07. Diagnostics And Troubleshooting Flashcards
FMG behind NAT: default settings
Only FortiManager can discover a new device.
If the FGFM tunnel is torn down, only FortiManager tries to re-establish it.
By default, the NATed FortiManager IP address is not configured on FortiGate under central management.
FMG behind NAT: best practice
Configure the FortiManager NATed IP address on FortiGate under the central management configuration.
This allows FortiGate to announce itself to FortiManager and to try to re-establish the FGFM tunnel if it is torn down.
On FortiGate:
config system central-management
    set fmg <FMG NATed IP address>
end
On FortiManager:
config system admin setting
    set mgmt-addr <FMG NATed IP address>
end
If you configure the FortiManager NATed IP address under the FortiManager system admin settings, FortiManager sets this address on FortiGate during the discovery process.
FortiGate behind NAT
FortiManager can discover FortiGate through the FortiGate NATed IP address.
FortiGate can also announce itself to FortiManager.
If the FGFM tunnel is torn down, only FortiGate attempts to re-establish the connection.
FortiManager treats the NATed FortiGate as an unreachable device and does not attempt to re-establish the FGFM tunnel.
FMG and FGT behind NAT
The FortiGate device is discovered by FortiManager through the FortiGate NATed IP address.
FortiManager does not attempt to re-establish the FGFM tunnel to the FortiGate NATed IP address if the tunnel is interrupted.
If the FortiManager NATed IP address is configured on FortiGate under the central management configuration, FortiGate tries to re-establish the FGFM tunnel if it is torn down.
FGFM keepalive messages
Only FortiGate sends keepalive messages, regardless of which side initiated the FGFM tunnel.
The keepalive messages include the configuration checksums.
The messages also show the IPS version of the FortiGate device.
Settings that govern the keepalive:
fgfm-sock-timeout: the maximum idle time, in seconds, of the FortiManager/FortiGate communication socket.
fgfm_keepalive_itvl: the interval at which FortiGate sends a keepalive to FortiManager to keep the FGFM protocol active.
When the FGFM tunnel is torn down
When there are no responses to the keepalive messages for the duration of the fgfm-sock-timeout value.
FGFM debug on FortiGate
diagnose debug application fgfmd 255
diagnose debug enable
Shows the keepalive messages.
FGFM debug on FortiManager
diagnose debug application fgfmsd 255
diagnose debug enable
Shows the keepalive messages.
Recovery logic: FortiManager
For each installation, FortiManager sends the following to the managed FortiGate device:
• Set commands, needed to apply the configuration changes
• A test of the FGFM tunnel
• Unset commands, to revert the configuration changes if the tunnel is down
Recovery logic: FortiGate
When applying the changes, FortiGate:
• Applies the set commands in memory only; nothing is written to the configuration file
• Tests the FGFM connection to FortiManager
If the connection fails to re-establish, FortiGate applies the unset commands after 15 minutes (not configurable, and not based on the fgfm-sock-timeout value).
Optional setting on FortiManager (disabled by default):
config system dvm
    set rollback-allow-reboot enable
end
If the connection remains down and rollback-allow-reboot is enabled on FortiManager, FortiGate reboots to recover the previous configuration from its configuration file.
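To make the keepalive timer (FGFM keepalive messages card) and the install-recovery timeline (recovery logic cards) concrete, here is an added Python model written for this page; it is example code, not FortiGate or FortiManager code. It assumes a 120-second keepalive interval and a 360-second socket timeout purely for illustration (the cards name the settings but not their defaults), keeps the 15-minute unset delay fixed as the page describes, and models the rollback-allow-reboot decision as happening at the same instant as the unset, which is an assumption of the model. The scenario in the main block is constructed.

```python
"""Model of the FGFM keepalive/idle-timeout logic and FortiGate's install-recovery
logic. Example code written for this page; not FortiGate or FortiManager code."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Timer values are ASSUMED for illustration; the page names the settings but not
# their defaults. Only FortiGate sends keepalives, regardless of who built the tunnel.
FGFM_KEEPALIVE_ITVL = 120   # seconds between FortiGate keepalives (fgfm_keepalive_itvl)
FGFM_SOCK_TIMEOUT = 360     # idle seconds before the tunnel is torn down (fgfm-sock-timeout)
ROLLBACK_DELAY = 15 * 60    # unset commands run 15 minutes after a failed tunnel test (fixed)


def unanswered_keepalives_before_teardown(itvl: int = FGFM_KEEPALIVE_ITVL,
                                          timeout: int = FGFM_SOCK_TIMEOUT) -> int:
    """How many keepalives go unanswered (after the last reply) before the socket
    idle timer expires. Useful when reading 'diagnose debug application fgfmd' output."""
    return (timeout + itvl - 1) // itvl   # ceiling division


@dataclass
class FgfmTunnel:
    """FortiGate-side view of the FGFM tunnel, driven one second at a time."""
    keepalive_itvl: int = FGFM_KEEPALIVE_ITVL
    sock_timeout: int = FGFM_SOCK_TIMEOUT
    last_response: int = 0            # time of the last answered keepalive/test
    down_at: Optional[int] = None     # when the tunnel was declared down, if ever
    unanswered: int = 0               # consecutive unanswered keepalives

    def tick(self, now: int, fmg_answers: bool) -> Optional[bool]:
        """Advance to second `now`. On a keepalive boundary send a keepalive and
        return whether it was answered; between keepalives return None. A reply
        (re-)establishes the tunnel; sock_timeout idle seconds tear it down."""
        sent = None
        if now % self.keepalive_itvl == 0:
            sent = fmg_answers
            if fmg_answers:
                self.last_response, self.unanswered, self.down_at = now, 0, None
            else:
                self.unanswered += 1
        if self.down_at is None and now - self.last_response >= self.sock_timeout:
            self.down_at = now
        return sent


def run_install(fmg_answers_at: Callable[[int], bool],
                rollback_allow_reboot: bool = False) -> Tuple[str, List[Tuple[int, str]]]:
    """Simulate FortiGate's recovery logic from t=0, the moment the set commands are
    applied in memory. `fmg_answers_at(t)` says whether the FGFM test/keepalive sent
    at second t is answered (it can model the install itself cutting the path to
    FortiManager). Returns ('committed' | 'rolled_back' | 'rebooted', timeline)."""
    tunnel = FgfmTunnel()
    timeline: List[Tuple[int, str]] = []
    for now in range(ROLLBACK_DELAY + 1):
        answered = tunnel.tick(now, fmg_answers_at(now))
        if answered:
            timeline.append((now, "FGFM test answered: install confirmed, set commands kept"))
            return "committed", timeline
        if answered is False:
            timeline.append((now, f"keepalive unanswered ({tunnel.unanswered})"))
        if tunnel.down_at == now:
            timeline.append((now, "tunnel declared down: idle >= fgfm-sock-timeout"))
    # 15 minutes without a successful FGFM test: the unset commands revert the change.
    timeline.append((ROLLBACK_DELAY, "unset commands applied (memory only)"))
    if rollback_allow_reboot:
        # ASSUMPTION: modelled at the same instant as the unset; the page only says the
        # reboot happens if the connection remains down and the option is enabled.
        timeline.append((ROLLBACK_DELAY, "rollback-allow-reboot: reboot, config reloaded from file"))
        return "rebooted", timeline
    return "rolled_back", timeline


if __name__ == "__main__":
    # Constructed scenario: the pushed change breaks the route to FortiManager and a
    # network fix restores it 20 minutes later, i.e. after the 15-minute window.
    outcome, events = run_install(lambda t: t >= 1200, rollback_allow_reboot=True)
    print(outcome)
    for t, what in events:
        print(f"t={t:4d}s  {what}")
```

The point the model makes visible: a change that only breaks the FGFM path for a few minutes is still committed, because a later answered keepalive counts as the tunnel re-establishing, whereas anything that keeps FortiManager unreachable past the fixed 15-minute mark is reverted regardless of how fgfm-sock-timeout is set.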
Replacing a standalone managed device (RMA)
Manually change the serial number of the faulty device to the serial number of the replacement device on FortiManager, then redeploy the configuration.
Replacing a FortiGate cluster member
FortiManager learns the new serial number through the FGFM tunnel.
Steps to replace a managed device
1. Note the original FortiGate device name:
diagnose dvm device list
2. Update the serial number:
execute device replace sn <device name> <new serial number>
3. Verify that the serial number was updated on the FortiManager side:
diagnose dvm device list
4. Send a registration request from the replacement FortiGate.
5. If connectivity fails after you update the serial number, you might need to reclaim the management tunnel:
execute fgfm reclaim-dev-tunnel <device name (optional)>
Note that the replacement FortiGate should not contact FortiManager before the execute device replace sn <devname> <serialnum> command is run. If it does, you will have to delete the unregistered device entry before rerunning the command.
What happens if you reclaim the management tunnel without specifying a device name?
execute fgfm reclaim-dev-tunnel
FortiManager tries to reclaim the tunnels from all managed devices.
If FMG is behind NAT, which step is recommended?
A. Configure the NATed IP address of FMG with the set mgmt-addr command under config system admin setting
B. Configure the NAT IP address on FortiGate
A. Configure the NATed IP address of FMG with the set mgmt-addr command under config system admin setting
What does the fgfm-sock-timeout setting do?
A. It sets the idle timeout for communication between FMG and FGT
B. It sets the idle timeout for communication between FMG and the public FortiGuard servers
A. It sets the idle timeout for communication between FMG and FGT
CLI commands to confirm the FGFM tunnel is up
diagnose fgfm session-list
diagnose dvm device list
CLI command to read the crash log
diagnose debug crashlog read
diagnose sniffer packet command on FMG
Unlike FortiGate, FortiManager supports only verbose levels 1, 2, and 3.
Partitions on FortiManager
• /dev/shm is used as shared memory.
• /tmp is the temporary file storage file system.
• /data is the pointer to the flash disk partition.
• /var is used for FortiManager database storage.
• /drive0 is used for the FortiAnalyzer archives and the postgres database.
• /Storage is used for FortiAnalyzer log and report storage.
View the partitions with the diagnose system print df command.
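As an added example for the partition card above (example code written for this page, not Fortinet's), here is a small Python checker that parses df-style output such as what diagnose system print df prints, computes usage the way df does, and flags partitions near capacity together with the role they play on FortiManager. It assumes the standard six-column df layout (Filesystem, 1K-blocks, Used, Available, Use%, Mounted on); the sample output embedded below is constructed, not captured from a real unit, and the threshold of 85% is an arbitrary choice.

```python
"""Parse 'diagnose system print df' style output and flag FortiManager partitions
that are running out of space. Example code written for this page, not Fortinet code.
Assumes the standard df column layout; the sample below is constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Roles taken from the partition card above; used to explain what a full partition hits.
PARTITION_ROLES = {
    "/dev/shm": "shared memory",
    "/tmp": "temporary file storage",
    "/data": "pointer to the flash disk partition",
    "/var": "FortiManager database storage",
    "/drive0": "FortiAnalyzer archives and postgres database",
    "/Storage": "FortiAnalyzer log and report storage",
}

# Constructed sample in df's 1K-block format (not real FortiManager output).
SAMPLE_DF = """\
Filesystem      1K-blocks      Used Available Use% Mounted on
/dev/root         1015704    680000    283000  71% /
/dev/shm          8145716         0   8145716   0% /dev/shm
tmpfs             8145716     10244   8135472   1% /tmp
/dev/sda1         1015704    523000    441000  55% /data
/dev/sdb1       104857600  96468992   8388608  92% /var
/dev/sdb2       209715200 188743680  20971520  90% /drive0
/dev/sdc1      1048576000 629145600 419430400  60% /Storage
"""


@dataclass
class Partition:
    filesystem: str
    blocks_1k: int
    used_1k: int
    avail_1k: int
    mount: str

    @property
    def use_pct(self) -> int:
        """df's Use% convention: used / (used + available), rounded up.
        Integer arithmetic avoids a float rounding 92.0 up to 93."""
        total = self.used_1k + self.avail_1k
        return 0 if total == 0 else (100 * self.used_1k + total - 1) // total


def parse_df(text: str) -> Dict[str, Partition]:
    """Map mount point -> Partition. Skips the header and blank lines and raises on a
    line without the six df columns, so a garbled paste is not read as 'all fine'."""
    parts: Dict[str, Partition] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Filesystem"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"unexpected df line: {line!r}")
        p = Partition(fields[0], int(fields[1]), int(fields[2]), int(fields[3]),
                      " ".join(fields[5:]))   # mount points may contain spaces
        parts[p.mount] = p
    return parts


def over_threshold(text: str, threshold_pct: int = 85) -> List[str]:
    """Mount points at or above threshold_pct, in df order."""
    return [m for m, p in parse_df(text).items() if p.use_pct >= threshold_pct]


def check_capacity(text: str, threshold_pct: int = 85) -> List[str]:
    """One human-readable warning per partition over the threshold, naming its role."""
    warnings = []
    for mount, p in parse_df(text).items():
        if p.use_pct >= threshold_pct:
            role = PARTITION_ROLES.get(mount, "unknown role")
            warnings.append(f"{mount} {p.use_pct}% used ({role}); {p.avail_1k // 1024} MiB free")
    return warnings


if __name__ == "__main__":
    for w in check_capacity(SAMPLE_DF):
        print(w)
```

Run against the constructed sample, the checker reports /var and /drive0, which on a FortiManager means the device database and the FortiAnalyzer archives are the partitions to investigate first.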
Process status
Check for any locked processes; on an idle system no process should be locked:
diagnose dvm lock