Network_Engineer
Visitor III
April 21, 2022
Solved

LLDP and USB

  • April 21, 2022
  • 9 replies
  • 7422 views

Q1: Is it possible to upgrade the FW using the "execute restore image usb" command? I want to use USB to upgrade my firewall instead of TFTP.

which brings me to the next question:

Q2: Is a USB or TFTP upgrade faster?

Q3: When I want to see FortiGate LLDP neighbors, I use "diagnose lldprx neighbor summary". So what is the difference between a "get" and a "diagnose" command?

Q4: Why isn't LLDP under the "get" command, like "show cdp neighbor" is in Cisco?

Best answer by ede_pfau (April 24, 2022)

Regarding Q2 (upgrade via TFTP or USB):

For a TFTP upgrade, you will have to establish a working network connection first. On a notebook, you will have to set up a static IP and a TFTP server, connect FGT and NB via cable (find a free port on the FGT), and check connectivity from the NB and from the FGT side. All of this takes considerably more time than inserting a USB stick, checking the auto-install settings, and rebooting the FGT.

And preparing and inserting a USB stick can be done by nearly anybody, even without networking skills ('a helping hand'), which can be very convenient if the FGT is in a remote location.

So, I would not denounce the auto-install feature in general. It can be very efficient, for instance when new FGTs arrive and need to be upgraded to a target version at the very beginning. Auto-install with the 'image.out' and 'fgt_system.conf' settings is enabled by default after a factory reset, and thus at delivery from distribution.

Just my 2 cents...

9 replies

aahmadzada
Staff
April 21, 2022

Hi,

Q1: It is possible, here is the cookbook: https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/183352/restoring-from-a-usb-drive#:~:text=To%20restore%20the%20firmware%20from%20a%20USB%20drive%3A,-Copy%20the%20firmware&text=the%20USB%20drive.-,Connect%20the%20USB%20drive%20to%20the%20USB%20port%20of%20the,9)%20or%20null%20modem%20cable.&text=y%2Fn)-,Type%20y%20.,restores%20the%20firmware%20and%20restarts.

Q2: Almost equal.

Q3: In short, "get" will show you the current configuration of a given functionality, while "diag" will help you diagnose and get some detailed information about the daemons.

Q4: Please refer to Q3. LLDP is handled by a separate daemon, and therefore the outputs of that daemon have to be displayed with the diag command.

Network_Engineer
Visitor III
April 21, 2022

Hi, thank you very much.

Q5: So is there a difference between the show & get commands, such as "show opt storage"?

Q6: So a diagnose command will not make configuration changes on my equipment?

aahmadzada
Staff
April 21, 2022

Hi,

Q5: "get" will show the values for a given part of the configuration, while "show" will show the configuration lines. An example:

FG101E-1 # show wanopt settings
config wanopt settings
set host-id "default-id"
end

---------------------

FG101E-1 # get wanopt settings
host-id : default-id
tunnel-ssl-algorithm: high
auto-detect-algorithm: simple

Q6: I can't remember any "diagnose" command that would alter the configuration file.
I would suggest reading the description of the command before executing it, so you are sure what exactly you are doing.

Ahmad

Network_Engineer
Visitor III
April 21, 2022

Q7: When I key in "diagnose lldprx port summary", it prompts me "please input args". How do I know what argument to input?

Q8: How do I show virtual IP addresses? What is the command, such as for the virtual IP assigned to the cluster?

Q9: How do I show, from the GUI, which firewall INTERFACE an LLDP neighbor is on?

aahmadzada
Staff
April 21, 2022

Q7: Indeed it asks for extra arguments, but you don't have to enter any arguments. Just hit enter after "diag lldprx neighbor summary" and you'll get the list of the LLDP neighbors.

Q8: IP addresses assigned to the interfaces of the FortiGate can be viewed via the "diag ip address list" command.
When a cluster is operating, FortiOS assigns virtual MAC addresses to each primary unit interface. HA uses virtual MAC addresses so that if a failover occurs, the new primary unit interfaces will have the same virtual MAC addresses and IP addresses as the failed primary unit. As a result, most network equipment would identify the new primary unit as the exact same device as the failed primary unit.
Virtual MAC addresses can be listed via this command:
"diag sys ha mac"

Q9:
1. Enable LLDP
2. Enable device detection on the interfaces where you expect the LLDP neighbors to be
3. Go to Dashboard > Devices&Users > Device Inventory

You would see the list of the devices.

Ahmad

Network_Engineer
Visitor III
April 24, 2022

Hi,

What is the command to check if LLDP is enabled in the first place?

I can see it in the GUI but not the CLI.

pminarik
Staff
April 21, 2022

Just to chip in on the get/diag/etc. distinction...

The distinction between get / diagnose / execute isn't always 100% clear-cut.

"get" usually shows the given configuration object's details in full (similar to "show full"), e.g. "get system global".

It also shows some status information, e.g. "get system status".

As a rule of thumb, running "get" commands should always be safe.

"diagnose" mostly handles diagnostic commands to get debug information ("diag wad ...", "diag debug app ...", "diag test app ..."), but some commands also show status/statistics (arguably similar to "get"), e.g. "diag sys waninfo".

"diagnose" commands can potentially be "destructive", in the sense that they affect the operation of the unit:

  • "diagnose log test" will generate test logs that will be recorded in your logs.
  • restarting/killing wad or ipsengine may impact sessions currently processed by these processes.
  • enabling verbose debug output of a busy process may increase CPU utilization.

The common theme of "execute" is to "do something" rather than "display information" (get) or generate/gather debugs ("diagnose"):

execute reboot
execute ping
execute vpn ipsec tunnel up <phase2_name>
execute disconnect-admin-session
execute disk format
execute wake-on-lan

...but you will still find some execute commands that simply display some status/information:

execute dhcp lease-list
execute disk list

At the end of the day, one does not need to worry about which is which. You either know the command to get the information or do the action you want, or you do not, in which case you can search for the desired command in the documentation, check forums, ask a colleague, or check with TAC support.

xsilver_FTNT
Staff
April 21, 2022

Q1:

Usually overlooked, but how about this?

config system auto-update

- enabled by default
- so if a USB stick is present with a suitable FortiOS firmware image as a file named "image.out", then on the next reboot that one will be installed
- similarly for config, if named "fgt_system.conf"
- those above are the default names, but fully configurable under 'system auto-install'

Q2

It does not truly matter, as USB depends on version and speeds and might be faster, BUT part of the FortiOS upgrade is the reboot, and boot-up time depends on unit size; some units boot significantly slower and so spend a lot of time in this phase, making even seconds of difference between firmware upload methods insignificant in the total time of the operation.
But that depends heavily on unit type/size.

PS: I would suggest splitting the questions into separate thematically related posts (like Q1+Q2, and separate those from Q3 ..)

Network_Engineer
Visitor III
April 22, 2022

Thanks but no thanks.

Auto upgrade should be discouraged.

xsilver_FTNT
Staff
April 25, 2022

I see you changed your mind (taken as solution) when you had a second thought on network setup necessity versus the brisk deployment implications of auto-upgrade, described further by @ede_pfau.

Network_Engineer
Visitor III
April 22, 2022

Q10: When I input "diag lldprx neighbor summary" I get a blank output, so I assume that LLDP is disabled. However, when I go to "Dashboard > Devices&Users > Device Inventory", I can see the neighbors. Why is this so?

Q11: Is there an equivalent of "show etherchannel summary" in Fortinet? "diag ip address list" only shows the IP address, but not the logical interfaces and their names.

Network_Engineer
Visitor III
April 23, 2022

Can anyone help to answer my 2 questions above?

Toshi_Esumi
SuperUser
April 23, 2022

For Q12, by combining the two commands below you can get about the same information as Cisco's "sh etherchannel summary". You need to be in a VDOM, not global, to run these commands if it's a multi-VDOM environment:

xxx-fg1 (root) # diag netlink aggregate list-active
List of 802.3ad link aggregation active interfaces:
1: AaaaPath: port25,port26
2: BbbbPath: port27,port28

xxx-fg1 (root) # diag netlink aggregate list
List of 802.3ad link aggregation interfaces:
1 name AaaaPath status up algorithm L3 lacp-mode active
2 name BbbbPath status up algorithm L3 lacp-mode active

Toshi
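As an added example (not from this thread or from Fortinet), a small Python parser that joins the two "diag netlink aggregate" outputs above into one summary row per aggregate and flags any aggregate that is down or has no active member port, which is the condition worth alerting on when monitoring LACP bundles. The sample output is constructed from the lines quoted above plus an assumed third aggregate, "CcccPath", that is down.

```python
import re

# Constructed sample output, modelled on the two "diag netlink aggregate"
# commands quoted above (not a real capture); a down aggregate is added
# so the summary has something to flag.
LIST_ACTIVE = """\
List of 802.3ad link aggregation active interfaces:
1: AaaaPath: port25,port26
2: BbbbPath: port27,port28
"""
LIST_ALL = """\
List of 802.3ad link aggregation interfaces:
1 name AaaaPath status up algorithm L3 lacp-mode active
2 name BbbbPath status up algorithm L3 lacp-mode active
3 name CcccPath status down algorithm L3 lacp-mode passive
"""

# "<n>: <aggregate>: <port>,<port>"  and  "<n> name <agg> status <s> algorithm <a> lacp-mode <m>"
ACTIVE_RE = re.compile(r"^\d+:\s*([^:\s]+):\s*(.*)$")
LIST_RE = re.compile(r"^\d+\s+name\s+(\S+)\s+status\s+(\S+)\s+algorithm\s+(\S+)\s+lacp-mode\s+(\S+)")

def parse_active(text):
    """Return {aggregate name: [member ports currently active]} from 'list-active'."""
    members = {}
    for line in text.splitlines():
        m = ACTIVE_RE.match(line.strip())
        if m:
            members[m.group(1)] = [p for p in m.group(2).split(",") if p]
    return members

def parse_list(text):
    """Return {aggregate name: {status, algorithm, lacp_mode}} from 'list'."""
    aggs = {}
    for line in text.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            aggs[m.group(1)] = {"status": m.group(2), "algorithm": m.group(3), "lacp_mode": m.group(4)}
    return aggs

def summarize(list_all, list_active):
    """Join both outputs into one row per aggregate, in 'list' order; missing from
    'list-active' means no member port is currently active."""
    active = parse_active(list_active)
    return [{"name": n, **a, "active_members": active.get(n, [])} for n, a in parse_list(list_all).items()]

def inactive_aggregates(rows):
    """Aggregates that are down or have no active member port (the ones to alert on)."""
    return [r["name"] for r in rows if r["status"] != "up" or not r["active_members"]]
```

Feed it the real output of the two commands (for example, captured over SSH) instead of the constructed strings to get the same per-aggregate view for a production unit.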

 
