Created on 08-26-2024 03:23 AM
Edited on 12-08-2025 05:20 AM
By Jean-Philippe_P
| Description | This article describes how to collect debugs from FortiGate via the FortiLightHouse tool. |
| Scope | All supported versions of FortiGate. |
| Solution |
FortiLightHouse CLI, also known as FlhCli, is a monitoring tool that helps collect essential outputs from the FortiGate firewall. It will collect the required debugs that will help Fortinet TAC and the Engineering team with deep analysis. More information can be found at the link below:
This article will focus on the installation of the FlhCli tool on the Windows operating system, along with instructions on how to use the tool efficiently. The first step is to download the binary file corresponding to the operating system.
After downloading the binary file, open a command prompt (type ‘cmd’ in search). Run ‘flhcli.exe’ to display the available commands.
Run ‘flhcli.exe setup’ to create the XML configuration file.
In the ‘Device name’, define a file name, or else the tool will create a file named ‘default’.
In the ‘FortiGate hostname or IP address’, define the IP address of FortiGate.
In the ‘FortiGate SSH listening port’, define the SSH port (if modified on FortiGate), or else the default SSH port 22 will be chosen. SSH access needs to be allowed on the interface of the FortiGate.
In the ‘SSH username’, define the username through which FortiGate can be accessed, or else ‘admin’ is taken by default.
In the ‘SSH password’, define the password. The XML file will contain the encrypted password.
The tool will ask where to save the XML file on the machine. If the directory is not defined, the tool will save it automatically in the directory mentioned.
If there is more than one device on which the debugs need to be collected, fill in the details for the second device. The configuration is saved in a file named ‘flhcli.xml’.
Below is the output of ‘flhcli.xml’ created.
After the ‘flhcli.xml’ file is created, run ‘flhcli.exe test’ to test the basic functionality. It displays the output of the ‘get system status’ command.
A monitoring script is required to run against the predefined device. A script template is shown below, which can be modified as per the requirements.
<flhscript version="1">
  <cycle name="performance" parameters="default" settings="default">
  </cycle>
</flhscript>
Both the monitoring script and the flhcli XML files should be in the same directory.
flhcli -force-pty -redirect <<<device_name>>>_monitor --rotate-age 4h --name <<<device_name>>> cmd xml --xml <<script name>> --cycle performance
--rotate-age 4h: The log file will be rotated every 4 hours (modify as needed).
-force-pty: Required to collect output from specific commands, for example, the FortiOS command 'diagnose test application ...'.
-rotate-size: The log file can be rotated after it reaches a specific size. The size value should be given in MB.
The output of the script will be stored in a file named 'FGT-Lab_monitor.txt'. A cycle duration of 10 seconds is defined in the script, which can be modified as needed. The output shows that one cycle took less than 10 seconds to complete, and it will wait for x seconds to run the script again. To stop the script, press 'Ctrl + C' on the command prompt.
If using a Linux-based environment to execute the script, the following command needs to be used:
./flhcli -force-pty -redirect <<<device_name>>>_monitor --rotate-age 4h --name <<<device_name>>> cmd xml --xml <<script name>> --cycle performance
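A pre-flight check for the run described above, as an added example that is not part of the original article or of Fortinet's tooling: it confirms the monitoring script is well-formed XML, that the cycle passed to `--cycle` is defined in it, and that ‘flhcli.xml’ sits in the same directory, then assembles the article's Linux command. The function names and the POSIX permission check on ‘flhcli.xml’ are assumptions made for this example.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

CONFIG_NAME = "flhcli.xml"  # configuration file name given in the article


def preflight(script_path, cycle):
    """Return a list of problems found before starting a collection run."""
    problems = []
    try:
        root = ET.parse(script_path).getroot()
    except (OSError, ET.ParseError) as exc:
        return [f"cannot read monitoring script: {exc}"]
    if root.tag != "flhscript":
        problems.append(f"root element is <{root.tag}>, expected <flhscript>")
    names = [c.get("name") for c in root.iter("cycle")]
    if cycle not in names:
        problems.append(f"cycle {cycle!r} not defined in script (found {names})")
    # The article requires the script and flhcli.xml to share a directory.
    config = os.path.join(os.path.dirname(os.path.abspath(script_path)), CONFIG_NAME)
    if not os.path.isfile(config):
        problems.append(f"{CONFIG_NAME} not found next to the script")
    elif os.name == "posix":
        # Added hardening check (an assumption, not a Fortinet requirement):
        # the file holds the encrypted SSH password, so keep it owner-only.
        mode = stat.S_IMODE(os.stat(config).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{CONFIG_NAME} mode {mode:o} is open to group/other")
    return problems


def build_command(device, script_path, cycle, rotate_age="4h"):
    """Assemble the article's Linux command line as an argv list."""
    return ["./flhcli", "-force-pty", "-redirect", f"{device}_monitor",
            "--rotate-age", rotate_age, "--name", device,
            "cmd", "xml", "--xml", script_path, "--cycle", cycle]


if __name__ == "__main__":
    # Usage: python preflight.py <device_name> <script.xml> <cycle>
    device, script, cycle = sys.argv[1:4]
    issues = preflight(script, cycle)
    for issue in issues:
        print("WARN:", issue)
    if not issues:
        print(" ".join(build_command(device, script, cycle)))
    sys.exit(1 if issues else 0)
```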
In some cases, running the script can cause high CPU utilization on the firewall; to avoid this, the script needs to be stopped. To stop the script, delete the flhcli files, then kill the flhcli process. To kill the flhcli process, run the command below on the monitoring tool.
pkill -f flhcli |