Technical Tip: Unable to run debug command

This article describe the configuration to verify if administrator could not run debug commands in FortiGate CLI. 

In some environments, administrator can be restricted to perform debug/diagnostic but still allowed to perform configuration.

If the 'Unknown action 0' error appears when running the debug command as below:

diagnose debug application sslvpn -1
Unknown action 0

Check the user admin profile using the following command:

show full system accprofile

The administrator will not be allowed to run the diagnostic commands if  'system-diagnostics' is set to disable.

To allow the administrator to have right to perform diagnostic (Only super admin can change this setting).:

Enable Permit usage of CLI diagnostic commands from system > Admin profile:

CLI command:

config system accprofile 

       edit <adminprofile_name>
    set system-diagnostics enable
end

Note:
From FortiOS 7.4.2, the command to modify this option was changed to permit usage of CLI commands. In the GUI, change the permit usage of CLI commands to 'enable'. If it is set to custom, make sure to enable Diagnostic:

Additionally, enable cli-diagnose in the CLI:

config system accprofile

       edit <adminprofile_name>
        set cli-diagnose enable
    end

Related document:

config system accprofile - FortiGate CLI reference