Created on 09-20-2023 10:22 AM Edited on 12-24-2024 06:01 AM By Anthony_E
Description | This article describes how to collect IPS engine debugs. |
Scope | FortiGate v7.0 and above. |
Solution |
get sys status
get system performance status
diagnose hardware sysinfo memory
diagnose sys session stat
diagnose ips session list by-mem 15
diagnose ips session status
diagnose autoupdate version | grep "IPS Attack" -A 6
diagnose ips memory status
diagnose sys top 2 30 4
di sys top-mem 10
di sys top-mem 10
di sys top-mem 10
diag sys process pstack <PID with high usage>
fnsysctl cat /proc/$PID/smaps
diag sys kill 11 <PID>
diagnose debug crashlog read
Note: Additional debugging commands for TAC.
diagnose ips debug enable all //instead of "all", a category can be used from the list displayed by pressing "?" after enable
diagnose ips filter set "host x.x.x.x" //x.x.x.x = testing host IP
diagnose debug enable
Disable once done:
diagnose debug reset
diagnose debug disable
Note: Selecting 'all' for the IPS debug causes high memory usage and can lead to kernel conserve mode, because this debug copies the sessions that are inspected by the IPS engine, which doubles the number of sessions. It is always recommended to specify the type of session in the debug, and it is strongly recommended to use the filtering command 'diagnose ips filter...' unless the goal of the debug is to collect events for all hosts.
If the IPS profile is assigned to a firewall policy in proxy inspection mode, the recommended live debug commands are:
diagnose debug reset
diagnose wad debug enable category [all, http, session ,...] <----- Use question mark '?' to view all available categories.
diagnose wad debug level verbose <----- Verbosity level; when troubleshooting, it is recommended to use verbose.
diagnose debug console timestamp enable
diagnose debug enable
To disable the debug:
diagnose debug disable
diagnose debug reset |
Copyright 2024 Fortinet, Inc. All Rights Reserved.