Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Renante_Era
Staff
Staff

Created on ‎09-20-2023 10:22 AM Edited on ‎04-20-2025 05:35 PM By Staff

Article Id 274812

Troubleshooting Tip: Collecting IPS engine related debugs

Description This article describes how to collect IPS engine debugs.
Scope FortiGate v7.0 and above.
Solution
  1. Show FortiGate stats and memory usage:

 

get sys status

get system performance status

diagnose hardware sysinfo memory

diagnose system session stat

diagnose ips session list by-mem 15

diagnose ips session status

diagnose autoupdate version | grep "IPS Attack" -A 6

diagnose ips memory status

diagnose test application ipsmonitor 1

diagnose system top 2 30 4

diagnose system top-mem 10

diagnose system top-mem 10

diagnose system top-mem 10

 

  1. If the IPS engine's memory usage appears to be higher than normal, run 'diag sys process stack $pid' (four times) to get the stack for the process.

 

diagnose system process pstack <PID with high usage>

fnsysctl cat /proc/$PID/smaps

 

  1. Restart the process.

 

diagnose system kill 11 <PID>

 

  1. Get the crash log as well.

 

diagnose debug crashlog read

 

Note:

Additional debugging commands for TAC.

 

diagnose debug reset

diagnose ips debug enable all <- Instead of 'all', use one from a list of categories displayed by pressing '?' after enable.

diagnose ips filter set "host x.x.x.x" <- x.x.x.x = testing host IP.

diagnose debug enable

 

Disable afterwards with the following command:

 

diagnose debug disable

 

Note:

Selecting all for the IPS debug will cause high memory usage and can lead to kernel conserve mode as this debug is copying sessions inspected by the IPS engine, which will lead to doubling the sessions.

It is always recommended to specify the type of session on the debug also, it is strongly recommended to use the filtering command 'diagnose ips filter...' unless the goal of the debug is to collect events for all hosts.

 

In cases where an IPS profile is assigned to a firewall policy in proxy inspection mode, the recommended live debug commands are:

 

On the Filter, add several hosts, for example:

 

diagnose ips filter set 'host x.x.x.x and host z.z.z.z'

 

Filter parameters need be used as it was used for IPS debugging.

 

diagnose debug reset

diagnose wad debug enable category [all, http, session ,...] <----- Use question mark '?' to view all available categories.

diagnose wad debug enable level verbose <- Verbosity level. When troubleshooting, it is recommended to use verbose.

diagnose wad filter dst 10.10.10.10  <----- Filtering the logs based on the destination address.

diagnose wad filter port 443         <----- Filtering the logs based on the destination port.

diagnose debug console timestamp enable

diagnose debug enable

 

To confirm which filters are in use:

 

diagnose wad filter list 

drop unknown sessions: disabled 

dest ip: 10.10.10.10-10.10.10.10

dest port: 443-443

 

To disable the debug:

 

diagnose debug disable

diagnose debug reset
Labels:
5103
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.