FortiGate
alif
Staff
Article Id 336368

 

Description: This article describes how to collect debugs from FortiGate via the FortiLightHouse tool.
Scope: All supported versions of FortiGate.
Solution:

FortiLightHouse CLI (FlhCli) is a monitoring tool that collects essential outputs from the FortiGate firewall, including the debugs that help Fortinet TAC and the Engineering team with deep analysis. More information can be found at the link below:

FortiLightHouse

 

This article will focus on the installation of the FlhCli tool on the Windows operating system along with instructions on how to use the tool efficiently.

The first step is to download the binary file based on the operating system.

 


After downloading the binary file, open a command prompt (type ‘cmd’ in the search box) and run ‘flhcli.exe’ to see the available commands.

[Screenshot: commands listed by ‘flhcli.exe’]

 

Run ‘flhcli.exe setup’ to create the XML configuration file.

 

In the ‘Device name’ field, define a file name, or else the tool will create a file named ‘default’.

In the ‘FortiGate hostname or IP address’ field, define the IP address of the FortiGate.

In the ‘FortiGate SSH listening port’ field, define the SSH port (if modified on the FortiGate); otherwise the default SSH port 22 is used. SSH access must be allowed on the FortiGate interface.

In the ‘SSH username’ field, define the username used to access the FortiGate; otherwise ‘admin’ is used by default.

In the ‘SSH password’ field, define the password. The XML file will contain the encrypted password.

 

The tool will ask where to save the XML file on the machine. If no directory is specified, the tool saves the file automatically in the directory mentioned.

 

If there is more than one device on which the debugs need to be collected, fill in the details for the second device. The configuration is saved in a file named ‘flhcli.xml’.

 


Below is the content of the ‘flhcli.xml’ file that was created.

[Screenshot: contents of the generated ‘flhcli.xml’]

 

After the ‘flhcli.xml’ file is created, run ‘flhcli.exe test’ to test basic functionality; it displays the output of the ‘get system status’ command.

 


A monitoring script is required to run against the predefined device. The script template below can be modified as required.

 

<flhscript version="1">
  <parameters name="default">
    <list name="status">
      <query type="pids">
        <option name="process">cpu</option>
      </query>
    </list>
  </parameters>
  <settings name="default">
    <ics>100ms</ics>
    <cycleDuration>10s</cycleDuration>
  </settings>

  <cycle name="performance" parameters="default" settings="default">
    <command context="global">get sys status</command>
    <command context="global">get system performance status</command>
    <command context="global">diag sys top 1 30 3</command>
    <command context="global">diag sys mpstat 1 3</command>
  </cycle>
</flhscript>

 

Both the monitoring script and flhcli XML files should be in the same directory.
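
Because every command in the script is replayed on the FortiGate over the SSH account configured above, a modified template is worth checking before it is run. The following Python linter is an added example, not part of the original article or of FortiLightHouse; the read-only command allowlist and the accepted duration format are assumptions based on the template shown above.

```python
import re
import xml.etree.ElementTree as ET

# The article's template, condensed; the last <command> is a constructed
# state-changing line added to show a finding.
SAMPLE = """<flhscript version="1">
<parameters name="default"><list name="status"><query type="pids">
<option name="process">cpu</option></query></list></parameters>
<settings name="default"><ics>100ms</ics><cycleDuration>10s</cycleDuration></settings>
<cycle name="performance" parameters="default" settings="default">
<command context="global">get sys status</command>
<command context="global">diag sys top 1 30 3</command>
<command context="global">config system global</command>
</cycle></flhscript>"""

# Assumption (local policy, not a FortiLightHouse rule): only read-only command families.
ALLOWED = ("get ", "diag ", "diagnose ", "show ")
# Assumption: durations are an integer plus a unit, as in "100ms" and "10s" on the page.
DURATION = re.compile(r"^\d+(ms|s|m|h)$")

def lint_script(xml_text):
    """Return a list of findings; an empty list means the script passed."""
    if "<!DOCTYPE" in xml_text.upper():
        return ["DOCTYPE present: refusing to parse (entity expansion risk)"]
    root = ET.fromstring(xml_text)
    if root.tag != "flhscript":
        return [f"root element is <{root.tag}>, expected <flhscript>"]
    findings = []
    params = {p.get("name") for p in root.findall("parameters")}
    settings = {s.get("name"): s for s in root.findall("settings")}
    for cycle in root.findall("cycle"):
        name = cycle.get("name")
        # A cycle must reference <parameters> and <settings> blocks that exist.
        if cycle.get("parameters") not in params:
            findings.append(f"cycle {name}: unknown parameters {cycle.get('parameters')!r}")
        st = settings.get(cycle.get("settings"))
        if st is None:
            findings.append(f"cycle {name}: unknown settings {cycle.get('settings')!r}")
        else:
            for tag in ("ics", "cycleDuration"):
                if not DURATION.match((st.findtext(tag) or "").strip()):
                    findings.append(f"settings {st.get('name')}: bad <{tag}> value")
        for cmd in cycle.findall("command"):
            text = " ".join((cmd.text or "").split()).lower()
            if not text.startswith(ALLOWED):
                findings.append(f"cycle {name}: not on read-only allowlist: {text}")
    return findings

if __name__ == "__main__":
    for finding in lint_script(SAMPLE):
        print(finding)
```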

 

flhcli -force-pty -redirect <<<device_name>>>_monitor --rotate-age 4h --name <<<device_name>>> cmd xml --xml <<script name>> --cycle performance

 

--rotate-age 4h: The log file is rotated every 4 hours (modify as needed).

 


The output of the script is stored in a file named 'FGT-Lab_monitor.txt'. The script defines a cycle duration of 10 seconds, which can be modified as needed. The output shows that one cycle took less than 10 seconds to complete, and the tool waits x seconds before running the script again. To stop the script, press ‘Ctrl+C’ in the command prompt.

 
