vpolovnikov
Staff
Article Id 362101
Description: This article describes how to gather VPN logs so that technical support has what it needs for troubleshooting from the first interaction.
Scope: FortiClient/EMS, FortiGate, SSL VPN, IPsec.
Solution:

When engaging technical support, providing the correct logs and configuration files up front significantly speeds up troubleshooting and avoids repeated requests for missing data.

Follow the steps below to collect VPN logs from FortiClient and FortiGate when addressing VPN connection issues.

FortiClient:

Step 1: Enable the debug log level.

Turn on the debug log level for FortiClient via the System Settings endpoint profile in EMS. Debug logging is verbose, so revert the level once the logs have been collected.

On EMS, open the System Settings profile assigned to the endpoint in question:

Endpoint Profiles -> System Settings -> Select the profile -> Advanced -> Log Level -> Debug.

[Screenshot: Debug log level]

On the endpoint, confirm from the FortiClient Settings tab that the profile update was received and that the log level now shows Debug.

[Screenshot: FortiClient debug log]

Step 2: Collect the FortiClient backup.

Configuration files are crucial: technical support engineers use them to suggest what might be adjusted to resolve the issue or improve the user experience.

Export the FortiClient configuration file (Backup) from the Settings tab.

If Backup is greyed out, make sure Do Not Allow User to Back up Configuration is disabled in the System Settings endpoint profile on EMS.

[Screenshot: FortiClient backup]

FortiGate:

Step 3: Retrieve the configuration file.

Collect the FortiGate configuration backup for review. A full backup contains sensitive items such as encrypted pre-shared keys and admin/user password hashes, so share it only through the support ticket.

[Screenshot: FortiGate backup]

Step 4: Gather CLI diagnostics.

Run the following commands on the FortiGate CLI before the endpoint attempts to connect, so that the whole negotiation is captured. Replace X.X.X.X with the public IP address of the endpoint as seen by the FortiGate (the NAT address if the endpoint is behind NAT).

When SSL VPN is used:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ssl debug-filter src-addr4 X.X.X.X <public address of endpoint>
diagnose debug app sslvpn -1
diagnose debug enable

When IPsec is used:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 X.X.X.X <public address of endpoint>
diagnose debug app ike -1
diagnose debug enable

Note:

Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4 X.X.X.X' command used above has been replaced by 'diagnose vpn ike log filter rem-addr4 X.X.X.X'. For more details, refer to the FortiOS documentation on the IPsec tunnel (debugging IKE).

If the VPN uses SAML or RADIUS/LDAP authentication, also add the matching command to either of the sequences above:

diagnose debug app fnbamd -1 <- RADIUS/LDAP authentication.
diagnose debug app samld -1 <- SAML authentication.

Step 5: Reproduce the issue.

Attempt to connect to the VPN tunnel from the endpoint to reproduce the issue. Note the endpoint's local time and time zone at the moment of the failure; this is needed to match the FortiClient logs against the timestamped FortiGate debug output.

Step 6: Gather the logs.

Once the issue has been reproduced and captured, save the CLI output from the FortiGate terminal session. Then stop the debug with 'diagnose debug disable' followed by 'diagnose debug reset' so that it does not keep running on the unit.

[Screenshot: FortiGate debugs]

Collect the FortiClient diagnostics:

For Windows: FortiClient console -> About -> Diagnostics Tool.

For macOS and Linux: FortiClient console -> Settings -> Export Logs.

[Screenshot: FortiClient diagnostics]

On Windows endpoints, the VPN logs can also be found directly on disk at the following paths:

  • C:\Program Files\Fortinet\FortiClient\logs\trace
  • C:\Users\%USER%\AppData\Roaming\FortiClient\logs\trace

Attach collected files to the support ticket for review.
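As an added example (not part of the original article), the following Python helper shows how to use the endpoint time noted in Step 5 against the timestamped FortiGate debug output captured in Step 6. Because Step 4 enabled 'diagnose debug console timestamp enable', every line the FortiGate prints starts with the FortiGate's own system time, which is often in a different time zone from the endpoint's clock. The helper shifts the noted endpoint time into the FortiGate's zone and keeps only the debug lines in a window around it, attaching untimestamped continuation lines to the entry that introduced them. The timestamp prefix format 'YYYY-MM-DD HH:MM:SS' and the sample debug lines are assumptions constructed for this example; the two UTC offsets are taken from the endpoint and from the FortiGate (for example via 'execute date' and 'execute time').

```python
"""Added example (not from the original article): match the endpoint time noted in
Step 5 against the timestamped FortiGate debug output captured in Step 6.

Assumptions: the prefix produced by 'diagnose debug console timestamp enable'
is 'YYYY-MM-DD HH:MM:SS', and the UTC offsets of the endpoint clock and of the
FortiGate system time are both known (FortiGate: 'execute date', 'execute time').
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# Assumed timestamp prefix at the start of each FortiGate debug line.
TS_PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")


def endpoint_time_on_fortigate(endpoint_local: str, endpoint_utc_offset_h: float,
                               fortigate_utc_offset_h: float) -> datetime:
    """Shift a wall-clock time noted on the endpoint into FortiGate wall-clock time."""
    src = timezone(timedelta(hours=endpoint_utc_offset_h))
    dst = timezone(timedelta(hours=fortigate_utc_offset_h))
    noted = datetime.strptime(endpoint_local, TS_FORMAT).replace(tzinfo=src)
    return noted.astimezone(dst).replace(tzinfo=None)


def select_debug_window(debug_text: str, center: datetime,
                        before_s: int = 60, after_s: int = 120) -> list[str]:
    """Keep debug lines whose FortiGate timestamp lies in [center-before_s, center+after_s].

    Lines without a timestamp prefix (continuation lines of a multi-line dump)
    inherit the timestamp of the last prefixed line, so a dump is kept or
    dropped together with the line that introduced it.
    """
    start = center - timedelta(seconds=before_s)
    end = center + timedelta(seconds=after_s)
    kept: list[str] = []
    last_ts: datetime | None = None
    for line in debug_text.splitlines():
        match = TS_PREFIX.match(line)
        if match:
            last_ts = datetime.strptime(match.group(1), TS_FORMAT)
        if last_ts is not None and start <= last_ts <= end:
            kept.append(line)
    return kept


# Constructed sample lines, loosely shaped like SSL VPN debug output. They are
# not real device output; 203.0.113.45 stands for the endpoint under investigation.
SAMPLE_DEBUG = """\
2024-05-14 15:59:10 [443:root:3a]sslvpn: new connection from 203.0.113.45
2024-05-14 16:00:05 [443:root:3b]sslvpn: TLS handshake started with 203.0.113.45
2024-05-14 16:00:05 [443:root:3b]sslvpn: TLS handshake completed with 203.0.113.45
2024-05-14 16:00:06 [443:root:3b]sslvpn: authentication request for user [jdoe]
2024-05-14 16:00:07 [443:root:3b]sslvpn: authentication result for user [jdoe]: failed
    group=VPN-Users auth_type=radius
2024-05-14 16:09:30 [443:root:3c]sslvpn: new connection from 198.51.100.7
"""

# Constructed scenario: the user reported the failure at 18:00:06 on an endpoint
# clock at UTC+2, while the FortiGate system time is configured as UTC+0.
CENTER = endpoint_time_on_fortigate("2024-05-14 18:00:06", 2, 0)
RELEVANT = select_debug_window(SAMPLE_DEBUG, CENTER)

if __name__ == "__main__":
    print(f"Searching around {CENTER:%Y-%m-%d %H:%M:%S} FortiGate time")
    print("\n".join(RELEVANT))
```

Run it against the saved FortiGate debug capture by reading the file into select_debug_window instead of SAMPLE_DEBUG; widen before_s/after_s if the clocks are known to drift. The same window can then be used to pick the matching entries from the FortiClient trace logs, which are written in the endpoint's local time.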