
  20        10000      (DEFAULT)
  21        1000       (NHOP)
  22        8000       (DHCP/OSPF/BFD/RIP/IGMP/FORTLINK_VLAN)
  23        6000       (ARP_REPLY)
  24        5000       (FORTILINK/MCLAG)
  25        1500       (BPDU/LOOPGUARD)

diagnose switch egress list

Use this command to display the port egress map:

diagnose switch egress list <port_name>

Variable

Description

<port_name>

Enter the port name.

Example output

S524DF4K15000024 # diagnose switch egress list port1

Switch Interface Egress Map, primary-Channel
Port Map: Name(Id):

port1(1)            port2(2)            port3(3)
port4(4)            port5(5)            port6(6)
port7(7)            port8(8)            port9(9)
port10(10)          port11(11)          port12(12)
port13(13)          port14(14)          port15(15)
port16(16)          port17(17)          port18(18)
port19(19)          port20(20)          port21(21)
port22(22)          port23(23)          port24(24)
port25(25)          port26(26)          port27(27)
port28(28)          port29(29)          port30(30)
internal(31)
cpu0(31)

Source Interface  Destination Ports
________________  ___________________________________
port1             1-6,9-31

diagnose switch ip-mac-binding entry

Use this command to display the counters for an IP-MAC binding entry:

diagnose switch ip-mac-binding entry <entry_ID>

Variable

Description

<entry_ID>

Enter an IP-MAC binding entry identifier.

To enable IP-MAC binding, see config switch global.

Example output

S524DF4K15000024 # diagnose switch ip-mac-binding entry 1

Binding Entry: 1
Binding IP: 1.20.168.172 255.255.255.255
Binding MAC: 00:21:CC:D2:76:72
Status: Enabled
Statistic:
Permit packets: 0x00
Drop packets: 0x00
-----------------------------------------------------

diagnose switch ip-source-guard hardware entry filter

Use these commands to select which IP source-guard entries to display:

diagnose switch ip-source-guard hardware entry filter clear

diagnose switch ip-source-guard hardware entry filter interface <interface_name>

diagnose switch ip-source-guard hardware entry filter ip <IPv4_address>

diagnose switch ip-source-guard hardware entry filter mac <MAC_address>

diagnose switch ip-source-guard hardware entry filter print

Variable

Description

clear

Remove the current filter.

interface <port_name>

Display entries for the specified port.

ip <IPv4_address>

Display entries for the specified IPv4 address.

mac <MAC_address> <mask>

Delete entries for the specified MAC address and mask.

print

Display the current filter.

diagnose switch ip-source-guard hardware entry list

Use this command to display all IP source-guard entries. Static entries were manually added by the config switch ip-source-guard command. Dynamic entries were added by DHCP snooping.

diagnose switch ip-source-guard hardware entry list

diagnose switch mac-address

Use these commands to manage the MAC address table:

diagnose switch mac-address delete {all | entry <xx:xx:xx:xx:xx:xx>}

diagnose switch mac-address filter clear

diagnose switch mac-address filter flags <flag bit pattern>

diagnose switch mac-address filter port-id-map <port-ID list>

diagnose switch mac-address filter show

diagnose switch mac-address filter trunk-id-map <trunk-ID list>

diagnose switch mac-address filter vlan-map <VLAN_list>

diagnose switch mac-address list

diagnose switch mac-address switch-port-macs-db

Variable

Description

delete {all | entry <xx:xx:xx:xx:xx:xx>}

Delete all MAC address entries or a specific MAC address entry.

filter clear

Delete the filter for the MAC address table list.

filter flags <flag bit pattern>

Specify the flag bit pattern to match. Use this pattern to mask important bits. This value is hexadecimal.

filter port-id-map <port-ID list>

List the port identifiers to display MAC addresses for. Separate the port identifiers with commas. For example: 1,3,5-17,19

filter show

Display the filter for the MAC address table list.

filter trunk-id-map <trunk-ID list>

List the trunk identifiers to display MAC addresses for. Separate the trunk identifiers with commas. For example: 1,2-4,77

filter vlan-map <VLAN_list>

List the VLAN identifiers to display MAC addresses for. Separate the VLAN identifiers with commans. For example: 1,2-4,77

list

List the MAC address entries and the total number of entries.

switch-port-macs-db

List which MAC addresses are assigned to local ports.

Example output

S524DF4K15000024 # diagnose switch mac-address filter show

flag bit pattern: 0x00000000
flag bit Mask:    0x00000000
vlan map: 0-4095
port-id map: 1,64
trunk-id map: 0-127

S524DF4K15000024 # diagnose switch mac-address list

MAC: 08:5b:0e:f1:95:e5  VLAN: 4094 Port: internal(port-id 31)
Flags: 0x00010460 [ static hit src-hit native ]

MAC: d6:dd:25:be:2c:43  VLAN: 1 Port: port1(port-id 1)
Flags: 0x00000020 [ static ]

Total Displayed: 2

S524DF4K15000024 # diagnose switch mac-address switch-port-macs-db

Total MACs : 30

MAC-1   : 08:5b:0e:f1:95:e6
MAC-2   : 08:5b:0e:f1:95:e8
MAC-3   : 08:5b:0e:f1:95:ea
MAC-4   : 08:5b:0e:f1:95:ec
MAC-5   : 08:5b:0e:f1:95:ee
MAC-6   : 08:5b:0e:f1:95:f0
MAC-7   : 08:5b:0e:f1:95:f2
MAC-8   : 08:5b:0e:f1:95:f4
MAC-9   : 08:5b:0e:f1:95:f6
MAC-10  : 08:5b:0e:f1:95:f8
MAC-11  : 08:5b:0e:f1:95:fa
MAC-12  : 08:5b:0e:f1:95:fc
MAC-13  : 08:5b:0e:f1:95:fe
MAC-14  : 08:5b:0e:f1:96:00
MAC-15  : 08:5b:0e:f1:96:02
MAC-16  : 08:5b:0e:f1:95:e7
MAC-17  : 08:5b:0e:f1:95:e9
MAC-18  : 08:5b:0e:f1:95:eb
MAC-19  : 08:5b:0e:f1:95:ed
MAC-20  : 08:5b:0e:f1:95:ef
MAC-21  : 08:5b:0e:f1:95:f1
MAC-22  : 08:5b:0e:f1:95:f3
MAC-23  : 08:5b:0e:f1:95:f5
MAC-24  : 08:5b:0e:f1:95:f7
MAC-25  : 08:5b:0e:f1:95:f9
MAC-26  : 08:5b:0e:f1:95:fb
MAC-27  : 08:5b:0e:f1:95:fd
MAC-28  : 08:5b:0e:f1:95:ff
MAC-29  : 08:5b:0e:f1:96:01
MAC-30  : 08:5b:0e:f1:96:03

diagnose switch macsec statistics

Use this command to display MACsec traffic statistics for the specified port. If no port is specified, statistics for all ports are returned.

diagnose switch macsec statistics [<port_name>]

diagnose switch macsec status

Use this command to display the MACsec status of the specified port. If no port is specified, the status for all ports is returned.

diagnose switch macsec status [<port_name>]

diagnose switch managed-switch

Use this command to display information about the FortiSwitch unit when it is managed by a FortiGate unit:

diagnose switch managed-switch dump xlate-vlan

diagnose switch mclag

Use these commands to manage information about MCLAGs:

diagnose switch mclag clear-stats {all | icl | mclag <trunk_name>}

diagnose switch mclag icl

diagnose switch mclag list <trunk_name>

Variable

Description

clear-stats {all | icl | mclag}

Delete statistics for all MCLAGs, delete MCLAG ICLs, or delete the statistics for the MCLAG with the specified trunk.

icl

List all inter-chassis links (ICLs).

list <trunk_name>

Display statistics for the MCLAG with the specified trunk.

To set up an MCLAG, see config switch trunk.

Example output

S524DF4K15000024 # diagnose switch mclag icl
			
MCLAG-ICL-trunk
	icl-ports            port15 port16
	egress-block-ports   none
	interface-mac        08:5b:0e:f1:95:e5
	lacp-serial-number   S524DF4K15000024
	peer-info            N/A
	keepalive interval   1
	keepalive timeout    30

Counters

diagnose switch mirror auto-config

Use these commands to manage switch mirroring using ERSPAN encapsulation with automatically configured header contents:

diagnose switch mirror auto-config restart

diagnose switch mirror auto-config status

Variable

Description

restart

Restart the ERSPAN mirroring daemon.

status

Display the status of the ERSPAN mirroring.

Example output

S524DF4K15000024 # diagnose switch mirror auto-config status 
Session name: 
Last update: never
Error msg: 
State: None
Flags: 0x00000000 ()
 
Config:
	Last good config update: never
 
Route Lookup:
	Last good route update: never
	Collector IP: 0.0.0.0
	Nexthop IP: 0.0.0.0
	SVI name: 
	SVI devindex: 0
	SVI source MAC: 00:00:00:00:00:00
	SVI VLAN: 0
	SVI source IP: 0.0.0.0
 
Nexthop ARP resolution:
	Last good ARP update: never
	Nexthop MAC: 00:00:00:00:00:00
 
Switching table resolution:
	Last good update: never
	L2 result: MAC: 00:00:00:00:00:00 VLAN: 0
			port-id: 0 Flags: 0x00000000
	Switch interface: 
	Switch interface VLAN 0: untagged
 
Hardware updates:
	Last good update: never
	Last failed update: never
	Last update return: 0:Success.
 
Resolved/Running state:
	Last entered: never
	Last left: never

diagnose switch mirror hardware status

Use this command to display information about the driver-level and hardware-level switch mirroring:

diagnose switch mirror hardware status

Example output

S524DF4K15000024 # diagnose switch mirror hardware status
			 
[flink.sniffer]===========================
  Installed           : no (  inactive)

diagnose switch modules

Use these commands to display information about physical layer (PHY) modules:

diagnose switch modules eeprom <physical_port_name>

diagnose switch modules state-machine <physical_port_name>

Variable

Description

eeprom

Display fragmentation and reassembly information

trap send

Generate a trap event and send it to the SNMP daemon.

Example output

S524DF4K15000024 # diagnose switch modules state-machine port10

DMI Status
----------------------------------
monitor_interval   10 minutes
next_monitor_in    0:44
dmi_trace          0
alarm_trap_enabled 0
num_ports          30
mod_pres           0x0000000000000000
mod_rxlos          0x0000000000000000
state_runs         62380
state_transitions  6

	    Module Summary            |              |    Alarm - Warning Flags    |
			 	  DMI |    Module    |Temp | Vcc |TxBia|TxPwr|RxPwr|
port | curr state | prev state | -IC | Type | State |Hi|Lo|Hi|Lo|Hi|Lo|Hi|Lo|Hi|Lo|
----------------------------------------------------------------------------------
 1 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 2 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 3 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 4 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 5 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 6 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 7 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 8 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
 9 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
10 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
11 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
12 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
13 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
14 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
15 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
16 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
17 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
18 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
19 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
20 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
21 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
22 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
23 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
24 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
25 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
26 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
27 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
28 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
29 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
30 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|

diagnose switch mrp

Use these commands to display information about the Media Redundancy Protocol (MRP):

diagnose switch mrp clear

diagnose switch mrp stats

diagnose switch mrp status

Variable

Description

clear

Delete the MRP statistics for the manager node.

stats

Display the Manager MRP statistics for the manager node.

status

Display the current MRP status.

diagnose switch network-monitor

Use these commands to manage information produced by network monitoring:

diagnose switch network-monitor cfg-stats

diagnose switch network-monitor clear-db

diagnose switch network-monitor dump-l2-db

diagnose switch network-monitor dump-l3-db

diagnose switch network-monitor dump-monitors

diagnose switch network-monitor parser-stats

Variable

Description

cfg-stats

Display network-monitoring configuration statistics.

clear-db

Delete all network-monitoring database entries.

dump-l2-db

List all detected devices from the layer-2 database.

dump-l3-db

List all detected devices from the layer-3 database.

dump-monitors

List the monitors used for survey-mode network monitoring.

parser-stats

List the network-monitoring parser statistics.

Example output

S524DF4K15000024 # diagnose switch network-monitor cfg-stats
Network Monitor Configuration Statistics:
----------------------------------
Adds         : 1
Deletes      : 0
Free Entries : 19
			
S524DF4K15000024 # diagnose switch network-monitor dump-monitors
Entry ID       Monitor Type       Monitor MAC      Packet-count
=================================================================
1               directed-mode   00:25:00:61:64:6d       0
2               survey-mode     08:5b:0e:f1:95:e5       0
3               survey-mode     08:5b:0e:f1:95:e5       0
4               survey-mode     08:5b:0e:f1:95:e5       0
5               survey-mode     00:00:5e:00:01:05       0
6               survey-mode     08:5b:0e:f1:95:e5       0
7               survey-mode     00:21:cc:d2:76:72       0

S524DF4K15000024 # diagnose switch network-monitor parser-stats
Network Monitor Parser Statistics:
----------------------------------
Arp         : 0
Ip          : 0
Udp         : 0
Tcp         : 0
Dhcp        : 0
Eapol       : 0
Unsupported : 0

diagnose switch pdu-counters

Use these commands to manage information from switch packet PDU counters:

diagnose switch pdu-counters clear

diagnose switch pdu-counters list

Variable

Description

clear

Clear switch packet PDU counters.

list

List nonzero switch packet PDU counters.

Example output

S548DN5018000377 # diagnose switch pdu-counters list 
primary CPU counters:
	packet receive error : 0
	Non-zero port counters:
	port1:
		IGMP Membership Report : 45
		IGMP Membership Leave : 3
		IGMPv3 Membership Report : 69002
	port13:
		IGMP Query packet : 50794
		IGMPv3 Membership Report : 50794
	port47:
		LACP packet : 15474
		STP packet : 237919
		LLDP packet : 168194
		IGMP Query packet : 50757
		IGMP Membership Report : 29
		IGMP Membership Leave : 1
	port48:
		LACP packet : 15475
		STP packet : 6
		LLDP packet : 168192
	port51:
		IGMP Membership Report : 19
		IGMP Membership Leave : 4
		IGMPv3 Membership Report : 4

diagnose switch physical-ports cable-diag

Use this command to display the results of a time-domain reflectometer (TDR) diagnostic test on the specified port.

diagnose switch physical-ports cable-diag <port_name>

Example output

S524DF4K15000024 # diagnose switch physical-ports cable-diag port1
port1:  cable (4 pairs, length +/- 10 meters)
	pair A Open, length 0 meters
	pair B Open, length 0 meters
	pair C Open, length 0 meters
	pair D Open, length 0 meters

diagnose switch physical-ports datarate

Use this command to display the number of packets received and transmitted on the specified ports as well as the data rate. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.

diagnose switch physical-ports datarate [<port_list>]

Example output

S524DF4K15000024 # diagnose switch physical-ports datarate 1,3,4-6
Rate Display Mode: DATA_RATE
Port       |  TX Packets     |  TX Rate        ||  RX Packets |  RX Rate      |
----------------------------------------------------------------------------------
	port1 |               0 |     0.0000 Mbps ||           0 |   0.0000 Mbps |
	port3 |               0 |     0.0000 Mbps ||           0 |   0.0000 Mbps |
	port4 |               0 |     0.0000 Mbps ||           0 |   0.0000 Mbps |
	port5 |               0 |     0.0000 Mbps ||           0 |   0.0000 Mbps |
	port6 |               0 |     0.0000 Mbps ||           0 |   0.0000 Mbps |
----------------------------------------------------------------------------------
			|     0.0000 Mbps ||             |   0.0000 Mbps |
			
ctrl-c to stop

diagnose switch physical-ports eee-status

Use this command to display whether the specified port has energy-efficient Ethernet (EEE) enabled. If the port is not specified, the status of all ports is displayed.

diagnose switch physical-ports eee-status [<port_name>]

Example output

S524DF4K15000024 # diagnose switch physical-ports eee-status port9

Portname  State     RX-LPI-Status  TX-LPI-Status  TX(ms)  RX(ms)  TX-Resolved(ms)  RX-Resolved(ms)
--------------------------------------------------------------------------------------------------
port9     Enabled   Inactive       Inactive            0       0                0                0

diagnose switch physical-ports hw-counter

Use these commands to display information about counters:

diagnose switch physical-ports hw-counter add {rx | tx} <counter_id> <counter|counter|counter...>

diagnose switch physical-ports hw-counter clear {rx | tx} <counter_id>

diagnose switch physical-ports hw-counter info

diagnose switch physical-ports hw-counter remove {rx | tx} <counter_id> <counter|counter|counter...>

diagnose switch physical-ports hw-counter search <port_name> <interval_seconds> <counter|counter|counter...>

diagnose switch physical-ports hw-counter search-cancel

diagnose switch physical-ports hw-counter search-results

diagnose switch physical-ports hw-counter show {rx | tx | all} <port_name>

Variable

Description

hw-counter add {rx | tx} <counter_id> <counter|counter|counter...>

Add trigger flags to a specified counter.

hw-counter clear {rx | tx} <counter_id>

Clear a specific counter.

hw-counter info

Display the supported trigger flags (RX and TX).

hw-counter remove {rx | tx} <counter_id> <counter|counter|counter...>

Remove trigger flags from the specified counters.

hw-counter search <port_name> <interval_seconds> <counter|counter|counter...>

Retrieve the data for the specified triggers on a specified port within the interval in seconds.

hw-counter search-cancel

Cancel the currently running search.

hw-counter search-results

Display the last search results.

hw-counter show {rx | tx | all} <port_name>

Show all trigger flags and statistics on a specified port.

Example output

S524DF4K15000024 # diagnose switch physical-ports hw-counter show all port9 
----------------------------------------------------------------------------------
|                              Counter Statistics (port:9)                        
----------------------------------------------------------------------------------
|Type|Counter ID|       Value        |           Trigger Flags Enabled     
----------------------------------------------------------------------------------
| Rx |         0|                   0|RIPD4 RIPD6 RDISC RPORTD PDISC     
|    |          |                    | RFILDR RDROP VLANDR               
----------------------------------------------------------------------------------
| Rx |         1|                   0|IMBP                               
----------------------------------------------------------------------------------
| Rx |         2|                   0|RIMDR                              
----------------------------------------------------------------------------------
| Tx |         0|                   0|TGIP6 TGIPMC6                      
----------------------------------------------------------------------------------
| Tx |         1|                   0|TIPD6 TIPMCD6                      
----------------------------------------------------------------------------------
| Tx |         2|                   0|TGIPMC6                            
----------------------------------------------------------------------------------
| Tx |         3|                   0|TPKTD                              
----------------------------------------------------------------------------------
| Tx |         4|                   0|TGIP4 TGIP6                        
----------------------------------------------------------------------------------
| Tx |         5|                   0|TIPMCD4 TIPMCD6                    
----------------------------------------------------------------------------------
| Tx |         6|                   0|THIGIG2                            
----------------------------------------------------------------------------------

diagnose switch physical-ports io-stats

Use these commands to display information about input/output packet statistics:

diagnose switch physical-ports io-stats clear-local <port_list>

diagnose switch physical-ports io-stats cumulative

diagnose switch physical-ports io-stats list [<port_list>]

Variable

Description

io-stats clear-local <port_list>

Delete the statistics for input and output packets for the specified ports. Use commas to separate ports. For example: 1,3,4-6

io-stats cumulative

Display the cumulative statistics for input and output packets for all ports.

io-stats list [<port_list>]

List the statistics for input and output packets for the specified ports. If the ports are not specified, the statistics for all ports are displayed.

Example output

S524DF4K15000024 # diagnose switch physical-ports io-stats cumulative
Cumulative IO Stats:
RX PacketsBpdu                             69035
RX PacketsL3RxCpu                          1020
RX PacketsRxAll                            112157
RX PacketsFlpOrIGMP                        39831
----------------------------------------------------------------------------------

diagnose switch physical-ports led-flash

Use this command to flash all port LEDs on and off for a specified number of minutes so that a particular switch can be identified. Valid times are 5, 15, 30, or 60 minutes. Use disable to stop the LEDs from flashing.

diagnose switch physical-ports led-flash disable

diagnose switch physical-ports led-flash {5 | 15 | 30 | 60}

diagnose switch physical-ports linerate

Use this command to display the number of packets received and transmitted on the specified ports as well as the line rate. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.

diagnose switch physical-ports linerate [<port_list>]

Example output

S524DF4K15000024 # diagnose switch physical-ports linerate 1,3,4-6
Rate Display Mode: LINE_RATE
Port      |  TX Packets    |  TX Rate        ||  RX Packets    |  RX Rate        |
----------------------------------------------------------------------------------
port1 |              0 |     0.0000 Mbps ||              0 |     0.0000 Mbps |
port3 |              0 |     0.0000 Mbps ||              0 |     0.0000 Mbps |
port4 |              0 |     0.0000 Mbps ||              0 |     0.0000 Mbps |
port5 |              0 |     0.0000 Mbps ||              0 |     0.0000 Mbps |
port6 |              0 |     0.0000 Mbps ||              0 |     0.0000 Mbps |
----------------------------------------------------------------------------------
|     0.0000 Mbps ||                |     0.0000 Mbps |	
			
ctrl-c to stop

diagnose switch physical-ports list

Use this command to display the details for the specified port. If the port is not specified, the details for all ports are displayed.

diagnose switch physical-ports list [<port_name>]

Example output

S524DF4K15000024 # diagnose switch physical-ports list port1

Port(port1) is Admin up, line protocol is down
Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
Address is 08:5B:0E:F1:95:E6, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
half-duplex, 0 Mb/s, link type is auto
input  : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers

diagnose switch physical-ports mapping

Use this command to display which drivers are associated with which ports:

diagnose switch physical-ports mapping

Example output

S524DF4K15000024 # diagnose switch physical-ports mapping
Unmapped port IDs:
Userspace         |           Driver
Port Name            PortID | Unit   Port   Driver Name
-------------------- ------ | ------ ------ ----------------
port1                     1 |      0      2 ge1
port2                     2 |      0      1 ge0
port3                     3 |      0      3 ge2
port4                     4 |      0      4 ge3
port5                     5 |      0      6 ge5
port6                     6 |      0      5 ge4
port7                     7 |      0      7 ge6
port8                     8 |      0      8 ge7
port9                     9 |      0     10 ge9
port10                   10 |      0      9 ge8
port11                   11 |      0     11 ge10
port12                   12 |      0     12 ge11
port13                   13 |      0     14 ge13
port14                   14 |      0     13 ge12
port15                   15 |      0     15 ge14
port16                   16 |      0     16 ge15
port17                   17 |      0     18 ge17
port18                   18 |      0     17 ge16
port19                   19 |      0     19 ge18
port20                   20 |      0     20 ge19
port21                   21 |      0     22 ge21
port22                   22 |      0     21 ge20
port23                   23 |      0     23 ge22
port24                   24 |      0     24 ge23
port25                   25 |      0     42 xe0
port26                   26 |      0     43 xe1
port27                   27 |      0     44 xe2
port28                   28 |      0     45 xe3
port29                   29 |      0     46 xe4
port30                   30 |      0     50 xe8
internal                 31 |      0      0 cpu0

diagnose switch physical-ports mdix-status

Use this command to display whether a specified port is a medium-dependent interface crossover (MDIX) port:

diagnose switch physical-ports mdix-status <port_name>

Example output

S524DF4K15000024 # diagnose switch physical-ports mdix-status port1
port1:  MDIX(Crossover)	

diagnose switch physical-ports port-stats

Use these commands to list port statistics for the specified ports or list port statistics that are not zero. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.

diagnose switch physical-ports port-stats [<port_list> | non-zero]

Example output

S524DF4K15000024 # diagnose switch physical-ports port-stats 1
			
port1 Port Stats:

Rx Bytes:                                             0
Rx Packets:                                           0
Rx Unicasts:                                          0
Rx NUnicasts:                                         0
Rx Multicasts:                                        0
Rx Broadcasts:                                        0
Rx Discards:                                          0
Rx Errors:                                            0
Rx Oversize:                                          0
Rx Pauses:                                            0
Rx IPMC Dropped:                                      0
Rx 64 Octets Packets:                                 0
Rx 65-127 Octets Packets:                             0
Rx 128-255 Octets Packets:                            0
Rx 256-511 Octets Packets:                            0
Rx 512-1023 Octets Packets:                           0
Rx 1024-1518 OctetsPackets:                           0
Rx 1519-2047 Octets Packets:                          0
Rx 2048-4095 Octets Packets:                          0
Rx 4096-9216 Octets Packets:                          0
Rx 9217-16383 Octets Packets:                         0
Rx L3 Packets:                                        0

Tx Bytes:                                             0
Tx Packets:                                           0
Tx Unicasts:                                          0
Tx NUnicasts:                                         0
Tx Multicasts:                                        0
Tx Broadcasts:                                        0
Tx Discards:                                          0
Tx Errors:                                            0
Tx Oversize:                                          0
Tx Pauses:                                            0
Tx IPMC Dropped:                                      0
Tx 64 Octets Packets:                                 0
Tx 65-127 Octets Packets:                             0
Tx 128-255 Octets Packets:                            0
Tx 256-511 Octets Packets:                            0
Tx 512-1023 Octets Packets:                           0
Tx 1024-1518 Octets Packets:                          0
Tx 1519-2047 Octets Packets:                          0
Tx 2048-4095 Octets Packets:                          0
Tx 4096-9216 Octets Packets:                          0
Tx 9217-16383 Octets Packets:                         0

Fragments:                                            0
Undersize:                                            0
Jabbers:                                              0
Collisions:                                           0
CRC Alignment Errors:                                 0
IPMC Bridged:                                         0
IPMC Routed:                                          0

----------------------------------------------------------------------------------

diagnose switch physical-ports qos-rates

Use these commands to display real-time egress QoS queue rates, including the data rate, line rate, and drop rate:

diagnose switch physical-ports qos-rates clear <port_list>

diagnose switch physical-ports qos-rates list [<port_list>]

diagnose switch physical-ports qos-rates non-zero

Variable

Description

qos-rates clear <port_list>

Delete the QoS statistics for the specified ports. If the ports are not specified, the statistics for all ports are deleted.

qos-rates list [<port_list>]

Display the real-time egress QoS queue rates for the specified ports. If the ports are not specified, the rates for all ports are displayed. Press Ctrl+c to stop the output.

qos-stats non-zero

Display only the real-time egress QoS queue rates that are not zero. Press Ctrl+c to stop the output.

Example output

S548DF5018000776 # diagnose switch physical-ports qos-rates non-zero

----------------------------  ---------------------------------------------
----------------------------  ---------------------------------------------
---------------------------  ---------------------------------------------

ctrl-c to 
port6 QoS Rates:  

queue |         PPS  | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) |
---------------------------------------------------------------------------
    7 |       0.0000 |     0.0000 |     0.0000 |     0.0000 |     0.0000 |
----------------------------  ---------------------------------------------

port28 QoS Rates:  

queue |         PPS  | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) |
---------------------------------------------------------------------------
    7 |       0.8466 |     0.0008 |     0.0010 |     0.0000 |     0.0000 |
----------------------------  ---------------------------------------------

internal QoS Rates:  

queue |         PPS  | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) |
---------------------------------------------------------------------------
   25 |       0.8472 |     0.0009 |     0.0010 |     0.0000 |     0.0000 |
----------------------------  ---------------------------------------------
			
ctrl-c to stop
^C

diagnose switch physical-ports qos-stats

Use these commands to display QoS statistics:

diagnose switch physical-ports qos-stats clear <port_list>

diagnose switch physical-ports qos-stats list [<port_list>]

diagnose switch physical-ports qos-stats non-zero

diagnose switch physical-ports qos-stats set-qos-counter-revert [<port_list>]

diagnose switch physical-ports qos-stats set-qos-counter-zero [<port_list>]

Variable

Description

qos-stats clear [<port_list>]

Delete the QoS statistics for the specified ports. If the ports are not specified, the statistics for all ports are deleted.

qos-stats list [<port_list>]

Display the QoS statistics for the specified ports. If the ports are not specified, the statistics for all ports are displayed.

qos-stats non-zero

List only QoS statistics that are not zero.

qos-stats set-qos-counter-revert [<port_list> ]

Restore QoS counters to direct hardware values for the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.

qos-stats set-qos-counter-zero [<port_list>]

Clear QoS counters (applies to all applications except SNMP) for the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.

Example output

S524DF4K15000024 # diagnose switch physical-ports qos-stats list 1

port1 QoS Stats:

queue |     unicast pkts |    unicast bytes |   multicast pkts |  multicast bytes
----------------------------------------------------------------------------------
0 |                0 |                0 |                0 |                0
1 |                0 |                0 |                0 |                0
2 |                0 |                0 |                0 |                0
3 |                0 |                0 |                0 |                0
4 |                0 |                0 |                0 |                0
5 |                0 |                0 |                0 |                0
6 |                0 |                0 |                0 |                0
7 |                0 |                0 |                0 |                0

queue |  ucast drop pkts | ucast drop bytes |  mcast drop pkts | mcast drop bytes
----------------------------------------------------------------------------------
0 |                0 |                0 |                0 |                0
1 |                0 |                0 |                0 |                0
2 |                0 |                0 |                0 |                0
3 |                0 |                0 |                0 |                0
4 |                0 |                0 |                0 |                0
5 |                0 |                0 |                0 |                0
6 |                0 |                0 |                0 |                0
7 |                0 |                0 |                0 |                0
----------------------------------------------------------------------------------

diagnose switch physical-ports queue-bandwidth-setting

Use these commands to display the bandwidth setting (kbps or percentage) for the egress queues. If the ports are not specified, the bandwidth setting for all egress queues are displayed.

diagnose switch physical-ports queue-bandwidth-setting [<port_list>]

Example output

S524DF4K15000024 # diagnose switch physical-ports queue-bandwidth-setting port23

port23 cosq bandwidth setting: (0: disabled)

port | q | KbpsMin  | KbpsMax
-------+---+----------+----------+
port23 | 0 |        0 |        0
port23 | 1 |        0 |        0
port23 | 2 |        0 |        0
port23 | 3 |        0 |        0
port23 | 4 |        0 |        0
port23 | 5 |        0 |        0
port23 | 6 |        0 |        0
port23 | 7 |        0 |        0

diagnose switch physical-ports set-counter-revert

Use this command to restore hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.

diagnose switch physical-ports set-counter-revert [<port_list>]

diagnose switch physical-ports set-counter-zero

Use this command to clear all hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.

diagnose switch physical-ports set-counter-zero [<port_list>]

diagnose switch physical-ports split-status

Use this command to display information about split ports:

diagnose switch physical-ports split-status

Example output

S524DF4K15000024 # diagnose switch physical-ports split-status
Port Name        Split Phy Name         Port Index       Child Index
---------------- ----- ---------------- ---------------- ----------
port29           No    -                29               -
port30.1         Yes   port30           30               0
port30.2         Yes   port30           32               1
port30.3         Yes   port30           33               2
port30.4         Yes   port30           34               3

diagnose switch physical-ports stats

Use these commands to display counter statistics:

diagnose switch physical-ports stats clear-local <port_list>

diagnose switch physical-ports stats list [<port_list>]

diagnose switch physical-ports stats non-zero

Variable

Description

stats clear-local <port_list>

Delete the statistics for received and transmitted packets for the specified ports for only the local session. Use commas to separate ports. For example: 1,3,4-6

stats list [<port_list>]

List the statistics for received and transmitted packets for the specified ports. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.

stats non-zero

List the statistics for counters that are not zero.

Example output

S524DF4K15000024 # diagnose switch physical-ports stats list
Port     | TX Packets |  TX bytes   || RX Packets |  RX Bytes  | RX L3 Packets |
----------------------------------------------------------------------------------
port1 |          0 |          0 ||           0 |          0 |             0 |
port2 |          0 |          0 ||           0 |          0 |             0 |
port3 |          0 |          0 ||           0 |          0 |             0 |
port4 |          0 |          0 ||           0 |          0 |             0 |
port5 |          0 |          0 ||           0 |          0 |             0 |
port6 |          0 |          0 ||           0 |          0 |             0 |
port7 |          0 |          0 ||           0 |          0 |             0 |
port8 |          0 |          0 ||           0 |          0 |             0 |
port9 |          0 |          0 ||           0 |          0 |             0 |
port10 |          0 |          0 ||           0 |          0 |             0 |
port11 |          0 |          0 ||           0 |          0 |             0 |
port12 |          0 |          0 ||           0 |          0 |             0 |
port13 |          0 |          0 ||           0 |          0 |             0 |
port14 |          0 |          0 ||           0 |          0 |             0 |
port15 |          0 |          0 ||           0 |          0 |             0 |
port16 |          0 |          0 ||           0 |          0 |             0 |
port17 |          0 |          0 ||           0 |          0 |             0 |
port18 |          0 |          0 ||           0 |          0 |             0 |
port19 |          0 |          0 ||           0 |          0 |             0 |
port20 |          0 |          0 ||           0 |          0 |             0 |
port21 |          0 |          0 ||           0 |          0 |             0 |
port22 |          0 |          0 ||           0 |          0 |             0 |
port23 |          0 |          0 ||           0 |          0 |             0 |
port24 |          0 |          0 ||           0 |          0 |             0 |
port25 |          0 |          0 ||           0 |          0 |             0 |
port26 |          0 |          0 ||           0 |          0 |             0 |
port27 |          0 |          0 ||           0 |          0 |             0 |
port28 |          0 |          0 ||           0 |          0 |             0 |
port29 |          0 |          0 ||           0 |          0 |             0 |
port30 |          0 |          0 ||           0 |          0 |             0 |
internal |        393 |    9343000 ||           0 |          0 |             0 |

diagnose switch physical-ports summary

Use this command to display a summary about the specified physcial port. If the port is not specified, summaries for all ports are displayed.

diagnose switch physical-ports summary [<port_name>]

Example output

S524DF4K15000024 # diagnose switch physical-ports summary port1

Portname    Status  Tpid  Vlan  Duplex  Speed  Flags       Discard
__________  ______  ____  ____  ______  _____  __________  _________

port1       down    8100  1     half    -        ,  ,      none

Flags: QS(802.1Q) QE(802.1Q-in-Q,external) QI(802.1Q-in-Q,internal)
TS(static trunk) TF(forti trunk) TL(lacp trunk); MD(mirror dst)
MI(mirror ingress) ME(mirror egress) MB(mirror ingress and egress) CF (Combo Fiber), CC (Combo Copper)

diagnose switch physical-ports virtual-wire list

Use this command to list all virtual wires:

diagnose switch physical-ports virtual-wire list

Example output

S524DF4K15000024 # diagnose switch physical-ports virtual-wire list
port7(7) to port8(8) TPID: 0xdee5 VLAN: 70

diagnose switch poe status

Use this command to display power over Ethernet (PoE) information for a specific port:

diagnose switch poe status <physicial_port_name>

Variable

Description

<physicial_port_name>

Enter the port name.

Example output

S524DF4K15000024 # diagnose switch poe status port1

Port(1) Power:0.00W,    Power-Status: Searching
Power-Up Mode: Normal Mode
Remote Power Device Type: PD None
Power Class: 0
Defined Max Power: 0.00W, Priority: Low.
Voltage: 54.90V
Current: 0mA

diagnose switch ptp port add-link-delay

Use this command to add an estimated link delay in nanosecods to the specified poort. Adding a link delay helps with debugging, and the setting is cleared when the switch is rebooted:

diagnose switch ptp port add-link-delay <port_name> <estimated_link_delay>

Example output

S548DN4K15000008 # diagnose switch ptp port add-link-delay port49 500
Adding port49's link_delay 500(ns).

diagnose switch ptp port get-link-delay

Use this command to display link-delay information for the specified port:

diagnose switch ptp port get-link-delay <port_name>

Example output

S548DN4K15000008 # diagnose switch ptp port get-link-delay port49

Portname     Speed  Link-Delay
__________   _____  ___________

port49       10G     500ns

diagnose switch qnq dtag-cfg

Use this command to display information about the VLAN stacking (QinQ) configuation:

diagnose switch qnq dtag-cfg

Example output

S548DF5018000776 # diagnose switch qnq dtag-cfg 

Port Name  | QinQ Mode       | Add Inner-Tag   | Remove Inner-Tag  | Priority      | Ether-Type 
======================================================================================
port39     | customer        | add (vid 456)   | enable            | follow-s-tag  | 0x8100

diagnose switch trunk list

Use this command to display link aggregation information:

diagnose switch trunk list [<trunk_name>]

Variable

Description

[<trunk_name>]

Display link aggregation information for the specified trunk. If the trunk is not specified, link aggregation information for all trunks is displayed.

Example output

S524DF4K15000024 # diagnose switch trunk list trunk1

Switch Trunk Information, primary-Channel

Trunk Name:  trunk1
Mode:  fortinet-trunk
Port Selection Algorithm:  N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:E6

Active Port  Up  Time
___________  _________________________

Non-Active Port  Status
_______________  ____________________

port1            BLOCK
port2            BLOCK
			
S524DF4K15000024 # diagnose switch trunk list

Switch Trunk Information, primary-Channel

Trunk Name:  Mclag-icl-trunk
Mode:  lacp-active (mclag-icl)
Port Selection Algorithm:  N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:F4

Active Port  Up  Time
___________  _________________________

Non-Active Port  Status
_______________  ____________________

port15           BLOCK
port16           BLOCK

LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: down
ports: 2
LACP mode: active
LACP speed: slow
aggregator ID: 1
actor key: 0
actor MAC address: 08:5b:0e:f1:95:f4
partner key: 1
partner MAC address: 00:00:00:00:00:00

slave: port15
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f4
actor state: ASAIDD
partner state: PSIODD
aggregator ID: 1

slave: port16
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f5
actor state: ASAODD
partner state: PSIODD
aggregator ID: 2

Trunk Name:  first-mclag
Mode:  static (mclag)
Port Selection Algorithm:  N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:E7

Active Port  Up  Time
___________  _________________________


Non-Active Port  Status
_______________  ____________________

port2            BLOCK

diagnose switch trunk summary

Use this command to display a summary of the link aggregation information:

diagnose switch trunk summary [<trunk_name>]

Variable

Description

[<trunk_name>]

Display a summary of the link aggregation information for the specified trunk. If the trunk is not specified, a summary for all trunks is displayed.

Example output

S524DF4K15000024 # diagnose switch trunk summary Trunk Name Mode PSC MAC Status Up Time ________________ _________________________ ___________ _________________ ___________ _________ Mclag-icl-trunk lacp-active(mclag-icl) N/A 08:5B:0E:F1:95:F4 down(0/2) N/A first-mclag static(mclag) N/A 08:5B:0E:F1:95:E7 down(0/1) N/A 8DN3X16000001-0 lacp-active(auto-isl) src-dst-ip 08:5B:0E:F0:9B:90 up(1/1) 0 days,0 hours,1 mins,35 secs S524DF4K15000024 # diagnose switch trunk summary first-mclag Trunk Name Mode PSC MAC Status Up Time ________________ _________________________ ___________ _________________ ___________ _________ first-mclag static(mclag) N/A 08:5B:0E:F1:95:E7 down(0/1) N/A

diagnose switch vlan

Use these commands to display information about virtual LANs:

diagnose switch vlan assignment capabilities

diagnose switch vlan assignment ether-proto flush

diagnose switch vlan assignment ether-proto list [{sorted-by-protocol | sorted-by-vlan}]

diagnose switch vlan assignment ipv4 flush

diagnose switch vlan assignment ipv4 list [{sorted-by-address | sorted-by-vlan}]

diagnose switch vlan assignment ipv6 flush

diagnose switch vlan assignment ipv6 list [{sorted-by-address | sorted-by-vlan}]

diagnose switch vlan assignment mac flush

diagnose switch vlan assignment mac list [{sorted-by-mac | sorted-by-vlan}]

diagnose switch vlan info cache <VLAN_ID>

diagnose switch vlan info dump

diagnose switch vlan list [<VLAN_ID>]

Variable

Description

assignment capabilities

Display information about hardware capabilities for VLAN assignments.

assignment ether-proto flush

Delete all VLAN entries assigned by Ethernet frame type and protocol.

assignment ether-proto list [{sorted-by-protocol | sorted-by-vlan}]

Display VLAN assignments by Ethernet frame type and protocol. Use sorted-by-protocol to list VLAN entries by protocol. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

assignment ipv4 flush

Delete all VLAN entries assigned by IPv4 address or subnet.

assignment ipv4 list [{sorted-by-address | sorted-by-vlan}]

Display VLAN assignments by IPv4 address or subnet. Use sorted-by-address to list VLAN entries by the mask length and IP address. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

assignment ipv6 flush

Delete all VLAN entries assigned by IPv6 address or subnet.

assignment ipv6 list [{sorted-by-address | sorted-by-vlan}]

Display VLAN assignments by IPv6 address or subnet. Use sorted-by-address to list VLAN entries by the mask length and IP address. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

assignment mac flush

Delete all VLAN entries assigned by MAC address.

assignment mac list [{sorted-by-mac | sorted-by-vlan}]

Display VLAN assignments by MAC address. Use sorted-by-mac to list VLAN entries by the MAC address. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

info cache <VLAN_ID>

Display information about the VLAN cache.

info dump

Display VLAN-related information.

list [<VLAN_ID>]

Display which ports are assigned to the specified VLAN identifier. If the VLAN identifier is not specified, the information for all VLAN identifiers is displayed.

Example output

S524DF4K15000024 # diagnose switch vlan assignment capabilities
Assignment modes supported:
Port based assignment
IPv4 address/subnet based assignment
IPv6 address/subnet based assignment
MAC address based assignment
Ethernet Protocol based assignment

S524DF4K15000024 # diagnose switch vlan info dump
Ports:
[   port1] Force[disabled]
[   port2] Force[disabled]
[   port3] Force[disabled]
[   port4] Force[disabled]
[   port5] Force[disabled]
[   port6] Force[disabled]
[   port7] Force[disabled]
[   port8] Force[disabled]
[   port9] Force[disabled]
[  port10] Force[disabled]
[  port11] Force[disabled]
[  port12] Force[disabled]
[  port13] Force[disabled]
[  port14] Force[disabled]
[  port15] Force[disabled]
[  port16] Force[disabled]
[  port17] Force[disabled]
[  port18] Force[disabled]
[  port19] Force[disabled]
[  port20] Force[disabled]
[  port21] Force[disabled]
[  port22] Force[disabled]
[  port23] Force[disabled]
[  port24] Force[disabled]
[  port25] Force[disabled]
[  port26] Force[disabled]
[  port27] Force[disabled]
[  port28] Force[disabled]
[  port29] Force[disabled]
[  port30] Force[disabled]
[internal] Force[disabled]

Private-VLANs:

S524DF4K15000024 # diagnose switch vlan list
VlanId  Ports
______  ___________________________________________________
1       port1 port2 port3 port4 port5 port6 port7 port8 port9
		port10 port11 port12 port13 port14 port15 port16 port17
		port18 port19 port20 port21 port22 port23 port24 port25
		port26 port27 port28 port29 port30
4094    internal

diagnose switch vlan-mapping egress hardware-entry

Use the following command to check the VLAN mapping on an interface for the egress direction:

diagnose switch vlan-mapping egress hardware-entry

diagnose switch vlan-mapping ingress hardware-entry

Use the following command to check the VLAN mapping on an interface for the ingress direction:

diagnose switch vlan-mapping ingress hardware-entry

diagnose sys checkused

Use the following command to check which tables are using the entry:

diagnose sys checkused <path.object.mkey>

Variable

Description

<path.object.mkey>

Display which tables use this entry.

Example output

S524DF4K15000024 # diagnose sys checkused switch.physical-port.name
			
may be used by table switch.trunk.members.member-name
may be used by table switch.mirror.dst
may be used by table switch.mirror.src-ingress.name
may be used by table switch.mirror.src-egress.name
may be used by table switch.acl.policy.ingress-interface.member-name
may be used by table switch.acl.policy.action.mirror
may be used by table switch.acl.policy.action.redirect
may be used by table switch.acl.policy.action.redirect-physical-port.member-name
may be used by table switch.acl.policy.action.egress-mask.member-name
may be used by table switch.virtual-wire.first-member
may be used by table switch.virtual-wire.second-member
may be used by table switch.auto-isl-port-group.members.member-name
may be used by table system.admin.dashboard.interface

diagnose sys cpuset

Use this command to display information about which CPU set uses a specific process:

diagnose sys cpuset <process_ID> <CPU_set_mask>

Variable

Description

<process_ID> <CPU_set_mask>

Specify the process identifier and CPU set mask to find out which CPU set uses the process.

diagnose sys dayst-info

Use this command to display information about daylight saving time:

diagnose sys dayst-info

Example output

S524DF4K15000024 # diagnose sys dayst-info
The current timezone '(GMT-8:00)Pacific Time(US&Canada).' daylight saving time starts at Sun Mar  8 02:00:00 1970, ends at Sun Nov  1 01:00:00 1970

diagnose sys fan status

Use this command to display fan information:

diagnose sys fan status

Example output

S524DF4K15000024 # diagnose sys fan status

Module    Status
___________________________________
Fan      OK
Fan speed is set to 50.0%.

diagnose sys fips error-mode

NOTE: This command is available only when the switch is in FIPS mode

Use this command put the switch in FIPS error mode. After entering FIPS error mode, the switch halts, and the user cannot perform any action. To exit error mode, you must turn the switch off and then on again and have access to the console.

diagnose sys fips error-mode

diagnose sys fips kat-error

NOTE: This command is available only when the switch is in FIPS mode

Use this command if you want to run a Known Answer Test (KAT) in error mode. The switch will halt after restarting. To exit error mode, you must turn the switch off and then on again and have access to the console.

diagnose sys fips <KAT_name>

The tests listed in the following table are available.

KAT name Description
AES Advanced Encryption Standard (AES) self-test
RBG-instantiate Random bit generator (RBG)-instantiate known answer test
RBG-reseed RBG-reseed known answer test
RBG-generate RBG-generate known answer test
RSA Rivest, Shamir, and Adleman Algorithm (RSA) known answer test
SHA1-HMAC SHA1-HMAC known answer tests
SHA256-HMAC SHA256-HMAC known answer tests
SHA384-HMAC SHA384-HMAC known answer tests
SHA512-HMAC SHA512-HMAC known answer tests
DHE DHE known answer test
ECDHE ECDHE known answer test
Configuration Configure file integrity test
Firmware-integrity Firmware integrity test

diagnose sys flash

Use these commands to manage flash memory:

diagnose sys flash format

diagnose sys flash list [<file>]

Variable

Description

format

Format the shared data partition (flash partition 2).

list [<file>]

Display statistics for a file or directory in flash memory. If no file or directory is specified, statistics for all flash memory are returned.

Example output

S524DF4K15000024 # diagnose sys flash list
Partition  Image                             TotalSize(KB)  Used(KB)  Use%  Active
(*) 1      S524DF-3.6.3-FW-build0390-171020          53248     22922   43%  Yes
						       4096       448   11%  Yes
2                                                    53248         0    0%  No

Flag * : next-boot partition
Image build at Oct 20 2017 17:10:54 for b0390

diagnose sys flow-export

Use these commands to manage flow-export data:

diagnose sys flow-export delete-flows-all

diagnose sys flow-export expire-flows-all

Variable

Description

delete-flows-all

Delete all flow-export data.

expire-flows-all

Expire all flow-export data.

diagnose sys fsw-cloud-mgr

Use these commands to manage the SSL tunnel for FortiSwitch cloud management:

diagnose sys fsw-cloud-mgr close-access-socket

diagnose sys fsw-cloud-mgr shutdown-ssl

Variable

Description

close-access-socket

Restart the SSL tunnel between a FortiSwitch and FortiSwitch cloud management by closing the socket.

shutdown-ssl

Restart the SSL tunnel between a FortiSwitch and FortiSwitch cloud management by sending a SSL_SHUTDOWN request.

diagnose sys kill

Use this command to end a specified process:

diagnose sys kill <signal_number> <process_ID>

Variable

Description

<signal_number> <process_ID>

End the process with the specified signal.

To find out which processes are currently running, see diagnose sys vlan list.

diagnose sys link-monitor

Use these commands to manage the link monitor:

diagnose sys link-monitor interface <entry>

diagnose sys link-monitor launch <entry>

diagnose sys link-monitor status {entry | all}

 

To configure the link health monitor, see config system link-monitor .

Variable

Description

interface <entry>

Display information about the specified link-monitor entry.

launch <entry>

Manually launch the specified link-monitor entry.

status {entry | all}

Display information about a specified link-monitor entry or all link-monitor entries.

diagnose sys mpstat

Use this command to display information about CPU use:

diagnose sys mpstat <delay> <loops>

Variable

Description

<delay> <loops>

Display information about the CPU use after the specified number of seconds (default is 5) and for the specified number of loops (default is 1,000,000). If the values for <delay> <loops> are not specified, there is no delay, and the output continues until a key is pressed.

Example output

S524DF4K15000024 # diagnose sys mpstat
			
Gathering data, wait 5 sec, press any key to quit.
..0..1..2..3..4
TIME          CPU    %usr   %nice    %sys  %idle
04:02:59 PM   all    0.00    0.00    5.73   94.27
		 0    0.00    0.00   10.87   89.13
		 1    0.00    0.00    0.59   99.41
04:02:59 PM          0.00    0.00    0.00    0.00

TIME          CPU    %usr   %nice    %sys  %idle
04:03:04 PM   all    0.00    0.00    6.87   93.13
		 0    0.00    0.00   12.75   87.25
		 1    0.00    0.00    1.00   99.00
04:03:04 PM          0.00    0.00    0.00    0.00

diagnose sys ntp status

Use this command to display the configuration of the Network Time Protocol (NTP) servers:

diagnose sys ntp status

To configure the NTP servers, see config system ntp.

diagnose sys pcb temp

Use this command to display the printed circuit board (PCB) temperature:

diagnose sys pcb temp

Example output

S524DF4K15000024 # diagnose sys pcb temp

Module    Status
__________________________________
Sensor1   42.0 C

diagnose sys process

Use this command to display information about a specific process:

diagnose sys process <process_ID>

Variable

Description

<process_ID>

Display information about the specified process identifier.

To find out which processes are currently running, see diagnose sys vlan list.

diagnose sys psu status

Use this command to display information about the power supply unit (PSU):

diagnose sys psu status

Example output

S524DF4K15000024 # diagnose sys psu status
			
PSU1 is OK.
PSU2 is not present.

diagnose sys top

Use this command to list the processes currently running on your FortiSwitch unit:

diagnose sys top <delay> <lines>

Variable

Description

<delay> <lines>

Enter the number of seconds to delay (the default is 5) and the maximum lines of output (the default is 20).

In the output, the codes displayed on the second output line mean the following:

  • U is % of user space applications using CPU. In the example, 0U means 0% of the user space applications are using CPU.
  • S is % of system processes (or kernel processes) using CPU. In the example, 0S means 0% of the system processes are using the CPU.
  • I is % of idle CPU. In the example, 98I means the CPU is 98% idle.
  • T is the total FortiOS system memory in Mb. In the example, 123T means there are 123 Mb of system memory.
  • F is free memory in Mb. In the example, 25F means there is 25 Mb of free memory.

Each additional line of the command output displays the following information for each of the processes running on the FortiSwitch (from left to right):

  • Process name
  • Process identifier
  • State that the process is running in. The process state can be:
    • R for running
    • S for sleep
    • Z for zombie
    • D for disk sleep
  • Amount of CPU that the process is using. CPU usage can range from 0.0 for a process that is sleeping to higher values for a process that is taking a lot of CPU time.
  • Amount of memory that the process is using. Memory usage can range from 0.1 to 5.5 and higher.

Example output

S524DF4K15000024 # diagnose sys top 5 5
			
Run Time:  3 days, 0 hours and 40 minutes
0U, 6S, 94I; 1978T, 1744F
pyfcgid      695      S       0.0     0.7
pyfcgid      791      S       0.0     0.7
pyfcgid      792      S       0.0     0.7
httpsd       696      S       0.0     0.6
cmdbsvr      611      S       0.0     0.6

diagnose sys vlan list

Use these commands to display information about configured VLANs:

diagnose syst vlan list

To configure a VLAN, see config switch vlan.

diagnose test application

Use these commands to test specific daemons:

diagnose test application dnsproxy <test_level>

diagnose test application fpmd <test_level>

diagnose test application radiusd <test_level>

diagnose test application sflowd <test_level>

diagnose test application snmpd <test_level>

Variable

Description

dnsproxy <test_level>

Specify the test level for the DNS proxy daemon:
  1. Clear DNS cache.
  2. Show statistics.
  3. Dump DNS setting.
  4. Reload the fully qualified domain name (FQDN).
  5. Requery the FQDN.
  6. Dump the FQDN.

fpmd <test_level>

Specify the test level for the hardware offload daemon.

radiusd <test_level>

Specify the test level for the RADIUS daemon:
  • 2: Clear the RADIUS server database.
  • 3: Show the RADIUS server database.
  • 33: Show the RADIUS server database (with start time).
  • 4: Show the RADIUS server database information.
  • 9: Check the high availability (HA) context table checksums.
  • 11: Show the HA synchronization connection status.
  • 20: Show the RADIUS server configuration cache.
  • 21: Show the RADIUS server interface configuration cache.
  • 99: Restart.

sflowd <test_level>

Specify the test level for the sFlow daemon:
  • 1: Show collector setting.
  • 2: Show state.

snmpd <test_level>

Specify the test level for the SNMP daemon:
  • 1: Display daemon process identifier.
  • 2: Display SNMP statistics.
  • 3: Clear SNMP statistics.
  • 4: Generate test trap.
  • 99: Restart daemon.
  • 101: Reset the msgAuthoritativeEngineBoots attribute to 0 and restart the daemon.

Example output

S524DF4K15000024 # diagnose test application dnsproxy 2
config: alloc=1
DNS_CACHE: alloc=0
DNS UDP: req=6680, res=0, fwd=26720, hits=0, alloc=0
cur=90 v6_cur=0
DNS TCP: req=0, alloc=0

S524DF4K15000024 # diagnose test application fpmd 2
L3 egr obj Num: 0 Max: 8192 LastFoundEgrId: 0
Valid: 0 Gw: 0.0.0.0 IfIndex: 0 RefCount: 0 EgrObj: 0 Status: 0

diagnose test authserver

Use these commands to test the authentication server:

diagnose test authserver cert <arguments>

diagnose test authserver ldap <server_name> <user_name> <password>

diagnose test authserver ldap-digest <arguments>

diagnose test authserver ldap-direct <arguments>

diagnose test authserver ldap-search <arguments>

diagnose test authserver local <arguments>

diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <user_name> <password>

diagnose test authserver radius-direct <server_name _or_IP_address> <port_number> <secret>

diagnose test authserver tacacs+ <server_name> <user_name> <password>

diagnose test authserver tacacs+-direct <arguments>

Variable

Description

cert <arguments>

Test the certificate authentication.

ldap <server_name> <user_name> <password>

Test the connection to an LDAP server. For the server_name, use the name of the LDAP object, not the LDAP server name. Use credentials that you have used in the LDAP object itself.

ldap-digest <arguments>

Test the LDAP HA1 password query.

ldap-direct <arguments>

Test the connection to an LDAP server.

ldap-search <arguments>

Search for an LDAP server.

local <arguments>

Test the local user.

radius <server_name> <chap | pap | mschap | mschap2> <user_name> <password>

Test the connection to the RADIUS server.

radius-direct <server_name _or_IP_address> <port_number> <secret>

Test the connection to the RADIUS server. For the port number, enter -1 to use the default port. Otherwise, enter the port number to check.

tacacs+ <server_name> <user_name> <password>

Test the connection to the TACACS+ server.

tacacs+-direct <arguments>

Test the connection to the TACACS+ server.

diagnose user radius coa

Use this command to display information about RADIUS authentication and RADIUS accounting:

diagnose user radius coa

To configure RADIUS authentication and RADIUS accounting, see config user radius.