Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
mihediwa
Staff
Staff

Created on ‎11-09-2017 08:53 AM Edited on ‎03-24-2024 09:13 PM By Community Manager

Article Id 195991

Troubleshooting Tip: How to debug FortiAuthenticator Services

Description


This article describes how to perform basic debugging for certain FortiAuthenticator services in order to verify if the processes are working as expected. It also explains what additional debug information to provide TAC support with at the beginning of a ticket.

 

Scope

 

FortiAuthenticator.

Solution


The following service debug outputs are accessible on FortiAuthenticator v6.x through the FortiAuthenticator URL https://<FAC IP>/debug/:

 

Service name

Troubleshooting scope

URL direct access

Disk Monitor

Disk R/W activity

https://<FAC IP>/debug/disk_monitor/

FSSO

Collector Agent (log level is configured in the Authentication >SSO > General menu *)

Communication between FAC collector agent and FortiGate

Communication between FAC collector agent and DC FAC collector agent logon events

https://<FAC IP>/debug/fsso-agent/

FSSO (Filtered)

FSSO Filtered Logs (Filter set under Fortinet SSO Methods > SSO > General --> Configure Log Filter

https://<FAC IP>/debug/fsso-agent-filtered/

FSSO Domain Manager

Logs regarding SSO domains

https://<FAC IP>/debug/domain-manager/

GUI

Configuration changes tracking
Administrators logons tracking

https://<FAC IP>/debug/gui/

HA

HA – High Availability status

https://<FAC IP>/debug/slony/
HW Monitor

Hardware Monitor status

https://<FAC IP>/debug/hw_monitor/
Kernel Log

Kernel log of the Fortiauthneticator

https://<FAC IP>/debug/kernlog/

LB

Logs regarding HA Load Balance

https://<FAC IP>/debug/lb/

LB HA Sync

Logs regarding HA Load Balance syncing

https://<FAC IP>/debug/lb_sync/

LDAP

FAC local LDAP directory

https://<FAC IP>/debug/ldap/

LDAP User Sync Daemon

Logs regarding LDAP user sync daemon

https://<FAC IP>/debug/ldap_user_sync/

Push Authentication Service* removed in 6.5.x

Logs regarding Push notification for Mobile FortiToken and the push service

https://<FAC IP>/debug/push-service/

RADIUS Accounting

RADIUS Accounting SSO Logs

https://<FAC IP>/debug/radacct/

RADIUS Accounting Monitor

RADIUS Accounting Monitor Logs

https://<FAC IP>/debug/rad_accounting/

RADIUS Authentication

RADIUS user’s local authentication
NAS clients
RADIUS Authentication Logs (v5.0)

https://<FAC IP>/debug/radius/

RADIUS DNS Updates

RADIUS DNS update log

https://<FAC IP>/debug/radius_dns/

REST API

Logs regarding FAC REST API

Logs regarding FAC Windows Agent

Logs regarding FAC OWA Agent

https://<FAC IP>/debug/rest_api/

SAML User Sync Daemon

Logs regarding SAML User sync Daemon

https://<FAC IP>/debug/saml_user_sync/

SNMP

SNMP Logs

https://<FAC IP>/debug/snmp/

Syslog SSO

Syslog SSO Logs

https://<FAC IP>/debug/syslog_sso/

TACACS+

Logs regarding TACACS+ service

https://<FAC IP>/debug/tac_plus/

TACACS+ Accounting

Logs regarding TACACS+ Accounting

https://<FAC IP>/debug/tac_acct/

TACACS+ Authentication

Logs regarding TACACS+ Authentication

https://<FAC IP>/debug/tac_authen/

TACACS+ Authorization

Logs regarding TACACS+ Authorization

https://<FAC IP>/debug/tac_author/
WAD Service

WAD debug for HTTP traffic (push notification, http/https traffic,API)

https://<FAC IP>/debug/wad-service/

Web Server

Web server errors

Client connections

SSL Errors

https://<FAC IP>/debug/apache-error/

WinAD Monitor

Logs regarding FAC integration/joining Windows AD

https://<FAC IP>/debug/winad_mon/

CLI Packet Capture (tcpdumpfile)

Only available when exec tcpdumpfile has run from FAC CLI (and was stopped).

https://<FAC IP>/debug/pcap-dump/

 

To download Packet Capture from FortiAuthenticator, https://<FAC IP>/debug/pcap-dump/ needs to be typed manually on FAC version 6.5.2

 

The debug logs can be downloaded from the page itself (upper right button).

 

TAC Support may ask users to download these or a debug report from GUI -> Log Access -> Log section.

In FortiAuthenticator 6.2 and below, the option looks like this:

 

 

In later versions, this has been changed slightly:
 
 
In FortiAuthenticator Version 6.4.x, the 'Summary debug log' is found under Logging -> Log Access -> Logs:

ndumaj_0-1664185868814.png

 

In FortiAuthenticator version 6.5.2, the debug log is in the same location but it looks different:

https://<FAC-IP>/debug

 

FAC 6.5.2.png

 

The file 'report-summary.dbg' is encrypted and is meant for Fortinet TAC.
The resulting report.dbg or report-summary.dbg contains the latest logs, but with less duration than what is visible in the https://<FAC IP>/debug menu.

Note:
If report-summary debug fails to generate from GUI then try to generate it from CLI via TFTP/FTP 

 

Related articles:

Technical Tip: How to run a packet capture with FortiAuthenticator.
Extract Summary Debug Report from FortiAuthenticator via CLI with TFTP/FTP

17388
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.