ezhupa
Article Id 247389
Description This article lists useful commands for the initial troubleshooting of issues with Virtual Servers on FortiGate.
Scope FortiGate.
Solution
Check the status of the real servers:


diagnose firewall vip realserver


Any of the following options can be supplied:


  • list: list the real servers.
  • up: change the address to 'up'.
  • down: change the address to 'down'.
  • healthcheck: perform a server health check.
  • clear: clear the firewall VIP, VIP6 real server statistics.


Information about Virtual Servers can also be viewed in the GUI under Monitoring -> Load Balance Monitor.


For general stats:


get test ipldbd 2 (where ipldbd is the load balance daemon)


Example output:


num of vf=1
--------dump ipldb vf=0----------
num of vips=1
num of registered monitor types=6
num of ping monitors=0
num of ping monitors=3
num of tcp monitors=0
num of http monitors=0
num of https monitors=0
num of dns monitors=0
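As an added example (not part of this article), a small Python parser for the `get test ipldbd 2` output shown above: it turns the per-VDOM counters into a dictionary and flags two states worth checking first. The sample output is constructed to match the article's format, and the checks are this example's own heuristics, not FortiGate logic.

```python
import re
from typing import Dict, List

# Constructed sample that mirrors the article's output format (not real device output).
SAMPLE_OUTPUT = """\
num of vf=1
--------dump ipldb vf=0----------
num of vips=1
num of registered monitor types=6
num of ping monitors=0
num of tcp monitors=3
num of http monitors=0
num of https monitors=0
num of dns monitors=0
"""

VF_HEADER = re.compile(r"^-+dump ipldb vf=(\d+)-+$")
COUNTER = re.compile(r"^num of (.+?)=(\d+)$")

def parse_ipldbd(text: str) -> Dict[int, Dict[str, int]]:
    """Return {vf_index: {counter_name: value}} for every dumped VDOM section."""
    sections: Dict[int, Dict[str, int]] = {}
    current = None  # vf index of the section being read; None before the first header
    for raw in text.splitlines():
        line = raw.strip()
        header = VF_HEADER.match(line)
        if header:
            current = int(header.group(1))
            sections[current] = {}
            continue
        counter = COUNTER.match(line)
        if counter and current is not None:
            sections[current][counter.group(1)] = int(counter.group(2))
    return sections

def find_issues(sections: Dict[int, Dict[str, int]]) -> List[str]:
    """Heuristic checks (this example's own, not FortiGate logic) over the counters."""
    issues: List[str] = []
    for vf, counters in sections.items():
        vips = counters.get("vips", 0)
        # Every per-type counter ends in " monitors"; "registered monitor types" does not.
        monitors = sum(v for k, v in counters.items() if k.endswith(" monitors"))
        if vips == 0:
            issues.append(f"vf={vf}: no virtual servers registered with ipldbd")
        elif monitors == 0:
            issues.append(f"vf={vf}: {vips} VIP(s) but no health-check monitors; "
                          "server failures will not be detected")
    return issues
```

Paste the real output of `get test ipldbd 2` in place of the constructed sample to run the same checks against a device; a VDOM with VIPs but zero monitors of every type is the first thing to review when real servers never change state.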


The following command displays VIP filters. This is useful on FortiGates with many VIPs:


diagnose firewall vip virtual-server filter <option>


  • list: display the current filter.
  • clear: erase the current filter.
  • name: specify a VIP name to filter by.
  • src: specify a source address range to filter by.
  • dst: specify a destination address range to filter by.
  • src-port: specify a source port range to filter by.
  • dst-port: specify a destination port range to filter by.
  • vd: specify the index of a virtual domain. -1 matches all.
  • negate: negate the specified filter parameter.

Use the following command to view virtual server stats:


diagnose firewall vip virtual-server stats <option>


list            List all statistics.
clear           Clear all statistics.
http            HTTP statistics.
ssl             SSL statistics.
crypto-clear    Clear SSL crypto statistics.
operational     Operational info and statistics.
summary         Summary statistics.


The most reliable verification is the packet sniffer, which shows how packets are actually forwarded to the real servers under the current load-balancing method.

diagnose sniffer packet <interface/any> '<filter>' <verbose> <count> <timestamp format>


To stop the sniffer, press Ctrl+C on the keyboard.


Adjust the filter in the command above to capture only the traffic being forwarded towards the real servers.


The output of the following commands is helpful for starting the initial troubleshooting and understanding the Virtual Server issue:


fnsysctl date
diag firewall vip virtual-server real-server list
diag firewall vip virtual-server server
diag firewall vip virtual-server stats list
diag firewall vip virtual-server session list
diag firewall vip realserver healthcheck stats show
diag firewall vip realserver list


get router info routing-table all
get router info routing-table database
get router info kernel
diagnose firewall proute list
diagnose ip rtcache list


See the help page for more information about load balancing diagnosis commands:


Related documents:

Virtual server load balance - FortiGate administration guide.

Technical Tip: Configure virtual server.

Troubleshooting Tip: How to fix an issue with Virtual Servers.