Skip to main content
kcheng
Staff & Editor
kcheng
Staff & Editor
September 1, 2025

Technical Tip: Performing general healthcheck on a FortiGate

  • September 1, 2025
  • 0 replies
  • 4191 views
Description This article describes how to perform a general health check of a FortiGate. It provides steps to retrieve logs and perform a health check on the device.
Scope FortiGate.
Solution
  1. Run the command 'get sys status' to display versions of firmware, FortiGuard engines, and other system information.
  2. Run the command 'get sys performance status' to display CPU and memory usage, network usage, and session setup rate.
  3. Run the command 'get hardware status' to show ASIC type, hard disk size, RAM size, CPU cores, network card type, etc.
  4. Run the command 'fnsysctl ifconfig' to show a summary for all interfaces, including MAC/HW address, IP address, MTU, Metric, TX, RX, collisions, interface queue size, etc.
  5. Run the command 'get hardware nic <port>' to show port hardware details, MAC/HW address, link status, link settings, and traffic counters.
  6. Run the command 'diagnose sys top 5 20' to show top processes information for 20 processes and refresh every 5 seconds.
  7. Run the command 'fnsysctl ps' to show the list of all processes active in the FortiGate.
  8. Run the command 'diagnose sys top-mem' to show the top 5 processes using the most memory.
  9. Run the command 'get sys session-info full-stat' to show session info statistics.
  10. Run the command 'diagnose debug crashlog read' to show debug crashlog output.
  11. Run the command 'diagnose debug config-error-log read' to show config error logs.
  12. Run the command 'diagnose hardware sys memory' to show system memory information.
  13. Run the command 'diagnose sys top-fd' to show file descriptor memory information.
  14. Run the command 'diagnose hardware sys conserve' to check if the FortiGate is in conserve mode.
  15. Run the command 'diagnose sys session list' to check session creation and teardown rates.
  16. Run the command 'diagnose alertconsole list' to show the current alert messages.
  17. Run the command 'diagnose hardware system slab' to check the verbose allocation of memory consumed.
  18. Run the command 'diagnose firewall iplist list' to check the local IP address.
  19. Run the command 'diagnose netlink interface packet-rate' to check the send/receive rate of interfaces.
  20. Run the command 'diagnose sys logdisk status' to show log disk info. (This command is not available for NVME disks.)

 

In general, FortiGate is in a healthy state based on the following:

  • FortiGate did not show any abnormality in CPU usage by a certain daemon continuously.
  • FortiGate did not show any abnormality in memory usage by a certain daemon.
  • There is no continuous crashlog observed on the FortiGate crashlog output.
  • FortiGate conserve mode is off.

 

Note:

Super Admin privilege is required to run the 'fnsysctl' command. Otherwise, FortiGate will return an error, as explained in this KB article: Troubleshooting Tip: fnsysctl command returns Unknown action 0.

 

If the FortiGate is suspected to fail on the hardware level, the HQIP test would be more appropriate to check: see Technical Tip: RMA: HQIP test (with built-in FortiOS diagnostic commands.
Terms & ConditionsAccessibility statement