
diagnose debug enable
diagnose debug flow show console enable
diagnose debug flow filter add 10.10.20.30
diagnose debug flow trace start 100


fg60cxadsl # diagnose sys session filter src 192.168.1.110
fg60cxadsl # diagnose sys session filter dport 80


Next it's time to clear the session by issuing the session clear command as follows:

fg60cxadsl # diagnose sys session clear

Step 3: Sniffer trace

Take a sniffer trace as per the following examples when running a constant ping (or TCP connection) from PC1 to PC2.
This will answer the following questions:
- Is traffic arriving to the FortiGate and does it arrive on the expected port?
- Is the ARP resolution correct for the targeted next-hop?
- Is the traffic exiting the FortiGate to the destination?
- Is the traffic sent back to the source?

FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4

or

FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4


Including the ARP protocol in the filter may be useful to troubleshoot a failure in the ARP resolution (for instance, PC2 may be down and not responding to the FortiGate ARP requests).

FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4


To stop the sniffer, type CTRL+C.

Step 4: Debug flow

Traffic should come in and leave the FortiGate. If not, proceed with a debug flow as follows:

diag debug enable
diag debug flow filter add <PC1>    or    diag debug flow filter add <PC2>
diag debug flow show console enable
diag debug flow trace start 100          <== this will display 100 packets for this flow
diag debug enable


To stop all other debug, type "diag debug flow trace stop".
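
The debug flow from Step 4 prints several lines per traced packet, so a saved console capture is easier to read once it is grouped by trace_id. The following Python sketch is an added example, not part of the original post: the line layout (trace_id, func, msg) and message wording are assumed from typical FortiOS output and vary by release, the sample capture is constructed, and `summarize` is a hypothetical helper name.

```python
import re

# Constructed sample capture (assumed layout; message wording differs between FortiOS releases).
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.10.20.30:1->10.10.30.40:2048) from port1. type=8, code=0, id=1, seq=0."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-10.10.30.40 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-5:"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.10.20.30:51000->10.10.30.40:80) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-10.10.30.40 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=614 msg="Denied by forward policy check (policy 0)"
'''

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+?)->(\S+?)\) from (\S+)\.(?:\s|$)')
ROUTE_RE = re.compile(r'find a route:.* via (\S+)')

def summarize(text):
    """Group debug-flow lines by trace_id and record path and verdict per packet."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # skip prompts, blank lines and unrelated debug output
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        t = traces.setdefault(tid, {"verdict": "unknown", "reason": None})
        if (p := PKT_RE.search(msg)):
            t.update(proto=int(p.group(1)), src=p.group(2),
                     dst=p.group(3), in_if=p.group(4))
        elif (r := ROUTE_RE.search(msg)):
            t["out_if"] = r.group(1)
        elif msg.startswith("Allowed by Policy-"):
            t.update(verdict="allowed", reason=msg.rstrip(":"))
        elif "denied" in msg.lower() or "drop" in msg.lower():
            # keep the function name: it shows which check rejected the packet
            t.update(verdict="dropped", reason=f"{func}: {msg}")
    return traces

if __name__ == "__main__":
    for tid, t in summarize(SAMPLE).items():
        print(tid, t.get("src"), "->", t.get("dst"), t.get("in_if"),
              "=>", t.get("out_if"), t["verdict"], t["reason"])
```

A trace left at "unknown" has neither an allow nor a drop message in the capture, which usually means the trace count ran out or the packet matched an existing session.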

Step 5: Session list

diag sys session filter src PC1
diag sys session list 

or 

diag sys session filter dst PC1
diag sys session list 

To clear all sessions corresponding to a filter:

diag sys session filter dst PC1
diag sys session clear

 

 
