ZTNA
Renante_Era
Staff
Article Id 286531
Description This article lists the commands and logs to collect when troubleshooting a ZTNA tagging issue that involves FortiGate, EMS, and FortiClient.
Scope FortiGate v7.0.12+, EMS v7.0.7+.
Solution

On the FortiGate CLI:

get system status
get system performance status
diagnose sys session stat
get system ha
diagnose firewall dynamic list
diagnose endpoint record list
diagnose endpoint ztna-shm list
diagnose endpoint fctems test-connectivity <EMS>
diagnose test application fcnacd 2
execute fctems verify <EMS>
diagnose debug crashlog read

Here <EMS> is the name of the EMS entry configured on the FortiGate. 'diagnose firewall dynamic list' shows the EMS tag dynamic addresses and the endpoint IPs currently resolved into each tag, and 'diagnose endpoint record list' shows the endpoint records received from EMS, so compare the two when a client is missing from a tag.
FCNAC (fcnacd is the FortiGate daemon that communicates with EMS and receives the endpoint and tag records):

diagnose debug reset
diagnose debug application fcnacd -1
diagnose debug console timestamp enable
diagnose endpoint filter show-large-data yes
diagnose debug enable

Disable debug:

diagnose debug disable
diagnose debug reset

WAD (the ZTNA proxy; set src to the client IP and dst to the server or access proxy IP of the failing connection to keep the output readable):

diagnose debug reset
diagnose wad filter src x.x.x.x
diagnose wad filter dst x.x.x.x
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose debug enable

Disable debug (and clear the WAD filter so it does not affect the next session):

diagnose debug disable
diagnose debug reset
diagnose wad filter clear

From v7.4.2, 'diagnose endpoint record list' has been changed to 'diagnose endpoint ec-shm list'.

From v7.6.0, the EMS tag is reflected in the forward traffic logs. Refer to the following document for more information: Include EMS tag information in traffic logs

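The following POSIX shell script is an added example and is not part of the Fortinet article. It assembles the non-interactive FortiGate checklist above, chooses between 'diagnose endpoint record list' and 'diagnose endpoint ec-shm list' from the FortiOS version (the v7.4.2 rename noted above), and runs the list over SSH into a timestamped file. It assumes key-based SSH access as an admin user, a FortiOS version given as plain dotted numbers as printed by 'get system status', and an EMS entry name matching the FortiGate configuration; the host admin@fgt.example.net and the entry name EMS1 are placeholders.

```sh
#!/bin/sh
# Added example, not from the Fortinet article: collect the FortiGate-side
# ZTNA tagging checklist over SSH. Placeholders: admin@fgt.example.net, EMS1.
# Assumes key-based SSH access and a plain dotted FortiOS version (e.g. 7.4.2).

# version_ge A B: exit 0 when dotted version A >= B, comparing each numeric
# component in turn; missing components count as 0 (so 7.4 < 7.4.2).
version_ge() {
    v1="$1."
    v2="$2."
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; v1=${v1#*.}
        p2=${v2%%.*}; v2=${v2#*.}
        p1=${p1:-0}; p2=${p2:-0}
        if [ "$p1" -gt "$p2" ]; then return 0; fi
        if [ "$p1" -lt "$p2" ]; then return 1; fi
    done
    return 0
}

# v7.4.2 renamed 'diagnose endpoint record list' to
# 'diagnose endpoint ec-shm list'; pick the right one for the target.
endpoint_record_cmd() {
    if version_ge "$1" 7.4.2; then
        echo "diagnose endpoint ec-shm list"
    else
        echo "diagnose endpoint record list"
    fi
}

# Print the non-interactive checklist for a FortiOS version and EMS entry name.
# The fcnacd and WAD debug sessions are interactive and deliberately left out;
# run those by hand while reproducing the issue.
fortigate_diag_commands() {
    version=$1
    ems=$2
    printf '%s\n' \
        "get system status" \
        "get system performance status" \
        "diagnose sys session stat" \
        "get system ha" \
        "diagnose firewall dynamic list" \
        "$(endpoint_record_cmd "$version")" \
        "diagnose endpoint ztna-shm list" \
        "diagnose endpoint fctems test-connectivity $ems" \
        "diagnose test application fcnacd 2" \
        "execute fctems verify $ems" \
        "diagnose debug crashlog read"
}

# Feed the checklist to the FortiGate over SSH and save the output.
# 'execute fctems verify' may prompt to accept an unverified EMS certificate;
# if it does, run that single command interactively instead.
collect_fortigate_diag() {
    target=$1     # placeholder, e.g. admin@fgt.example.net
    version=$2
    ems=$3
    out="fgt-ztna-diag-$(date +%Y%m%d-%H%M%S).txt"
    fortigate_diag_commands "$version" "$ems" | ssh -T "$target" > "$out"
    echo "$out"
}

# Dry run: sh collect.sh --print 7.4.2 EMS1   (prints the command list)
# Collect: sh collect.sh --run admin@fgt.example.net 7.4.2 EMS1
case "${1:-}" in
    --print) fortigate_diag_commands "$2" "$3" ;;
    --run)   collect_fortigate_diag "$2" "$3" "$4" ;;
esac
```

Keep the saved file together with the EMS and FortiClient logs from the same time window, since a tag mismatch is usually only explainable by lining up the endpoint record on the FortiGate against what EMS and the client reported at that moment.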

On the FortiClient, collect:

  1. The FortiClient UID (from the About page).
  2. The FortiClient diagnostic logs for that specific client, covering enough time to include the issue (typically 1-2 days, depending on the log file size).

On the EMS:
Collect these logs, preferably while debug mode is enabled on EMS. Note that EMS debug mode times out after 30 minutes, so the issue is not always easy to catch; reproduce it within that window where possible.

C:\Program Files (x86)\Fortinet\FortiClientEMS\logs
C:\Program Files (x86)\Fortinet\FortiClientEMS\Fcm\logs