Categories

  • Fortinet

Switch and Gate Serial Connections

  1. The FortiGates operate at 9600 8N1
  2. The FortiSwitches operate at 115200 8N1

Changing an interface running speed

Changing the speed of one port on the FortiGate changes the speed of every port in that port group to the same speed, so check which other ports share the group before doing this.

  1. config vdom
  2. edit <VDOM_NAME>
  3. config system interface
  4. edit port32
  5. set speed 10000full
  6. next
  7. press 'y' to confirm
  8. end

Checking FortiGate HA Synchronization

config vdom
edit <VDOM>
diagnose system ha status

Accessing the second FortiGate in an HA pair

config global
get system ha status
execute ha manage 1 <username>

Determine Switch Connection Status

execute switch-controller get-conn-status

Determine Switch Synchronization Status

To check the sync status of a switch you will first need the switch-id value from the get-conn-status command above.

execute switch-controller get-sync-status switch-id <Switch-id>

Diagnose MCLAG connectivity issues

Diagnostic commands must be run from the switch itself.

diag switch mclag icl

diag switch mclag list

Gathering Switch debug info

1. Gather PDU Counters

Run this command several times at 2-3 second intervals. It is used to detect control-packet loops or flooding, which show up as counters that keep climbing between runs, so a single snapshot is not enough. Do this on the switch that is causing the issue and on every switch connected to that switch.

diagnose switch pdu-counters list

2. Gather physical port line rates

Allow this to run for at least 1 minute so that enough data is gathered. Do this on the switch that is causing the issue and on every switch connected to that switch.

diagnose switch physical-ports linerate up

3. Diagnose ACL issues

On each mclag-icl switch, first find an unused switch port. Then check the switch ACL ingress config and create a test ACL entry on that port. If the entry can be created and then deleted, there are no ACL issues; the commands are below.

config switch acl ingress
edit <unused #>
set ingress-interface <switch port>
config action
set counter enable 
end
end
config switch acl ingress
delete <acl entry #>
end

4. Generate debug report

Run this command on each switch (especially the mclag-icl switches and the switches possibly causing the issue).

diag debug report

5. Check running process

Run this on each switch (especially the mclag-icl switches possibly causing the issue).

fn top

6. Check MCLAG peer consistency

This command is included in the diag debug report. Run it one more time on each mclag-icl switch and look for trunks reported as "mismatch". If there are mismatched trunks, run the second command against each mismatched trunk name.

diag switch mclag peer-consistency-check
diag switch mclag peer-consistency-check <mismatched trunk name>

7. Check FortiGate for crash data

execute switch-controller get-conn
diag debug crash read
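Step 1 above relies on eyeballing counters across several runs. The following added script (not part of the original page or of FortiOS) does the comparison for you: paste successive outputs of diagnose switch pdu-counters list into it and it flags any port whose control-PDU counters keep climbing at a high rate across every interval. The real FortiSwitch output columns are not reproduced on this page, so parse_sample() assumes a simple "port pdu-type count" whitespace table and the three sample snapshots are constructed; adapt the parser to the actual columns before use.

```python
"""Rate-of-change check over repeated 'diagnose switch pdu-counters list' samples.

Assumption (not the real FortiOS format): each line is 'port  pdu-type  count'.
"""
import re
from typing import Dict, List, Tuple

Counters = Dict[Tuple[str, str], int]   # (port, pdu_type) -> cumulative count

# Constructed sample output: three snapshots taken ~2-3 seconds apart, as the
# procedure recommends. port5 shows a runaway STP BPDU count (loop/flood symptom).
SAMPLES = [
    "port1 stp 120\nport1 lldp 40\nport5 stp 1000\nport5 lldp 40\n",
    "port1 stp 121\nport1 lldp 41\nport5 stp 9000\nport5 lldp 41\n",
    "port1 stp 122\nport1 lldp 42\nport5 stp 17500\nport5 lldp 42\n",
]
LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_sample(text: str) -> Counters:
    """Turn one snapshot into a {(port, pdu_type): count} map; unparseable lines are skipped."""
    out: Counters = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out[(m.group(1), m.group(2))] = int(m.group(3))
    return out


def flooding_ports(samples: List[Counters], interval_s: float = 2.5,
                   pps_threshold: float = 100.0) -> Dict[Tuple[str, str], float]:
    """Return counters whose packets-per-second rate exceeded the threshold in
    every consecutive pair of samples (a sustained flood, not a one-off burst),
    mapped to the highest rate observed."""
    flagged: Dict[Tuple[str, str], float] = {}
    for key in samples[0]:
        rates = []
        for prev, cur in zip(samples, samples[1:]):
            if key in prev and key in cur:
                rates.append((cur[key] - prev[key]) / interval_s)
        if rates and all(r > pps_threshold for r in rates):
            flagged[key] = max(rates)
    return flagged


if __name__ == "__main__":
    parsed = [parse_sample(s) for s in SAMPLES]
    for (port, pdu), rate in sorted(flooding_ports(parsed).items()):
        print(f"{port}: {pdu} PDUs at ~{rate:.0f} pps -> check for a control-plane loop")
```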

Add/Edit 802.1x Security Policy

802.1X policies can only be created or edited from the CLI. Once a policy has been configured, it can be assigned to a switch port from either the CLI or the GUI.

config vdom
edit <VDOM>
config switch-controller security-policy 802-1X
show
edit <Policy name>

Debug 802.1X Authentication Errors at the Switch

In the event that you are experiencing 802.1X authentication errors, first check the logs of your RADIUS server. In this case FortiAuthenticator (FortiAuth) is the RADIUS server, so check its debug logs for RADIUS authentication messages.

If the authentication is successful you should see a message:

”"”802.1x authentication successful”””

If the RADIUS server shows successful authentication messages but the client still fails to authenticate, you must check at the switch level.

  1. SSH into the switch that the user is physically connected to.
  2. Run diag debug enable
  3. Run diag debug application fnbamd 255
  4. Connect the client again and you will see the full list of authentication messages
  5. Run diag debug disable when you are finished.