Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Renante_Era
Staff
Staff

Created on ‎09-20-2023 10:22 AM Edited on ‎02-17-2025 08:22 AM By Moderator

Article Id 274812

Troubleshooting Tips: Collecting IPS engine related debugs

Description This article describes how to collect IPS engine debugs.
Scope FortiGate v7.0 and above.
Solution
  1. Show FortiGate stats and memory usages:

 

get sys status

get system performance status

diagnose hardware sysinfo memory

diagnose sys session stat

diagnose ips session list by-mem 15

diagnose ips session status

diagnose autoupdate version | grep "IPS Attack" -A 6

diagnose ips memory status

diagnose sys top 2 30 4

di sys top-mem 10

di sys top-mem 10

di sys top-mem 10

 

  1.  If the IPS engine's memory usage appears to be higher than normal, then run 'diag sys process pstack $pid' (4 times) to get the pstack for the process.

 

diag sys process pstack <PID with high usage>

fnsysctl cat /proc/$PID/smaps

 

  1. Restart the process.

 

diag sys kill 11 <PID>

 

  1. Get the crash log as well.

 

diagnose debug crashlog read

 

Note:

Additional debugging commands for TAC.

 

diagnose system session clear

diagnose debug reset

diagnose ips debug enable all <- Instead of 'all', use one from a list of categories displayed by pressing '?' after enable.

diagnose ips filter set "host x.x.x.x" <- x.x.x.x = testing host IP.

diagnose debug enable

 

Disable afterwards with the following command:

 

diagnose debug disable

 

Note:

Selecting all for the ISP debug will cause high memory usage and can lead to kernel conserve mode as this debug is copying sessions that are inspected by IPS engine which will lead to doubling the amount of sessions.

It is always recommended to specify the type of session on the debug also it is strongly recommended to USD the filtering command 'diagnose ips filter...' unless the goal of the debug is to collect events for all hosts.

 

In cases where an IPS profile is assigned to a firewall policy in proxy inspection mode, the recommended live debug commands are:

 

On the Filter you can also add several hosts, for example:

 

diagnose ips filter set 'host x.x.x.x and host z.z.z.z'

 

Filter parameters need be used as it was used for IPS debugging.

 

diagnose debug reset

diagnose wad debug enable category [all, http, session ,...] <- Use question mark '?' to view all available categories.

diagnose wad debug level verbose <- Verbosity level. When troubleshooting, it is recommended to use verbose.

diagnose wad filter dst 10.10.10.10  <- Filtering the logs based on destination address.

diagnose wad filter port 443         <- Filtering the logs based on destination port.

diagnose debug console timestamp enable

diagnose debug enable

 

To confirm which filters are in use:

 

diagnose wad filter list 

drop unknown sessions: disabled 

dest ip: 10.10.10.10-10.10.10.10

dest port: 443-443

 

To disable the debug:

 

diagnose debug disable

diagnose debug reset

 
Labels:
4349
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.