Support Forum
Network_Engineer
New Contributor III

LLDP and USB

Q1 Is it possible to upgrade the FW using the "execute restore image usb" command? I want to use USB to upgrade my firewall instead of TFTP.

Which brings me to the next question:

Q2 Is a USB or TFTP upgrade faster?

Q3 When I want to see FortiGate LLDP neighbors, I use "diagnose lldprx neighbor summary". So what is the difference between a "get" and a "diagnose" command?

Q4 Why isn't LLDP under the "get" command, like "show cdp neighbor" in Cisco?

1 Solution
ede_pfau
Esteemed Contributor III

Regarding Q2 (upgrade via TFTP or USB):

For a TFTP upgrade, you will have to establish a working network connection first. On a notebook, you will have to set up a static IP and a TFTP server, connect the FGT and the notebook via cable (find a free port on the FGT), and check connectivity from the notebook and from the FGT side. All of this takes considerably more time than inserting a USB stick, checking the auto-install settings, and rebooting the FGT.

And preparing and inserting a USB stick can be done by nearly anybody, even without networking skills ('a helping hand'), which can be very convenient if the FGT is in a remote location.

So I would not denounce the auto-install feature in general. It can be very efficient, for instance when new FGTs arrive and need to be upgraded to a target version at the very beginning. Auto-install with the 'image.out' and 'fgt_system.conf' settings is enabled by default after a factory reset, and thus at delivery from distribution.

Just my 2 cents...

Ede

"Kernel panic: Aiee, killing interrupt handler!"

aahmadzada
Staff

Hi,

Q1: It is possible, here is the cookbook: https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/183352/restoring-from-a-usb-drive#:~:te....

Q2: Almost equal.

Q3: In short, "get" will show you the current configuration of a given functionality, while "diag" will help to diagnose and get some detailed information about the daemons.

Q4: Please refer to Q3 - LLDP is handled by a separate daemon and therefore the outputs of that daemon have to be displayed with the diag command.

Ahmad
Network_Engineer

Hi, thank you very much.

Q5 So is there a difference between the show & get commands, such as "show opt storage"?

Q6 So a diagnose command will not make configuration changes on my equipment?

aahmadzada
Staff

Hi,
Q5: "get" will show the values for a given part of the configuration, while "show" will show the configuration lines. An example:

FG101E-1 # show wanopt settings
config wanopt settings
set host-id "default-id"
end

---------------------

FG101E-1 # get wanopt settings
host-id : default-id
tunnel-ssl-algorithm: high
auto-detect-algorithm: simple

 

Q6: I can't remember any "diagnose" command that would alter the configuration file.
I would suggest reading the description of the command before executing it, so you are sure what exactly you are doing.

 

Ahmad

Network_Engineer
New Contributor III

Q7 When I key in "diagnose lldprx port summary", it prompts me "please input args". How do I know what argument to input?

Q8 How do I show virtual IP addresses? What is the command? Such as the virtual IP assigned to the cluster?

Q9 How do I show, from the GUI, which firewall INTERFACE an LLDP neighbor is on?

aahmadzada
Staff

Q7: Indeed it asks for extra arguments, but you don't have to enter any arguments; just hit enter after "diag lldprx neighbor summary" and you'll get the list of the LLDP neighbors.

Q8: IP addresses assigned to the interfaces of the FortiGate can be viewed via the "diag ip address list" command.
When a cluster is operating, FortiOS assigns virtual MAC addresses to each primary unit interface. HA uses virtual MAC addresses so that if a failover occurs, the new primary unit interfaces will have the same virtual MAC addresses and IP addresses as the failed primary unit. As a result, most network equipment would identify the new primary unit as the exact same device as the failed primary unit.
Virtual MAC addresses can be listed via this command:
"diag sys ha mac"

Q9:
1. Enable LLDP
2. Enable device detection on the interfaces where you expect the LLDP neighbors to be
3. Go to Dashboard > Devices & Users > Device Inventory

You would see the list of the devices.

Ahmad

Network_Engineer

Hi,

What is the command to check if LLDP is enabled in the first place?

I can see it in the GUI but not the CLI.

pminarik
Staff

Just to chip in on the get/diag/etc. distinction...

The distinction between get / diagnose / execute isn't always 100% clear-cut.

"get" usually shows the given configuration object's details in full (similar to "show full"), e.g. "get system global".

It also shows some status information, e.g. "get system status".

As a rule of thumb, running "get" commands should always be safe.

"diagnose" mostly handles diagnostic commands to get debug information ("diag wad...", "diag debug app ...", "diag test app ..."), but some commands also show status/statistics (arguably similar to "get"), e.g. "diag sys waninfo".

"diagnose" commands can potentially be "destructive", in the sense that they affect the operation of the unit:

  • "diagnose log test" will generate test logs that will be recorded in your logs.
  • restarting/killing wad or ipsengine may impact sessions currently processed by these processes.
  • enabling verbose debug outputs of a busy process may increase CPU utilization.

The common theme of "execute" is to "do something" rather than "display information" (get) or generate/gather debugs ("diagnose"):

execute reboot
execute ping
execute vpn ipsec tunnel up <phase2_name>
execute disconnect-admin-session
execute disk format
execute wake-on-lan

...but you will still find some execute commands that will simply display some status/information:

execute dhcp lease-list
execute disk list

At the end of the day, one does not need to worry about which is which. You either know the command to get the information or do the action you want, or you do not, in which case you can search for the desired commands in the documentation, check forums, ask a colleague, or check with TAC support.

[ corrections always welcome ]
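The rule of thumb in the reply above (get/show only display, diagnose may disturb the unit, execute acts) can be turned into a guardrail for scripted read-only collection, for instance a runbook that pulls "get system status" and the LLDP neighbor list from many units over SSH. The following POSIX shell script is an added example, not code from this thread or from Fortinet: it normalises a CLI line (collapses whitespace, expands the "diag"/"exec" abbreviations), classifies it by its first keyword, and lets it through only if it is a get/show command or a diagnose command on a short allow-list. The allow-list is an assumption containing only the display-only diagnose commands quoted in this thread; everything else, including every execute command and "diagnose log test" or "diagnose debug enable", is rejected by default. The SSH transport is out of scope; the script only filters lines on stdin.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny filter for read-only
# FortiGate CLI sessions. get/show pass; diagnose passes only when on
# DIAG_ALLOW; execute/config/anything unknown is rejected.
set -eu
set -f   # no pathname expansion while word-splitting CLI lines

# expand_prefix WORD: FortiOS accepts unambiguous abbreviations ("diag",
# "exec"), so normalise the common short forms before classifying.
expand_prefix() {
    case $1 in
        diag|diagn|diagno|diagnos) echo diagnose ;;
        exe|exec|execu|execut)     echo execute ;;
        conf|confi)                echo config ;;
        *)                         echo "$1" ;;
    esac
}

# normalise "CLI LINE": collapse whitespace and expand the first keyword.
normalise() {
    set -- $1                      # word-split, dropping repeated blanks
    [ $# -gt 0 ] || { echo ""; return; }
    first=$(expand_prefix "$1"); shift
    if [ $# -gt 0 ]; then echo "$first $*"; else echo "$first"; fi
}

# classify_fgt_cmd "CLI LINE" -> readonly | diagnostic | action | config | unknown
classify_fgt_cmd() {
    norm=$(normalise "$1")
    case ${norm%% *} in
        get|show)  echo readonly ;;
        diagnose)  echo diagnostic ;;
        execute)   echo action ;;
        config)    echo config ;;
        *)         echo unknown ;;
    esac
}

# Display-only diagnose commands quoted in this thread (assumption: treated
# as safe for collection). Matched as whole-word prefixes of the normalised line.
DIAG_ALLOW='
diagnose lldprx neighbor summary
diagnose ip address list
diagnose sys ha mac
diagnose sys waninfo
'

# allowed_readonly "CLI LINE": returns 0 if the line may run in a read-only
# session, 1 otherwise. Default deny.
allowed_readonly() {
    norm=$(normalise "$1")
    case $(classify_fgt_cmd "$norm") in
        readonly) return 0 ;;
        diagnostic)
            old_ifs=$IFS; IFS='
'
            for allow in $DIAG_ALLOW; do
                case $norm in
                    "$allow"|"$allow "*) IFS=$old_ifs; return 0 ;;
                esac
            done
            IFS=$old_ifs
            return 1 ;;
        *) return 1 ;;
    esac
}

# filter_readonly: read CLI lines on stdin, pass allowed ones to stdout,
# report rejected ones (with their category) on stderr; exit 1 if any rejected.
filter_readonly() {
    rc=0
    while IFS= read -r line; do
        if allowed_readonly "$line"; then
            printf '%s\n' "$line"
        else
            printf 'REJECTED (%s): %s\n' "$(classify_fgt_cmd "$line")" "$line" >&2
            rc=1
        fi
    done
    return $rc
}
```

Pipe a runbook through filter_readonly before sending it to the device; rejected lines go to stderr with their category, and the non-zero exit status stops the job rather than letting an "execute reboot" slip into a collection script.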
xsilver_FTNT
Staff

Q1:

Usually overlooked, but how about this?

config system auto-install

- enabled by default

- and so if a USB stick with a suitable FortiOS firmware image named "image.out" is present, that one will be installed on the next reboot

- similarly for the config, if named "fgt_system.conf"

- those above are the default names, but they are fully configurable under 'system auto-install'

Q2

It does not truly matter. USB speed depends on the version and might be faster, BUT part of the FortiOS upgrade is a reboot, and boot-up time depends on unit size; some units boot significantly slower and spend a lot of time in this phase, making even a difference of seconds between firmware upload methods insignificant in the total time of the operation.
But that depends heavily on unit type/size.

PS: I would suggest splitting the questions into separate, thematically related posts (like Q1+Q2, and separating those from Q3...)

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
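Both the accepted solution and the reply above describe the same mechanism: auto-install is on by default, so a USB stick holding image.out is installed at the next boot without further confirmation. The unit will install whatever image.out it finds, so the control that matters on the operator's side is verifying the image before it goes on the stick. The following POSIX shell script is an added example, not code from this thread or from Fortinet: it checks the downloaded image against a SHA-256 digest obtained out of band (for example from the download portal), copies it to the stick as image.out, re-verifies the copy, and refuses to proceed if the stick already carries an fgt_system.conf, because the same boot would apply that configuration too. The file names, mount point and digest in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): stage a FortiOS firmware image on a USB
# stick for auto-install, only after verifying it against an expected SHA-256.
# Paths and the expected digest are supplied by the caller (assumptions).
set -eu

# sha256_of FILE: print the SHA-256 digest, using sha256sum (Linux) or
# shasum (BSD/macOS), whichever is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image IMAGE EXPECTED_SHA256: 0 when the digest matches, 1 otherwise.
verify_image() {
    img=$1; expected=$2
    [ -f "$img" ] || { echo "missing image: $img" >&2; return 1; }
    actual=$(sha256_of "$img")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $img" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# stage_usb IMAGE EXPECTED_SHA256 MOUNTPOINT: copy a verified image to
# MOUNTPOINT/image.out (the default auto-install file name). Refuses an
# unverified image, refuses a stick that already carries fgt_system.conf
# (the same boot would load that configuration), and re-verifies the copy
# because a flaky stick can corrupt the write silently.
stage_usb() {
    img=$1; expected=$2; mnt=$3
    verify_image "$img" "$expected" || return 1
    [ -d "$mnt" ] || { echo "mount point not found: $mnt" >&2; return 1; }
    if [ -e "$mnt/fgt_system.conf" ]; then
        echo "refusing: $mnt/fgt_system.conf is present and would also be applied at boot" >&2
        return 1
    fi
    cp "$img" "$mnt/image.out"
    verify_image "$mnt/image.out" "$expected"
}
```

Usage: `stage_usb ./FGT_firmware.out <sha256-from-portal> /media/usb`, then sync and unmount the stick; the digest should come from a source other than the file itself, otherwise the check proves nothing.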

Network_Engineer

Thanks but no thanks.

Auto upgrade should be discouraged.
