Troubleshooting Tip: How to automate FortiGate IPSEC VPN script using FortiLightHouse
Description
This article describes how to automate the IPsec VPN troubleshooting commands on FortiGate devices using FortiLightHouse.
Scope
FortiGate.
Solution
FortiLightHouse CLI (FlhCli) is a monitoring utility designed to collect critical outputs from FortiGate firewalls. It gathers the necessary debug information to assist Fortinet TAC and Engineering teams in performing in-depth analysis.
Download the FlhCli tool on the system from the link below:
Once the binary file has been downloaded, open the Command Prompt (type cmd in the Windows search bar), navigate to the download directory and execute flhcli.exe to start the application.

Run the command flhcli.exe setup to create the required XML configuration file.

A monitoring script is required to run against the device defined during setup.
Below is a sample IPsec VPN script; it can be adjusted as required.
<flhscript version="1">
    <parameters name="default">
        <list name="status">
            <query type="pids">
                <option name="process">cpu</option>
            </query>
        </list>
    </parameters>
    <settings name="default">
        <ics>100ms</ics>
        <cycleDuration>30s</cycleDuration>
    </settings>
    <cycle name="performance" parameters="default" settings="default">
        <command context="global">get vpn ipsec tunnel summary</command>
        <command context="global">diagnose vpn tunnel list</command>
        <command context="global">diagnose vpn ike gateway list</command>
        <command context="global">diagnose debug console timestamp enable</command>
        <command context="global">diagnose debug duration 0</command>
        <command context="global">diagnose debug application ike -1</command>
        <command context="global">diagnose debug enable</command>
    </cycle>
</flhscript>
Ensure that the monitoring script and the flhcli XML configuration file are stored in the same directory.
The script output is written to the file named with -redirect; in the example below that is HUBFGT_monitor.txt. The cycleDuration of 30s in the settings block sets the 30-second cycle interval and can be adjusted as required. Note that the cycle enables IKE debugging on the FortiGate (diagnose debug application ike -1 followed by diagnose debug enable, with no timeout because of diagnose debug duration 0) and nothing in the script turns it off again, so once collection is finished run diagnose debug disable and diagnose debug reset on the device.

Execute the command below to run the script.
flhcli -force-pty -redirect <device_name>_monitor --rotate-age 4h --name <device_name> cmd xml --xml <script_name> --cycle performance
For example:
flhcli -force-pty -redirect HUBFGT_monitor --rotate-age 4h --name HUBFGT cmd xml --xml IPSEC_VPN.xml --cycle performance
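As an added example that is not part of flhcli or of this article, the following Python script sanity-checks a flhscript XML file before it is handed to flhcli and builds the command line above for a given device and script name. It assumes only the element and attribute names visible in the sample script (flhscript, parameters, settings with ics and cycleDuration, cycle with command and its context attribute) and that durations are written as a number followed by ms, s, m or h; the comparison of ics against cycleDuration is a plausibility check of my own, since the article does not define ics. The embedded sample is the article's IPsec VPN script, included so the example runs offline.

```python
"""Sanity-check a FortiLightHouse (flhcli) XML monitoring script before running it.

Added example; not part of flhcli or FortiOS. Only the element/attribute names
seen in the article's sample script are assumed, plus durations of the form
<number><ms|s|m|h>.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the article's IPsec VPN script, embedded for offline use.
SAMPLE_SCRIPT = """\
<flhscript version="1">
  <parameters name="default">
    <list name="status"><query type="pids"><option name="process">cpu</option></query></list>
  </parameters>
  <settings name="default">
    <ics>100ms</ics>
    <cycleDuration>30s</cycleDuration>
  </settings>
  <cycle name="performance" parameters="default" settings="default">
    <command context="global">get vpn ipsec tunnel summary</command>
    <command context="global">diagnose vpn tunnel list</command>
    <command context="global">diagnose vpn ike gateway list</command>
    <command context="global">diagnose debug console timestamp enable</command>
    <command context="global">diagnose debug duration 0</command>
    <command context="global">diagnose debug application ike -1</command>
    <command context="global">diagnose debug enable</command>
  </cycle>
</flhscript>
"""

_DURATION_RE = re.compile(r"^(\d+)(ms|s|m|h)$")
_UNIT_TO_MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000}


def parse_duration_ms(text):
    """Convert a duration such as '100ms', '30s' or '4h' to milliseconds."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNIT_TO_MS[m.group(2)]


def cycle_commands(xml_text, cycle_name):
    """Return the CLI commands of one <cycle>, in the order they appear."""
    root = ET.fromstring(xml_text)
    for cycle in root.findall("cycle"):
        if cycle.get("name") == cycle_name:
            return [(c.text or "").strip() for c in cycle.findall("command")]
    raise KeyError(f"no cycle named {cycle_name!r}")


def validate_script(xml_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "flhscript":
        return [f"root element is <{root.tag}>, expected <flhscript>"]
    param_names = {p.get("name") for p in root.findall("parameters")}
    settings = {s.get("name"): s for s in root.findall("settings")}

    # Durations must parse; ics larger than the cycle length is assumed to be a mistake.
    for name, block in settings.items():
        try:
            ics = parse_duration_ms(block.findtext("ics") or "")
            cycle_len = parse_duration_ms(block.findtext("cycleDuration") or "")
        except ValueError as exc:
            findings.append(f"settings {name!r}: {exc}")
            continue
        if ics > cycle_len:
            findings.append(f"settings {name!r}: ics ({ics} ms) exceeds cycleDuration ({cycle_len} ms)")

    for cycle in root.findall("cycle"):
        cname = cycle.get("name")
        if cycle.get("parameters") not in param_names:
            findings.append(f"cycle {cname!r}: references undefined parameters {cycle.get('parameters')!r}")
        if cycle.get("settings") not in settings:
            findings.append(f"cycle {cname!r}: references undefined settings {cycle.get('settings')!r}")
        cmds = []
        for c in cycle.findall("command"):
            if not c.get("context"):
                findings.append(f"cycle {cname!r}: command {c.text!r} has no context attribute")
            cmds.append((c.text or "").strip())
        # The cycle repeats every cycleDuration, so debug output is switched on again
        # on every pass and nothing in the cycle ever switches it off.
        if "diagnose debug enable" in cmds and "diagnose debug disable" not in cmds:
            note = " with no timeout (duration 0)" if "diagnose debug duration 0" in cmds else ""
            findings.append(f"cycle {cname!r}: enables debug output{note} but never runs "
                            "'diagnose debug disable'; turn it off on the FortiGate when collection ends")
    return findings


def build_flhcli_command(device_name, script_file, cycle="performance", rotate_age="4h"):
    """Build the flhcli argument list from the article for a device and script name."""
    return ["flhcli", "-force-pty", "-redirect", f"{device_name}_monitor",
            "--rotate-age", rotate_age, "--name", device_name,
            "cmd", "xml", "--xml", script_file, "--cycle", cycle]


if __name__ == "__main__":
    for finding in validate_script(SAMPLE_SCRIPT):
        print("-", finding)
    print(" ".join(build_flhcli_command("HUBFGT", "IPSEC_VPN.xml")))
```

Run it against the script file (read it with open(...).read() in place of SAMPLE_SCRIPT) before starting flhcli; on the article's sample it reports exactly one finding, the missing diagnose debug disable, which is the reason for switching debugging off manually when collection ends.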
