msingh_FTNT
Staff
Article Id 330125
Description This article provides a list of debug commands for which the output should be captured when trying to solve routing issues.
Scope FortiGate.
Solution

Daemon(s):

 

  • zebos_launcher (zebos launcher daemon)
  • imi (routing related)
  • bgpd (bgp)
  • ospfd (ospf)
  • ospf6d (ospfv3)
  • ripd (rip)
  • ripngd (ripv6)
  • radvd (router adv daemon)

 

Administrative Distances:

Routing protocol              Default administrative distance
Direct physical connection    1
Static                        10
EBGP                          20
IBGP                          200
OSPF                          110
RIP                           120

 

General Debugs:

 

Static Routing:


get router info routing-table all <- Displays all the active routes in the routing table.
get router info routing-table database <- Get full routing-table information: all routes learned by unit from different sources (BGP, OSPF, RIP, IS-IS, static and connected).

get router info routing-table details x.x.x.x <- Routing entry for x.x.x.x. Known via 'connected' or OSPF etc.
diagnose ip route list <- To check if the route is injected in kernel.
get router info routing-table connected <- Displays all directly connected routes.
get router info routing-table static <- Displays static routes configured.
diagnose ip arp list
get system arp
diagnose ip rtcache list
execute router restart <- Will restart the routing table. Check with the customer before executing this command as it might cause interruption.

 

Identify the source Interface for a particular IP Address:

 

get router info routing-table details 8.8.8.8 <----- Subnet.

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 10.9.15.254, via port1

 

The default static route to the internet is configured on port1:

 

config router static
show
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.9.15.254
        set device "port1"
    next
end
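
The following Python sketch is an added example, not part of the original article or any Fortinet tooling. It parses captured 'get router info routing-table details' output in the format shown above and reports when the best route leaves through an unexpected interface or carries a distance other than the default from the Administrative Distances table. The function names, the expected_device parameter and the CHANGED sample are assumptions made for illustration.

```python
import re

# Default administrative distances for the protocols in this article's table.
# BGP output does not say EBGP or IBGP, so either default is accepted.
DEFAULT_DISTANCES = {"static": {10}, "bgp": {20, 200}, "ospf": {110}, "rip": {120}}
ENTRY_RE = re.compile(r"^Routing entry for (\S+)$")
KNOWN_RE = re.compile(r'^Known via "([^"]+)", distance (\d+), metric (\d+)(, best)?')
HOP_RE = re.compile(r"^\*?\s*vrf (\d+) (\S+), via (\S+)")

def parse_route_details(text):
    """Parse captured 'get router info routing-table details <ip>' output."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            current = {"prefix": m.group(1), "nexthops": []}
            entries.append(current)
        elif current is None:
            continue  # header lines such as "Routing table for VRF=0"
        elif m := KNOWN_RE.match(line):
            current.update(protocol=m.group(1), distance=int(m.group(2)),
                           metric=int(m.group(3)), best=bool(m.group(4)))
        elif m := HOP_RE.match(line):
            current["nexthops"].append({"vrf": int(m.group(1)), "gateway": m.group(2),
                                        "device": m.group(3), "fib": line.startswith("*")})
    return entries

def audit(entries, expected_device):
    """Return findings for best routes: unexpected egress or non-default distance."""
    findings = []
    for e in (e for e in entries if e.get("best")):
        devices = {h["device"] for h in e["nexthops"] if h["fib"]}
        if devices != {expected_device}:
            findings.append(f"{e['prefix']}: egress {sorted(devices)} != {expected_device}")
        defaults = DEFAULT_DISTANCES.get(e["protocol"])
        if defaults and e["distance"] not in defaults:
            findings.append(f"{e['prefix']}: {e['protocol']} distance {e['distance']} is not default")
    return findings

# Output shown in this article for 8.8.8.8.
SAMPLE = """Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 10.9.15.254, via port1
"""
# Constructed variant (not from the article): distance 5, leaving via port3.
CHANGED = SAMPLE.replace("distance 10", "distance 5").replace("port1", "port3")
if __name__ == "__main__":
    print(audit(parse_route_details(SAMPLE), "port1"))
    print(audit(parse_route_details(CHANGED), "port1"))
```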

 

OSPF Routing:

 

get router info routing all <----- See all the directly connected routes, OSPF routes, BGP routes etc.
get router info protocols <----- Find information about the networks being advertised.
get router info ospf database router lsa <- Gives information about the router LSA and individual networks received by the router.
get router info ospf database self-originate <- Gives information about router LSAs advertised by the router.
get router info routing-table ospf <- Gives information about the OSPF routes.
get router info ospf database brief <- Displays the OSPF LSDB.
get router info ospf neighbor all <- Show all neighbors.

 

BGP Routing: 

 

get router info bgp summary <- Verify BGP peering status, number of prefixes received/sent and peering up time.
get router info bgp neighbors <neighbour_address> advertised-routes <- Know which networks are advertised to specific neighbors.
get router info bgp network <- Show routes injected into the BGP table.
get router info bgp community-info <- Show BGP community strings in use.
get router info routing-table all <- Get active routing-table information (routes in use by unit).

get router info routing-table bgp <- Get BGP active routing-table information (BGP routes in use by unit).
get router info routing-table database <- Get full routing-table information (all routes learned by unit from different sources: BGP, OSPF, RIP, IS-IS, static and connected. Some of them are in use, some of them not.)
get router info bgp neighbors x.x.x.x received-routes <- Get the received routes from the neighbor.
get router info bgp neighbors x.x.x.x routes <- Routes being injected into our routing table after filtration.

 

Troubleshooting:
 

Debugging OSPF LSAs:

 

Run these debug commands to check the LSA, as well as information on Hello/Dead Timers.

 

diag ip router ospf all enable
diag ip router ospf level info
diag debug console timestamp enable
diag debug enable

 

OSPF Sniffer:

 

A sniffer that can be used to troubleshoot OSPF issues.

 

diagnose sniffer packet any "proto 89" 3

 

Debugging BGP Hello/Dead Timers and more:

 

Run these debug commands to check information on Hello/Dead Timers and more.

 

diag ip router bgp all enable
diag ip router bgp level info
diag debug console timestamp enable
diag debug enable

 

BGP Sniffer:

 

BGP uses port number 179. Run the sniffer on port 179 to analyze BGP traffic:

 

diagnose sniffer packet any "port 179" 3

 

To check the routing entry in ZebOS (kernel):

 

Sometimes, it is also important to examine the ZebOS configuration if FortiOS is not parsing the routing configuration correctly into ZebOS.

 

diag ip router command show-vrf <vdom> <zebos command>
diag ip router command show-vrf root show run
diag ip router command show-vrf root show run int <name>
diag ip router command show-vrf root show interface <name>
diag ip router command show-vrf root show ip route
diag ip router command show-vrf root show ip route x.x.x.x