By Manny Fernandez

March 6, 2020

Debugging Fortigate GUI from the CLI

Have you ever gotten a strange failure in the FortiGate GUI?  It is sometimes unclear what the issue is or what caused the error.  FortiOS has a debug command that can help you track down the “unidentifiable” error.  The other use case where this debug method comes in handy is when you upload a configuration script via the GUI and it fails.  Sometimes the import fails but the objects you imported are still available inside the GUI, and I always wonder whether it actually worked or not.

Let's get started:

Let's start by entering the following commands from an SSH or console connection:

diag debug cli 8
diag debug enable

Note: The diag debug cli X levels range from 1 to 8.  The higher the number, the higher the verbosity of the output.

Manually Editing from Within the GUI

[Screenshot 2020-03-05_23-06-40]

Above, I edited Interface 22, added an alias and an IP address, and modified the administrative access.

LAB-FW-01 # 0: config system interface
0: edit "port22"
0: set ip 13.1.1.1 255.255.255.0
0: set allowaccess https ssh http
0: set alias "10GB-Internet"
0: end
0: config system interface
0: edit "port22"
0: config ipv6
0: end
0: end
write config file success, prepare to save in flash
[__create_file_new_version:263] the new version config file '/data/./config/global_system_interface.gz.v000000240' is created
[symlink_config_file:330] a new version of '/data/./config/global_system_interface.gz' is created: /data/./config/global_system_interface.gz.v000000240
[symlink_config_file:373] the old version '/data/./config/global_system_interface.gz.v000000239' is deleted
[symlink_config_file:376] '/data/./config/global_system_interface.gz' has been symlink'ed to the new version '/data/./config/global_system_interface.gz.v000000240'. The old version '/data/./config/global_system_interface.gz.v000000239' has been deleted
zip config file /data/./config/global_system_interface.gz success!
diag deb dis

Above, you can see that the GUI is basically running the CLI commands in the background.  Additionally, you can see how the FortiGate handles the config file as the changes are made: since the concept of a commit does not exist (it was only added later, and is not enabled by default), the changes are applied immediately.

[Screenshot 2020-03-05_23-06-27]

I attached the screenshot so you can see the full output.

NOTE: When I ran diag debug cli 7, the output was the same except for the bottom section: the config file specifics are not displayed.

Running Scripts from the GUI

This is something I do a lot of.  I have written many articles here on the Monkey where I ran the scripts from inside the FortiGate GUI.  Sometimes, though, I get a failure error but no stdout, so it becomes complicated to figure out where the script failed.

In the following example, I purposely modified the script so it would fail.  I did this by setting the interface's subnet mask to 255.25.255.2, which is obviously incorrect.

config system interface
   edit "port22"
   set ip 13.1.1.1 255.255.255.2
   set allowaccess https ssh http
   set alias "10GB-Internet"
end

I named this file wrong-script and connected to the GUI.

To get to the script section in 6.2.3 …

[Screenshot 2020-03-05_23-49-56]

  1. Choose the username on the top right of the GUI.
  2. Then choose Configuration.
  3. Then choose Script.

Previous versions have the scripts under System, then Advanced, and finally Configuration Scripts.

You will then be presented with a screen asking you to upload the file (see below).

[Screenshot 2020-03-05_23-19-02]

Next, we are going to browse to the location of the file (in my case, ~Desktop).

[Screenshot 2020-03-05_23-18-48]

Select the file (e.g. wrong-script) and click Open.

[Screenshot 2020-03-05_23-19-23]

Now you will see that the file we created, wrong-script, is selected in the Select file section.

[Screenshot 2020-03-05_23-20-05]

When we run the script, we see the infamous error, with no explanation.  However, when we go back to the CLI where we ran diag deb cli 8, we should be able to see the error.

[Screenshot 2020-03-05_23-21-27]

LAB-FW-01 # 0: config system interface
0: edit "port22"
-9: set ip 13.1.1.1 255.255.255.2
0: set allowaccess https ssh http
0: set alias "10GB-Internet"
0: end

As you can see in the screenshot and in the snippet, the line prefixed with -9 is the one that has the error (every line that succeeded is prefixed with 0).  Obviously, that line contains an error in the subnet mask.
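As an added example (this is not code from the original post or from Fortinet), here is a small Python script that parses captured output in the "<return code>: <command>" format shown above and reports every command that returned a non-zero code, together with the config/edit context it ran in.  The sample it parses is constructed to match the snippet above; the return-code semantics (0 = success, non-zero = failure) are assumed from the output shown on this page.

```python
import re
from typing import List, Tuple

# Constructed sample in the format "diag debug cli 8" prints while a GUI script
# is applied; the prompt may be fused onto the first line, as on the page.
SAMPLE_DEBUG = """\
LAB-FW-01 # 0: config system interface
0: edit "port22"
-9: set ip 13.1.1.1 255.255.255.2
0: set allowaccess https ssh http
0: set alias "10GB-Internet"
0: end
"""

# "<rc>: <cli command>", optionally preceded by a "<hostname> # " prompt.
LINE_RE = re.compile(r'^(?:\S+\s+#\s+)?(-?\d+):\s+(.*)$')


def parse_cli_debug(text: str) -> List[Tuple[int, str]]:
    """Return (return_code, command) for every recognised debug line."""
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            parsed.append((int(m.group(1)), m.group(2)))
    return parsed


def failed_commands(text: str) -> List[Tuple[int, int, str, List[str]]]:
    """Return (line_no, rc, command, context) for each command with rc != 0.
    context is the list of config/edit lines open when the command ran."""
    failures = []
    context: List[str] = []
    for line_no, (rc, cmd) in enumerate(parse_cli_debug(text), start=1):
        if rc != 0:
            failures.append((line_no, rc, cmd, list(context)))
            continue
        # Only successful commands change the config context.
        if cmd.startswith("config ") or cmd.startswith("edit "):
            context.append(cmd)
        elif cmd == "next" and context:
            context.pop()
        elif cmd == "end":
            # 'end' closes the innermost config block and any open edit in it.
            while context and not context[-1].startswith("config "):
                context.pop()
            if context:
                context.pop()
    return failures


if __name__ == "__main__":
    for line_no, rc, cmd, ctx in failed_commands(SAMPLE_DEBUG):
        print(f"line {line_no}: rc={rc} in [{' > '.join(ctx)}]: {cmd}")
```

Paste your own captured session into SAMPLE_DEBUG (or read it from a file) to locate the failing line of a longer script without scrolling through the whole debug output.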

Hope this helps.

