ezhupa
Staff
Article Id 247389
Description This article lists useful commands for the initial troubleshooting of issues with FortiGate Virtual Servers (server load balancing).
Scope FortiGate, FortiOS.
Solution

Verification and debug


Check the status of the real servers:


diagnose firewall vip realserver

 

Any of the following options can be supplied:

 

  • list: list the real servers.
  • up: mark the real server address as 'up'.
  • down: mark the real server address as 'down'.
  • healthcheck: perform a health check against a real server.
  • clear: clear the VIP and VIP6 real server statistics.

 

Information about Virtual Servers can also be viewed in the GUI under Monitoring -> Load Balance Monitor.


For general stats:

 

get test ipldbd 2 (where ipldbd is the load balance daemon)

 

Example output:

 

num of vf=1
--------dump ipldb vf=0----------
num of vips=1
num of registered monitor types=6
num of ping monitors=0
num of ping monitors=3
num of tcp monitors=0
num of http monitors=0
num of https monitors=0
num of dns monitors=0
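
As an added example (not part of this article and not Fortinet code), the following Python script parses output in the shape shown above and flags VDOMs that have virtual servers configured but no health monitors of any type; without a monitor a real server that fails keeps receiving connections. The sample dump is constructed and modelled on the output above, and the assumption that each `dump ipldb vf=N` block reports the counters of one VDOM is mine.

```python
import re

# Constructed sample, modelled on the `get test ipldbd 2` output in the article.
# Assumed: one "dump ipldb vf=N" block per VDOM, each holding "num of ..." counters.
SAMPLE_OUTPUT = """\
num of vf=2
--------dump ipldb vf=0----------
num of vips=1
num of registered monitor types=6
num of ping monitors=3
num of tcp monitors=0
num of http monitors=0
num of https monitors=0
num of dns monitors=0
--------dump ipldb vf=1----------
num of vips=2
num of registered monitor types=6
num of ping monitors=0
num of tcp monitors=0
num of http monitors=0
num of https monitors=0
num of dns monitors=0
"""

VF_HEADER = re.compile(r"^-+dump ipldb vf=(\d+)-+$")
COUNTER = re.compile(r"^num of (.+?)=(\d+)$")


def parse_ipldbd_dump(text):
    """Return (declared_vf_count, {vf_index: {counter_name: value}})."""
    declared = None
    vdoms = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VF_HEADER.match(line)
        if m:
            # Start of a new per-VDOM block.
            current = int(m.group(1))
            vdoms[current] = {}
            continue
        m = COUNTER.match(line)
        if not m:
            continue  # ignore lines the parser does not understand
        name, value = m.group(1), int(m.group(2))
        if name == "vf" and current is None:
            declared = value  # top-level "num of vf=N"
        elif current is not None:
            vdoms[current][name] = value
    return declared, vdoms


def find_unmonitored_vdoms(text):
    """Indexes of VDOMs that have VIPs but no health monitors of any type."""
    declared, vdoms = parse_ipldbd_dump(text)
    if declared is not None and declared != len(vdoms):
        raise ValueError(f"header declares {declared} vf, dump contains {len(vdoms)}")
    result = []
    for vf, counters in sorted(vdoms.items()):
        # "registered monitor types" is a capability count, not a monitor instance,
        # so only keys ending in " monitors" are summed.
        monitors = sum(v for k, v in counters.items() if k.endswith(" monitors"))
        if counters.get("vips", 0) > 0 and monitors == 0:
            result.append(vf)
    return result


if __name__ == "__main__":
    _, vdoms = parse_ipldbd_dump(SAMPLE_OUTPUT)
    for vf, counters in sorted(vdoms.items()):
        print(f"vf={vf}: {counters}")
    print("VDOMs with VIPs but no health monitors:", find_unmonitored_vdoms(SAMPLE_OUTPUT))
```

Paste the real output of `get test ipldbd 2` into SAMPLE_OUTPUT (or read it from a file) to run the same check on a live unit; a mismatch between the declared number of VDOMs and the blocks found is raised as an error rather than silently ignored.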

 

 

The following command displays VIP filters. This is useful on FortiGates with many VIPs:

 

diagnose firewall vip virtual-server filter <option>

 

  • list: display the current filter.
  • clear: erase the current filter.
  • name: specify a VIP name to filter by.
  • src: specify a source address range to filter by.
  • dst: specify a destination address range to filter by.
  • src-port: specify a source port range to filter by.
  • dst-port: specify a destination port range to filter by.
  • vd: specify the index of a virtual domain. -1 matches all.
  • negate: negate the specified filter parameter.

Use the following command to view virtual server stats:

 

diagnose firewall vip virtual-server stats

 

The most reliable verification is the packet sniffer. In its output it is possible to see how packets are forwarded to the real servers according to the configured load-balancing method.

 

diagnose sniffer packet <interface|any> '<filter>' <verbose> <count> <timestamp format>

 

To stop the sniffer, press Ctrl+C on the keyboard.

 

Adjust the filter in the command above to capture only the traffic being forwarded towards the real servers.

 

See the help page for more information about load balancing diagnosis commands:

 

To compare with configuration, refer to the following documentation:

Virtual server load balance - FortiGate administration guide.

Technical Tip: Configure virtual server.

Troubleshooting Tip: How to fix an issue with Virtual Servers.