diagnose
Use the diagnose commands to help with troubleshooting:
- diagnose bpdu-guard display status
- diagnose certificate all
- diagnose certificate ca
- diagnose certificate local
- diagnose certificate remote
- diagnose debug application
- diagnose debug authd
- diagnose debug bfd
- diagnose debug bgp
- diagnose debug cli
- diagnose debug config-error-log
- diagnose debug console
- diagnose debug crashlog
- diagnose debug disable
- diagnose debug enable
- diagnose debug info
- diagnose debug isis
- diagnose debug kernel level
- diagnose debug ospf
- diagnose debug ospf6
- diagnose debug packet_test
- diagnose debug pbr
- diagnose debug pim
- diagnose debug port-mac
- diagnose debug report
- diagnose debug reset
- diagnose debug rip
- diagnose debug ripng
- diagnose debug static
- diagnose debug unit_test
- diagnose debug zebra
- diagnose firewall ip clear-counter
- diagnose firewall ip show
- diagnose firewall ipv6 clear-counter
- diagnose firewall ipv6 show
- diagnose flapguard status
- diagnose hardware
- diagnose ip address
- diagnose ip arp
- diagnose ip route
- diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | pbr | rip | ripng | static | zebra}
- diagnose ip router command
- diagnose ip router fwd
- diagnose ip router process show
- diagnose ip router terminal-monitor
- diagnose ip rules list
- diagnose ip rtcache list
- diagnose ip tcp
- diagnose ip udp
- diagnose ipv6 address
- diagnose ipv6 devconf
- diagnose ipv6 ipv6-tunnel
- diagnose ipv6 neighbor-cache
- diagnose ipv6 route
- diagnose ipv6 sit-tunnel
- diagnose log alertconsole
- diagnose loop-guard status
- diagnose option82-mapping relay
- diagnose option82-mapping snooping
- diagnose settings
- diagnose sniffer packet
- diagnose snmp
- diagnose stp instance list
- diagnose stp mst-config list
- diagnose stp rapid-pvst-port
- diagnose stp vlan list
- diagnose switch 802-1x status
- diagnose switch 802-1x status-dacl
- diagnose switch acl counter
- diagnose switch acl hw-entry-index
- diagnose switch acl schedule
- diagnose switch arp-inspection stats clear
- diagnose switch cpuq
- diagnose switch egress list
- diagnose switch ip-mac-binding entry
- diagnose switch ip-source-guard hardware entry filter
- diagnose switch ip-source-guard hardware entry list
- diagnose switch mac-address
- diagnose switch macsec statistics
- diagnose switch macsec status
- diagnose switch managed-switch
- diagnose switch mclag
- diagnose switch mirror auto-config
- diagnose switch mirror hardware status
- diagnose switch modules
- diagnose switch mrp
- diagnose switch network-monitor
- diagnose switch pdu-counters
- diagnose switch physical-ports cable-diag
- diagnose switch physical-ports datarate
- diagnose switch physical-ports eee-status
- diagnose switch physical-ports hw-counter
- diagnose switch physical-ports io-stats
- diagnose switch physical-ports led-flash
- diagnose switch physical-ports linerate
- diagnose switch physical-ports list
- diagnose switch physical-ports mdix-status
- diagnose switch physical-ports port-stats
- diagnose switch physical-ports qos-rates
- diagnose switch physical-ports qos-stats
- diagnose switch physical-ports set-counter-revert
- diagnose switch physical-ports summary
- diagnose switch poe status
- diagnose switch ptp port get-link-delay
- diagnose switch qnq dtag-cfg
- diagnose switch trunk list
- diagnose switch trunk summary
- diagnose switch vlan
- diagnose switch vlan-mapping egress hardware-entry
- diagnose switch vlan-mapping ingress hardware-entry
- diagnose switch vxlan mac-address list
- diagnose sys checkused
- diagnose sys cpuset
- diagnose sys dayst-info
- diagnose sys fan status
- diagnose sys flan-cloud-mgr
- diagnose sys flash
- diagnose sys flow-export
- diagnose sys kill
- diagnose sys link-monitor
- diagnose sys mpstat
- diagnose sys ntp status
- diagnose sys pcb temp
- diagnose sys permission list
- diagnose sys permission list-by-accprofile
- diagnose sys permission list-cli
- diagnose sys process
- diagnose sys psu status
- diagnose sys remote assistance
- diagnose sys sniffer-profile
- diagnose sys soc temp
- diagnose sys top
- diagnose sys vlan list
- diagnose test application
- diagnose test authserver
- diagnose user radius coa
diagnose automation test
Use this command to test the specified automation stitch:
diagnose automation test <automation-stitch-name> [<log_ID>]
Example output
S224ENTF18000826 # diagnose automation test teststitch 0
automation test is done. stitch:teststitch
diagnose bpdu-guard display status
Use this command to display the status of the spanning tree protocol (STP) bridge protocol data unit (BPDU) guard:
diagnose bpdu-guard display status
To configure STP BPDU guard, see config switch interface.
Example output
Portname           State     Status     Timeout(m)   Count  Last-Event
_________________  _______   _________  ___________  _____  _______________
port1              disabled  -          -            -      -
port2              disabled  -          -            -      -
port3              disabled  -          -            -      -
port4              disabled  -          -            -      -
port5              disabled  -          -            -      -
port6              disabled  -          -            -      -
port9              disabled  -          -            -      -
port10             disabled  -          -            -      -
port11             disabled  -          -            -      -
port12             disabled  -          -            -      -
port13             disabled  -          -            -      -
port14             disabled  -          -            -      -
port15             disabled  -          -            -      -
port16             disabled  -          -            -      -
port17             disabled  -          -            -      -
port18             disabled  -          -            -      -
port19             disabled  -          -            -      -
port20             disabled  -          -            -      -
port21             disabled  -          -            -      -
port22             disabled  -          -            -      -
port23             disabled  -          -            -      -
port24             disabled  -          -            -      -
port25             disabled  -          -            -      -
port26             disabled  -          -            -      -
port27             disabled  -          -            -      -
port28             disabled  -          -            -      -
port29             disabled  -          -            -      -
port30             enabled   -          60           0      -
diagnose certificate all
Use this command to verify all system certificates:
diagnose certificate all
Example output
S148EN5919002268 # diagnose certificate all
Certificate Authority
----------------------------------------------------------------------------
Name             : Fortinet_802.1x_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed
Timeliness       : Valid (Expires on 2028-10-22 12:00:00 GMT)

Name             : Fortinet_CA
Fingerprint(MD5) : 86:40:5C:F4:C2:A6:0B:96:82:9E:5F:E7:4F:D9:51:22
Serial Number    : 00
Integrality      : Passed
Timeliness       : Valid (Expires on 2056-05-27 20:27:39 GMT)

Name             : Fortinet_CA2
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9
Serial Number    : da:f6:36:b4:43:d4:a5:8b
Integrality      : Passed
Timeliness       : Valid (Expires on 2038-01-19 22:34:39 GMT)

Name             : Fortinet_Sub_CA2
Fingerprint(MD5) : 2E:36:70:82:7F:1E:21:CE:94:20:82:01:62:5E:30:DD
Serial Number    : 20:01
Integrality      : Passed
Timeliness       : Valid (Expires on 2056-05-27 20:48:33 GMT)

Name             : Fortinet_fsw_cloud_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed
Timeliness       : Valid (Expires on 2028-10-22 12:00:00 GMT)

Local
----------------------------------------------------------------------------
Name             : Fortinet_802.1x
Fingerprint(MD5) : 0C:7B:E2:32:85:D0:05:DA:CA:16:15:86:82:D7:28:63
Serial Number    : 0d:b1:1b:bc:13:51:13:23:18:64:23:55:cd:db:3b:fe
Integrality      : Passed
Key-pair         : Passed
Timeliness       : Valid (Expires on 2022-05-24 12:00:00 GMT)

Name             : Fortinet_Factory
Fingerprint(MD5) : A0:20:10:10:17:D5:13:E5:9D:93:72:F4:FB:37:10:57
Serial Number    : 0e:98:f9
Integrality      : Passed
Key-pair         : Passed
Timeliness       : Valid (Expires on 2056-01-19 03:14:07 GMT)

Name             : Fortinet_Factory2
Fingerprint(MD5) : 3B:73:EC:E9:6E:F1:39:12:32:16:A5:16:79:E4:04:0C
Serial Number    : 4b:6e:10
Integrality      : Passed
Key-pair         : Passed
Timeliness       : Valid (Expires on 2038-01-19 03:14:07 GMT)

Name             : Fortinet_Firmware
Fingerprint(MD5) : A3:09:DB:D7:31:CA:7C:A6:CD:03:B1:91:FB:D7:13:23
Serial Number    : 41:1d:d5
Integrality      : Passed
Key-pair         : Passed
Timeliness       : Valid (Expires on 2038-01-19 03:14:07 GMT)

Remote
----------------------------------------------------------------------------
diagnose certificate ca
Use this command to verify CA certificates:
diagnose certificate ca
Example output
S148EN5919002268 # diagnose certificate ca
Name             : Fortinet_802.1x_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed
Timeliness       : Valid (Expires on 2028-10-22 12:00:00 GMT)

Name             : Fortinet_CA
Fingerprint(MD5) : 86:40:5C:F4:C2:A6:0B:96:82:9E:5F:E7:4F:D9:51:22
Serial Number    : 00
Integrality      : Passed
Timeliness       : Valid (Expires on 2056-05-27 20:27:39 GMT)

Name             : Fortinet_CA2
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9
Serial Number    : da:f6:36:b4:43:d4:a5:8b
Integrality      : Passed
Timeliness       : Valid (Expires on 2038-01-19 22:34:39 GMT)

Name             : Fortinet_Sub_CA2
Fingerprint(MD5) : 2E:36:70:82:7F:1E:21:CE:94:20:82:01:62:5E:30:DD
Serial Number    : 20:01
Integrality      : Passed
Timeliness       : Valid (Expires on 2056-05-27 20:48:33 GMT)

Name             : Fortinet_fsw_cloud_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number    : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality      : Passed
Timeliness       : Valid (Expires on 2028-10-22 12:00:00 GMT)
diagnose certificate local
Use this command to verify local certificates:
diagnose certificate local
Example output
S548DF5018000776 # diagnose certificate local
Name             : Fortinet_802.1x
Fingerprint(MD5) : 0C:7B:E2:32:85:D0:05:DA:CA:16:15:86:82:D7:28:63
Serial Number    : 0d:b1:1b:bc:13:51:13:23:18:64:23:55:cd:db:3b:fe
Integrality      : Passed
Key-pair         : Passed
Timeliness       : Valid (Expires on 2022-05-24 12:00:00 GMT)

Name             : Fortinet_Factory
Fingerprint(MD5) : B1:92:9D:7B:63:4B:9D:F7:57:FF:E6:59:AE:C2:21:2A
Serial Number    : 19:c1:ea
Integrality      : Passed
Key-pair         : Passed
Timeliness       : Valid (Expires on 2038-01-19 03:14:07 GMT)

Name             : Fortinet_Factory2
Fingerprint(MD5) : F8:E4:51:61:B6:F0:98:FA:43:1F:4C:FD:C1:5D:B2:62
Serial Number    : 19:c1:ec
Integrality      : Passed
Key-pair         : Passed
Timeliness       : Valid (Expires on 2038-01-19 03:14:07 GMT)

Name             : Fortinet_Firmware
Fingerprint(MD5) : A3:09:DB:D7:31:CA:7C:A6:CD:03:B1:91:FB:D7:13:23
Serial Number    : 41:1d:d5
Integrality      : Passed
Key-pair         : Passed
Timeliness       : Valid (Expires on 2038-01-19 03:14:07 GMT)
diagnose certificate remote
Use this command to verify remote certificates:
diagnose certificate remote
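The output of the diagnose certificate commands above can be checked offline once it has been captured from a switch. The following Python script is an added example, not Fortinet code: it parses the "Name / Integrality / Key-pair / Timeliness" layout shown in the example output and reports certificates whose checks did not pass or that expire soon. The sample text, the "Failed" value, the function names and the 90-day warning window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the "diagnose certificate all" output.
# Names, fingerprints and the "Failed" value are made up for this example.
SAMPLE = """\
S000EXAMPLE000000 # diagnose certificate all
Certificate Authority
----------------------------------------------------------------------------
Name : Example_CA
Fingerprint(MD5) : 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Serial Number : 00
Integrality : Passed
Timeliness : Valid (Expires on 2056-05-27 20:27:39 GMT)
Local
----------------------------------------------------------------------------
Name : Example_802.1x
Fingerprint(MD5) : 10:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Serial Number : 0d:b1
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2022-05-24 12:00:00 GMT)
Name : Example_Factory
Fingerprint(MD5) : 20:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Serial Number : 0e:98:f9
Integrality : Passed
Key-pair : Failed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)
Remote
----------------------------------------------------------------------------
"""

SECTIONS = {"Certificate Authority", "Local", "Remote"}
EXPIRY_RE = re.compile(r"Expires on (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT")


def parse_certificates(text):
    """Return one dict per certificate, keyed by the field names in the output."""
    certs, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, current = line, None
            continue
        # Split on the first colon only: fingerprints and serials contain colons.
        key, sep, value = line.partition(":")
        if not sep:
            continue  # prompt line, separator rule or blank line
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {"Section": section, "Name": value}
            certs.append(current)
        elif current is not None:
            current[key] = value
    return certs


def audit(text, now, warn_days=90):
    """Return (section, name, problem) tuples for certificates needing attention."""
    findings = []
    for cert in parse_certificates(text):
        where = (cert["Section"], cert["Name"])
        # Integrality is printed for every certificate, Key-pair only for local ones.
        checks = {"Integrality": cert.get("Integrality", "missing")}
        if "Key-pair" in cert:
            checks["Key-pair"] = cert["Key-pair"]
        for check, result in checks.items():
            if result != "Passed":
                findings.append(where + (f"{check} check: {result}",))
        timeliness = cert.get("Timeliness", "")
        match = EXPIRY_RE.search(timeliness)
        if not timeliness.startswith("Valid"):
            # Assumption: any state other than "Valid" deserves a look.
            findings.append(where + (f"Timeliness: {timeliness or 'missing'}",))
        elif match is None:
            findings.append(where + ("no expiry date parsed",))
        else:
            expires = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
            remaining = expires.replace(tzinfo=timezone.utc) - now
            if remaining <= timedelta(0):
                findings.append(where + (f"expired on {expires:%Y-%m-%d}",))
            elif remaining <= timedelta(days=warn_days):
                findings.append(where + (f"expires in {remaining.days} days",))
    return findings


if __name__ == "__main__":
    # Fixed reference time so the run is reproducible; use
    # datetime.now(timezone.utc) against real captured output.
    reference = datetime(2022, 3, 1, tzinfo=timezone.utc)
    for section, name, problem in audit(SAMPLE, reference):
        print(f"[{section}] {name}: {problem}")
```

The same parser accepts the output of diagnose certificate ca and diagnose certificate local, which have no section headers; the section is then reported as None.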
diagnose debug application
Use this command to set the debug level for application daemons. Some applications must be set to level 8 or higher to enable output for other diagnose debug commands. If you do not specify the debugging level, the current debugging level is returned.
diagnose debug application <application> [<debugging_level>]
The following applications are supported:
- alertd—Monitor and alert daemon
- authd—Authentication control daemon
- auto-script—Automation script
- autod—Automation stitch
- bfdd—Bidirectional forwarding detection (BFD) daemon
- bgpd—Border Gateway Protocol (BGP) daemon
- ctrld—General FortiSwitch control daemon
- cu_swtpd—Switch-controller CAPWAP control daemon
- dhcp6c—DHCPv6 client module
- dhcpc—DHCP client module
- dhcprelay—DHCP relay daemon
- dmid—Diagnostic monitoring interface (DMI) daemon
- dnsproxy—DNS proxy module
- eap_proxy—EAP proxy daemon
- email-server—Email server
- erspan-auto-mgr—ERSPAN-auto mode configuration resolution daemon
- flcmdd—FortiLink command daemon
- flow-export—Flow-export
- fnbamd—FortiGate nonblocking authentication daemon
- fortilinkd—FortiLink daemon
- fpmd—Hardware routing daemon
- flan-mgr—FortiLAN Cloud daemon
- gratarp—IP conflict gratuitous ARP utility
- gui—GUI service
- httpsd—HTTP and HTTPS daemon
- ip6addrd—IPv6 address utility
- ipconflictd—IP conflict detection daemon
- isisd—Intermediate System to Intermediate System Protocol (IS-IS) daemon
- l2d—Daemon for layer-2 features
- l2dbg—Daemon for hardware-related operations needed by layer 2
- l3—Layer-3 debugging
- lacpd—Link Aggregation Control Protocol (LACP) daemon
- libswitchd—FortiSwitch library daemon
- link-monitor—Link monitor daemon
- lldpmedd—Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) daemon
- mcast-snooping—Multicast-snooping debugging
- miglogd—Logging daemon
- mrpd—Media Redundancy Protocol (MRP) daemon
- ntpd—Network Time Protocol (NTP) daemon
- nwmcfgd—Daemon for network-monitoring configuration
- nwmonitord—Packet-handling and parsing daemon for network monitoring
- ospf6d—Open shortest path first (OSPF IPv6) routing daemon
- ospfd—Open shortest path first (OSPF IPv4) routing daemon
- pbrd—Policy-based routing (PBR) daemon
- pimd—Protocol Independent Multicast (PIM) daemon
- portspeedd—Port speed daemon
- radius_das—RADIUS CoA daemon
- radiusd—RADIUS daemon
- radvd—Router advertisement daemon
- ripd—Routing Information Protocol (RIP) routing daemon
- ripngd—Routing Information Protocol NG (RIPNG) daemon
- router-launcher—Daemon for launching the routing system
- rsyslogd—Remote SYSLOG daemon
- sflowd—sFlow daemon
- snmpd—Simple Network Management Protocol (SNMP) daemon
- sshd—Secure Sockets Shell (SSH) daemon
- staticd—Static route daemon
- statsd—Statistics collection daemon
- stpd—Spanning Tree Protocol (STP) daemon
- switch-launcher—Daemon for launching the FortiSwitch system
- trunkd—Trunk daemon
- vrrpd—Virtual Router Redundancy Protocol (VRRP) daemon
- wiredap—Daemon for 802.1x port-based authentication
- wpa_supp—MACsec Key Agreement (MKA) MACsec daemon
- zebra—Core router daemon
Example output
S524DF4K15000024 # diagnose debug application flgd
flgd debug level is 8 (0x8)
diagnose debug authd
Use these commands to manage the authentication daemon:
diagnose debug authd clear
diagnose debug authd fsso clear-logons
diagnose debug authd fsso filter clear
diagnose debug authd fsso filter group <group_name>
diagnose debug authd fsso filter server <FSSO_agent_name>
diagnose debug authd fsso filter source <IPv4_address> <IPv4_address>
diagnose debug authd fsso filter user <user_name>
diagnose debug authd fsso list
diagnose debug authd fsso refresh-groups
diagnose debug authd fsso refresh-logons
diagnose debug authd fsso server-status
diagnose debug authd fsso summary
Variable | Description
clear | Delete internal data structures and keepalive sessions.
fsso clear-logons | Delete Fortinet Single Sign-On (FSSO) logon information.
fsso filter clear | Delete all FSSO filters.
fsso filter group <group_name> | List only the logons by the specified FSSO group.
fsso filter server <FSSO_agent_name> | List only the logons for the specified FSSO agent.
fsso filter source <IPv4_address> <IPv4_address> | List only the logons for the specified range of IPv4 addresses.
fsso filter user <user_name> | List only the logons by the specified user.
fsso list | Display the current FSSO logons.
fsso refresh-groups | Refresh the FSSO group mappings.
fsso refresh-logons | Synchronize the FSSO logon database.
fsso server-status | Display the status of the FSSO agent connection.
fsso summary | Display a summary of current FSSO logons.
Example output
diag debug authd fsso server-status
Server Name   Connection Status   Version
-----------   -----------------   -------
fsso          connected           FSSO 5.0.0237

diagnose debug authd fsso list
IP: 10.1.1.5 User: ADM_FWCHECK Groups: FW_OPERATORS/ADMINISTRATORS
diagnose debug bfd
Use this command to enable, show, or disable the debugging level for bidirectional forwarding detection (BFD):
diagnose debug bfd {all | appl | fsm | net | show | zebra} {enable | disable}
diagnose debug bgp
Use this command to enable, show, or disable the debugging level for Border Gateway Protocol (BGP) routing:
diagnose debug bgp {all | appl | as4 | flowspec | keepalives | neighbor-events | nht | normal | show | updates | zebra} {enable | disable}
diagnose debug cli
Use this command to set or find the debug level for the CLI:
diagnose debug cli [<0-8>]
Example output
S524DF4K15000024 # diagnose debug cli
Cli debug level is 8
diagnose debug config-error-log
Use this command to display information about the configuration error log:
diagnose debug config-error-log {clear | read}
Variable | Description
clear | Clear the configuration error log.
read | Display configuration errors on the console.
diagnose debug console
Use these commands to display information about the console:
diagnose debug console no-user-log-msg {enable | disable}
diagnose debug console send <AT command>
diagnose debug console timestamp {enable | disable}
Variable | Description
no-user-log-msg {enable | disable} | Enable or disable the display of user log messages on the console.
send <AT command> | Send out the specified modem AT command.
timestamp {enable | disable} | Enable or disable the time stamp.
diagnose debug crashlog
Use this command to display or erase the crash log:
diagnose debug crashlog {clear | get | kill-with-crashlog <process_ID> | read}
Variable | Description
clear | Clear the crash log.
get | Display the crash log on the console.
kill-with-crashlog <process_ID> | End the daemon using the specified process ID.
read | Display the crash log on the console in a readable format.
Example output
S524DF4K15000024 # diagnose debug crashlog get
...

S548DF5018000776 # diagnose debug crashlog read
1: 2020-03-13 11:54:15 the killed daemon is /bin/fsmgrd: status=0x0
2: 2020-03-13 16:55:27 the killed daemon is /bin/fsmgrd: status=0x0
3: 2020-03-13 16:59:09 the killed daemon is /bin/fsmgrd: status=0x0
4: 2020-03-13 17:32:56 the killed daemon is /bin/fsmgrd: status=0x0
5: 2020-03-13 18:10:52 the killed daemon is /bin/fsmgrd: status=0x0
6: 2020-03-13 18:45:45 the killed daemon is /bin/fsmgrd: status=0x0
7: 2020-03-13 18:52:24 the killed daemon is /bin/fsmgrd: status=0x0
8: 2020-03-16 11:59:48 restart_reason=SYSTEM SHUTDOWN
9: 2020-03-17 10:16:42 restart_reason=SYSTEM SHUTDOWN
10: 2020-03-23 09:23:22 restart_reason=SYSTEM SHUTDOWN
11: 2020-03-24 08:33:04 restart_reason=SYSTEM SHUTDOWN
12: 2020-03-26 08:11:33 restart_reason=SYSTEM SHUTDOWN
13: 2020-04-10 08:48:25 restart_reason=SYSTEM SHUTDOWN
14: 2020-05-06 10:51:28 the killed daemon is /bin/fsmgrd: status=0x0
15: 2020-05-06 11:47:45 the killed daemon is /bin/fsmgrd: status=0x0
16: 2020-05-06 17:49:04 the killed daemon is /bin/fsmgrd: status=0x0
17: 2020-05-28 08:45:54 restart_reason=SYSTEM SHUTDOWN
18: 2020-05-28 09:09:00 the killed daemon is /bin/fsmgrd: status=0x0
19: 2020-05-28 09:36:23 the killed daemon is /bin/fsmgrd: status=0x0
20: 2020-05-28 18:12:20 the killed daemon is /bin/fsmgrd: status=0x0
21: 2020-05-29 13:31:52 the killed daemon is /bin/fsmgrd: status=0x0
22: 2020-05-29 15:04:20 the killed daemon is /bin/fsmgrd: status=0x0
23: 2020-05-29 16:01:28 the killed daemon is /bin/fsmgrd: status=0x0
24: 2020-05-29 16:27:41 the killed daemon is /bin/fsmgrd: status=0x0
25: 2020-06-01 16:04:11 restart_reason=SYSTEM SHUTDOWN
26: 2020-06-02 09:56:49 the killed daemon is /bin/fsmgrd: status=0x0
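The readable crash log is easy to triage with a script once it has been copied off the switch. The following Python script is an added example, not Fortinet code: it parses entries in the "diagnose debug crashlog read" format shown above and reports daemons that were killed repeatedly within a short window. The sample entries, daemon names, function names and the threshold of three kills per hour are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entries in the "diagnose debug crashlog read" format.
SAMPLE = """\
1: 2024-01-10 09:00:00 the killed daemon is /bin/exampled: status=0x0
2: 2024-01-10 09:10:00 the killed daemon is /bin/exampled: status=0x0
3: 2024-01-10 09:40:00 the killed daemon is /bin/exampled: status=0x0
4: 2024-01-11 08:00:00 restart_reason=SYSTEM SHUTDOWN
5: 2024-01-12 10:00:00 the killed daemon is /bin/exampled: status=0x0
6: 2024-01-12 15:00:00 the killed daemon is /bin/otherd: status=0xb
"""

ENTRY_RE = re.compile(r"^\s*(\d+):\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
KILL_RE = re.compile(r"^the killed daemon is (\S+): status=(0x[0-9a-fA-F]+)$")
RESTART_RE = re.compile(r"^restart_reason=(.+)$")


def parse_crashlog(text):
    """Turn crash log entries into dicts; lines that are not entries are skipped."""
    events = []
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if entry is None:
            continue  # prompt line or wrapped text
        when = datetime.strptime(entry.group(2), "%Y-%m-%d %H:%M:%S")
        message = entry.group(3).strip()
        kill = KILL_RE.match(message)
        restart = RESTART_RE.match(message)
        if kill:
            events.append({"time": when, "kind": "kill", "daemon": kill.group(1),
                           "status": int(kill.group(2), 16)})
        elif restart:
            events.append({"time": when, "kind": "restart",
                           "reason": restart.group(1)})
        else:
            events.append({"time": when, "kind": "other", "text": message})
    return events


def kill_bursts(events, threshold=3, window=timedelta(hours=1)):
    """Return (daemon, first, last, count) for each group of at least
    `threshold` kills of one daemon that all fall within `window`."""
    by_daemon = defaultdict(list)
    for event in events:
        if event["kind"] == "kill":
            by_daemon[event["daemon"]].append(event["time"])
    bursts = []
    for daemon, times in sorted(by_daemon.items()):
        times.sort()
        i = 0
        while i < len(times):
            j = i
            # Extend the group while the next kill is still inside the window.
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                bursts.append((daemon, times[i], times[j], count))
                i = j + 1
            else:
                i += 1
    return bursts


def restart_reasons(events):
    """Count restart entries by reason."""
    counts = defaultdict(int)
    for event in events:
        if event["kind"] == "restart":
            counts[event["reason"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_crashlog(SAMPLE)
    for daemon, first, last, count in kill_bursts(parsed):
        print(f"{daemon}: {count} kills between {first} and {last}")
    print(restart_reasons(parsed))
```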
diagnose debug disable
Use this command to disable debugging output:
diagnose debug disable
diagnose debug enable
Use this command to enable debugging output:
diagnose debug enable
diagnose debug info
Use this command to display the debugging level:
diagnose debug info
Example output
S524DF4K15000024 # diagnose debug info
debug output: enable
console timestamp: disable
console no user log message: disable
fsmgr debug level: 16 (0x10)
CLI debug level: 8
diagnose debug isis
Use this command to enable, show, or disable the debugging level for Intermediate System to Intermediate System Protocol (IS-IS) routing:
diagnose debug isis {adj-packets | all | appl | bfd | events | flooding | lsp-gen | lsp-sched | packet-dump | route-events | show | snp-packets | spf-events | tx-queue | update-packets} {enable | disable}
diagnose debug kernel level
Use this command to display or set the debugging level for the kernel:
diagnose debug kernel level [<integer>]
Example output
S524DF4K15000024 # diagnose debug kernel level
Kernel debug level is 0
diagnose debug ospf
Use this command to enable, show, or disable the debugging level for open shortest path first (OSPF) routing for IPv4 traffic:
diagnose debug ospf {all | appl | event | ism-debug | lsa-debug | nsm-debug | nssa | packet-debug | show | zebra-debug} {enable | disable}
diagnose debug ospf6
Use this command to enable or disable the debugging level for open shortest path first (OSPF) routing for IPv6 traffic:
diagnose debug ospf6 {abr | all | appl | asbr | border-routers | flooding | interface | lsa | lsa-debug | message | neighbor | packet-debug | route | route-debug | spf | zebra} {enable | disable}
diagnose debug packet_test
Use this command to display a report about the specified port for technical support:
diagnose debug packet_test <port_ID>
Example output
S524DF4K15000024 # diagnose debug packet_test 30
RX: port:0(tx port 30) len:0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RX: port:0(tx port 30) len:0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Send: 2, Recv: 2
diagnose debug pbr
Use this command to enable, show, or disable the debugging level for policy-based routing (PBR):
diagnose debug pbr {all | appl | events | map | nht | show | zebra} {enable | disable}
diagnose debug pim
Use this command to enable, show, or disable the debugging level for Protocol Independent Multicast (PIM) routing:
diagnose debug pim {all | appl | events | igmp-events | igmp-packets | igmp-trace | mroute | packet-dump | packets | show | static | trace | zebra} {enable | disable}
diagnose debug port-mac
NOTE: This command is available only on FortiSwitch units that have the split-port feature available.
Use this command to display the mapping between MAC addresses and ports:
diagnose debug port-mac {check-mac | list}
Variable | Description
check-mac | Check to see if the specified MAC address is valid.
list | List the mapping between MAC addresses and ports.
Example output
S524DF4K15000024 # diagnose debug port-mac check-mac 08:5b:0e:f1:95:e4
Input MAC address 08:5b:0e:f1:95:e4 found in range
08:5b:0e:e5:4f:d6--08:5b:0e:f1:9b:a4
90:6c:ac:30:19:22--90:6c:ac:7b:d6:d0
Allocated split-port MAC for port 32 is 00:00:00:00:00:00.

S524DF4K15000024 # diagnose debug port-mac list
Base MAC: 08:5b:0e:f1:95:e4
Port Name   Port #   Split Port Idx   MAC
==================================================================================
port1       1        0                08:5b:0e:f1:95:e6
port2       2        0                08:5b:0e:f1:95:e7
port3       3        0                08:5b:0e:f1:95:e8
port4       4        0                08:5b:0e:f1:95:e9
port5       5        0                08:5b:0e:f1:95:ea
port6       6        0                08:5b:0e:f1:95:eb
port7       7        0                08:5b:0e:f1:95:ec
port8       8        0                08:5b:0e:f1:95:ed
port9       9        0                08:5b:0e:f1:95:ee
port10      10       0                08:5b:0e:f1:95:ef
port11      11       0                08:5b:0e:f1:95:f0
port12      12       0                08:5b:0e:f1:95:f1
port13      13       0                08:5b:0e:f1:95:f2
port14      14       0                08:5b:0e:f1:95:f3
port15      15       0                08:5b:0e:f1:95:f4
port16      16       0                08:5b:0e:f1:95:f5
port17      17       0                08:5b:0e:f1:95:f6
port18      18       0                08:5b:0e:f1:95:f7
port19      19       0                08:5b:0e:f1:95:f8
port20      20       0                08:5b:0e:f1:95:f9
port21      21       0                08:5b:0e:f1:95:fa
port22      22       0                08:5b:0e:f1:95:fb
port23      23       0                08:5b:0e:f1:95:fc
port24      24       0                08:5b:0e:f1:95:fd
port25      25       0                08:5b:0e:f1:95:fe
port26      26       0                08:5b:0e:f1:95:ff
port27      27       0                08:5b:0e:f1:96:00
port28      28       0                08:5b:0e:f1:96:01
port29      29       0                08:5b:0e:f1:96:02
port30      30       0                08:5b:0e:f1:96:03
internal    31       0                08:5b:0e:f1:95:e4
diagnose debug report
Use this command to display a detailed debugging report for technical support:
diagnose debug report
Example output
S524DF4K15000024 # diagnose debug report
Version: FortiSwitch-524D-FPOE v3.6.3,build0390,171020 (GA)
Serial-Number: S524DF4K15000024
BIOS version: 04000013
System Part-Number: P18045-04
Burn in MAC: 08:5b:0e:f1:95:e4
Hostname: S524DF4K15000024
Distribution: International
Branch point: 390
System time: Tue Jan 6 13:53:02 1970
----------------------------------------------------------------
Serial Number: S524DF4K15000024 Diagnose output
----------------------------------------------------------------
### get system status
CPU states: 0% user 4% system 0% nice 96% idle
Memory states: 10% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Uptime: 5 days, 21 hours, 53 minutes
### get system performance status
config system interface
    edit "mgmt"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 33
    next
    edit "internal"
        set type physical
        set snmp-index 32
    next
end
### show system interface
### show router static
### diagnose ip address list
...
diagnose debug reset
Use this command to reset all debugging levels to the default levels:
diagnose debug reset
diagnose debug rip
Use this command to enable, show, or disable the debugging level for IPv4 Routing Information Protocol (RIP) routing:
diagnose debug rip {all | appl | events | packet-rx | packet-tx | show | zebra} {enable | disable}
diagnose debug ripng
Use this command to enable, show, or disable the debugging level for IPv6 Routing Information Protocol (RIP) routing:
diagnose debug ripng {all | appl | events | packet-rx | packet-tx | show | zebra} {enable | disable}
diagnose debug static
Use this command to enable or disable the debugging level for static routes:
diagnose debug static {all | appl} {enable | disable}
diagnose debug unit_test
Use this command to enable or disable the debugging of unit tests:
diagnose debug unit_test {enable | disable}
Example output
S524DF4K15000024 # diagnose debug unit_test enable
libsw_unit_test argc 2 cmd =0
diagnose debug zebra
Use this command to enable, show, or disable the debugging level for the core router daemon:
diagnose debug zebra {all | appl | events | fpm | kernel | packet-rx | packet-rx-detail | packet-tx | packet-tx-detail | rib | rib-queue | show} {enable | disable}
diagnose firewall ip clear-counter
Use this command to clear the IPv4 iptables counter:
diagnose firewall ip clear-counter
diagnose firewall ip show
Use this command to show IPv4 iptables:
diagnose firewall ip show
diagnose firewall ipv6 clear-counter
Use this command to clear the IPv6 iptables counter:
diagnose firewall ipv6 clear-counter
diagnose firewall ipv6 show
Use this command to show IPv6 iptables:
diagnose firewall ipv6 show
diagnose flapguard status
Use this command to get flap-guard information for all switch ports:
diagnose flapguard status
Example output
S524DF4K15000024 # diagnose flapguard status
Portname           State     Status     Timeout(m)   flap-rate  flap-duration  flaps/duration  Last-Event
_________________  _______   _________  ___________  _________  ____________   ______________  ___________
port1              disabled  -          -            5          30             0               -
port2              disabled  -          -            5          30             0               -
port3              disabled  -          -            5          30             0               -
port4              disabled  -          -            5          30             0               -
port5              disabled  -          -            5          30             0               -
port6              disabled  -          -            5          30             0               -
port7              disabled  -          -            5          30             0               -
port8              disabled  -          -            5          30             0               -
port9              enabled   -          0            5          30             0               -
port10             disabled  -          -            5          30             0               -
port11             disabled  -          -            5          30             0               -
port12             disabled  -          -            5          30             0               -
port13             disabled  -          -            5          30             0               -
port14             disabled  -          -            5          30             0               -
port15             disabled  -          -            5          30             0               -
port16             disabled  -          -            5          30             0               -
port17             disabled  -          -            5          30             0               -
port18             disabled  -          -            5          30             0               -
port19             enabled   -          30           15         10             0               -
port20             disabled  -          -            5          30             0               -
port21             disabled  -          -            5          30             0               -
port22             disabled  -          -            5          30             0               -
port23             disabled  -          -            5          30             0               -
port24             disabled  -          -            5          30             0               -
port25             disabled  -          -            5          30             0               -
port26             disabled  -          -            5          30             0               -
port27             disabled  -          -            5          30             0               -
port28             disabled  -          -            5          30             0               -
port29             disabled  -          -            5          30             0               -
port30.1           disabled  -          -            5          30             0               -
port30.2           disabled  -          -            5          30             0               -
port30.3           disabled  -          -            5          30             0               -
port30.4           disabled  -          -            5          30             0               -
diagnose hardware
Use these commands to diagnose the hardware. You must be logged in as a super user for these commands.
diagnose hardware certificate
diagnose hardware ioport {byte <value> | long <arguments> | word <arguments>}
diagnose hardware switchinfo {l2-station-table | l3-ecmp-table | l3-egress-table | l3-host-table | l3-intf-table | l3-ip-mapping-table | l3-pbr-mapping-table | l3-pbr-nhop-group-table | l3-routing-table | l3-summary | l3-v6-host-table | l3-v6-routing-table | multicast-groups}
diagnose hardware sysinfo {bootenv | cpu | interrupts | iomem | memory | slab}
diagnose hardware usb
Variable | Description
certificate | Verify which certificates are present on the FortiSwitch unit and that all installed certificates are valid.
ioport {byte <value> | long <arguments> | word <arguments>} | Read and write data using the input/output port.
switchinfo {l2-station-table | l3-ecmp-table | l3-egress-table | l3-host-table | l3-intf-table | l3-ip-mapping-table | l3-pbr-mapping-table | l3-pbr-nhop-group-table | l3-routing-table | l3-summary | l3-v6-host-table | l3-v6-routing-table | multicast-groups} | Display information about the FortiSwitch hardware.
sysinfo {bootenv | cpu | interrupts | iomem | memory | slab} | Display information about the system.
usb | Display information about the connected USB devices.
Example output
S548DF5018000776 # diagnose hardware certificate
Checking Fortinet_CA.cer integrality ........Passed
Checking Fortinet_Factory.cer integrality ........Passed
Checking Fortinet_Factory.cer key-pair integrality ........Passed
Checking Fortinet_Factory.cer Serial-No. ........Passed
Checking Fortinet_Factory.cer timeliness ........Passed
Checking Fortinet_Factory.key integrality ........Passed
Checking Fortinet_CA2.cer integrality ........Passed
Checking Fortinet_Factory2.cer integrality ........Passed
Checking Fortinet_Factory2.cer key-pair integrality ........Passed
Checking Fortinet_Factory2.cer Serial-No. ........Passed
Checking Fortinet_Factory2.cer timeliness ........Passed
Checking Fortinet_Factory2.key integrality ........Passed

S524DF4K15000024 # diagnose hardware switchinfo l3-ip-mapping-table
Ip Addr       Intf  EgressObj  Mac                Static-ARP  VRF
111.222.1.1   39    100005     00:00:00:00:00:00  0           0

S524DF4K15000024 # diagnose hardware switchinfo l3-egress-table
L3 Egress entries: Max: 16384 Existing 6
Entry   Mac                Vlan  INTF  PORT  MOD  MPLS_LABEL  ToCpu  Drop  RefCount  L3MC
100002  00:00:00:00:00:00  4095  0     0     0    -1          yes    no    1         no
100003  00:00:00:00:00:00  4092  1     0     0    -1          yes    no    1         no
100004  00:00:00:00:00:00  4094  2     0     0    -1          yes    no    1         no
100005  04:d5:90:97:e1:16  4094  2     0t    0    -1          no     no    1         no
100006  00:00:00:00:00:00  10    3     0     0    -1          yes    no    1         no

S424EPTF19000004 # diagnose hardware usb
Alea II TRNG
EHCI Host Controller
Generic Platform OHCI controller

FS1E483Z17000008 # diagnose hardware switchinfo l2-station-table
Priority  Mac                Vlan  SrcPort    Flags
0         70:4c:a5:53:ca:a8  4095  0x8000001  0x1c
0         70:4c:a5:53:ca:d2  4095  0x800002b  0x1c
0         70:4c:a5:53:ca:ce  4095  0xc000000  0x1c
0         70:4c:a5:53:ca:ae  4095  0x8000007  0x1c
0         70:4c:a5:53:ca:cc  4095  0x8000025  0x1c
0         70:4c:a5:53:ca:be  4095  0x8000017  0x1c

FS1E483Z17000008 # diagnose hardware switchinfo multicast-groups
Group 0x1000000 (L2)
    port ge0, encap -1
    port xe0, encap -1
    port ge1, encap -1
    port ge2, encap -1
    port xe1, encap -1
    port xe2, encap -1
    port ge3, encap -1
    port xe3, encap -1
    port xe4, encap -1
    port xe5, encap -1
    port xe6, encap -1
    port xe7, encap -1
    port xe8, encap -1
    port xe9, encap -1
    port ge4, encap -1
    port xe10, encap -1
    port xe11, encap -1
    port xe12, encap -1
    port xe13, encap -1
    port xe14, encap -1
    port xe15, encap -1
    port xe16, encap -1
    port ge5, encap -1
    port xe17, encap -1
    port ge6, encap -1
    port xe18, encap -1
    port xe19, encap -1
    port xe20, encap -1
    port xe21, encap -1
    port xe22, encap -1
    port xe23, encap -1
    port xe24, encap -1
    port xe25, encap -1
    port xe26, encap -1
    port xe27, encap -1
    port xe28, encap -1
    port ge7, encap -1
    port xe29, encap -1
    port ge8, encap -1
    port ge9, encap -1
    port xe30, encap -1
    port xe31, encap -1
    port ge10, encap -1
    port xe32, encap -1
    port xe33, encap -1
    port xe34, encap -1
    port xe35, encap -1
    port xe36, encap -1
    port ce0, encap -1
    port ce1, encap -1
    port ce2, encap -1
    port ce3, encap -1
Group 0x7000002 (VLAN)
    port cpu0, encap -1
Group 0x2000003 (L3)
    port ge0, encap -1
    port ge3, encap -1
    port ge5, encap -1
    port ge7, encap -1
    port ge8, encap -1
    port ge9, encap -1
    port ge10, encap -1
diagnose ip address
Use these commands to manage IP addresses:
diagnose ip address add <interface_name> <IPv4_address> <IP_network_mask>
diagnose ip address delete <interface_name> <IPv4_address>
diagnose ip address flush
diagnose ip address list
Variable | Description
add <interface_name> <IPv4_address> <IP_network_mask> | Add an IPv4 address to the specified interface.
delete <interface_name> <IPv4_address> | Delete an IPv4 address from the specified interface.
flush | Delete all IP addresses.
list | List all IP addresses and which interfaces they are assigned to.
Example output
S524DF4K15000024 # diagnose ip address list
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=1 devname=lo
IP=192.168.1.99->192.168.1.99/255.255.255.0 index=2 devname=mgmt
IP=10.105.19.3->10.105.19.3/255.255.252.0 index=2 devname=mgmt
IP=170.38.65.1->170.38.65.1/255.255.255.0 index=71 devname=vlan35
IP=180.1.1.1->180.1.1.1/255.255.255.0 index=72 devname=vlan85
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=73 devname=int1
IP=10.10.10.1->10.10.10.1/255.255.255.0 index=74 devname=vlan-8
IP=11.1.1.100->11.1.1.100/255.255.255.255 index=74 devname=vlan-8
diagnose ip arp
Use these commands to manage the Address Resolution Protocol (ARP) table:
diagnose ip arp add <interface_name> <IPv4_address> <MAC_address>
diagnose ip arp delete <interface_name> <IPv4_address>
diagnose ip arp flush <interface_name>
diagnose ip arp list
Variable | Description
arp add <interface_name> <IPv4_address> <MAC_address> | Add an Address Resolution Protocol (ARP) entry for the IP address on the specified interface.
arp delete <interface_name> <IPv4_address> | Delete an Address Resolution Protocol (ARP) entry for the IP address on the specified interface.
arp flush <interface_name> | Delete the ARP table for the specified interface.
arp list | Display the ARP table.
Example output
S524DF4K15000024 # diagnose ip arp list
index=2 ifname=mgmt 10.105.16.1 90:6c:ac:15:2f:94 state=00000002 use=117606 confirm=537 update=67371 ref=1
index=70 ifname=internal 192.168.0.10 state=00000001 use=24 confirm=178601 update=124 ref=1
index=74 ifname=vlan-8 11.1.1.100 00:00:5e:00:01:05 (proxy)
diagnose ip route
Use these commands to manage static routes and the routing table:
diagnose ip route add <interface_name> <IPv4_address> <IP_network_mask>
diagnose ip route delete <interface_name> <IPv4_address>
diagnose ip route flush
diagnose ip route list [<arguments>]
diagnose ip route verify <interface_name> <IPv4_address> <IP_network_mask>
Variable | Description
add <interface_name> <IPv4_address> <IP_network_mask> | Add a static route to the specified interface.
delete <interface_name> <IPv4_address> | Delete a static route from the specified interface.
flush | Delete the routing table.
list [<arguments>] | Display the routing table.
verify <interface_name> <IPv4_address> <IP_network_mask> | Verify a static route on the specified interface.
Example output
S524DF4K15000024 # diagnose ip route list
tab=254 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.105.16.1 dev=2(mgmt)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/24 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.16.0/22 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=254 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->39.3.2.0/24 pref=0.0.0.0 gwy=180.1.1.2 dev=72(vlan85)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.0/24 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.0/24 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/24 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.1/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.255/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.16.0/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.19.3/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.19.255/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->11.1.1.100/32 pref=11.1.1.100 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.0/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.1/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.255/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.0/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.1/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.255/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.99/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.255/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | pbr | rip | ripng | static | zebra}
Use these commands to display statistics for Bidirectional Forwarding Detection (BFD), Border Gateway Protocol (BGP) routing, Intermediate System to Intermediate System Protocol (IS-IS) routing, Open Shortest Path First (OSPF) routing for IPv4 traffic, OSPF routing for IPv6 traffic, Protocol Independent Multicast (PIM) routing, policy-based routing (PBR), Routing Information Protocol (RIP) routing for IPv4 traffic, RIP routing for IPv6 traffic, static routes, and the core routing daemon:
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | pbr | rip | ripng | static | zebra} cpu-usage
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | pbr | rip | ripng | static | zebra} crash-backtrace-clear
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | pbr | rip | ripng | static | zebra} crash-backtrace-read
diagnose ip router zebra fpm-counters clear
diagnose ip router zebra fpm-counters show
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | pbr | rip | ripng | static | zebra} memory-usage
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | pbr | rip | ripng | static | zebra} work-queues
Variable | Description
cpu-usage | Display statistics for CPU usage.
crash-backtrace-clear | Delete the crash-backtrace information.
crash-backtrace-read | Display the crash-backtrace information.
fpm-counters clear | Erase the hardware offload counters.
fpm-counters show | Display the hardware offload counters.
memory-usage | Display statistics for memory usage.
work-queues | Display information about work queues.
diagnose ip router command
Use these commands to send commands to various daemons in enable mode (cmd) or in configure terminal mode (cmd-conf-term):
diagnose ip router command bfd {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command bgp {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command isis {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command ospf {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command ospf6 {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command pim {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command rip {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command static {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command zebra {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router fwd
Use these commands for debugging layer-3 forwarding:
diagnose ip router fwd l3-clear-stats
diagnose ip router fwd l3-disable-ip-tracing
diagnose ip router fwd l3-ecmp
diagnose ip router fwd l3-egress
diagnose ip router fwd l3-enable-ip-tracing <IP_address>
diagnose ip router fwd l3-enable-ip-tracing6 <IPv6_address>
diagnose ip router fwd l3-intf
diagnose ip router fwd l3-rvi-dev-info <RVI_name>
diagnose ip router fwd l3-rvi-info
diagnose ip router fwd l3-stats
Variable | Description
l3-clear-stats | Delete layer-3 statistics.
l3-disable-ip-tracing | Disable IP tracing.
l3-ecmp | Display information about equal cost multi-path (ECMP) routing.
l3-egress | Display layer-3 egress information.
l3-enable-ip-tracing <IP_address> | Enable IPv4 host tracing.
l3-enable-ip-tracing6 <IPv6_address> | Enable IPv6 host tracing.
l3-intf | Display information about layer-3 interfaces.
l3-rvi-dev-info <RVI_name> | Display RVI internal information.
l3-rvi-info | Display which ports and trunks are RVIs.
l3-stats | Display layer-3 statistics.
Example
FS1E483Z17000008 # diagnose ip router fwd l3-rvi-dev-info RVI10
RVI trunkid: -1: Ifindex: 64 Numlinks: 0 port: 1 (Port,StationId): (1,1)

FS1E483Z17000008 # diagnose ip router fwd l3-rvi-info
RVI port1: Ifindex: 64
RVI port7: Ifindex: 67
RVI port23: Ifindex: 73
RVI port37: Ifindex: 69
RVI port39: Ifindex: 77
RVI port40: Ifindex: 77
RVI port43: Ifindex: 74
RVI trunk0: Ifindex: 77
Port Info: port1 port7 port23 port37 port39 port40 port43 internal
diagnose ip router process show
Use this command to display information about the process launch of the core routing daemon, static routing daemon, BGP daemon, OSPF (IPv4 and IPv6) daemons, BFD daemon, RIP daemon, IS-IS daemon, and PIM daemon:
diagnose ip router process show
diagnose ip router terminal-monitor
Use this command to enable or disable the display of router information on the terminal:
diagnose ip router terminal-monitor {enable | disable}
diagnose ip rtcache list
Use this command to list the routing cache:
diagnose ip rtcache list
diagnose ip rules list
Use this command to list IP rules.
diagnose ip rules list
Example
S524DF4K15000024 # diagnose ip rules list
tab=0 fam=2 action=1 flags: 0x0 prio=1000 src=0.0.0.0/0 dst=0.0.0.0/0 table=(0)
tab=0 fam=2 action=7 flags: 0x0 prio=2000 src=0.0.0.0/0 dst=0.0.0.0/0 table=(0)
tab=255 fam=2 action=1 flags: 0x0 prio=32765 src=0.0.0.0/0 dst=0.0.0.0/0 table=(255)
tab=254 fam=2 action=1 flags: 0x0 prio=32766 src=0.0.0.0/0 dst=0.0.0.0/0 table=(254)
tab=253 fam=2 action=1 flags: 0x0 prio=32767 src=0.0.0.0/0 dst=0.0.0.0/0 table=(253)
diagnose ip tcp
Use this command to list or clear the TCP sockets:
diagnose ip tcp {list | flush}
Example
S524DF4K15000024 # diagnose ip tcp list
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 00000000:03E8 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3099 1 e647d300 100 0 0 10 -1
1: 00000000:0A29 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1587 1 e647c000 100 0 0 10 -1
2: 00000000:0A2A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3338 1 e647dc80 100 0 0 10 -1
3: 00000000:03EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3103 1 e647d7c0 100 0 0 10 -1
...
diagnose ip udp
Use this command to list or clear the UDP sockets:
diagnose ip udp {list | flush}
Example
S524DF4K15000024 # diagnose ip udp list
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
24: 00000000:E818 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4097 2 e69e38c0 0
53: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1972 2 e6029440 0
67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 964 2 e5fd2d80 0
67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 963 2 e5fd2b40 0
68: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1961 2 e6029200 0
181: 00000000:90B5 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 7681206 2 e6b94b40 0
350: 00000000:C15E 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3301 2 e69e2b40 0
370: 0100007F:1972 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1793 2 e6028fc0 0
404: 00000000:B994 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 112 2 e5fd2000 0
415: 00000000:859F 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 11905 2 e5fd38c0 0
415: 00000000:C99F 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3113 2 e6029d40 0
450: 00000000:E9C2 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 157 2 e5fd2480 0
520: 00000000:0208 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2196 2 e5fd3680 0
546: 00000000:CA22 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2156 2 e5fd3440 0
549: 00000000:9225 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2057 2 e5fd2fc0 0
653: 00000000:AE8D 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 775 2 e5fd2900 0
654: 00000000:B68E 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1977 2 e6029b00 0
688: 00000000:12B0 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3321 2 e69e2fc0 0
712: 00000000:0EC8 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3320 2 e69e2d80 0
713: 00000000:0EC9 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3322 2 e69e3200 0
763: 00000000:92FB 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 9848617 2 e6ad7200 0
788: 0100007F:0714 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3224 2 e69e2240 0
805: 0100007F:A725 0100007F:0714 01 00000000:00000000 00:00000000 00000000 0 0 3292 2 e69e2900 0
882: 00000000:8372 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1974 2 e60298c0 0
972: 00000000:B7CC 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3260 2 e69e26c0 0
981: 00000000:EBD5 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 39752 2 e69e3b00 0
990: 00000000:BBDE 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4357 2 e69e3d40 0
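The address, port and state columns in the TCP and UDP listings above are hexadecimal, which hides which services the switch actually exposes. The following Python script is an added example, not Fortinet code: it decodes those columns and lists the sockets reachable from the network, assuming the output follows the Linux /proc/net/tcp and /proc/net/udp layout (the column header matches it) with addresses printed in little-endian byte order.

```python
import ipaddress
import re

# State codes of the "st" column in the Linux /proc/net/tcp layout
# (assumption: the switch prints the same layout; the header row matches it).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}
# UDP reuses two of those codes: 07 for a bound, unconnected socket and
# 01 for a socket that has been connect()ed to a single peer.
UDP_STATES = {"07": "UNCONNECTED", "01": "CONNECTED"}

ROW = re.compile(
    r"^\s*(?P<sl>\d+):\s+"
    r"(?P<local>[0-9A-Fa-f]{8}:[0-9A-Fa-f]{4})\s+"
    r"(?P<remote>[0-9A-Fa-f]{8}:[0-9A-Fa-f]{4})\s+"
    r"(?P<st>[0-9A-Fa-f]{2})\s"
)

# Rows copied from the page's sample output, one socket per line.
TCP_SAMPLE = """\
S524DF4K15000024 # diagnose ip tcp list
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 00000000:03E8 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3099 1 e647d300 100 0 0 10 -1
1: 00000000:0A29 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1587 1 e647c000 100 0 0 10 -1
2: 00000000:0A2A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3338 1 e647dc80 100 0 0 10 -1
3: 00000000:03EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3103 1 e647d7c0 100 0 0 10 -1
...
"""
UDP_SAMPLE = """\
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
53: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1972 2 e6029440 0
67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 964 2 e5fd2d80 0
370: 0100007F:1972 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1793 2 e6028fc0 0
520: 00000000:0208 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2196 2 e5fd3680 0
805: 0100007F:A725 0100007F:0714 01 00000000:00000000 00:00000000 00000000 0 0 3292 2 e69e2900 0
"""


def decode_endpoint(field):
    """Turn '0100007F:1972' into ('127.0.0.1', 6514)."""
    addr_hex, port_hex = field.split(":")
    # The address is a 32-bit word printed in host byte order; reversing the
    # bytes assumes a little-endian CPU (0100007F then reads as 127.0.0.1).
    addr = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
    return str(addr), int(port_hex, 16)


def parse_socket_table(text, proto):
    """Parse 'diagnose ip tcp list' / 'diagnose ip udp list' output."""
    states = TCP_STATES if proto == "tcp" else UDP_STATES
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, header row or the trailing "..."
        local_ip, local_port = decode_endpoint(m["local"])
        remote_ip, remote_port = decode_endpoint(m["remote"])
        code = m["st"].upper()
        rows.append({"proto": proto, "local_ip": local_ip,
                     "local_port": local_port, "remote_ip": remote_ip,
                     "remote_port": remote_port,
                     "state": states.get(code, "UNKNOWN(" + code + ")")})
    return rows


def reachable_listeners(rows):
    """Sockets waiting for traffic on a non-loopback address."""
    waiting = {"LISTEN", "UNCONNECTED"}
    return [r for r in rows
            if r["state"] in waiting
            and not ipaddress.ip_address(r["local_ip"]).is_loopback]


if __name__ == "__main__":
    table = parse_socket_table(TCP_SAMPLE, "tcp") + parse_socket_table(UDP_SAMPLE, "udp")
    for r in reachable_listeners(table):
        print(r["proto"], r["local_ip"], r["local_port"], r["state"])
```

Comparing the decoded port list with the services that are meant to be enabled on the switch shows quickly whether anything unexpected is listening on all interfaces (0.0.0.0).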
diagnose ipv6 address
Use these commands to manage IPv6 addresses:
diagnose ipv6 address add <interface_name> <IPv6_address>
diagnose ipv6 address anycast <arguments>
diagnose ipv6 address delete <interface_name> <IPv6_address>
diagnose ipv6 address flush
diagnose ipv6 address list
diagnose ipv6 address multicast <interface_name> <IPv6_address>
Variable | Description
add <interface_name> <IPv6_address> | Add an IPv6 address to the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
anycast <arguments> | Add an IPv6 anycast address.
delete <interface_name> <IPv6_address> | Delete an IPv6 address from the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
flush | Delete all IPv6 addresses.
list | List all IPv6 addresses and which interfaces they are assigned to.
multicast <interface_name> <IPv6_address> | Add an IPv6 multicast address to the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
Example output
S524DF4K15000024 # diagnose ipv6 address list
dev=1 devname=lo flag=P scope=254 prefix=128 addr=::1 prefered=-1 valid=-1
dev=2 devname=mgmt flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e4 prefered=-1 valid=-1
dev=70 devname=internal flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=71 devname=vlan35 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=72 devname=vlan85 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=74 devname=vlan-8 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
diagnose ipv6 devconf
Use these commands to configure IPv6 devices:
diagnose ipv6 address devconf accept-dad {0 | 1 | 2}
diagnose ipv6 address devconf disable_ipv6 {0 | 1 }
Variable |
Description |
accept-dad {0 | 1 | 2} |
Configure the detection of duplicate IPv6 addresses:
|
disable_ipv6 {0 | 1 } |
Configure IPv6 operation:
|
diagnose ipv6 ipv6-tunnel
Use these commands to manage IPv6 tunnels:
diagnose ipv6 ipv6-tunnel add <tunnel_name> <interface_name> <source_IPv6_address> <destination_IPv6_address>
diagnose ipv6 ipv6-tunnel delete <tunnel_name>
diagnose ipv6 ipv6-tunnel list
Variable | Description
add <tunnel_name> <interface_name> <source_IPv6_address> <destination_IPv6_address> | Create a tunnel between two IPv6 addresses on the specified interface. Use the following format for the IPv6 addresses: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
delete <tunnel_name> | Delete the specified IPv6 tunnel.
list | List all IPv6 tunnels.
Example output
S524DF4K15000024 # diagnose ipv6 ipv6-tunnel list
sys_list_tunnel6:233 not implemented
diagnose ipv6 neighbor-cache
Use these commands to manage the IPv6 Address Resolution Protocol (ARP) table:
diagnose ipv6 neighbor-cache add <interface_name> <IPv6_address> <MAC_address>
diagnose ipv6 neighbor-cache delete <interface_name> <IPv6_address>
diagnose ipv6 neighbor-cache flush <interface_name>
diagnose ipv6 neighbor-cache list
Variable | Description
add <interface_name> <IPv6_address> <MAC_address> | Add an ARP entry for the IPv6 address on the specified interface.
delete <interface_name> <IPv6_address> | Delete an ARP entry for the IPv6 address on the specified interface.
flush <interface_name> | Delete the ARP table for the specified interface.
list | Display the ARP table.
Example output
S524DF4K15000024 # diagnose ipv6 neighbor-cache list
ifindex=1 ifname=lo :: 00:00:00:00:00:00 state=00000040 use=1096280 confirm=1102281 update=1096280 ref=6
diagnose ipv6 route
Use these commands to manage the IPv6 routing table:
diagnose ipv6 route flush
diagnose ipv6 route list
Variable | Description
flush | Delete the routing table.
list | Display the routing table.
Example output
S524DF4K15000024 # diagnose ipv6 route list
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:::1/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e4/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=01 protocol=kernel flag=00000000 oif=70(internal) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=74(vlan-8) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=71(vlan35) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=72(vlan85) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=2(mgmt) dst:fe80::/64 prio=100
type=01 protocol=boot flag=00000000 oif=70(internal) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=74(vlan-8) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=71(vlan35) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=72(vlan85) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=2(mgmt) dst:ff00::/8 prio=100
type=07 protocol=kernel flag=00000000 oif=73(int1) prio=ffffffff
diagnose ipv6 sit-tunnel
Use these commands to manage IPv4 tunnels:
diagnose ipv6 sit-tunnel add <tunnel_name> <interface_name> <source_IPv4_address> <destination_IPv4_address>
diagnose ipv6 sit-tunnel delete <tunnel_name>
diagnose ipv6 sit-tunnel list
Variable | Description
add <tunnel_name> <interface_name> <source_IPv4_address> <destination_IPv4_address> | Create a tunnel between two IPv4 addresses on the specified interface. Use the following format for the IPv4 addresses: XXX.XXX.XXX.XXX
delete <tunnel_name> | Delete the specified IPv4 tunnel.
list | List all IPv4 tunnels.
Example output
S524DF4K15000024 # diagnose ipv6 sit-tunnel list
sys_list_tunnel6:263 not implemented
diagnose log alertconsole
Use the following commands to manage alert console messages:
diagnose log alertconsole clear
diagnose log alertconsole fgd-retrieve
diagnose log alertconsole list
diagnose log alertconsole test
Variable | Description
clear | Clear alert console messages.
fgd-retrieve | Retrieve FortiGuard alert console messages.
list | List current alert console messages.
test | Generate alert console messages.
Example output
S524DF4K15000024 # diagnose log alertconsole list
There are 50 alert console messages:
2017-10-10 13:26:07 Administrator acmin login failed
2017-10-09 15:41:32 Firmware upgraded by admin
2017-09-29 15:14:11 Firmware upgraded by admin
2017-09-28 07:45:38 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:35 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:32 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-26 08:46:09 Firmware upgraded by admin
2017-09-21 16:16:59 Firmware upgraded by admin
2017-09-19 15:21:16 Administrator [3~[3~[3~ login failed
2017-09-12 16:29:22 Administrator get test dnsproxy ? login failed
2017-09-11 15:49:17 Administrator get router prefix-list login failed
2017-09-06 08:37:44 Firmware upgraded by FortiCloud
2017-09-05 16:49:54 Administrator R 1 login failed
2017-09-01 07:30:03 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-01 07:30:00 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-01 07:29:57 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-31 16:56:35 Administrator O 1 login failed
2017-08-31 16:53:34 Administrator R u 1 login failed
2017-08-31 16:20:29 Administrator cinfcon login failed
2017-08-29 08:37:56 Firmware upgraded by FortiCloud
2017-08-25 13:26:49 Administrator sdmin login failed
2017-08-24 11:00:46 Administrator conconfig login failed
2017-08-24 08:29:01 Firmware upgraded by FortiCloud
2017-08-21 09:16:13 Firmware upgraded by unknown
2017-08-21 08:58:20 System shutdown (factory default)
2017-08-16 08:31:31 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-16 08:31:28 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-16 08:31:25 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-15 07:33:29 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-15 07:33:26 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
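In the sample output above, the text between "Administrator" and "login failed" is sometimes a CLI command or an error string rather than an account name, and some failures arrive three seconds apart. The following Python script is an added example, not part of the FortiSwitch documentation: it pulls the failed logins out of a saved alert console listing, groups rapid repeats into bursts, and reports entries that do not look like account names. It assumes one message per line, and the PLAUSIBLE_NAME pattern and the 10-second gap are hypothetical values to adapt locally.

```python
import re
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Administrator (?P<entered>.*) login failed$"
)
# Hypothetical shape of a legitimate account name; adjust to local naming rules.
PLAUSIBLE_NAME = re.compile(r"^[A-Za-z0-9._@-]+$")

# Messages copied from the page's sample output, one per line.
SAMPLE = """\
2017-10-10 13:26:07 Administrator acmin login failed
2017-10-09 15:41:32 Firmware upgraded by admin
2017-09-28 07:45:38 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:35 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:32 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-11 15:49:17 Administrator get router prefix-list login failed
2017-09-01 07:30:03 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-01 07:30:00 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-01 07:29:57 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-25 13:26:49 Administrator sdmin login failed
"""


def failed_logins(text):
    """Return (timestamp, entered_text) pairs, oldest first."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line.strip())
        if m:
            when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((when, m["entered"]))
    return sorted(events)


def bursts(events, max_gap=timedelta(seconds=10), min_count=3):
    """Group failures whose neighbours are at most max_gap apart."""
    groups, current = [], []
    for event in events:
        if current and event[0] - current[-1][0] > max_gap:
            if len(current) >= min_count:
                groups.append(current)
            current = []
        current.append(event)
    if len(current) >= min_count:
        groups.append(current)
    return groups


def stray_input(events):
    """Entered strings that do not look like an account name."""
    return sorted({text for _, text in events if not PLAUSIBLE_NAME.match(text)})


if __name__ == "__main__":
    events = failed_logins(SAMPLE)
    for group in bursts(events):
        print("burst:", group[0][0], "->", group[-1][0], len(group), "failures")
    for text in stray_input(events):
        print("not an account name:", repr(text))
```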
diagnose loop-guard status
Use this command to display which ports have loop guard enabled:
diagnose loop-guard status
To enable loop guard on a port, see config switch interface.
Example output
S524DF4K15000024 # diagnose loop-guard status
Portname          State    Status    Timeout(m) MAC-Move Count Last-Event
_________________ _______ _________ __________ ________ _____ __________________
port1             disabled -         -          -        -     -
port2             disabled -         -          -        -     -
port3             disabled -         -          -        -     -
port4             disabled -         -          -        -     -
port5             disabled -         -          -        -     -
port6             disabled -         -          -        -     -
port7             disabled -         -          -        -     -
port10            disabled -         -          -        -     -
port11            disabled -         -          -        -     -
port12            enabled  -         45         0        0     -
port13            disabled -         -          -        -     -
port14            disabled -         -          -        -     -
port15            disabled -         -          -        -     -
port16            disabled -         -          -        -     -
port17            disabled -         -          -        -     -
port18            disabled -         -          -        -     -
port19            disabled -         -          -        -     -
port20            disabled -         -          -        -     -
port21            enabled  -         45         50       0     -
port22            disabled -         -          -        -     -
port24            disabled -         -          -        -     -
port25            disabled -         -          -        -     -
port26            disabled -         -          -        -     -
port27            disabled -         -          -        -     -
port28            disabled -         -          -        -     -
port29            disabled -         -          -        -     -
port30.1          disabled -         -          -        -     -
port30.2          disabled -         -          -        -     -
port30.3          disabled -         -          -        -     -
port30.4          disabled -         -          -        -     -
G100D3G15817028   disabled -         -          -        -     -
diagnose option82-mapping relay
Use this command to display the option-82 setting for DHCP relay for each valid system interface:
diagnose option82-mapping relay <valid_system_interface>
Example output
S524DF4K15000024 # diagnose option82-mapping relay internal
Interface Name Remote-ID(hex) Circuit-ID(hex)
internal 085B0EF195E5 00000000
diagnose option82-mapping snooping
Use this command to display the option-82 settings for DHCP snooping for a specific VLAN and FortiSwitch interface:
diagnose option82-mapping snooping <VLAN_ID> <valid_switch_interface>
Example output
S524DF4K15000024 # diagnose option82-mapping snooping 100 port2
Interface Name Remote-ID(hex) Circuit-ID(hex)
port2 085B0EF195E5 00640102
diagnose settings
Use these commands to manage diagnostic settings:
diagnose settings info
diagnose settings reset
Variable | Description
info | List all diagnostic settings.
reset | Reset all diagnostic settings to their default settings.
Example output
S524DF4K15000024 # diagnose settings info
debug output: disable
console timestamp: disable
console no user log message: disable
fsmgr debug level: 16 (0x10)
CLI debug level: 3
diagnose sniffer packet
Use this command to examine packets received on a specific interface:
diagnose sniffer packet <interface_name | any> <logical_filter | none> <verbose | 1-6> <sniffer_count> <timestamp_format>
Variable |
Description |
<interface_name | any> |
Enter the name of a network interface or enter |
<logical_filter | none> |
Enter a logical filter or
For example, to examine UDP packets received at port 1812 from host forti1 and host forti2 or forti3:
To examine TCP packets between two PCs through port 80:
To examine packets with the RST flag set:
To examine packets with the destination MAC address of 00:09:0f:89:10:ea:
|
<verbose | 1-6> |
Set the level of detail for the results:
|
<sniffer_count> |
Enter the number of packets to examine. |
<timestamp_format> |
Enter |
Example output
S524DF4K15000024 # diagnose sniffer packet any
interfaces=[any]
filters=[none]
0.977537 arp who-has 192.168.0.10 tell 192.168.1.99
0.977755 127.0.0.1 -> 0.0.0.0: icmp: type-#20
1.057565 224.0.0.18 -> 33.5.255.1: ip-proto-10 (frag 65392:4294967276@1336+)
1.057578 802.1Q vlan#8 P0 -- 224.0.0.18 -> 33.5.255.1: ip-proto-10 (frag 65392:4294967276@1336+)
1.113131 arp who-has 10.105.16.1 tell 10.105.19.8
1.977047 arp who-has 192.168.0.10 tell 192.168.1.99
1.990059 127.0.0.1 -> 0.0.0.0: icmp: type-#20
...

S524DF4K15000024 # diagnose sniffer packet internal none verbose
interfaces=[internal]
filters=[none]
pcap_lookupnet: internal: no IPv4 address assigned
0.840645 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18: ip-proto-112 20
1.113149 arp who-has 192.168.0.10 tell 192.168.1.99
1.850162 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18: ip-proto-112 20
2.109899 arp who-has 192.168.0.10 tell 192.168.1.99
2.859653 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18: ip-proto-112 20
3.109412 arp who-has 192.168.0.10 tell 192.168.1.99
3.869169 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18: ip-proto-112 20
4.128948 arp who-has 192.168.0.10 tell 192.168.1.99
...

S524DF4K15000024 # diagnose sniffer packet internal none 3 10 a
interfaces=[internal]
filters=[none]
pcap_lookupnet: internal: no IPv4 address assigned
2017-10-11 16:09:42.393816 arp who-has 192.168.0.10 tell 192.168.1.99
0x0000 ffff ffff ffff 085b 0ef1 95e5 0806 0001 .......[........
0x0010 0800 0604 0001 085b 0ef1 95e5 c0a8 0163 .......[.......c
0x0020 0000 0000 0000 c0a8 000a ..........
2017-10-11 16:09:42.483785 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18: ip-proto-112 20
0x0000 0100 5e00 0012 0000 5e00 0105 8100 0008 ..^.....^.......
0x0010 0800 45c0 0028 8fec 0000 ff70 369c 0a0a ..E..(.....p6...
0x0020 0a01 e000 0012 2105 ff01 0001 d392 0b01 ......!.........
0x0030 0164 0000 0000 0000 0000 .d........
...
diagnose snmp
Use these commands to display SNMP information:
diagnose snmp ip frags
diagnose snmp trap send
Variable | Description
ip frags | Display fragmentation and reassembly information.
trap send | Generate a trap event and send it to the SNMP daemon.
Example output
S524DF4K15000024 # diagnose snmp ip frags
ReasmTimeout = 0
ReasmReqds = 0
ReasmOKs = 0
ReasmFails = 0
FragOKs = 0
FragFails = 0
FragCreates = 0
diagnose stp instance list
Use this command to display information about Multiple Spanning Tree Protocol (MSTP) instances:
diagnose stp instance list <STP_ID> <port_number>
To create an STP instance, see config switch stp instance.
Variable | Description
<STP_ID> | Enter the STP identifier. If you enter a higher number than the valid range, the results for all STP instances are displayed. If no STP identifier is specified, results for all STP instances are displayed.
<port_number> | Enter the port number. If no port number is specified, results for all physical ports are displayed.
Example output
S524DF4K15000024 # diagnose stp instance list 0
MST Instance Information, primary-Channel:
Instance ID 0 (CST)
  Config         Priority 32768
  Bridge         MAC 085b0ef195e4, MD5 Digest 40d5eca178c657835c83bbcb16723192
  Root           MAC 085b0ef195e4, Priority 32768, Path Cost 0, Remaining Hops 20
                 (This bridge is the root)
  Regional Root  MAC 085b0ef195e4, Priority 32768, Path Cost 0
                 (This bridge is the regional root)
  Active Times   Forward Time 15, Max Age 20, Remaining Hops 20
  TCN Events     Triggered 1 (1d 0h 19m 56s ago), Received 0 (1d 0h 19m 56s ago)
Port             Speed  Cost      Priority  Role        State      HelloTime Flags
________________ ______ _________ _________ ___________ __________ _________ ______________
port1            -      200000000 128       DISABLED    DISCARDING 2         EN ED
port3            -      200000000 128       DISABLED    DISCARDING 2         EN ED
port4            -      200000000 128       DISABLED    DISCARDING 2         EN ED
port5            -      200000000 128       DISABLED    DISCARDING 2         EN ED
port6            -      200000000 128       DISABLED    DISCARDING 2         EN ED
port7            -      200000000 128       DISABLED    DISCARDING 2         EN ED
port8            -      200000000 128       DISABLED    DISCARDING 2         EN ED
port9            -      200000000 128       DISABLED    DISCARDING 2         EN ED
port10           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port11           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port12           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port13           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port14           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port17           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port18           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port19           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port20           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port21           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port22           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port23           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port24           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port25           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port26           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port27           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port28           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port29           -      200000000 128       DISABLED    DISCARDING 2         EN ED
port30           -      200000000 128       DISABLED    DISCARDING 2         EN ED
internal         1G     20000     128       DESIGNATED  FORWARDING 2         ED
Mclag-icl-trunk  -      200000000 128       DISABLED    DISCARDING 2         ED
first-mclag      -      200000000 128       DISABLED    DISCARDING 2         EN ED
Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)
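The Python script below is an added example, not part of the FortiSwitch documentation. It parses a capture of this output (assuming the capture keeps one port per line) and reports an unexpected root bridge, a root port outside the approved uplinks, ports whose RG or BG flag shows a triggered guard, and forwarding ports without the EN flag. The sample capture, the expected root MAC address, the uplink list, and the finding names are constructed for illustration.

```python
import re

# Constructed capture in the layout of "diagnose stp instance list", one port
# per line. MAC addresses and port states are made up for this example.
SAMPLE = """\
MST Instance Information, primary-Channel:
Instance ID 0 (CST)
  Config         Priority 32768
  Bridge         MAC 00005e005310, MD5 Digest 00000000000000000000000000000000
  Root           MAC 00005e0053aa, Priority 4096, Path Cost 20000, Remaining Hops 19
  Regional Root  MAC 00005e005310, Priority 32768, Path Cost 0
  Port             Speed  Cost      Priority  Role        State      HelloTime Flags
  ________________ ______ _________ _________ ___________ __________ _________ ______________
  port1            1G     20000     128       ROOT        FORWARDING 2         EN
  port2            1G     20000     128       DESIGNATED  FORWARDING 2         EN ED
  port3            -      200000000 128       DISABLED    DISCARDING 2         EN ED BG
  port4            1G     20000     128       DESIGNATED  DISCARDING 2         EN RG
  port5            1G     20000     128       DESIGNATED  FORWARDING 2         ED
  internal         1G     20000     128       DESIGNATED  FORWARDING 2         ED
  Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)
"""

ROOT_RE = re.compile(r"^Root\s+MAC\s+([0-9a-fA-F]{12}),\s*Priority\s+(\d+)")
PORT_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+([A-Z]+)\s+([A-Z]+)\s+(\d+)\s*(.*)$"
)
GUARD_FLAGS = ("RG", "BG")  # the "triggered" flags from the output's legend


def norm_mac(mac):
    """Lower-case a MAC and drop separators so notations compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_stp_instance(text):
    """Return the root bridge and the per-port rows of one STP instance."""
    info = {"root_mac": None, "root_priority": None, "ports": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = ROOT_RE.match(line)  # "Regional Root" lines do not start with Root
        if m:
            info["root_mac"] = m.group(1).lower()
            info["root_priority"] = int(m.group(2))
            continue
        m = PORT_RE.match(line)  # header, separator and legend do not match
        if m:
            info["ports"].append({
                "name": m.group(1), "role": m.group(5),
                "state": m.group(6), "flags": set(m.group(8).split()),
            })
    return info


def audit_stp(text, expected_root_mac, uplinks=()):
    """Compare a capture with the intended topology; return (code, subject)."""
    info = parse_stp_instance(text)
    findings = []
    if info["root_mac"] is None:
        findings.append(("ROOT_NOT_PARSED", ""))
    elif info["root_mac"] != norm_mac(expected_root_mac):
        findings.append(("UNEXPECTED_ROOT", info["root_mac"]))
    for port in info["ports"]:
        for flag in GUARD_FLAGS:
            if flag in port["flags"]:
                findings.append(("GUARD_TRIGGERED", f"{port['name']}:{flag}"))
        if port["role"] == "ROOT" and port["name"] not in uplinks:
            findings.append(("ROOT_PORT_NOT_UPLINK", port["name"]))
        # The internal port is skipped: it forwards without EN in the
        # documented example output as well.
        if (port["state"] == "FORWARDING" and "EN" not in port["flags"]
                and port["name"] != "internal"):
            findings.append(("STP_OFF_FORWARDING", port["name"]))
    return findings


if __name__ == "__main__":
    for code, subject in audit_stp(SAMPLE, "00:00:5e:00:53:10", uplinks={"port1"}):
        print(f"{code:22} {subject}")
```
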
diagnose stp mst-config list
Use this command to display the MSTP configuration:
diagnose stp mst-config list
To configure an MSTP instance, see config switch stp settings.
Example output
S524DF4K15000024 # diagnose stp mst-config list
MST Configuration Identification Information
    Unit: primary
    MST Configuration Name: region1
    MST Configuration Revision: 1
    MST Configuration Digest: ac36177f50283cd4b83821d8ab26de62
    Instance ID    Mapped VLANs    Priority
    ____________________________________________________
    0                              32768
    1                              8192
diagnose stp rapid-pvst-port
Use these commands to diagnose the interoperation with per-VLAN RSTP (Rapid PVST+ or RPVST+):
diagnose stp rapid-pvst-port clear [<port_name>]
diagnose stp rapid-pvst-port list [<port_name>]
Variable | Description
clear [<port_name>] | Clear all flags and timers on the RPVST+ port.
list [<port_name>] | Show the status of one port or all ports. If any of the ports is in the “IC” state, the command output gives the reason: VLAN priority inconsistent, VLAN configuration mismatch, or both.
diagnose stp vlan list
Use this command to display the MSTP information for a specific VLAN:
diagnose stp vlan list <VLAN_ID>
Variable | Description
<VLAN_ID> | Enter the VLAN identifier. The value range is 1-4095.
Example output
S524DF4K15000024 # diagnose stp vlan list 10
MST Instance Information, primary-Channel:
Instance ID : 0
Switch Priority : 32768
Root MAC Address : 085b0ef195e4
Root Priority: 32768
Root Pathcost: 0
Regional Root MAC Address : 085b0ef195e4
Regional Root Priority: 32768
Regional Root Path Cost: 0
Remaining Hops: 20
This Bridge MAC Address : 085b0ef195e4
This bridge is the root
Port             Speed  Cost      Priority  Role        State      Edge STP-Status Loop Protection
________________ ______ _________ _________ ___________ __________ ____ __________ ________
port1            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port2            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port3            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port4            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port5            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port6            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port9            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port10           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port11           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port12           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port13           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port14           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port15           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port16           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port17           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port18           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port19           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port20           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port21           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port22           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port23           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port24           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port25           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port26           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port27           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port28           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port29           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port30           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
internal         1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
diagnose switch 802-1x status
Use this command to display the status of a port using IEEE 802.1x authentication:
diagnose switch 802-1x status [<port_name>]
Variable | Description
[<port_name>] | Enter the port name. If the port is not specified, the status of all 802.1x-authenticated ports is returned. In the output, the value in the “Traffic-Vlan” column is the VLAN where the client was successfully authenticated.
To enable IEEE 802.1x authentication on a port, see config switch interface.
Example output
S548DF4K15000195 # diagnose switch 802-1x status
port3 : Mode: mac-based (mac-by-pass disable)
        Link: Link up
        Port State: authorized: ( )
        EAP pass-through : Enable
        EAP auto-untagged-vlans : Disable
        Quarantine VLAN (4093) detection : Enable
        Native Vlan : 10
        Allowed Vlan list: 10,15
        Untagged Vlan list: 10
        Guest VLAN :
        Auth-Fail Vlan :
        Switch sessions 2/240, Local port sessions:2/20
        Client MAC          Type     Traffic-Vlan   Dynamic-Vlan
        94:10:3e:b9:12:65   802.1x   10             0
        cc:5a:53:5f:d5:16   802.1x   10             15
        Sessions info:
        94:10:3e:b9:12:65   Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=8 params:reAuth=3600
        cc:5a:53:5f:d5:16   Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=7 params:reAuth=3600
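As an added example (not part of the FortiSwitch documentation), this Python script parses a capture of the status output and compares each client's Traffic-Vlan with an operator-supplied list of VLANs permitted on that port, written in the comma-and-range format this reference uses for VLAN lists. It also reports sessions whose state is not AUTHENTICATED. The sample capture, the policy dictionary, and the finding names are constructed, and the parser assumes the capture keeps one client per line.

```python
import re

# Constructed capture in the layout of "diagnose switch 802-1x status".
# MACs and VLANs are made up; "CONNECTING" is a placeholder state string for
# this example, not a documented FortiSwitch value.
SAMPLE = """\
port3 : Mode: mac-based (mac-by-pass disable)
        Link: Link up
        Port State: authorized: ( )
        Native Vlan : 10
        Allowed Vlan list: 10,15
        Switch sessions 4/240, Local port sessions:4/20
        Client MAC          Type     Traffic-Vlan   Dynamic-Vlan
        00:00:5e:00:53:01   802.1x   10             0
        00:00:5e:00:53:02   802.1x   15             15
        00:00:5e:00:53:03   802.1x   30             30
        00:00:5e:00:53:04   802.1x   10             0
        Sessions info:
        00:00:5e:00:53:01   Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=8 params:reAuth=3600
        00:00:5e:00:53:02   Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=7 params:reAuth=3600
        00:00:5e:00:53:03   Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=7 params:reAuth=3600
        00:00:5e:00:53:04   Type=802.1x,TLS,state=CONNECTING,etime=0,eap_cnt=2 params:reAuth=3600
"""

MAC = r"((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
PORT_RE = re.compile(r"^(\S+?)\s*:\s*Mode:\s*(\S+)")
CLIENT_RE = re.compile(r"^" + MAC + r"\s+(\S+)\s+(\d+)\s+(\d+)$")
SESSION_RE = re.compile(r"^" + MAC + r"\s+Type=.*?\bstate=([A-Za-z_]+)")


def expand_vlans(spec):
    """Expand a list such as '1,3-4,6' into a set of VLAN IDs (1-4095)."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        first = int(lo)                      # ValueError on non-numeric input
        last = int(hi) if sep else first
        if not 1 <= first <= last <= 4095:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


def parse_dot1x_status(text):
    """Return {port: {'clients': {mac: traffic_vlan}, 'states': {mac: state}}}."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            current = ports.setdefault(m.group(1), {"clients": {}, "states": {}})
            continue
        if current is None:
            continue                          # prompt or banner before a port
        m = SESSION_RE.match(line)
        if m:
            current["states"][m.group(1).lower()] = m.group(2).upper()
            continue
        m = CLIENT_RE.match(line)
        if m:
            current["clients"][m.group(1).lower()] = int(m.group(3))
    return ports


def audit_dot1x(text, policy):
    """policy maps port name -> permitted VLAN list; returns (port, mac, code)."""
    findings = []
    for port, data in parse_dot1x_status(text).items():
        allowed = expand_vlans(policy[port]) if port in policy else None
        for mac, vlan in data["clients"].items():
            if allowed is None:
                findings.append((port, mac, "PORT_NOT_IN_POLICY"))
            elif vlan not in allowed:
                findings.append((port, mac, "VLAN_OUTSIDE_POLICY"))
            state = data["states"].get(mac)
            if state is None:
                findings.append((port, mac, "NO_SESSION_INFO"))
            elif state != "AUTHENTICATED":
                findings.append((port, mac, "NOT_AUTHENTICATED"))
    return findings


if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE, {"port3": "10,15"}):
        print(*finding)
```
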
diagnose switch 802-1x status-dacl
Use this command to display the status of dynamic access control lists (DACLs) on 802.1x ports:
diagnose switch 802-1x status-dacl [<port_name>]
Variable | Description
[<port_name>] | Enter the port name. If the port is not specified, the status of all ports is returned.
Example output
S148FNTF20000098 # diagnose switch 802-1x status-dacl port11
port11: Mode: port-based (mac-by-pass disable)
        DACL :enable: :
diagnose switch acl counter
Use these commands to display information about access control lists (ACLs):
diagnose switch acl counter all
diagnose switch acl counter app <name>
diagnose switch acl counter id <policy_ID>
diagnose switch acl counter list-apps
Variable | Description
all | List all applications using ACL counters.
app <name> | List ACL counters for this application.
id <policy_ID> | List the ACL counter for this ACL policy identifier.
list-apps | List application names that use ACL counters.
Example output
S524DF4K15000024 # diagnose switch acl counter list-apps
Application              Policy ID Range
_______________________________________________
loop-gaurd               (2049-2049)
l3-arp-req               (2050-2050)
l3-arp-reply             (2051-2051)
dst-mac                  (2052-2052)
bfd-single-hop           (2053-2053)
bfd-multi-hop            (2054-2054)
ospf                     (2055-2055)
rip                      (2056-2056)
mclag                    (2057-2057)
mclag-l3-arp-req         (2058-2058)
mclag-l3-arp-reply       (2059-2059)
mclag-bfd-single-hop     (2060-2060)
mclag-bfd-multi-hop      (2061-2061)
mclag-ospf               (2062-2062)
mclag-rip                (2063-2063)
fortilink                (2064-2064)
fortilink-1              (2065-2065)
mclag-fortilink          (2066-2066)
mclag-icl                (2067-2067)
mac-sa-mcast             (2068-2068)
forti-trunk              (2069-2069)
vwire                    (2304-2367)
vwire-acl                (2368-133503)
dhcp-snooping            (133504-141695)
arp-snooping             (141696-145792)
access-vlan              (145793-149889)
network-monitor          (149890-149930)
diagnose switch acl hw-entry-index
NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
Use this command to find the hardware mapping for the specified ACL policy identifier:
diagnose switch acl hw-entry-index <id>
Variable | Description
<id> | Enter the ACL policy identifier.
Example output
S124EP4N17000016 # diagnose switch acl hw-entry-index 1
ID       HW-INDEX   AGG   CNTR-IDX
_________________________________________
000001   896        n     7
diagnose switch acl schedule
Use this command to list ACL policies with a schedule:
diagnose switch acl schedule egress
diagnose switch acl schedule ingress
diagnose switch acl schedule prelookup
Variable | Description
egress | List all ACL egress policies with a schedule.
ingress | List all ACL ingress policies with a schedule.
prelookup | List all ACL prelookup policies with a schedule.
Example output
S524DF4K15000024 # diagnose switch acl schedule ingress
ACL Ingress Name 1 In Schedule
diagnose switch arp-inspection stats clear
Use this command to delete dynamic ARP inspection statistics:
diagnose switch arp-inspection stats clear <VLAN_ID>
Variable | Description
<VLAN_ID> | Enter a single VLAN identifier or a range of VLAN identifiers separated by commas. For example: 1,3-4,6,7,9-100
To enable dynamic ARP inspection on a VLAN, see config switch vlan.
diagnose switch cpuq
NOTES:
- Be careful about changing the CPU queue rate because the change is made directly to the hardware.
- After the switch is rebooted, the CPU queue rate returns to the default value.
- For the FS-108E and FS-124E families, the configured CPU queue rate has a 16-kbps granularity. Use the diagnose switch cpuq show command to see the actual queue rate.
- For the FS-108E and FS-124E families, the CPU queue rate is more accurate with larger packets.
Use this command to display the CPU queue rate on the FSR-112D-POE, FS-1xxE, FS-2xx, FS-4xx, FS-5xx, FS-1xxx, and FS-3xxx families:
diagnose switch cpuq show
Use this command to change the CPU queue rate on the FSR-112D-POE, FS-2xx, FS-4xx, FS-5xx, FS-1xxx, and FS-3xxx families:
diagnose switch cpuq rate <queue_number> <new_pps_rate>
Use this command to change the CPU queue rate on the FS-108E and FS-124E families:
diagnose switch cpuq rate <queue_number> <new_Kbps_rate>
Variable | Description
show | Display the CPU queue rate for all queues.
rate <queue_number> <new_pps_rate> | Change the CPU queue rate for the specified queue to the new packets-per-second (PPS) rate.
rate <queue_number> <new_Kbps_rate> | Change the CPU queue rate for the specified queue to the new Kbps rate.
Example output (FS-548)
NOTE: The number of queues, queue classifications, and default CPU queue rates can differ among the FortiSwitch platforms.
S548DF5018000776 # diagnose switch cpuq show
Queue | Rate(pps)
----------------------
17      2000    (MIRROR/SFLOW)
18      500     (L3_DEST_MISS)
19      5000    (ARP_REQ)
20      10000   (DEFAULT)
21      1000    (NHOP)
22      8000    (DHCP/OSPF/BFD/RIP/IGMP/FORTLINK_VLAN)
23      6000    (ARP_REPLY)
24      5000    (FORTILINK/MCLAG)
25      1500    (BPDU/LOOPGUARD)
diagnose switch egress list
Use this command to display the port egress map:
diagnose switch egress list <port_name>
Variable | Description
<port_name> | Enter the port name.
Example output
S524DF4K15000024 # diagnose switch egress list port1
Switch Interface Egress Map, primary-Channel
Port Map: Name(Id):
    port1(1) port2(2) port3(3) port4(4) port5(5) port6(6) port7(7) port8(8)
    port9(9) port10(10) port11(11) port12(12) port13(13) port14(14) port15(15) port16(16)
    port17(17) port18(18) port19(19) port20(20) port21(21) port22(22) port23(23) port24(24)
    port25(25) port26(26) port27(27) port28(28) port29(29) port30(30) internal(31) cpu0(31)
Source Interface Destination Ports
________________ ___________________________________
port1            1-6,9-31
diagnose switch ip-mac-binding entry
Use this command to display the counters for an IP-MAC binding entry:
diagnose switch ip-mac-binding entry <entry_ID>
Variable | Description
<entry_ID> | Enter an IP-MAC binding entry identifier.
To enable IP-MAC binding, see config switch global.
Example output
S524DF4K15000024 # diagnose switch ip-mac-binding entry 1
Binding Entry: 1
    Binding IP: 1.20.168.172 255.255.255.255
    Binding MAC: 00:21:CC:D2:76:72
    Status: Enabled
    Statistic:
        Permit packets: 0x00
        Drop packets: 0x00
-----------------------------------------------------
diagnose switch ip-source-guard hardware entry filter
Use these commands to select which IP source-guard entries to display:
diagnose switch ip-source-guard hardware entry filter clear
diagnose switch ip-source-guard hardware entry filter interface <interface_name>
diagnose switch ip-source-guard hardware entry filter ip <IPv4_address>
diagnose switch ip-source-guard hardware entry filter mac <MAC_address>
diagnose switch ip-source-guard hardware entry filter print
Variable | Description
clear | Remove the current filter.
interface <port_name> | Display entries for the specified port.
ip <IPv4_address> | Display entries for the specified IPv4 address.
mac <MAC_address> <mask> | Delete entries for the specified MAC address and mask.
print | Display the current filter.
diagnose switch ip-source-guard hardware entry list
Use this command to display all IP source-guard entries. Static entries were manually added by the config switch ip-source-guard command. Dynamic entries were added by DHCP snooping.
diagnose switch ip-source-guard hardware entry list
diagnose switch mac-address
Use these commands to manage the MAC address table:
diagnose switch mac-address delete {all | entry <xx:xx:xx:xx:xx:xx>}
diagnose switch mac-address filter clear
diagnose switch mac-address filter flags <flag bit pattern>
diagnose switch mac-address filter port-id-map <port-ID list>
diagnose switch mac-address filter show
diagnose switch mac-address filter trunk-id-map <trunk-ID list>
diagnose switch mac-address filter vlan-map <VLAN_list>
diagnose switch mac-address list
diagnose switch mac-address switch-port-macs-db
Variable | Description
delete {all | entry <xx:xx:xx:xx:xx:xx>} | Delete all MAC address entries or a specific MAC address entry.
filter clear | Delete the filter for the MAC address table list.
filter flags <flag bit pattern> | Specify the flag bit pattern to match. Use this pattern to mask important bits. This value is hexadecimal.
filter port-id-map <port-ID list> | List the port identifiers to display MAC addresses for. Separate the port identifiers with commas. For example: 1,3,5-17,19
filter show | Display the filter for the MAC address table list.
filter trunk-id-map <trunk-ID list> | List the trunk identifiers to display MAC addresses for. Separate the trunk identifiers with commas. For example: 1,2-4,77
filter vlan-map <VLAN_list> | List the VLAN identifiers to display MAC addresses for. Separate the VLAN identifiers with commas. For example: 1,2-4,77
list | List the MAC address entries and the total number of entries.
switch-port-macs-db | List which MAC addresses are assigned to local ports.
Example output
S524DF4K15000024 # diagnose switch mac-address filter show
flag bit pattern: 0x00000000
flag bit Mask: 0x00000000
vlan map: 0-4095
port-id map: 1,64
trunk-id map: 0-127

S524DF4K15000024 # diagnose switch mac-address list
MAC: 08:5b:0e:f1:95:e5 VLAN: 4094 Port: internal(port-id 31)
  Flags: 0x00010460 [ static hit src-hit native ]
MAC: d6:dd:25:be:2c:43 VLAN: 1 Port: port1(port-id 1)
  Flags: 0x00000020 [ static ]
Total Displayed: 2

S524DF4K15000024 # diagnose switch mac-address switch-port-macs-db
Total MACs : 30
MAC-1 : 08:5b:0e:f1:95:e6
MAC-2 : 08:5b:0e:f1:95:e8
MAC-3 : 08:5b:0e:f1:95:ea
MAC-4 : 08:5b:0e:f1:95:ec
MAC-5 : 08:5b:0e:f1:95:ee
MAC-6 : 08:5b:0e:f1:95:f0
MAC-7 : 08:5b:0e:f1:95:f2
MAC-8 : 08:5b:0e:f1:95:f4
MAC-9 : 08:5b:0e:f1:95:f6
MAC-10 : 08:5b:0e:f1:95:f8
MAC-11 : 08:5b:0e:f1:95:fa
MAC-12 : 08:5b:0e:f1:95:fc
MAC-13 : 08:5b:0e:f1:95:fe
MAC-14 : 08:5b:0e:f1:96:00
MAC-15 : 08:5b:0e:f1:96:02
MAC-16 : 08:5b:0e:f1:95:e7
MAC-17 : 08:5b:0e:f1:95:e9
MAC-18 : 08:5b:0e:f1:95:eb
MAC-19 : 08:5b:0e:f1:95:ed
MAC-20 : 08:5b:0e:f1:95:ef
MAC-21 : 08:5b:0e:f1:95:f1
MAC-22 : 08:5b:0e:f1:95:f3
MAC-23 : 08:5b:0e:f1:95:f5
MAC-24 : 08:5b:0e:f1:95:f7
MAC-25 : 08:5b:0e:f1:95:f9
MAC-26 : 08:5b:0e:f1:95:fb
MAC-27 : 08:5b:0e:f1:95:fd
MAC-28 : 08:5b:0e:f1:95:ff
MAC-29 : 08:5b:0e:f1:96:01
MAC-30 : 08:5b:0e:f1:96:03
diagnose switch macsec statistics
Use this command to display MACsec traffic statistics for the specified port. If no port is specified, statistics for all ports are returned.
diagnose switch macsec statistics [<port_name>]
diagnose switch macsec status
Use this command to display the MACsec status of the specified port. If no port is specified, the status for all ports is returned.
diagnose switch macsec status [<port_name>]
diagnose switch managed-switch
Use this command to display information about the FortiSwitch unit when it is managed by a FortiGate unit:
diagnose switch managed-switch dump xlate-vlan
diagnose switch mclag
Use these commands to manage information about MCLAGs:
diagnose switch mclag clear-stats {all | icl | mclag <trunk_name>}
diagnose switch mclag icl
diagnose switch mclag list <trunk_name>
Variable | Description
clear-stats {all | icl | mclag <trunk_name>} | Delete statistics for all MCLAGs, delete MCLAG ICLs, or delete the statistics for the MCLAG with the specified trunk.
icl | List all inter-chassis links (ICLs).
list <trunk_name> | Display statistics for the MCLAG with the specified trunk.
To set up an MCLAG, see config switch trunk.
Example output
Switch1 # diagnose switch mclag icl
ICL-trunk
    icl-ports                47-48
    egress-block-ports       3,37
    interface-mac            08:5b:0e:73:fb:e7
    local-serial-number      FS1D483Z14000113
    peer-mac                 08:5b:0e:73:f8:87
    peer-serial-number       FS1D483Z14000097
    Local uptime             0 days 3h:57m:59s
    Peer uptime              0 days 3h:57m:16s
    MCLAG-STP-mac            08:5b:0e:73:f8:86
    keepalive interval       1
    keepalive timeout        60
    dormant candidate        Peer
    split-brain              Normal
Counters
    received keepalive packets         14012
    transmited keepalive packets       14012
    received keepalive drop packets    2
diagnose switch mirror auto-config
Use these commands to manage switch mirroring using ERSPAN encapsulation with automatically configured header contents:
diagnose switch mirror auto-config restart
diagnose switch mirror auto-config status
Variable | Description
restart | Restart the ERSPAN mirroring daemon.
status | Display the status of the ERSPAN mirroring.
Example output
S524DF4K15000024 # diagnose switch mirror auto-config status
Session name:
    Last update: never
    Error msg:
    State: None
    Flags: 0x00000000 ()
Config:
    Last good config update: never
Route Lookup:
    Last good route update: never
    Collector IP: 0.0.0.0
    Nexthop IP: 0.0.0.0
    SVI name:
    SVI devindex: 0
    SVI source MAC: 00:00:00:00:00:00
    SVI VLAN: 0
    SVI source IP: 0.0.0.0
Nexthop ARP resolution:
    Last good ARP update: never
    Nexthop MAC: 00:00:00:00:00:00
Switching table resolution:
    Last good update: never
    L2 result: MAC: 00:00:00:00:00:00 VLAN: 0 port-id: 0 Flags: 0x00000000
    Switch interface:
    Switch interface VLAN 0: untagged
Hardware updates:
    Last good update: never
    Last failed update: never
    Last update return: 0:Success.
Resolved/Running state:
    Last entered: never
    Last left: never
diagnose switch mirror hardware status
Use this command to display information about the driver-level and hardware-level switch mirroring:
diagnose switch mirror hardware status
Example output
S524DF4K15000024 # diagnose switch mirror hardware status
[flink.sniffer]===========================
Installed : no ( inactive)
diagnose switch modules
Use these commands to display information about physical layer (PHY) modules:
diagnose switch modules eeprom <physical_port_name>
diagnose switch modules state-machine <physical_port_name>
Variable | Description
eeprom | Display fragmentation and reassembly information
trap send | Generate a trap event and send it to the SNMP daemon.
Example output
S524DF4K15000024 # diagnose switch modules state-machine port10
DMI Status
----------------------------------
monitor_interval     10 minutes
next_monitor_in      0:44
dmi_trace            0
alarm_trap_enabled   0
num_ports            30
mod_pres             0x0000000000000000
mod_rxlos            0x0000000000000000
state_runs           62380
state_transitions    6

Module Summary
                               |     |              | Alarm - Warning Flags
                               | DMI |    Module    |Temp | Vcc |TxBia|TxPwr|RxPwr|
port | curr state | prev state | -IC | Type | State |Hi|Lo|Hi|Lo|Hi|Lo|Hi|Lo|Hi|Lo|
----------------------------------------------------------------------------------
   1 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
   2 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
   3 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
   4 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
   5 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
   6 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
   7 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
   8 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
   9 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  10 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  11 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  12 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  13 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  14 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  15 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  16 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  17 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  18 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  19 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  20 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  21 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  22 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  23 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  24 | INVALID    | INVALID    | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
  25 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
  26 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
  27 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
  28 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
  29 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
  30 | EMPTY      | EMPTY      | 0-0 | NONE |EMPTY  |..|..|..|..|..|..|..|..|..|..|
diagnose switch mrp
Use these commands to display information about the Media Redundancy Protocol (MRP):
diagnose switch mrp clear
diagnose switch mrp stats
diagnose switch mrp status
Variable | Description
clear | Delete the MRP statistics for the manager node.
stats | Display the Manager MRP statistics for the manager node.
status | Display the current MRP status.
diagnose switch network-monitor
Use these commands to manage information produced by network monitoring:
diagnose switch network-monitor cfg-stats
diagnose switch network-monitor clear-db
diagnose switch network-monitor dump-l2-db
diagnose switch network-monitor dump-l3-db
diagnose switch network-monitor dump-monitors
diagnose switch network-monitor parser-stats
Variable | Description
cfg-stats | Display network-monitoring configuration statistics.
clear-db | Delete all network-monitoring database entries.
dump-l2-db | List all detected devices from the layer-2 database.
dump-l3-db | List all detected devices from the layer-3 database.
dump-monitors | List the monitors used for survey-mode network monitoring.
parser-stats | List the network-monitoring parser statistics.
Example output
S524DF4K15000024 # diagnose switch network-monitor cfg-stats
Network Monitor Configuration Statistics:
----------------------------------
Adds : 1
Deletes : 0
Free Entries : 19

S524DF4K15000024 # diagnose switch network-monitor dump-monitors
Entry ID   Monitor Type    Monitor MAC         Packet-count
=================================================================
1          directed-mode   00:25:00:61:64:6d   0
2          survey-mode     08:5b:0e:f1:95:e5   0
3          survey-mode     08:5b:0e:f1:95:e5   0
4          survey-mode     08:5b:0e:f1:95:e5   0
5          survey-mode     00:00:5e:00:01:05   0
6          survey-mode     08:5b:0e:f1:95:e5   0
7          survey-mode     00:21:cc:d2:76:72   0

S524DF4K15000024 # diagnose switch network-monitor parser-stats
Network Monitor Parser Statistics:
----------------------------------
Arp : 0
Ip : 0
Udp : 0
Tcp : 0
Dhcp : 0
Eapol : 0
Unsupported : 0
diagnose switch pdu-counters
Use these commands to manage information from switch packet PDU counters:
diagnose switch pdu-counters clear
diagnose switch pdu-counters list
Variable | Description
clear | Clear switch packet PDU counters.
list | List nonzero switch packet PDU counters.
Example output
S548DN5018000377 # diagnose switch pdu-counters list
primary CPU counters:
  packet receive error : 0
Non-zero port counters:
port1:
  IGMP Membership Report : 45
  IGMP Membership Leave : 3
  IGMPv3 Membership Report : 69002
port13:
  IGMP Query packet : 50794
  IGMPv3 Membership Report : 50794
port47:
  LACP packet : 15474
  STP packet : 237919
  LLDP packet : 168194
  IGMP Query packet : 50757
  IGMP Membership Report : 29
  IGMP Membership Leave : 1
port48:
  LACP packet : 15475
  STP packet : 6
  LLDP packet : 168192
port51:
  IGMP Membership Report : 19
  IGMP Membership Leave : 4
  IGMPv3 Membership Report : 4
diagnose switch physical-ports cable-diag
Use this command to display the results of a time-domain reflectometer (TDR) diagnostic test on the specified port.
diagnose switch physical-ports cable-diag <port_name>
Example output
S524DF4K15000024 # diagnose switch physical-ports cable-diag port1
port1: cable (4 pairs, length +/- 10 meters)
pair A Open, length 0 meters
pair B Open, length 0 meters
pair C Open, length 0 meters
pair D Open, length 0 meters
diagnose switch physical-ports datarate
Use this command to display the number of packets received and transmitted on the specified ports as well as the data rate. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.
diagnose switch physical-ports datarate [<port_list>]
Example output
S524DF4K15000024 # diagnose switch physical-ports datarate 1,3,4-6
Rate Display Mode: DATA_RATE
Port     | TX Packets | TX Rate     || RX Packets | RX Rate     |
----------------------------------------------------------------------------------
port1    | 0          | 0.0000 Mbps || 0          | 0.0000 Mbps |
port3    | 0          | 0.0000 Mbps || 0          | 0.0000 Mbps |
port4    | 0          | 0.0000 Mbps || 0          | 0.0000 Mbps |
port5    | 0          | 0.0000 Mbps || 0          | 0.0000 Mbps |
port6    | 0          | 0.0000 Mbps || 0          | 0.0000 Mbps |
----------------------------------------------------------------------------------
                      | 0.0000 Mbps ||            | 0.0000 Mbps |
ctrl-c to stop
diagnose switch physical-ports eee-status
Use this command to display whether the specified port has energy-efficient Ethernet (EEE) enabled. If the port is not specified, the status of all ports is displayed.
diagnose switch physical-ports eee-status [<port_name>]
Example output
S524DF4K15000024 # diagnose switch physical-ports eee-status port9
Portname   State     RX-LPI-Status   TX-LPI-Status   TX(ms)   RX(ms)   TX-Resolved(ms)   RX-Resolved(ms)
--------------------------------------------------------------------------------------------------
port9      Enabled   Inactive        Inactive        0        0        0                 0
diagnose switch physical-ports hw-counter
Use these commands to display information about counters:
diagnose switch physical-ports hw-counter add {rx | tx} <counter_id> <counter|counter|counter...>
diagnose switch physical-ports hw-counter clear {rx | tx} <counter_id>
diagnose switch physical-ports hw-counter info
diagnose switch physical-ports hw-counter remove {rx | tx} <counter_id> <counter|counter|counter...>
diagnose switch physical-ports hw-counter search <port_name> <interval_seconds> <counter|counter|counter...>
diagnose switch physical-ports hw-counter search-cancel
diagnose switch physical-ports hw-counter search-results
diagnose switch physical-ports hw-counter show {rx | tx | all} <port_name>
Variable | Description
hw-counter add {rx | tx} <counter_id> <counter|counter|counter...> | Add trigger flags to a specified counter.
hw-counter clear {rx | tx} <counter_id> | Clear a specific counter.
hw-counter info | Display the supported trigger flags (RX and TX).
hw-counter remove {rx | tx} <counter_id> <counter|counter|counter...> | Remove trigger flags from the specified counters.
hw-counter search <port_name> <interval_seconds> <counter|counter|counter...> | Retrieve the data for the specified triggers on a specified port within the interval in seconds.
hw-counter search-cancel | Cancel the currently running search.
hw-counter search-results | Display the last search results.
hw-counter show {rx | tx | all} <port_name> | Show all trigger flags and statistics on a specified port.
Example output
S524DF4K15000024 # diagnose switch physical-ports hw-counter show all port9
----------------------------------------------------------------------------------
| Counter Statistics (port:9)
----------------------------------------------------------------------------------
|Type|Counter ID| Value | Trigger Flags Enabled
----------------------------------------------------------------------------------
| Rx |         0|      0|RIPD4 RIPD6 RDISC RPORTD PDISC
|    |          |       | RFILDR RDROP VLANDR
----------------------------------------------------------------------------------
| Rx |         1|      0|IMBP
----------------------------------------------------------------------------------
| Rx |         2|      0|RIMDR
----------------------------------------------------------------------------------
| Tx |         0|      0|TGIP6 TGIPMC6
----------------------------------------------------------------------------------
| Tx |         1|      0|TIPD6 TIPMCD6
----------------------------------------------------------------------------------
| Tx |         2|      0|TGIPMC6
----------------------------------------------------------------------------------
| Tx |         3|      0|TPKTD
----------------------------------------------------------------------------------
| Tx |         4|      0|TGIP4 TGIP6
----------------------------------------------------------------------------------
| Tx |         5|      0|TIPMCD4 TIPMCD6
----------------------------------------------------------------------------------
| Tx |         6|      0|THIGIG2
----------------------------------------------------------------------------------
diagnose switch physical-ports io-stats
Use these commands to display information about input/output packet statistics:
diagnose switch physical-ports io-stats clear-local <port_list>
diagnose switch physical-ports io-stats cumulative
diagnose switch physical-ports io-stats list [<port_list>]
Variable | Description
io-stats clear-local <port_list> | Delete the statistics for input and output packets for the specified ports. Use commas to separate ports. For example: 1,3,4-6
io-stats cumulative | Display the cumulative statistics for input and output packets for all ports.
io-stats list [<port_list>] | List the statistics for input and output packets for the specified ports. If the ports are not specified, the statistics for all ports are displayed.
Example output
S524DF4K15000024 # diagnose switch physical-ports io-stats cumulative
Cumulative IO Stats:
    RX PacketsBpdu        69035
    RX PacketsL3RxCpu     1020
    RX PacketsRxAll       112157
    RX PacketsFlpOrIGMP   39831
----------------------------------------------------------------------------------
diagnose switch physical-ports led-flash
Use this command to flash all port LEDs on and off for a specified number of minutes so that a particular switch can be identified. Valid times are 5, 15, 30, or 60 minutes. Use disable to stop the LEDs from flashing.
diagnose switch physical-ports led-flash disable
diagnose switch physical-ports led-flash {5 | 15 | 30 | 60}
diagnose switch physical-ports linerate
Use this command to display the number of packets received and transmitted on the specified ports as well as the line rate. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.
diagnose switch physical-ports linerate [<port_list>]
Example output
S524DF4K15000024 # diagnose switch physical-ports linerate 1,3,4-6
Rate Display Mode: LINE_RATE
Port     | TX Packets | TX Rate     || RX Packets | RX Rate     |
----------------------------------------------------------------------------------
port1    | 0          | 0.0000 Mbps || 0          | 0.0000 Mbps |
port3    | 0          | 0.0000 Mbps || 0          | 0.0000 Mbps |
port4    | 0          | 0.0000 Mbps || 0          | 0.0000 Mbps |
port5    | 0          | 0.0000 Mbps || 0          | 0.0000 Mbps |
port6    | 0          | 0.0000 Mbps || 0          | 0.0000 Mbps |
----------------------------------------------------------------------------------
                      | 0.0000 Mbps ||            | 0.0000 Mbps |
ctrl-c to stop
diagnose switch physical-ports list
Use this command to display the details for the specified port. If the port is not specified, the details for all ports are displayed.
diagnose switch physical-ports list [<port_name>]
Example output
S524DF4K15000024 # diagnose switch physical-ports list port1
Port(port1) is Admin up, line protocol is down
Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
Address is 08:5B:0E:F1:95:E6, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
half-duplex, 0 Mb/s, link type is auto
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers
diagnose switch physical-ports mapping
Use this command to display which drivers are associated with which ports:
diagnose switch physical-ports mapping
Example output
S524DF4K15000024 # diagnose switch physical-ports mapping
Unmapped port IDs:
Userspace | Driver
Port Name PortID | Unit Port Driver Name
-------------------- ------ | ------ ------ ----------------
port1 1 | 0 2 ge1
port2 2 | 0 1 ge0
port3 3 | 0 3 ge2
port4 4 | 0 4 ge3
port5 5 | 0 6 ge5
port6 6 | 0 5 ge4
port7 7 | 0 7 ge6
port8 8 | 0 8 ge7
port9 9 | 0 10 ge9
port10 10 | 0 9 ge8
port11 11 | 0 11 ge10
port12 12 | 0 12 ge11
port13 13 | 0 14 ge13
port14 14 | 0 13 ge12
port15 15 | 0 15 ge14
port16 16 | 0 16 ge15
port17 17 | 0 18 ge17
port18 18 | 0 17 ge16
port19 19 | 0 19 ge18
port20 20 | 0 20 ge19
port21 21 | 0 22 ge21
port22 22 | 0 21 ge20
port23 23 | 0 23 ge22
port24 24 | 0 24 ge23
port25 25 | 0 42 xe0
port26 26 | 0 43 xe1
port27 27 | 0 44 xe2
port28 28 | 0 45 xe3
port29 29 | 0 46 xe4
port30 30 | 0 50 xe8
internal 31 | 0 0 cpu0
diagnose switch physical-ports mdix-status
Use this command to display whether a specified port is a medium-dependent interface crossover (MDIX) port:
diagnose switch physical-ports mdix-status <port_name>
Example output
S524DF4K15000024 # diagnose switch physical-ports mdix-status port1
port1: MDIX(Crossover)
diagnose switch physical-ports port-stats
Use these commands to list port statistics for the specified ports or list port statistics that are not zero. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.
diagnose switch physical-ports port-stats [<port_list> | non-zero]
Example output
S524DF4K15000024 # diagnose switch physical-ports port-stats 1
port1 Port Stats:
Rx Bytes: 0
Rx Packets: 0
Rx Unicasts: 0
Rx NUnicasts: 0
Rx Multicasts: 0
Rx Broadcasts: 0
Rx Discards: 0
Rx Errors: 0
Rx Oversize: 0
Rx Pauses: 0
Rx IPMC Dropped: 0
Rx 64 Octets Packets: 0
Rx 65-127 Octets Packets: 0
Rx 128-255 Octets Packets: 0
Rx 256-511 Octets Packets: 0
Rx 512-1023 Octets Packets: 0
Rx 1024-1518 OctetsPackets: 0
Rx 1519-2047 Octets Packets: 0
Rx 2048-4095 Octets Packets: 0
Rx 4096-9216 Octets Packets: 0
Rx 9217-16383 Octets Packets: 0
Rx L3 Packets: 0
Tx Bytes: 0
Tx Packets: 0
Tx Unicasts: 0
Tx NUnicasts: 0
Tx Multicasts: 0
Tx Broadcasts: 0
Tx Discards: 0
Tx Errors: 0
Tx Oversize: 0
Tx Pauses: 0
Tx IPMC Dropped: 0
Tx 64 Octets Packets: 0
Tx 65-127 Octets Packets: 0
Tx 128-255 Octets Packets: 0
Tx 256-511 Octets Packets: 0
Tx 512-1023 Octets Packets: 0
Tx 1024-1518 Octets Packets: 0
Tx 1519-2047 Octets Packets: 0
Tx 2048-4095 Octets Packets: 0
Tx 4096-9216 Octets Packets: 0
Tx 9217-16383 Octets Packets: 0
Fragments: 0
Undersize: 0
Jabbers: 0
Collisions: 0
CRC Alignment Errors: 0
IPMC Bridged: 0
IPMC Routed: 0
----------------------------------------------------------------------------------
diagnose switch physical-ports qos-rates
Use these commands to display real-time egress QoS queue rates, including the data rate, line rate, and drop rate:
diagnose switch physical-ports qos-rates clear <port_list>
diagnose switch physical-ports qos-rates list [<port_list>]
diagnose switch physical-ports qos-rates non-zero
Variable |
Description |
qos-rates clear <port_list> |
Delete the QoS statistics for the specified ports. If the ports are not specified, the statistics for all ports are deleted. |
qos-rates list [<port_list>] |
Display the real-time egress QoS queue rates for the specified ports. If the ports are not specified, the rates for all ports are displayed. Press |
qos-rates non-zero |
Display only the real-time egress QoS queue rates that are not zero. Press |
Example output
S548DF5018000776 # diagnose switch physical-ports qos-rates non-zero ---------------------------- --------------------------------------------- ---------------------------- --------------------------------------------- --------------------------- --------------------------------------------- ctrl-c to port6 QoS Rates: queue | PPS | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) | --------------------------------------------------------------------------- 7 | 0.0000 | 0.0000 | 0.0000 | 0.0000 | 0.0000 | ---------------------------- --------------------------------------------- port28 QoS Rates: queue | PPS | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) | --------------------------------------------------------------------------- 7 | 0.8466 | 0.0008 | 0.0010 | 0.0000 | 0.0000 | ---------------------------- --------------------------------------------- internal QoS Rates: queue | PPS | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) | --------------------------------------------------------------------------- 25 | 0.8472 | 0.0009 | 0.0010 | 0.0000 | 0.0000 | ---------------------------- --------------------------------------------- ctrl-c to stop ^C
diagnose switch physical-ports qos-stats
Use these commands to display QoS statistics:
diagnose switch physical-ports qos-stats clear <port_list>
diagnose switch physical-ports qos-stats list [<port_list>]
diagnose switch physical-ports qos-stats non-zero
diagnose switch physical-ports qos-stats set-qos-counter-revert [<port_list>]
diagnose switch physical-ports qos-stats set-qos-counter-zero [<port_list>]
Variable |
Description |
qos-stats clear [<port_list>] |
Delete the QoS statistics for the specified ports. If the ports are not specified, the statistics for all ports are deleted. |
qos-stats list [<port_list>] |
Display the QoS statistics for the specified ports. If the ports are not specified, the statistics for all ports are displayed. |
qos-stats non-zero |
List only QoS statistics that are not zero. |
qos-stats set-qos-counter-revert [<port_list> ] |
Restore QoS counters to direct hardware values for the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports. |
qos-stats set-qos-counter-zero [<port_list>] |
Clear QoS counters (applies to all applications except SNMP) for the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports. |
Example output
S524DF4K15000024 # diagnose switch physical-ports qos-stats list 1
port1 QoS Stats:
queue | unicast pkts | unicast bytes | multicast pkts | multicast bytes
----------------------------------------------------------------------------------
0 | 0 | 0 | 0 | 0
1 | 0 | 0 | 0 | 0
2 | 0 | 0 | 0 | 0
3 | 0 | 0 | 0 | 0
4 | 0 | 0 | 0 | 0
5 | 0 | 0 | 0 | 0
6 | 0 | 0 | 0 | 0
7 | 0 | 0 | 0 | 0
queue | ucast drop pkts | ucast drop bytes | mcast drop pkts | mcast drop bytes
----------------------------------------------------------------------------------
0 | 0 | 0 | 0 | 0
1 | 0 | 0 | 0 | 0
2 | 0 | 0 | 0 | 0
3 | 0 | 0 | 0 | 0
4 | 0 | 0 | 0 | 0
5 | 0 | 0 | 0 | 0
6 | 0 | 0 | 0 | 0
7 | 0 | 0 | 0 | 0
----------------------------------------------------------------------------------
diagnose switch physical-ports queue-bandwidth-setting
Use this command to display the bandwidth setting (kbps or percentage) for the egress queues. If the ports are not specified, the bandwidth settings for all egress queues are displayed.
diagnose switch physical-ports queue-bandwidth-setting [<port_list>]
Example output
S524DF4K15000024 # diagnose switch physical-ports queue-bandwidth-setting port23
port23 cosq bandwidth setting: (0: disabled)
port | q | KbpsMin | KbpsMax
-------+---+----------+----------+
port23 | 0 | 0 | 0
port23 | 1 | 0 | 0
port23 | 2 | 0 | 0
port23 | 3 | 0 | 0
port23 | 4 | 0 | 0
port23 | 5 | 0 | 0
port23 | 6 | 0 | 0
port23 | 7 | 0 | 0
diagnose switch physical-ports set-counter-revert
Use this command to restore hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.
diagnose switch physical-ports set-counter-revert [<port_list>]
diagnose switch physical-ports set-counter-zero
Use this command to clear all hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.
diagnose switch physical-ports set-counter-zero [<port_list>]
diagnose switch physical-ports split-status
Use this command to display information about split ports:
diagnose switch physical-ports split-status
Example output
S524DF4K15000024 # diagnose switch physical-ports split-status
Port Name Split Phy Name Port Index Child Index
---------------- ----- ---------------- ---------------- ----------
port29 No - 29 -
port30.1 Yes port30 30 0
port30.2 Yes port30 32 1
port30.3 Yes port30 33 2
port30.4 Yes port30 34 3
diagnose switch physical-ports stats
Use these commands to display counter statistics:
diagnose switch physical-ports stats clear-local <port_list>
diagnose switch physical-ports stats list [<port_list>]
diagnose switch physical-ports stats non-zero
Variable |
Description |
stats clear-local <port_list> |
Delete the statistics for received and transmitted packets for the specified ports for only the local session. Use commas to separate ports. For example: 1,3,4-6 |
stats list [<port_list>] |
List the statistics for received and transmitted packets for the specified ports. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed. |
stats non-zero |
List the statistics for counters that are not zero. |
Example output
S524DF4K15000024 # diagnose switch physical-ports stats list
Port | TX Packets | TX bytes || RX Packets | RX Bytes | RX L3 Packets |
----------------------------------------------------------------------------------
port1 | 0 | 0 || 0 | 0 | 0 |
port2 | 0 | 0 || 0 | 0 | 0 |
port3 | 0 | 0 || 0 | 0 | 0 |
port4 | 0 | 0 || 0 | 0 | 0 |
port5 | 0 | 0 || 0 | 0 | 0 |
port6 | 0 | 0 || 0 | 0 | 0 |
port7 | 0 | 0 || 0 | 0 | 0 |
port8 | 0 | 0 || 0 | 0 | 0 |
port9 | 0 | 0 || 0 | 0 | 0 |
port10 | 0 | 0 || 0 | 0 | 0 |
port11 | 0 | 0 || 0 | 0 | 0 |
port12 | 0 | 0 || 0 | 0 | 0 |
port13 | 0 | 0 || 0 | 0 | 0 |
port14 | 0 | 0 || 0 | 0 | 0 |
port15 | 0 | 0 || 0 | 0 | 0 |
port16 | 0 | 0 || 0 | 0 | 0 |
port17 | 0 | 0 || 0 | 0 | 0 |
port18 | 0 | 0 || 0 | 0 | 0 |
port19 | 0 | 0 || 0 | 0 | 0 |
port20 | 0 | 0 || 0 | 0 | 0 |
port21 | 0 | 0 || 0 | 0 | 0 |
port22 | 0 | 0 || 0 | 0 | 0 |
port23 | 0 | 0 || 0 | 0 | 0 |
port24 | 0 | 0 || 0 | 0 | 0 |
port25 | 0 | 0 || 0 | 0 | 0 |
port26 | 0 | 0 || 0 | 0 | 0 |
port27 | 0 | 0 || 0 | 0 | 0 |
port28 | 0 | 0 || 0 | 0 | 0 |
port29 | 0 | 0 || 0 | 0 | 0 |
port30 | 0 | 0 || 0 | 0 | 0 |
internal | 393 | 9343000 || 0 | 0 | 0 |
diagnose switch physical-ports summary
Use this command to display a summary of the specified physical port. If the port is not specified, summaries for all ports are displayed.
diagnose switch physical-ports summary [<port_name>]
Example output
S524DF4K15000024 # diagnose switch physical-ports summary port1
Portname Status Tpid Vlan Duplex Speed Flags Discard
__________ ______ ____ ____ ______ _____ __________ _________
port1 down 8100 1 half - , , none
Flags: QS(802.1Q) QE(802.1Q-in-Q,external) QI(802.1Q-in-Q,internal) TS(static trunk) TF(forti trunk) TL(lacp trunk); MD(mirror dst) MI(mirror ingress) ME(mirror egress) MB(mirror ingress and egress) CF (Combo Fiber), CC (Combo Copper)
diagnose switch physical-ports virtual-wire list
Use this command to list all virtual wires:
diagnose switch physical-ports virtual-wire list
Example output
S524DF4K15000024 # diagnose switch physical-ports virtual-wire list
port7(7) to port8(8) TPID: 0xdee5 VLAN: 70
diagnose switch poe status
Use this command to display power over Ethernet (PoE) information for a specific port:
diagnose switch poe status <physicial_port_name>
Variable |
Description |
<physicial_port_name> |
Enter the port name. |
Example output
S524DF4K15000024 # diagnose switch poe status port1
Port(1) Power:0.00W, Power-Status: Searching
Power-Up Mode: Normal Mode
Remote Power Device Type: PD None
Power Class: 0
Defined Max Power: 0.00W, Priority: Low.
Voltage: 54.90V
Current: 0mA
diagnose switch ptp port add-link-delay
Use this command to add an estimated link delay in nanoseconds to the specified port. Adding a link delay helps with debugging, and the setting is cleared when the switch is rebooted:
diagnose switch ptp port add-link-delay <port_name> <estimated_link_delay>
Example output
S548DN4K15000008 # diagnose switch ptp port add-link-delay port49 500
Adding port49's link_delay 500(ns).
diagnose switch ptp port get-link-delay
Use this command to display link-delay information for the specified port:
diagnose switch ptp port get-link-delay <port_name>
Example output
S548DN4K15000008 # diagnose switch ptp port get-link-delay port49
Portname Speed Link-Delay
__________ _____ ___________
port49 10G 500ns
diagnose switch qnq dtag-cfg
Use this command to display information about the VLAN stacking (QinQ) configuration:
diagnose switch qnq dtag-cfg
Example output
S548DF5018000776 # diagnose switch qnq dtag-cfg
Port Name | QinQ Mode | Add Inner-Tag | Remove Inner-Tag | Priority | Ether-Type
======================================================================================
port39 | customer | add (vid 456) | enable | follow-s-tag | 0x8100
diagnose switch trunk list
Use this command to display link aggregation information:
diagnose switch trunk list [<trunk_name>]
Variable |
Description |
[<trunk_name>] |
Display link aggregation information for the specified trunk. If the trunk is not specified, link aggregation information for all trunks is displayed. |
Example output
S524DF4K15000024 # diagnose switch trunk list trunk1
Switch Trunk Information, primary-Channel
Trunk Name: trunk1
Mode: fortinet-trunk
Port Selection Algorithm: N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:E6
Active Port Up Time
___________ _________________________
Non-Active Port Status
_______________ ____________________
port1 BLOCK
port2 BLOCK

S524DF4K15000024 # diagnose switch trunk list
Switch Trunk Information, primary-Channel
Trunk Name: Mclag-icl-trunk
Mode: lacp-active (mclag-icl)
Port Selection Algorithm: N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:F4
Active Port Up Time
___________ _________________________
Non-Active Port Status
_______________ ____________________
port15 BLOCK
port16 BLOCK
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled
status: down
ports: 2
LACP mode: active
LACP speed: slow
aggregator ID: 1
actor key: 0
actor MAC address: 08:5b:0e:f1:95:f4
partner key: 1
partner MAC address: 00:00:00:00:00:00
slave: port15
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f4
actor state: ASAIDD
partner state: PSIODD
aggregator ID: 1
slave: port16
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f5
actor state: ASAODD
partner state: PSIODD
aggregator ID: 2
Trunk Name: first-mclag
Mode: static (mclag)
Port Selection Algorithm: N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:E7
Active Port Up Time
___________ _________________________
Non-Active Port Status
_______________ ____________________
port2 BLOCK
diagnose switch trunk summary
Use this command to display a summary of the link aggregation information:
diagnose switch trunk summary [<trunk_name>]
Variable |
Description |
[<trunk_name>] |
Display a summary of the link aggregation information for the specified trunk. If the trunk is not specified, a summary for all trunks is displayed. |
Example output
S524DF4K15000024 # diagnose switch trunk summary
Trunk Name Mode PSC MAC Status Up Time
________________ _________________________ ___________ _________________ ___________ _________
Mclag-icl-trunk lacp-active(mclag-icl) N/A 08:5B:0E:F1:95:F4 down(0/2) N/A
first-mclag static(mclag) N/A 08:5B:0E:F1:95:E7 down(0/1) N/A
8DN3X16000001-0 lacp-active(auto-isl) src-dst-ip 08:5B:0E:F0:9B:90 up(1/1) 0 days,0 hours,1 mins,35 secs

S524DF4K15000024 # diagnose switch trunk summary first-mclag
Trunk Name Mode PSC MAC Status Up Time
________________ _________________________ ___________ _________________ ___________ _________
first-mclag static(mclag) N/A 08:5B:0E:F1:95:E7 down(0/1) N/A
diagnose switch vlan
Use these commands to display information about virtual LANs:
diagnose switch vlan assignment capabilities
diagnose switch vlan assignment ether-proto flush
diagnose switch vlan assignment ether-proto list [{sorted-by-protocol | sorted-by-vlan}]
diagnose switch vlan assignment ipv4 flush
diagnose switch vlan assignment ipv4 list [{sorted-by-address | sorted-by-vlan}]
diagnose switch vlan assignment ipv6 flush
diagnose switch vlan assignment ipv6 list [{sorted-by-address | sorted-by-vlan}]
diagnose switch vlan assignment mac flush
diagnose switch vlan assignment mac list [{sorted-by-mac | sorted-by-vlan}]
diagnose switch vlan info cache <VLAN_ID>
diagnose switch vlan info dump
diagnose switch vlan list [<VLAN_ID>]
Variable |
Description |
assignment capabilities |
Display information about hardware capabilities for VLAN assignments. |
assignment ether-proto flush |
Delete all VLAN entries assigned by Ethernet frame type and protocol. |
assignment ether-proto list [{sorted-by-protocol | sorted-by-vlan}] |
Display VLAN assignments by Ethernet frame type and protocol. Use |
assignment ipv4 flush |
Delete all VLAN entries assigned by IPv4 address or subnet. |
assignment ipv4 list [{sorted-by-address | sorted-by-vlan}] |
Display VLAN assignments by IPv4 address or subnet. Use |
assignment ipv6 flush |
Delete all VLAN entries assigned by IPv6 address or subnet. |
assignment ipv6 list [{sorted-by-address | sorted-by-vlan}] |
Display VLAN assignments by IPv6 address or subnet. Use |
assignment mac flush |
Delete all VLAN entries assigned by MAC address. |
assignment mac list [{sorted-by-mac | sorted-by-vlan}] |
Display VLAN assignments by MAC address. Use |
info cache <VLAN_ID> |
Display information about the VLAN cache. |
info dump |
Display VLAN-related information. |
list [<VLAN_ID>] |
Display which ports are assigned to the specified VLAN identifier. If the VLAN identifier is not specified, the information for all VLAN identifiers is displayed. |
Example output
S524DF4K15000024 # diagnose switch vlan assignment capabilities
Assignment modes supported:
Port based assignment
IPv4 address/subnet based assignment
IPv6 address/subnet based assignment
MAC address based assignment
Ethernet Protocol based assignment

S524DF4K15000024 # diagnose switch vlan info dump
Ports:
[ port1] Force[disabled]
[ port2] Force[disabled]
[ port3] Force[disabled]
[ port4] Force[disabled]
[ port5] Force[disabled]
[ port6] Force[disabled]
[ port7] Force[disabled]
[ port8] Force[disabled]
[ port9] Force[disabled]
[ port10] Force[disabled]
[ port11] Force[disabled]
[ port12] Force[disabled]
[ port13] Force[disabled]
[ port14] Force[disabled]
[ port15] Force[disabled]
[ port16] Force[disabled]
[ port17] Force[disabled]
[ port18] Force[disabled]
[ port19] Force[disabled]
[ port20] Force[disabled]
[ port21] Force[disabled]
[ port22] Force[disabled]
[ port23] Force[disabled]
[ port24] Force[disabled]
[ port25] Force[disabled]
[ port26] Force[disabled]
[ port27] Force[disabled]
[ port28] Force[disabled]
[ port29] Force[disabled]
[ port30] Force[disabled]
[internal] Force[disabled]
Private-VLANs:

S524DF4K15000024 # diagnose switch vlan list
VlanId Ports
______ ___________________________________________________
1 port1 port2 port3 port4 port5 port6 port7 port8 port9 port10 port11 port12 port13 port14 port15 port16 port17 port18 port19 port20 port21 port22 port23 port24 port25 port26 port27 port28 port29 port30
4094 internal
diagnose switch vlan-mapping egress hardware-entry
Use the following command to check the VLAN mapping on an interface for the egress direction:
diagnose switch vlan-mapping egress hardware-entry
diagnose switch vlan-mapping ingress hardware-entry
Use the following command to check the VLAN mapping on an interface for the ingress direction:
diagnose switch vlan-mapping ingress hardware-entry
diagnose switch vxlan mac-address list
Use the following command to list the MAC address, VXLAN network identifier (VNI), source and destination IP addresses of the VXLAN tunnel, and the VXLAN destination port for the specified VXLAN interface:
diagnose switch vxlan mac-address list <VXLAN_interface_name>
diagnose sys checkused
Use the following command to check which tables are using the entry:
diagnose sys checkused <path.object.mkey>
Variable |
Description |
<path.object.mkey> |
Display which tables use this entry. |
Example output
S524DF4K15000024 # diagnose sys checkused switch.physical-port.name
may be used by table switch.trunk.members.member-name
may be used by table switch.mirror.dst
may be used by table switch.mirror.src-ingress.name
may be used by table switch.mirror.src-egress.name
may be used by table switch.acl.policy.ingress-interface.member-name
may be used by table switch.acl.policy.action.mirror
may be used by table switch.acl.policy.action.redirect
may be used by table switch.acl.policy.action.redirect-physical-port.member-name
may be used by table switch.acl.policy.action.egress-mask.member-name
may be used by table switch.virtual-wire.first-member
may be used by table switch.virtual-wire.second-member
may be used by table switch.auto-isl-port-group.members.member-name
may be used by table system.admin.dashboard.interface
diagnose sys cpuset
Use this command to display information about which CPU set uses a specific process:
diagnose sys cpuset <process_ID> <CPU_set_mask>
Variable |
Description |
<process_ID> <CPU_set_mask> |
Specify the process identifier and CPU set mask to find out which CPU set uses the process. |
diagnose sys dayst-info
Use this command to display information about daylight saving time:
diagnose sys dayst-info
Example output
S524DF4K15000024 # diagnose sys dayst-info
The current timezone '(GMT-8:00)Pacific Time(US&Canada).' daylight saving time starts at Sun Mar 8 02:00:00 1970, ends at Sun Nov 1 01:00:00 1970
diagnose sys fan status
Use this command to display fan information:
diagnose sys fan status
Example output
S524DF4K15000024 # diagnose sys fan status
Module Status
___________________________________
Fan OK
Fan speed is set to 50.0%.
Use this command if you want to run a Known Answer Test (KAT) in error mode. The switch will halt after restarting. To exit error mode, you must turn the switch off and then on again and have access to the console.
diagnose sys flan-cloud-mgr
Use these commands to manage the SSL tunnel for FortiLAN Cloud management:
diagnose sys flan-cloud-mgr close-access-socket
diagnose sys flan-cloud-mgr shutdown-ssl
Variable |
Description |
close-access-socket |
Restart the SSL tunnel between a FortiSwitch unit and FortiLAN Cloud by closing the socket. |
shutdown-ssl |
Restart the SSL tunnel between a FortiSwitch unit and FortiLAN Cloud by sending an SSL_SHUTDOWN request. |
diagnose sys flash
Use these commands to manage flash memory:
diagnose sys flash format
diagnose sys flash list [<file>]
Variable |
Description |
format |
Format the shared data partition (flash partition 2). |
list [<file>] |
Display statistics for a file or directory in flash memory. If no file or directory is specified, statistics for all flash memory are returned. |
Example output
S524DF4K15000024 # diagnose sys flash list Partition Image TotalSize(KB) Used(KB) Use% Active (*) 1 S524DF-3.6.3-FW-build0390-171020 53248 22922 43% Yes 4096 448 11% Yes 2 53248 0 0% No Flag * : next-boot partition Image build at Oct 20 2017 17:10:54 for b0390
diagnose sys flow-export
Use these commands to manage flow-export data:
diagnose sys flow-export delete-flows-all
diagnose sys flow-export expire-flows-all
Variable |
Description |
delete-flows-all |
Delete all flow-export data. |
expire-flows-all |
Expire all flow-export data. |
diagnose sys kill
Use this command to end a specified process:
diagnose sys kill <signal_number> <process_ID>
Variable |
Description |
<signal_number> <process_ID> |
End the process with the specified signal. |
To find out which processes are currently running, see diagnose sys vlan list.
diagnose sys link-monitor
Use these commands to manage the link monitor:
diagnose sys link-monitor interface <entry>
diagnose sys link-monitor launch <entry>
diagnose sys link-monitor status {entry | all}
To configure the link health monitor, see config system link-monitor.
Variable |
Description |
interface <entry> |
Display information about the specified link-monitor entry. |
launch <entry> |
Manually launch the specified link-monitor entry. |
status {entry | all} |
Display information about a specified link-monitor entry or all link-monitor entries. |
diagnose sys mpstat
Use this command to display information about CPU use:
diagnose sys mpstat <delay> <loops>
Variable |
Description |
<delay> <loops> |
Display information about the CPU use after the specified number of seconds (default is 5) and for the specified number of loops (default is 1,000,000). If the values for <delay> <loops> are not specified, there is no delay, and the output continues until a key is pressed. |
Example output
S524DF4K15000024 # diagnose sys mpstat Gathering data, wait 5 sec, press any key to quit. ..0..1..2..3..4 TIME CPU %usr %nice %sys %idle 04:02:59 PM all 0.00 0.00 5.73 94.27 0 0.00 0.00 10.87 89.13 1 0.00 0.00 0.59 99.41 04:02:59 PM 0.00 0.00 0.00 0.00 TIME CPU %usr %nice %sys %idle 04:03:04 PM all 0.00 0.00 6.87 93.13 0 0.00 0.00 12.75 87.25 1 0.00 0.00 1.00 99.00 04:03:04 PM 0.00 0.00 0.00 0.00
diagnose sys ntp status
Use this command to display the configuration of the Network Time Protocol (NTP) servers:
diagnose sys ntp status
To configure the NTP servers, see config system ntp.
diagnose sys pcb temp
Use this command to display the printed circuit board (PCB) temperature:
diagnose sys pcb temp
Example output
S524DF4K15000024 # diagnose sys pcb temp
Module Status
__________________________________
Sensor1 42.0 C
diagnose sys permission list
Use this command to list the permissions required to use the commands for the specified access profile groups:
diagnose sys permission list <all | <group_list>
Variable |
Description |
<group_list> |
The access profile group can be any of the following: |
Example output
S224ENTF18000826 # diagnose sys permission list sysgrp:r
"diagnose certificate all" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose certificate ca" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose certificate local" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose certificate remote" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose switch managed-switch dump xlate-vlan" Read-permissions-required="sysgrp" Write-permissions-required=""
"diagnose sys checkused" Read-permissions-required="sysgrp" Write-permissions-required=""
"diagnose sys ntp status" Read-permissions-required="sysgrp" Write-permissions-required=""
...
diagnose sys permission list-by-accprofile
Use this command to list the available commands and permissions for the specified access profile:
diagnose sys permission list-by-accprofile <access_profile_name>
Use the get system accprofile command to see the available access profiles.
Example output
S224ENTF18000826 # diagnose sys permission list-by-accprofile prof_admin
"diagnose automation test" Read-permissions-required="loggrp" Write-permissions-required="loggrp"
"diagnose bpdu-guard status" Read-permissions-required="swmonguardgrp" Write-permissions-required="swmonguardgrp"
"diagnose certificate all" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose certificate ca" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose certificate local" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose certificate remote" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose debug application alertd" Read-permissions-required="utilgrp" Write-permissions-required="utilgrp"
"diagnose debug application authd" Read-permissions-required="utilgrp" Write-permissions-required="utilgrp"
"diagnose debug application auto-script" Read-permissions-required="utilgrp" Write-permissions-required="utilgrp"
...
diagnose sys permission list-cli
Use this command to list the permissions for the specified CLI path:
diagnose sys permission list-cli <CLI_path>
Example output
S224ENTF18000826 # diagnose sys permission list-cli system.interface
"config system interface" Read-permissions-required="netgrp" Write-permissions-required="netgrp"
"get system interface physical" Read-permissions-required="netgrp" Write-permissions-required="netgrp"
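The three diagnose sys permission commands above print the same record format, so one parser can turn a saved capture into something an access review can use. The following Python sketch is an added example, not Fortinet code: the function names are this example's own, the BASELINE text is copied from the example output above, and the LATER capture is constructed to show how a change in required permissions is detected.

```python
import re
from collections import defaultdict

# One record: "<command>" Read-permissions-required="<grp>" Write-permissions-required="<grp>"
# \s+ between fields lets the same pattern handle one-record-per-line captures
# and captures where the terminal output was pasted onto a single line.
ENTRY_RE = re.compile(
    r'"(?P<cmd>[^"]+)"\s+'
    r'Read-permissions-required="(?P<read>[^"]*)"\s+'
    r'Write-permissions-required="(?P<write>[^"]*)"'
)

# Copied from the example output on this page (truncated).
BASELINE = '''S224ENTF18000826 # diagnose sys permission list sysgrp:r
"diagnose certificate all" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose switch managed-switch dump xlate-vlan" Read-permissions-required="sysgrp" Write-permissions-required=""
"diagnose sys checkused" Read-permissions-required="sysgrp" Write-permissions-required=""
"diagnose sys ntp status" Read-permissions-required="sysgrp" Write-permissions-required=""
'''

# Constructed for this example: a later capture in which one command gained a
# write requirement, one disappeared and one was added.
LATER = '''S224ENTF18000826 # diagnose sys permission list sysgrp:r
"diagnose certificate all" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose certificate ca" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
"diagnose switch managed-switch dump xlate-vlan" Read-permissions-required="sysgrp" Write-permissions-required=""
"diagnose sys checkused" Read-permissions-required="sysgrp" Write-permissions-required="sysgrp"
'''


def parse_permissions(text):
    """Return {command: (read_group, write_group)} for every record in text."""
    return {m.group("cmd"): (m.group("read"), m.group("write"))
            for m in ENTRY_RE.finditer(text)}


def commands_by_group(perms):
    """Index commands by the access profile group each requirement names."""
    index = defaultdict(lambda: {"read": [], "write": []})
    for cmd, (read, write) in sorted(perms.items()):
        if read:
            index[read]["read"].append(cmd)
        if write:
            index[write]["write"].append(cmd)
    return dict(index)


def no_write_requirement(perms):
    """Commands whose Write-permissions-required field is empty."""
    return sorted(cmd for cmd, (_, write) in perms.items() if not write)


def diff_permissions(before, after):
    """Compare two parsed captures and report what changed between them."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(
            (cmd, before[cmd], after[cmd])
            for cmd in set(before) & set(after)
            if before[cmd] != after[cmd]
        ),
    }


if __name__ == "__main__":
    base = parse_permissions(BASELINE)
    for group, cmds in commands_by_group(base).items():
        print(group, "read:", len(cmds["read"]), "write:", len(cmds["write"]))
    print("no write requirement:", no_write_requirement(base))
    print("drift:", diff_permissions(base, parse_permissions(LATER)))
```

Saving a capture per access profile and diffing it after a firmware upgrade or profile change shows which commands became reachable or started requiring a different group.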
diagnose sys process
Use this command to display information about a specific process:
diagnose sys process <process_ID>
Variable |
Description |
<process_ID> |
Display information about the specified process identifier. |
To find out which processes are currently running, see diagnose sys vlan list.
diagnose sys psu status
Use this command to display information about the power supply unit (PSU):
diagnose sys psu status
Example output
S524DF4K15000024 # diagnose sys psu status
PSU1 is OK.
PSU2 is not present.
diagnose sys remote assistance
After you have contacted Customer Support for assistance, Customer Support might ask you to open a remote assistance session. After you have entered one of the remote assistance commands, Customer Support can examine your FortiSwitch unit remotely to gather more data about your switchʼs configuration and to find the solution to the issue. The remote assistance session uses an SSL tunnel for a secure connection.
You can open a remote assistance session when your FortiSwitch unit is in standalone mode, in FortiLink mode, or managed by FortiLAN Cloud.
diagnose sys remote assistance disable
diagnose sys remote assistance indefinite
diagnose sys remote assistance limit <integer>
Variable |
Description |
disable |
Disable the remote assistance session. |
indefinite |
Enable the remote assistance session until the FortiSwitch unit is rebooted or the |
limit <integer> |
Enable the remote assistance session for the specified number of hours. The range is 1-96 hours. |
- Before opening a remote assistance session, your FortiSwitch unit must be able to connect to the Internet.
- Before requesting remote assistance, you must have registered your FortiSwitch unit with FortiCare Support Services (https://www.fortinet.com/support-and-training/support-services/forticare-support.html).
- If your FortiSwitch unit is managed by FortiLAN Cloud, opening a remote assistance session will end the connection between your FortiSwitch unit and FortiLAN Cloud.
Example output
S524DF4K15000024 # diagnose sys remote assistance limit 1
Starting remote assistance ..... Complete.

S524DF4K15000024 # diagnose sys remote assistance indefinite
Starting remote assistance .... Complete.

S524DF4K15000024 # diagnose sys remote assistance disable
Stopping remote assistance session .... Complete.
diagnose sys sniffer-profile
Use this command to display information about available packet-capture profiles:
diagnose sys sniffer-profile
Example output
S224ENTF18000826 # diagnose sys sniffer-profile
Maximum Allowed Profile: 8.
Name | Status | Pkt-Count |Profile-ID | Type | PID
==============================================================================
NewPacketCapture | Stop | 0 | 1 | SW-INTF | 0
diagnose sys soc temp
Use this command to display the temperature of the system-on-a-chip (SoC) die:
diagnose sys soc temp
Example output
S224ENTF18000826 # diagnose sys soc temp
Module Status
___________________________________
Sensor1 47.3 C
diagnose sys top
Use this command to list the processes currently running on your FortiSwitch unit:
diagnose sys top <delay> <lines>
| Variable | Description |
| --- | --- |
| <delay> <lines> | Enter the number of seconds to delay (the default is 5) and the maximum lines of output (the default is 20). |
In the output, the codes displayed on the second output line mean the following:
- U is % of user space applications using CPU. In the example, 0U means 0% of the user space applications are using CPU.
- S is % of system processes (or kernel processes) using CPU. In the example, 0S means 0% of the system processes are using the CPU.
- I is % of idle CPU. In the example, 98I means the CPU is 98% idle.
- T is the total FortiOS system memory in Mb. In the example, 123T means there are 123 Mb of system memory.
- F is free memory in Mb. In the example, 25F means there is 25 Mb of free memory.
Each additional line of the command output displays the following information for each of the processes running on the FortiSwitch (from left to right):
- Process name
- Process identifier
- State that the process is running in. The process state can be:
  - R for running
  - S for sleep
  - Z for zombie
  - D for disk sleep
- Amount of CPU that the process is using. CPU usage can range from 0.0 for a process that is sleeping to higher values for a process that is taking a lot of CPU time.
- Amount of memory that the process is using. Memory usage can range from 0.1 to 5.5 and higher.
Example output
S524DF4K15000024 # diagnose sys top 5 5
Run Time: 3 days, 0 hours and 40 minutes
0U, 6S, 94I; 1978T, 1744F
pyfcgid 695 S 0.0 0.7
pyfcgid 791 S 0.0 0.7
pyfcgid 792 S 0.0 0.7
httpsd 696 S 0.0 0.6
cmdbsvr 611 S 0.0 0.6
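The summary line and per-process columns described above can be parsed mechanically when `diagnose sys top` output is collected from many switches for health or incident triage. This is an added example, not Fortinet code; the dictionary key names, the thresholds, and the `exampled` zombie line in the sample are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Constructed sample: lines from the example output above plus one made-up zombie line.
SAMPLE = """\
S524DF4K15000024 # diagnose sys top 5 5
Run Time: 3 days, 0 hours and 40 minutes
0U, 6S, 94I; 1978T, 1744F
pyfcgid 695 S 0.0 0.7
httpsd 696 S 0.0 0.6
cmdbsvr 611 S 0.0 0.6
exampled 999 Z 0.0 0.0
"""

Proc = namedtuple("Proc", "name pid state cpu mem")
STATES = {"R": "running", "S": "sleep", "Z": "zombie", "D": "disk sleep"}
SUMMARY = re.compile(r"^(\d+)U,\s*(\d+)S,\s*(\d+)I;\s*(\d+)T,\s*(\d+)F$")
PROC = re.compile(r"^(\S+)\s+(\d+)\s+([RSZD])\s+([\d.]+)\s+([\d.]+)$")
KEYS = ("user_pct", "system_pct", "idle_pct", "total_mb", "free_mb")  # assumed names

def parse_top(text):
    """Return (summary dict, list of Proc) parsed from `diagnose sys top` output."""
    summary, procs = None, []
    for line in map(str.strip, text.splitlines()):
        m = SUMMARY.match(line)
        if m:
            summary = dict(zip(KEYS, map(int, m.groups())))
            continue
        m = PROC.match(line)
        if m:  # prompt and "Run Time" lines match neither pattern and are skipped
            name, pid, st, cpu, mem = m.groups()
            procs.append(Proc(name, int(pid), STATES[st], float(cpu), float(mem)))
    if summary is None:
        raise ValueError("no U/S/I/T/F summary line found")
    return summary, procs

def findings(summary, procs, cpu_limit=50.0, min_free_pct=10.0):
    """Flag zombies, CPU-heavy processes and low free memory (thresholds assumed)."""
    out = [f"zombie: {p.name} ({p.pid})" for p in procs if p.state == "zombie"]
    out += [f"high cpu: {p.name} ({p.pid})" for p in procs if p.cpu >= cpu_limit]
    free_pct = 100.0 * summary["free_mb"] / summary["total_mb"]
    if free_pct < min_free_pct:
        out.append(f"low memory: {free_pct:.1f}% free")
    return out

if __name__ == "__main__":
    for finding in findings(*parse_top(SAMPLE)):
        print(finding)
```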
diagnose sys vlan list
Use this command to display information about configured VLANs:
diagnose sys vlan list
To configure a VLAN, see config switch vlan.
diagnose test application
Use these commands to test specific daemons:
diagnose test application dnsproxy <test_level>
diagnose test application fpmd <test_level>
diagnose test application radiusd <test_level>
diagnose test application sflowd <test_level>
diagnose test application snmpd <test_level>
| Variable | Description |
| --- | --- |
| dnsproxy <test_level> | Specify the test level for the DNS proxy daemon: |
| fpmd <test_level> | Specify the test level for the hardware offload daemon. |
| radiusd <test_level> | Specify the test level for the RADIUS daemon: |
| sflowd <test_level> | Specify the test level for the sFlow daemon: |
| snmpd <test_level> | Specify the test level for the SNMP daemon: |
Example output
S524DF4K15000024 # diagnose test application dnsproxy 2
config: alloc=1
DNS_CACHE: alloc=0
DNS UDP: req=6680, res=0, fwd=26720, hits=0, alloc=0 cur=90 v6_cur=0
DNS TCP: req=0, alloc=0

S524DF4K15000024 # diagnose test application fpmd 2
L3 egr obj Num: 0 Max: 8192 LastFoundEgrId: 0 Valid: 0 Gw: 0.0.0.0 IfIndex: 0 RefCount: 0 EgrObj: 0 Status: 0
diagnose test authserver
Use these commands to test the authentication server:
diagnose test authserver cert <arguments>
diagnose test authserver ldap <server_name> <user_name> <password>
diagnose test authserver ldap-digest <arguments>
diagnose test authserver ldap-direct <arguments>
diagnose test authserver ldap-search <arguments>
diagnose test authserver local <arguments>
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <user_name> <password>
diagnose test authserver radius-direct <server_name_or_IP_address> <port_number> <secret>
diagnose test authserver tacacs+ <server_name> <user_name> <password>
diagnose test authserver tacacs+-direct <arguments>
| Variable | Description |
| --- | --- |
| cert <arguments> | Test the certificate authentication. |
| ldap <server_name> <user_name> <password> | Test the connection to an LDAP server. For the server_name, use the name of the LDAP object, not the LDAP server name. Use credentials that you have used in the LDAP object itself. |
| ldap-digest <arguments> | Test the LDAP HA1 password query. |
| ldap-direct <arguments> | Test the connection to an LDAP server. |
| ldap-search <arguments> | Search for an LDAP server. |
| local <arguments> | Test the local user. |
| radius <server_name> <chap \| pap \| mschap \| mschap2> <user_name> <password> | Test the connection to the RADIUS server. |
| radius-direct <server_name_or_IP_address> <port_number> <secret> | Test the connection to the RADIUS server. For the port number, enter |
| tacacs+ <server_name> <user_name> <password> | Test the connection to the TACACS+ server. |
| tacacs+-direct <arguments> | Test the connection to the TACACS+ server. |
diagnose user radius coa
Use this command to display information about RADIUS authentication and RADIUS accounting:
diagnose user radius coa
To configure RADIUS authentication and RADIUS accounting, see config user radius.