get sys perf status
diag test app scanunit 3
diag stat app-usage-ip Facebook
diag stat per-ip-bw
# or
ssh 172.31.35.254 'diagnose stats per-ip-bw' | grep -E "bps.[0-9]{6}" | sed -E 's/^.*addr.([0-9.]+).*([0-9]{6}).*$/\1 \2/g' | awk '{print $1"\t"$2/1024/1024*8}' | sed -E 's/^(.*\.[0-9]{2}).*/\1 Mbps/g'
One by one, using the process ID (find it with diag sys top, here with a 1 s refresh and 60 lines):
diag sys top 1 60
diag sys kill 11 <process_id>
Or, all processes at once:
fnsysctl killall scanunitd
All FortiGate units have a powerful packet sniffer on board. If you know tcpdump you should feel comfortable using the FortiGate Sniffer.
diag sniffer packet <interface> <'filter'> <verbose> <count> <timestamp>
'[[src|dst] host<IP1>] [[src|dst] host<IP2>] [[arp|ip|gre|esp|udp|tcp] [port_no]] [[arp|ip|gre|esp|udp|tcp] [port_no]]'
Verbose levels:
- 1: print header of packets
- 2: print header and data from IP of packets
- 3: print header and data from Ethernet of packets
- 4: print header of packets with interface name
- 5: print header and data from IP of packets with interface name
- 6: print header and data from Ethernet of packets with interface name
Count: number of packets to capture, 0 for unlimited (stop with Ctrl-C).
Timestamp format:
- a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
- l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
- otherwise: relative to the start of sniffing, ss.ms
diag sniffer packet internal 'port 80' 6 0 l
diag sniffer packet internal 'net 172.31.29.0/24' 6 0 l
diag sniffer packet internal 'host 192.168.0.130 and icmp' 6 0 l
diag sniffer packet internal 'host 192.168.0.130 and 192.168.0.1 and tcp port 80' 6 0 l
diag sniffer packet internal 'src host 10.4.30.250' 6 0 l
diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1' 6 0 l
diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1 and tcp' 6 0 l
diag sniffer packet internal 'udp and port 1812 and host 192.168.0.130 and (192.168.0.1 or 192.168.0.2)' 6 0 l
Filters can also match on packet content by byte offset (decimal or hexadecimal) into the frame, using the same proto[offset:size] syntax as tcpdump.
On FortiOS 5 there is a bug when the any interface is combined with an ether[] filter; be aware of that.
# IP TTL (byte 8 of the IP header) equal to 1
diagnose sniffer packet port2 "ip[8:1] = 0x01"
# source MAC 00:09:0f:89:10:ea (Ethernet bytes 6 to 11)
diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"
# destination MAC 00:09:0f:89:10:ea (Ethernet bytes 0 to 5)
diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"
# tcp[13] is the TCP flags byte: RST set
diagnose sniffer packet internal "tcp[13] & 4 != 0"
# SYN set
diagnose sniffer packet internal "tcp[13] & 2 != 0"
# exactly SYN+ACK and nothing else (0x12 = 18)
diagnose sniffer packet internal "tcp[13] = 18"
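The tcp[13] filters above are easy to get subtly wrong (a `=` match excludes flags you did not list). The following is an added example, not FortiGate code or anything from the original page: plain Python that builds the three forms of flag filter from flag names and decodes a flags byte back into names. The flag bit values are the standard TCP ones; the function names are mine.

```python
# Added example (not FortiGate code): build and decode tcp[13] flag filters
# of the kind used in the sniffer commands above. Plain Python, runs offline.

# Bit layout of the TCP flags byte (offset 13 in the TCP header).
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def flag_mask(names):
    """OR together the bit values of the named flags."""
    mask = 0
    for name in names:
        mask |= TCP_FLAGS[name.upper()]
    return mask


def tcp_flags_filter(names, mode="any"):
    """Return a sniffer filter string for the given flag names.

    mode="any":   at least one of the flags is set        -> tcp[13] & M != 0
    mode="all":   all listed flags set, others allowed     -> tcp[13] & M = M
    mode="exact": exactly these flags and no others        -> tcp[13] = M
    """
    mask = flag_mask(names)
    if mode == "any":
        return f"tcp[13] & {mask} != 0"
    if mode == "all":
        return f"tcp[13] & {mask} = {mask}"
    if mode == "exact":
        return f"tcp[13] = {mask}"
    raise ValueError(f"unknown mode {mode!r}")


def decode_tcp_flags(value):
    """Name the flags set in a tcp[13] byte, lowest bit first."""
    ordered = sorted(TCP_FLAGS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if value & bit]


if __name__ == "__main__":
    cases = (
        (["RST"], "any"),
        (["SYN"], "any"),
        (["SYN", "ACK"], "exact"),
        (["SYN", "ACK"], "all"),
    )
    for names, mode in cases:
        print(f'diagnose sniffer packet internal "{tcp_flags_filter(names, mode)}"')
    print(decode_tcp_flags(18))      # SYN+ACK
    print(decode_tcp_flags(0x52))    # SYN+ACK+ECE, an ECN-capable SYN-ACK
```

The practical difference: `tcp[13] = 18` misses a SYN-ACK that also carries ECE (0x52 = 82) from an ECN-capable peer, while `tcp[13] & 18 = 18` catches both; use the exact form only when you really want to exclude every other flag.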
This matches the word "this" at a specific place in the frame: the dump row starts at offset 0x40, the bytes 74 68 69 73 ("this") begin 4 bytes in, hence ether[0x44:4]. ether[] offsets count from the start of the Ethernet frame, which is what the verbose 6 dump shows.
- Payload:
0x0040 8f48 8a0c 7468 6973 2069 7320 7069 6e67 .H..this.is.ping
- Filter:
diagnose sniffer packet internal "ether[0x44:4]=0x74686973"
- Payload:
0x0090 1700 0100 0017 f501 1800 0500 2628 0200 ............&(..
- Filter:
diagnose sniffer packet internal "port 6060 and (ether[0x90]=23 or ether[0x90]=24 or ether[0x90]=25 or ether[0x90]=26)"
Note that ether[0x90] with no size compares a single byte, and that the compared values are decimal: 0x17 = 23, so 23 to 26 cover the bytes 0x17 to 0x1a.
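Working out these offsets by hand is error-prone once the string is longer than 4 bytes, because BPF only compares 1-, 2- or 4-byte words. The following is an added example, not part of the original page and not FortiGate code: a small Python tool that parses a verbose 6 hexdump row, finds a byte string in it and emits the chain of ether[offset:size] clauses, plus a helper for the "one byte, several values" pattern. The hexdump row is the one from the page; the function names and the assumption that rows are contiguous are mine.

```python
# Added example (not FortiGate code): derive ether[offset:size]=0x... filters
# from a verbose-6 sniffer dump, generalising the two payload filters above.
# SAMPLE_ROW is copied from the page; everything else is assumed.
import re

SAMPLE_ROW = "0x0040 8f48 8a0c 7468 6973 2069 7320 7069 6e67 .H..this.is.ping"

# a hex group in the dump is 2 or 4 hex digits (one or two bytes)
HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")


def parse_hexdump(text):
    """Return (offset_of_first_byte, bytes) from sniffer-style hexdump rows.

    Rows look like '0x0040 8f48 8a0c ... <ascii>'; offsets count from the
    start of the Ethernet frame, which is what ether[] indexes. Rows are
    assumed to be contiguous (no gaps between them).
    """
    base, data = None, bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        offset = int(tokens[0], 16)
        if base is None:
            base = offset
        elif offset != base + len(data):
            raise ValueError(f"non-contiguous row at 0x{offset:x}")
        for tok in tokens[1:9]:          # at most 16 bytes (8 groups) per row
            if not HEX_GROUP.match(tok):
                break                    # reached the ASCII column
            data += bytes.fromhex(tok)
    if base is None:
        raise ValueError("no hexdump rows found")
    return base, bytes(data)


def ether_match(needle, offset):
    """Filter matching `needle` at absolute frame offset `offset`.

    BPF compares 1-, 2- or 4-byte words only, so longer strings are split
    into a chain of clauses joined with 'and'.
    """
    clauses, pos = [], 0
    while pos < len(needle):
        remaining = len(needle) - pos
        size = 4 if remaining >= 4 else 2 if remaining >= 2 else 1
        chunk = needle[pos:pos + size]
        clauses.append(f"ether[0x{offset + pos:x}:{size}]=0x{chunk.hex()}")
        pos += size
    return clauses[0] if len(clauses) == 1 else "(" + " and ".join(clauses) + ")"


def filter_for_string(hexdump, needle):
    """Locate `needle` in the dump and build the matching ether[] filter."""
    base, data = parse_hexdump(hexdump)
    idx = data.find(needle)
    if idx < 0:
        raise ValueError(f"{needle!r} not found in dump")
    return ether_match(needle, base + idx)


def byte_value_filter(offset, values, prefix=None):
    """Match one byte at `offset` against any of several decimal values,
    optionally prefixed with another filter such as 'port 6060'."""
    alts = " or ".join(f"ether[0x{offset:x}]={v}" for v in values)
    body = f"({alts})" if len(values) > 1 else alts
    return f"{prefix} and {body}" if prefix else body


if __name__ == "__main__":
    print(filter_for_string(SAMPLE_ROW, b"this"))
    print(filter_for_string(SAMPLE_ROW, b"this is"))
    print(byte_value_filter(0x90, [23, 24, 25, 26], prefix="port 6060"))
```

Paste the hexdump rows from a `diag sniffer packet <if> '<filter>' 6` run into `parse_hexdump` and the emitted string can be used directly as the sniffer filter; the offsets stay valid only for frames with the same header layout (same VLAN tagging, same IP option and TCP option lengths) as the one you took the dump from.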