[email protected]
0
[email protected]

Shopping cart

Subtotal:

$0.00
View cartCheckout

FCP_FMG_AD-7.4 Diagnostics and Troubleshooting

Diagnostics and Troubleshooting

Detailed list of FCP_FMG_AD-7.4 knowledge points

Diagnostics and Troubleshooting Detailed Explanation

6.1 Common FortiManager Troubleshooting Commands

FortiManager provides various CLI commands to diagnose system performance, network connectivity, and policy management issues. Below are some of the most frequently used troubleshooting commands.

1. Checking System Processes

When FortiManager slows down or crashes, checking system processes can help identify high CPU or memory usage.

Command:

diag sys top

What it does:

  • Displays real-time system performance (CPU, memory usage, and running processes).
  • Helps identify processes consuming too many resources.

Example Output:

Run Time: 23 days, 14 hours
PID   USER      PRI  NI  VIRT   RES   SHR S  %CPU  %MEM   TIME+ COMMAND
1003  root      20   0  325m   85m   15m R  15.3  10.2   1:03.55 fmgd

Solution:

  • If CPU or memory usage is high, consider restarting unnecessary processes using:

    diag sys kill 9 <PID>

    (Replace <PID> with the process ID from diag sys top.)

2. Testing Network Connectivity

If a FortiGate device cannot connect to FortiManager, use ping and traceroute to check connectivity.

Command to Ping a Target:

execute ping <target_IP>

What it does:

  • Tests whether FortiManager can reach a target device (FortiGate, server, etc.).

Command to Trace Network Route:

execute traceroute <target_IP>

What it does:

  • Shows the hops between FortiManager and the target.
  • Helps identify network delays or failures.

Example Output (Traceroute to FortiGate):

 1  192.168.1.1  1.234 ms
 2  203.0.113.10  2.345 ms
 3  10.10.10.1  3.456 ms

Solution:

  • If the ping fails, check if firewall rules are blocking communication.
  • If traceroute stops at a specific hop, check for network issues between FortiManager and FortiGate.

3. Viewing FortiManager Logs

FortiManager logs system events, errors, and policy installation failures.

Command to View Debug Logs:

diag debug application fmg -1

What it does:

  • Shows detailed FortiManager system logs, including:
    • Device connectivity logs.
    • Policy installation logs.
    • License issues.

Example Output:

2024-03-04 10:15:23 fmgd: FortiGate (10.0.0.1) failed to connect - Authentication Error

Solution:

  • If authentication errors appear, check FortiGate's system central-management settings.

6.2 Troubleshooting Common Issues

Now, let’s go through common problems and how to fix them.

1. Device Connectivity Problems

When a FortiGate device does not appear in FortiManager or is disconnected, follow these steps:

Step 1: Check Firewall Rules on FortiGate

  • Ensure that FortiGate allows connections from FortiManager.

  • Use the following command to verify access permissions:

    show system interface

  • Ensure that fgfm (FortiGate-FortiManager communication) is enabled on the management interface:

    config system interface
edit "port1"
set allowaccess ping https ssh fgfm
end

Step 2: Verify FortiGate’s Central Management Settings Run the following command on FortiGate to check if it is properly configured for FortiManager:

show system central-management

What it does:

  • Displays the current FortiManager IP and connection status.

Example Output:

config system central-management
    set mode normal
    set type fortimanager
    set fmg "192.168.1.100"
end

Solution:

  • If the FortiManager IP is incorrect, update it using:

    config system central-management
set fmg <FortiManager_IP>
end

  • If the FortiGate is disconnected, check network settings and firewall rules.

2. Policy Installation Failures

If a policy fails to install on FortiGate, follow these steps:

Step 1: Check Policy Installation Logs Use FortiManager CLI:

diag debug application install -1

What it does:

  • Shows why the policy installation failed.

Step 2: Common Error Messages and Fixes

Error Message Possible Cause Solution
Installation failed: Policy conflict detected Duplicate firewall rules exist. Remove or modify conflicting policies.
FortiGate unreachable Network issue or device is offline. Ensure FortiGate is online and accessible.
Invalid policy configuration Misconfigured security profiles. Check policy objects and correct errors.

Step 3: Fix Configuration Sync Issues If FortiManager and FortiGate are out of sync, manually resync:

execute refresh-device

What it does:

  • Forces FortiManager to retrieve the latest configuration from FortiGate.

3. License Issues

If FortiManager or FortiGate displays a license error, follow these steps:

Step 1: Check License Status in FortiManager Use:

diag hardware deviceinfo license

What it does:

  • Displays the current license status.

Step 2: Common License Issues and Fixes

Issue Cause Solution
License expired FortiManager or FortiGate subscription expired. Renew the license through Fortinet Support.
Device limit exceeded Too many FortiGate devices registered. Upgrade the FortiManager license.
License not activated License file not uploaded. Upload the license file in System Settings → License Management.

Step 3: Re-apply a License If a FortiManager license is not recognized, reload it:

execute update-now

What it does:

  • Forces FortiManager to refresh the license from Fortinet servers.

6.3 Advanced Debugging Techniques

1. Checking Real-Time Debug Logs

When troubleshooting device registration, policy installation, or system errors, real-time debug logs provide detailed information.

  1. What command enables real-time debugging in FortiManager?
    Answer:
diag debug enable
diag debug console timestamp enable
diag debug application fmg -1

Explanation:

  1. diag debug enable – Turns on debugging.
  2. diag debug console timestamp enable – Adds timestamps to log entries.
  3. diag debug application fmg -1 – Displays FortiManager-specific logs.

2. Checking FortiGate and FortiManager Communication

If a FortiGate fails to register with FortiManager, use diagnostic commands to verify communication.

  1. How can you check the FortiGate-FortiManager connection status?
    Answer:
    Run the following command on FortiGate:
diagnose sys central-management status

Explanation:

  • Displays the FortiManager IP, connection status, and last sync time.

3. Checking Policy Package Installation Status

If a policy installation fails, use debug logs to identify the issue.

  1. What command displays policy installation debug logs?
    Answer:
diag debug application install -1

Explanation:

  • Shows detailed logs related to policy installation failures.
  • Helps identify policy conflicts, object errors, or FortiGate sync issues.

4. Debugging Database and Configuration Sync Issues

If FortiManager and FortiGate show "Out of Sync", you can debug configuration synchronization.

  1. What command checks database synchronization in FortiManager?
    Answer:
diagnose dvm device list

Explanation:

  • Lists all registered devices and their synchronization status with FortiManager.

6.4 FortiGate-FortiManager Communication Troubleshooting

1. Checking if FortiGate Can Reach FortiManager

If a FortiGate is not appearing in FortiManager, first check if it can reach FortiManager's IP.

  1. What CLI command tests network connectivity from FortiGate to FortiManager?
    Answer:
execute ping <FortiManager_IP>

Explanation:

  • Verifies if FortiGate can communicate with FortiManager over the network.
  • If the ping fails, check firewall rules, routes, or physical connectivity.

2. Checking FortiGate’s Central Management Settings

If FortiGate is not registered with FortiManager, verify its central management configuration.

  1. What command shows the FortiGate’s FortiManager settings?
    Answer:
show system central-management

Explanation:

  • Displays FortiManager's IP address, connection status, and synchronization mode.

3. Manually Registering FortiGate with FortiManager

If FortiGate is not automatically registering, you can manually add it.

  1. What CLI command registers a FortiGate to FortiManager?
    Answer:
config system central-management
set type fortimanager
set fmg <FortiManager_IP>
end

Explanation:

  • Manually configures FortiGate to connect to FortiManager using its IP address.

6.5 Real-World Troubleshooting Scenarios

Scenario 1: FortiGate Device is "Disconnected" in FortiManager

A FortiGate that was previously connected to FortiManager is now showing as "Disconnected".

  1. What steps should be taken to troubleshoot a disconnected FortiGate device in FortiManager?
    Answer:

  2. Check if FortiGate can reach FortiManager:

execute ping <FortiManager_IP>

  1. Verify firewall policies allowing FortiManager communication.

  2. Check FortiGate's system central-management settings:

show system central-management
  1. If needed, re-register FortiGate:
execute central-management register <FortiManager_IP>
```</ANSWER>

Scenario 2: Policy Package Fails to Install on FortiGate

A policy installation in FortiManager fails with an error message.

  1. What steps should be taken to troubleshoot a failed policy installation?
    Answer:

  2. Check policy package logs:

diag debug application install -1

  1. Ensure the policy is assigned to the correct ADOM.

  2. Run Retrieve Config to update FortiManager with FortiGate’s latest settings.

  3. If "Out of Sync," force synchronization:

execute refresh-device
```</ANSWER>

Scenario 3: FortiManager Reports a License Issue

A security team receives a license error message in FortiManager.

  1. How do you check FortiManager's license status?
    Answer:
    Run the following command in FortiManager CLI:
diag hardware deviceinfo license

Explanation:

  • Displays license expiration status and device limits.
  • If expired, renew the license and upload it in System Settings → License Management.

6.6 Best Practices for Effective Troubleshooting

1. Regularly Monitor System Health

  • Use diag sys top to monitor CPU and memory usage.
  • Check FortiManager logs with diag debug application fmg -1.

2. Ensure Proper Network Connectivity

  • Run execute ping <FortiManager_IP> to check connectivity from FortiGate.
  • Run execute traceroute <FortiManager_IP> to identify network delays.

3. Keep FortiManager and FortiGate in Sync

  • Run execute refresh-device if configurations are out of sync.
  • Run diagnose dvm device list to check sync status.

4. Debug Policy Installation Issues

  • Run diag debug application install -1 to check why a policy failed.
  • Ensure correct ADOM assignment for policy deployment.

5. Verify Licensing Regularly

  • Run diag hardware deviceinfo license to check license validity.
  • Ensure FortiManager and FortiGate licenses are active.

Frequently Asked Questions

What does a device out-of-sync status indicate in FortiManager?

Answer:

The device configuration differs from the FortiManager database configuration.

Explanation:

Out-of-sync status occurs when configuration changes are made directly on the FortiGate instead of through FortiManager. Because FortiManager stores its own configuration database, these changes create a mismatch between the two configurations. Administrators must retrieve or import the device configuration to synchronize the databases before installing new policies.

Demand Score: 90

Exam Relevance Score: 94

Why might a policy installation fail during deployment?

Answer:

Configuration conflicts or missing objects may prevent the installation.

Explanation:

Policy installation failures often occur when referenced objects do not exist, configurations conflict with device settings, or the device database is out of sync. FortiManager generates an installation script based on the policy database, and any mismatch between the database and the device configuration can cause errors. Administrators should review installation logs to identify the specific issue.

Demand Score: 92

Exam Relevance Score: 95

Why is reviewing installation logs important during troubleshooting?

Answer:

They provide detailed information about configuration errors and deployment failures.

Explanation:

When FortiManager installs policies or configuration changes, it generates logs showing each step of the deployment process. If an error occurs, the logs indicate which configuration element failed. This helps administrators quickly identify issues such as invalid objects, incompatible settings, or device communication problems.

Demand Score: 82

Exam Relevance Score: 88

What troubleshooting step should be taken when device configuration changes are not reflected in FortiManager?

Answer:

Perform a configuration retrieval from the device.

Explanation:

Configuration retrieval updates the FortiManager device database to match the current configuration on the FortiGate. This is necessary when changes are made directly on the device outside of FortiManager management.

Demand Score: 80

Exam Relevance Score: 90

Why should administrators avoid making direct configuration changes on FortiGate devices when using FortiManager?

Answer:

It can cause configuration synchronization issues.

Explanation:

Direct changes on the device bypass the FortiManager database. This creates inconsistencies between the centralized management configuration and the device configuration, potentially causing installation failures or policy conflicts.

Demand Score: 78

Exam Relevance Score: 87

What is the first step when troubleshooting policy installation errors?

Answer:

Review the installation preview and logs.

Explanation:

Installation preview shows the configuration changes that will be applied to the device, while logs provide detailed error messages if the installation fails. Together, they help identify configuration mismatches, missing objects, or device-level conflicts.

Demand Score: 83

Exam Relevance Score: 91

 FCP_FMG_AD-7.4 Study Plan FCP_FMG_AD-7.4 Study Methods And Exam Tips FCP_FMG_AD-7.4 Training Details
FCP_FMG_AD-7.4 Training Course
$68$29.99
Related Products
FCP_FMG_AD-7.4 Training Course