Fortinet Document Library

Version:


Table of Contents

Deploying FortiGate-VMX

VMware-NSX Security Fabric integration

Resources

Upgrade Path Tool
6.0.1
Download PDF
Copy Link

Troubleshooting

CLI commands are useful for troubleshooting.

Log into the FortiGate-VMX SVM using SSH or via the GUI, then use the command line widget.

You can see a detailed list of available CLI commands in the FortiOS CLI Reference.

You can see command options by entering ?.

For example,

exec nsx ?
group 		NSX Security Group Management
instance 	NSX instance management
service 	NSX service management

To show current settings, run:

config global
exec nsx group list
exec nsx instance list
exec nsx status/get

Command

Description

exec nsx group list

Show list of group/clusters and VMX instances that belong to them.

exec nsx instance list

Show detailed running status of all VMX instances.

exec nsx service status/get

Show the status of NSX service and its ID.

The FortiGate-VMX SVM requires an Internet connection to validate its license and receive updates from FDN. Besides locating this status in the Web UI, you may also open the console and run the following command to see license status as well as all stats of the system:

get system status

To force a license validation from the FortiGate-VMX SVM to FDN, you can run the following command:

config global
exec update-now

To collect logs on the FortiGate-VMX SVM, run:

config global
diag debug enable/disable
diag debug application <name> <level>
diag debug flow trace start/stop

Command

Description

diag debug enable/disable

Enable/disable debugging output.

diag debug application <name> <level>

Start debugging the named application with the specified debug level.

diag debug flow trace start/stop

Start/stop packet trace debugging information for allowed/dropped traffic by rules.

For more detail, refer to http://kb.fortinet.com and search by keywords.

To check network connectivity and run ping on SVM or VMX, run the following commands:

config vdom
edit ns/nsx/root
exec ping <host>

To collecting NetX logs from SVM / VMX, run the following commands:

config vdom
edit ns/nsx/root
exec log filter category 1
exec log filter category <Enter>
exec log display

Command

Description

exec log filter category 1

Here "1" means event log.

exec log filter category <Enter>

Shows the list of category numbers/names.

exec log display

Display the log.

To show all rules on the specified VDOM, run the following commands:

config vdom
edit ns/nsx/root
show

The connection settings to NSX service, Username, password, VMX image URL, etc. can be seen in the output. (Entering the SDN config mode first and then running show will produce the same result as running show from within the global mode)

config global
show system sdn-connector
config global
config system sdn-connector
edit nsx
show/get

To exit from a mode/save and exit, run the following command:

end

Resources

Troubleshooting

CLI commands are useful for troubleshooting.

Log into the FortiGate-VMX SVM using SSH or via the GUI, then use the command line widget.

You can see a detailed list of available CLI commands in the FortiOS CLI Reference.

You can see command options by entering ?.

For example,

exec nsx ?
group 		NSX Security Group Management
instance 	NSX instance management
service 	NSX service management

To show current settings, run:

config global
exec nsx group list
exec nsx instance list
exec nsx status/get

Command

Description

exec nsx group list

Show list of group/clusters and VMX instances that belong to them.

exec nsx instance list

Show detailed running status of all VMX instances.

exec nsx service status/get

Show the status of NSX service and its ID.

The FortiGate-VMX SVM requires an Internet connection to validate its license and receive updates from FDN. Besides locating this status in the Web UI, you may also open the console and run the following command to see license status as well as all stats of the system:

get system status

To force a license validation from the FortiGate-VMX SVM to FDN, you can run the following command:

config global
exec update-now

To collect logs on the FortiGate-VMX SVM, run:

config global
diag debug enable/disable
diag debug application <name> <level>
diag debug flow trace start/stop

Command

Description

diag debug enable/disable

Enable/disable debugging output.

diag debug application <name> <level>

Start debugging the named application with the specified debug level.

diag debug flow trace start/stop

Start/stop packet trace debugging information for allowed/dropped traffic by rules.

For more detail, refer to http://kb.fortinet.com and search by keywords.

To check network connectivity and run ping on SVM or VMX, run the following commands:

config vdom
edit ns/nsx/root
exec ping <host>

To collecting NetX logs from SVM / VMX, run the following commands:

config vdom
edit ns/nsx/root
exec log filter category 1
exec log filter category <Enter>
exec log display

Command

Description

exec log filter category 1

Here "1" means event log.

exec log filter category <Enter>

Shows the list of category numbers/names.

exec log display

Display the log.

To show all rules on the specified VDOM, run the following commands:

config vdom
edit ns/nsx/root
show

The connection settings to NSX service, Username, password, VMX image URL, etc. can be seen in the output. (Entering the SDN config mode first and then running show will produce the same result as running show from within the global mode)

config global
show system sdn-connector
config global
config system sdn-connector
edit nsx
show/get

To exit from a mode/save and exit, run the following command:

end