07. Diagnostics And Troubleshooting Flashcards

1
Q

FMG behind NAT default settings

A

Only FortiManager can discover a new device.
If the FGFM tunnel is torn down, only FortiManager tries to reestablish the FGFM tunnel.
By default, the NATed FortiManager IP address is not configured on FortiGate central management.

2
Q

FMG behind NAT best practice

A

Configure the FortiManager NATed IP address on FortiGate under the central management configuration.
This allows FortiGate to announce itself to FortiManager and try to reestablish the FGFM tunnel if it is torn down.

On FGT:
config system central-management
set fmg {FMG NATed IP address}
end

On FMG:
config system admin setting
set mgmt-addr {FMG NATed IP address}
end

If you configure the FortiManager NATed IP address under the FortiManager system administrator settings, FortiManager sets this address on FortiGate during the discovery process.

3
Q

FortiGate behind NAT

A

FortiManager can discover FortiGate through the FortiGate NATed IP address.
FortiGate can also announce itself to FortiManager.

If the FGFM tunnel is torn down, only FortiGate attempts to reestablish the connection.
FortiManager treats the NATed FortiGate as an unreachable device and doesn't attempt to reestablish the FGFM tunnel.

4
Q

FMG and FGT behind NAT

A

The FortiGate device is discovered by FortiManager through the FortiGate NATed IP address.

FortiManager does not attempt to reestablish the FortiGate to FortiManager (FGFM) tunnel to the FortiGate NATed IP address if the FGFM tunnel is interrupted.
If the FortiManager NATed IP address is configured on FortiGate under the central management configuration, FortiGate tries to reestablish the FGFM tunnel if it is torn down.

5
Q

FGFM keepalive messages

A

Only FortiGate sends keepalive messages, regardless of which side initiated the FGFM tunnel.

Keepalive messages include configuration checksums.

The messages also show the IPS version of the FortiGate device.

6
Q

Keepalive message includes

A

fgfm-sock-timeout: the maximum FortiManager or FortiGate communication socket idle time, in seconds.

fgfm_keepalive_itvl: the interval at which FortiGate sends a keepalive signal to a FortiManager device to keep the FortiManager or FortiGate communication protocol active.

7
Q

When is the FGFM tunnel torn down?

A

If there are no responses to the keepalive messages for the duration of the sock timeout value.

8
Q

FGFM debug on FGT

A

diag debug application fgfmd 255
diag debug enable

Shows keepalive messages.

9
Q

FGFM debug on FMG

A

diag debug application fgfmsd 255
diag debug enable

Shows keepalive messages.

10
Q

Recovery logic FMG

A

For each installation, FortiManager sends the following commands to the managed FortiGate device:
• Set commands, needed to apply the configuration changes
• A test of the FGFM tunnel
• Unset commands, to recover the configuration changes if the tunnel is down

11
Q

Recovery logic FGT

A

When applying changes, FortiGate:
• Applies the set commands, using memory only; nothing is written to a configuration file
• Tests the FGFM connection to FortiManager
If the connection fails to reestablish, FortiGate applies the unset commands after 15 minutes (not configurable and not based on the sock timeout values).

Optional configuration on FortiManager (disabled by default):

config system dvm
set rollback-allow-reboot enable
end

If the connection remains down, and rollback-allow-reboot is enabled on FortiManager, FortiGate reboots to recover the previous configuration from its configuration file.

12
Q

Replace a standalone managed device (RMA)

A

Manually change the serial number of the faulty device to the serial number of the replacement device on FortiManager. Then, redeploy the configuration.

13
Q

Replacing a FortiGate cluster member

A

FortiManager learns the new serial number through the FGFM tunnel.

14
Q

Steps to replace a managed device

A

1. Note the original FGT device name:
diag dvm device list
2. Update the serial number:
exe device replace sn <dev> <new>
3. Verify that the serial number was updated on the FMG side:
diag dvm device list
4. Send a registration request from the replaced FGT.
5. If connectivity fails after you update the serial number, you might need to reclaim the management tunnel:
exe fgfm reclaim-dev-tunnel <optional device name>

Note that the replacement FortiGate should not contact FortiManager before the execute device replace sn <devname> <serialnum> command is run. If it does, you will have to delete the unregistered device entry prior to rerunning the command.

15
Q

What happens if you reclaim the management tunnel without specifying a device name?

A

exe fgfm reclaim-dev-tunnel

FortiManager tries to reclaim the tunnels from all managed devices.

16
Q

If FMG is behind NAT, which step is recommended?

A. Configure the NATed IP address of FMG with the set mgmt-addr command under config system admin setting
B. Configure the NATed IP address on FortiGate

A

A. Configure the NATed IP address of FMG with the set mgmt-addr command under config system admin setting

17
Q

What does the fgfm-sock-timeout command do?

A. It sets the idle timeout for communication between FMG and FGT
B. It sets the idle timeout for communication between FMG and the public FortiGuard server

A

A. It sets the idle timeout for communication between FMG and FGT

18
Q

CLI commands to confirm that the FGFM tunnel is up

A

diag fgfm session-list
diag dvm device list

19
Q

CLI command to read the crash log

A

diag debug crashlog read

20
Q

diag sniffer packet command on FMG

A

Unlike FGT, FortiManager supports only verbose options 1, 2, and 3.

21
Q

Partitions on FortiManager

A

• /dev/shm is used as shared memory.
• /tmp is the temporary file storage file system.
• /data is the pointer to the flash disk partition.
• /var is used for FortiManager database storage.
• /drive0 is used for the FortiAnalyzer archives and postgres database.
• /Storage is used for FortiAnalyzer log and report storage.

View the partitions with the diagnose system print df command.

22
Q

Processes status

A

Check for any locked processes.

On an idle system, no process should be locked.

diag dvm lock

23
Q

Stuck process or task

A

diag dvm proc list

Task 81 (pending) 1 lines, 0% done

Cancel or delete the pending (stuck) task from Task Monitor on the System Settings pane.

24
Q

Show current debug settings

A

diag debug info

25
Q

Reset debug settings to defaults

A

diag debug reset

26
Q

Debug device-level operations such as the register, delete, auto-update, refresh, and resend processes

A

diag debug application dmapi 255

27
Q

Debug the ADOM-to-device database copy process and the import of policy packages

A

diag debug application securityconsole 255

28
Q

Debug the registration and install processes, including CLI scripts run directly on devices, retrieves, and revision history

A

diag debug application depmanager 255
diag debug dpm conf-trace enable

29
Q

Best practice before performing a firmware upgrade

A

Make sure all administrators are logged off, and perform database integrity checks.

30
Q

What if an integrity issue can't be resolved?

A

If you cannot resolve a data integrity issue, you can perform a factory reset on FortiManager, and then restore the configuration using a good backup configuration.

31
Q

What command can you use to sniff FGFM communication between FMG and FGT?

A. diag sniffer packet any "port 8113" 3
B. diag sniffer packet any "port 541" 3

A

B. diag sniffer packet any "port 541" 3

32
Q

Which statement about FMG best practices is true?

A. To shut down FMG, always do a graceful shutdown by running the exe shutdown CLI command
B. To shut down FMG, unplug the power cable

A

A. To shut down FMG, always do a graceful shutdown by running the exe shutdown CLI command

33
Q

How to see which templates are applied to a particular device

A

Check the Provisioning Templates widget, or the individual device's Configuration and Installation Status widget.

34
Q

Display the whole device configuration

A

exe fmpolicy print-device-database

Displays the device configuration, including device-level changes made from FortiManager. It does not display the changes caused by applying the system template. Also, ADOM-level configuration changes made from FortiManager, such as firewall policies and objects, are not displayed. These changes are applied (copied) to the device-level database at installation.

35
Q

Display an individual object's configuration

A

exe fmpolicy print-device-object

Does not display any ADOM-level (firewall policy and related objects) changes made from FMG.

36
Q

View the policies and objects at the ADOM level

A

exe fmpolicy print-adom-database
exe fmpolicy print-adom-package
exe fmpolicy print-adom-object

37
Q

If you view the policies for the Local-FortiGate at the device level, is the newly configured firewall policy shown?

A

At the device level, ADOM-level (firewall policy and related objects) configuration changes that have been made from FortiManager are not displayed until after the Policy & Objects installation is performed.

38
Q

Which command is useful when troubleshooting ADOM-level issues?

A. execute fmpolicy print-device-object
B. execute fmpolicy print-adom-database

A

B. execute fmpolicy print-adom-database

39
Q

Which FGT configuration setting is part of the device-level database on FMG?

A. Routing
B. Firewall policies

A

A. Routing

40
Q

What happens when you execute the reload failure command?

A

FortiManager connects to FortiGate and downloads its configuration file. Then, FortiManager performs a reload operation on the device database.

There are two possible outcomes:
- If there are no errors in the FortiGate configuration, the reload is successful, and the device-level database is updated with the FortiGate configuration. However, note that a new revision history entry is not created.
- If there are errors in the FortiGate configuration, the output of the reload command indicates the point in the configuration at which the device-level database failed to update.

41
Q

What is a failed reload?

A

An operation that fails to update the device-level database from the revision history database.

Typically caused by an inconsistent or failed FortiGate configuration.

42
Q

Troubleshooting a reload failure

A

diag test deploymanager reloadconf {dev id}

Get the device ID from the diag dvm device list output.

43
Q

Dynamic mapping for an address object

A

FortiManager can create a dynamic mapping for an address object, if the address object name is the same, but contains a different value locally.
However, there is one restriction—the associated interface cannot be different. This is because, at the ADOM level, this address object might be used by other policy packages, which might not have the same interfaces.

44
Q

How to approach import issues

A
  1. Verify that policies and objects have been imported into the ADOM database (no failures).
  2. Check the downloaded import report for the reason for the failed import.
  3. If local logging is set to debug level, the local event logs will contain the failed import details.

45
Q

Installation of a policy package with failed import objects

A

If you attempt to install it using the installation wizard for Policy & Objects, FortiManager deletes the failed objects and policies. This is because the policy package is not aware of missing or failed policies and objects.

46
Q

Ways to fix failed import issues due to interface binding

A
  1. You can remove the interface binding to make it the same as the FortiManager ADOM object.
  2. If there is a need to keep the interface binding for the FortiGate that is having issues with a partial policy import, you can rename the address object to a unique name that is not part of the ADOM database.

In either case, run a script from FortiManager using the Remote FortiGate Directly (Via CLI) option, or log in to FortiGate locally to make the configuration change.

47
Q

Copy operation during installation

A

The copy operation is the first operation that FortiManager performs, before the actual installation.
It is the operation in which FortiManager tries to copy the ADOM-level objects or policies to the device database. It is the opposite of the import operation.

48
Q

What is the reason for a copy failure? What to check to identify the issue

A

Copy failure issues are usually caused by having incorrect or missing object dependencies when copying from the ADOM database to the device database. The incorrect or missing object dependencies are caused by corruption or inconsistencies in the FortiManager database.

The View Progress Report section helps you identify the cause of the failure.

49
Q

Default behaviour when copy failure happens

A

When a copy failure happens, the device database is restored to its original state, prior to the copy attempt.

50
Q

3 main reasons why installation may fail

A
  1. An ADOM and FGT version mismatch
  2. Incorrect object attribute modification caused by an ADOM version upgrade
  3. Incorrect order of operations on FMG

51
Q

What is the Remote Original value?

A

The value configured on FGT after the installation attempt.

52
Q

What is the To Be Installed value?

A

The value that was expected to be installed based on the changes from FMG.

53
Q

What does the verification report show?

A

The differences between the configuration that was expected to be installed and what was installed on the FortiGate device.

54
Q

Failed installation resolution

A

First, verify that the FortiGate version is the same as, or supported by, the ADOM version.
If the FortiGate version is not supported by the ADOM version, or if FortiManager doesn’t support some FortiGate CLI features, then:
1. Move the FortiGate device to the supported ADOM, or use the script to resolve the issue.
2. Perform the installation again.

If the ADOM version is correct or the ADOM upgrade was performed, then:
1. Retrieve the FortiGate configuration so that FortiManager updates the device database with the correct syntax.
2. Make a small device-level change and install it to ensure that there is not a device-database issue.
• If the installation is unsuccessful, check and fix the device-level settings.
• If the installation is successful, check and, if needed, recreate the object or policy.
3. Perform the installation again.

As a last resort, to isolate and fix the installation failure issues, you can:
1. Create a new ADOM with matching firmware on FortiGate.
2. Move FortiGate to the new ADOM.
3. Retrieve the configuration and import policy packages.
4. Recreate the object or policy from the FortiManager GUI (if supported), or using a script, and perform the installation.

55
Q

What does the status Copy Failed indicate?

A. An operation that failed to copy the device database from revision history
B. An operation that failed to copy an ADOM-level policy or object to the device database

A

B. An operation that failed to copy an ADOM-level policy or object to the device database

56
Q

An admin configured a new policy on FMG and has not pushed the changes to the managed FGT. In which DB will the changes be saved?

A. ADOM level database
B. Device level database

A

A. ADOM level database