Debugging Fortigate GUI from the CLI

Have you ever gotten a strange failure in the Fortigate GUI?  It is sometimes unclear to see what the issue is or what caused the error.  FortOS has a debug command that can help you track down the “unidentifiable” error.  The other use case where this debug method comes in handy, is when you are uploading a configuration script via the GUI and you get a failure.  Sometimes, the import fails but you still have the objects you imported available inside the GUI.  I always wonder if it actually worked or not.

Lets get started:

Lets start by entering the commands from an SSH or Console connection

diag debug cli 8 
diag debug enable

Note: The diag debug cli X options are from 1 - 8 .  The higher the number the higher the verbosity in the output.

Manually Editing from Within the GUI

Above, I edited Interface 22 and added an alias, and IP address, and modified the Administrative access

LAB-FW-01 # 0: config system interface
0: edit "port22"
0: set ip 13.1.1.1 255.255.255.0
0: set allowaccess https ssh http
0: set alias "10GB-Internet"
0: end
0: config system interface
0: edit "port22"
0: config ipv6
0: end
0: end
write config file success, prepare to save in flash
[__create_file_new_version:263] the new version config file '/data/./config/global_system_interface.gz.v000000240' is created
[symlink_config_file:330] a new version of '/data/./config/global_system_interface.gz' is created: /data/./config/global_system_interface.gz.v000000240
[symlink_config_file:373] the old version '/data/./config/global_system_interface.gz.v000000239' is deleted
[symlink_config_file:376] '/data/./config/global_system_interface.gz' has been symlink'ed to the new version '/data/./config/global_system_interface.gz.v000000240'. The old version '/data/./config/global_system_interface.gz.v000000239' has been deleted
zip config file /data/./config/global_system_interface.gz success!
diag deb dis

Above, you can see where the GUI is basically running the CLI commands in the background.  Additionally, you can see how the FortiGate handles the config file as the changes are made.  Since the concept of Commit does not exist (or did not exist until later on and not by default), the changes are made at once.

I attached the screenshot so you can see the full output.

NOTE: When I ran the diag debug cli 7 the output was the same save for the bottom section.  The config file specifics are not displayed.

Running Scripts from the GUI

This is something I do a lot of.  I have written many articles here on the Monkey where I ran the scripts from inside the FortiGate GUI.  Sometimes though, I get a failure error but I do not get a stdout so it becomes complicated to figure out where the script failed.

In the following example, I purposely modified the script so it would fail.  I did this by choosing a subnet mask for the interface as 255.25.255.2 which obviously is incorrect.

config system interface
   edit "port22"
   set ip 13.1.1.1 255.255.255.2
   set allowaccess https ssh http
   set alias "10GB-Internet"
end

I named this file wrong-script and connected to the GUI.

To get to the script section in 6.2.3 …

1. Choose the Username on the top right of the GUI.
2. Then choose Configuration
3. Then choose Script

Previous versions has the scripts under System then Advanced and finally Configuration Scripts.

You will then be presented with a screen asking you to upload the file (see below)

Next we are going to browse to the location of the file (in my case, ~Desktop)

Select the file (e.g. wrong-script) and click Open

Now you will see the file we created wrong-script is selected in the Select file section.

When we run the script, we see the infamous error, with no explanation.  However when we go back to the CLI where we ran our diag deb cli 8 we should be able to see the error.

LAB-FW-01 # 0: config system interface
0: edit "port22"
-9: set ip 13.1.1.1 255.255.255.2
0: set allowaccess https ssh http
0: set alias "10GB-Internet"
0: end

As you can see in the screenshot and the snippet represented by the -9 , this section is the one that has the error.  Obviously, we can see line contains and error in the subnet mask.

Hope this helps.