FortiGate
Renante_Era
Staff
Article Id 285471
Description: This article describes some guidelines to follow before a problem occurs.
Scope: FortiGate.
Solution:

Diagnosing the FortiGate to identify abnormal behavior is difficult unless the baseline, that is, the relatively normal operating pattern, is known. Normal can be defined and measured in many ways: by performance, by network topology, or by behavior.

For instance, if the FortiGate CPU usage is 75% and the baseline is at 60% to 69%, then 75% is probably still normal.

However, if the CPU baseline is 12% to 15%, then there may be a problem.


Record the baseline:
  • CPU usage.
  • Memory usage.
  • Traffic volume.
  • Traffic directions -- traffic pattern and distribution.
  • Protocols and port numbers -- what protocols are blocked or proxied.
  • Which devices are normally connected to each node.
  • List the distribution of protocols and applications used during specific times of the day, week, or year.
  • Monitor traffic flows and resource usage using the following tools:
    • Security Fabric.
    • FortiView.
    • FortiAnalyzer/Logging/Syslog.
    • SNMP.
    • Alert email.
    • CLI debug commands.


Network Diagrams:

Flows and other specifications of normal behavior are derived from the topology, so a network diagram is important when troubleshooting. It is necessary to have both a physical network diagram and a logical network diagram.

A physical diagram shows how cables, ports, and devices are connected between buildings and cabinets, while a logical diagram shows OSI Layer 3 relationships between virtual LANs, IP subnets, and routers. It should also show application protocols such as DHCP, DNS, HTTP/S, etc.


Debug commands:

  • get system status
  • get system performance status
  • diagnose sys top-mem 99
  • get system performance firewall statistics
  • diagnose sys session stat
  • diagnose sys vd stats
  • fnsysctl ifconfig
  • diagnose sys top 1 60 10
  • get hardware nic <interface_name>
  • get sys arp
  • diagnose debug report
  • execute traceroute <dest_IP_addr or hostname>
  • execute ping <dest_IP_addr or hostname>
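As an added example (not from the original article), the following Python script parses a constructed sample of `get system performance status` output and compares the CPU, memory and session figures against a previously recorded baseline, flagging only values that exceed the normal range by more than a tolerance. The exact output layout and the baseline ranges are assumptions.

```python
import re

# Constructed sample in the layout of "get system performance status"
# (assumed format, not captured from a real device).
SAMPLE_STATUS = """\
CPU states: 62% user 13% system 0% nice 25% idle 0% iowait 0% irq 0% softirq
CPU0 states: 62% user 13% system 0% nice 25% idle 0% iowait 0% irq 0% softirq
Memory: 4005528k total, 2812904k used (70.2%), 1192624k free (29.8%)
Average network usage: 1520 / 1180 kbps in 1 minute, 1490 / 1100 kbps in 10 minutes, 1400 / 1050 kbps in 30 minutes
Average sessions: 18400 sessions in 1 minute, 17950 sessions in 10 minutes, 17200 sessions in 30 minutes
Average session setup rate: 210 sessions per second in last 1 minute, 198 sessions per second in last 10 minutes, 190 sessions per second in last 30 minutes
Uptime: 41 days, 3 hours, 12 minutes
"""

# Baseline recorded during normal operation (hypothetical values): (low, high).
BASELINE = {
    "cpu_pct": (60, 69),
    "mem_pct": (45, 55),
    "sessions": (9000, 12000),
}

def parse_status(text):
    """Extract CPU usage %, memory used % and the 1-minute session average."""
    m_cpu = re.search(r"^CPU states:.*?(\d+)% idle", text, re.M)
    m_mem = re.search(r"^Memory:.*?\((\d+(?:\.\d+)?)%\)", text, re.M)
    m_ses = re.search(r"^Average sessions: (\d+) sessions in 1 minute", text, re.M)
    if not (m_cpu and m_mem and m_ses):
        raise ValueError("unexpected output format")
    return {
        "cpu_pct": 100 - int(m_cpu.group(1)),  # overall usage = 100 - idle
        "mem_pct": float(m_mem.group(1)),
        "sessions": int(m_ses.group(1)),
    }

def compare_to_baseline(current, baseline, tolerance=0.10):
    """Return metrics whose value exceeds the baseline high mark by more than tolerance."""
    findings = {}
    for name, (low, high) in baseline.items():
        value = current[name]
        if value > high * (1 + tolerance):
            findings[name] = (value, low, high)
    return findings

if __name__ == "__main__":
    current = parse_status(SAMPLE_STATUS)
    for name, (value, low, high) in compare_to_baseline(current, BASELINE).items():
        print(f"{name}: {value} is outside the baseline range {low}-{high}")
```

With this sample, CPU at 75% against a 60-69% baseline is not reported (as the article's own example suggests), while memory and session counts are.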


Because of NAT and routing, it is necessary to specify a different ping source IP address, since by default the source is the IP address of the outgoing interface. Keep in mind that if there is no response, the target may simply not be configured to reply to ICMP echo requests.


execute ping-option source <interface_IP_address>