FortiGate
ssudhakar
Staff
Article Id 192582

Description


This article describes the basic commands recommended for checking the health of the system.

Scope


For FortiGate-6k-7k.

Solution

 

Execute these commands in global mode (config global).

 

get system status

 

  • This command shows information about the firmware, build, HA mode, config-sync, and FPC master.

 


  

diagnose load-balance status

 

  • This command shows which FPC/FPM is the master.
  • When there is no error, the status message shows 'Running'.
  • In case of any error, the status message shows 'waiting for data heartbeat', 'waiting for configuration sync', etc.
 
 

get system performance status

 

  • An idle FortiGate shows: CPU states: 0% user 0% system 0% nice 100% idle.
  • However, if the network is running slow, the output will look something like: CPU states: 1% user 98% system 0% nice 1% idle.
  • Memory: shows the total/used/free space. The memory usage should not be too high. If it is >70%, contact support.
 

 
 get sys ha status
 
  • This command gives information about the master and slave status, such as whether the cluster is in sync, same VLAN ID, cluster uptime, and HA history.
  • Check - HA Health Status: OK
  • Check - MONDEV stats: the 'up/down' state. This state should be the same on both chassis.
  • If the cluster is out of sync or any of the checks fails, contact support.
 
 
 
 
diagnose sys confsync status
 
  • Check to see if all blades are in sync (in_sync=1).
  • In case of any conf sync issue, the status will show in_sync=0.

 

 
  
diagnose sys ha dump-by group
 
  • best_hbdev=ha2 indicates that the communication is over the ha2 interface. best_hbdev, dp_rsync_hbdev, and slave_fim_dp_rsync_hbdev should select real ports; none of them should be 'NA'.
  • It gives information about the number of active worker blades in a cluster, uptime, and reset_cn.
  • The active workers should be the same on both chassis.
  • link_failure, pingsvr_failure, and active_worker should be the same.
  • The master's chassis flag should be '1'; the slave's chassis flag should be '0'. During the upgrade process, the forced master will be set to '3'. Once the upgrade is finished, it will be set to 1.
 
 
diagnose sys confsync showcsum | grep "SN\|^all"
 
  • Each blade will print out 4 lines of checksum.
  • The 1st-2nd lines of checksum should be the same on all blades on both the master and slave chassis.
  • The 3rd-4th lines of checksum should be the same within the chassis.
 
 
 
Best practices during chassis upgrade
 
  1. Perform these health-check commands before and after the upgrade to make sure all blades are running and in sync.
  2. When performing a step-by-step upgrade, always make sure all blades are up and in sync after each upgrade step before proceeding to the next upgrade.
  3. Take a backup of the config file. It is always preferred to have a console connection and physical access to the device during the upgrade window.
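
The pass/fail criteria above can be checked automatically against a saved CLI capture taken before and after each upgrade step. The following is an added example, not Fortinet code: it matches only the field names and status strings quoted in this article, and the line layout of the sample capture is an assumption.

```python
import re

# Field names and status strings are the ones quoted in the article; the
# layout of the lines around them is an assumption, not real device output.
HBDEV = r"\b(best_hbdev|dp_rsync_hbdev|slave_fim_dp_rsync_hbdev)=([^\s,;]+)"
REQUIRED = ("in_sync", "hbdev", "ha_health")


def check_health(capture):
    """Return findings for one saved CLI capture; an empty list means healthy."""
    findings, seen = [], set()
    for n, line in enumerate(capture.splitlines(), 1):
        # diagnose sys confsync status: every blade must show in_sync=1
        for value in re.findall(r"\bin_sync=(\d+)", line):
            seen.add("in_sync")
            if value != "1":
                findings.append(f"line {n}: in_sync={value}")
        # diagnose sys ha dump-by group: none of these may be 'NA'
        for key, value in re.findall(HBDEV, line):
            seen.add("hbdev")
            if value.upper() == "NA":
                findings.append(f"line {n}: {key}=NA")
        # get sys ha status: HA Health Status must be OK
        m = re.search(r"HA Health Status:\s*(.*)", line)
        if m:
            seen.add("ha_health")
            if m.group(1).strip() != "OK":
                findings.append(f"line {n}: HA Health Status is {m.group(1).strip()!r}")
        # diagnose load-balance status: the article's error examples contain 'waiting for'
        if "waiting for" in line.lower():
            findings.append(f"line {n}: load-balance {line.strip()!r}")
    # Fail closed: a truncated capture must not be reported as healthy.
    findings += [f"missing check: {c}" for c in REQUIRED if c not in seen]
    return findings


# Constructed sample capture (not real device output).
SAMPLE = """\
HA Health Status: OK
slot=1 in_sync=1
slot=2 in_sync=0
best_hbdev=ha2 dp_rsync_hbdev=ha2 slave_fim_dp_rsync_hbdev=NA
"""

if __name__ == "__main__":
    for finding in check_health(SAMPLE):
        print(finding)
```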

 

Related articles:

Technical Tip: How to find the config difference between blades in 6K/7K Chassis using 'diagnose sys...

Troubleshooting Tip: FortiGate 7000 Series blade config synchronization issues (confsync)
