Evil TTL - Network Solutions
Evil TTL   >   WatchGuard Troubleshooting Overview

Evil_TTL> show | s

WatchGuard Troubleshooting Overview

Category:WatchGuard -> XTM

This article was written at the time when I was researching available functions that could help a network administrator to troubleshoot WatchGuard XTM Firewalls. The research time was very limited. Hence those are the only functions that I’ve managed to write down. For more information address official configuration guides.

Debug

Define debug level:

WG#debug ?
  <string>  CLI debugging level <critical|error|warning|info|debug|dump

Diagnose

Specify an external location to send internal diagnostic information:

WG#diagnose to ?
  <ftp>   FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
  <tftp>  TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
 
WG#usb diagnostic enable ?
  <cr>   Carriage return
  <int>  Frequencyin seconds <900-2147483647

Export

You can also export various useful information:

WG#export ?
  allowed-site  Allowed IP address
  blocked-site  Blocked IP address
  config        Appliance configuration
  muvpn         Mobile VPN with IPSec client configuration file
  support       Support log message file

WG#export allowed-site to ?
  <ftp>   FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
  <tftp>  TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>

WG#export config to ?
  <ftp>    FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
  <tftp>   TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
  console  Console terminal 

NOTE

Don’t export it into console,/i> if you don’t wish to wait for about 20 seconds until the output is finished. It’s that huge!

The support snapshot contains device configuration and status information that can help WatchGuard technical support troubleshoot issues. To access the support service you have to purchase LiveSecurity Service subscription for 1 or several years. A maximum of 48 support snapshots are stored on the USB drive. The number at the end of the file name is incremented for each snapshot. For example, the first two files have the names support1.tgz and support2.tgz. Use no usb diagnostic enable to disable this feature.

To export it to a USB drive, prepare it first. If you don’t do it, you will see the following error:

WG#sh usb
%ErrorFailed to get usb statusdoesn't find usb drive. 

After plugging in a USB flash drive:

WG#sh usb
--
-- USB Drive
--
Device name            :
Device size            :15458304
Partition size         :15446048
Used size              :4774464
Available storage      :10671584


WG#usb format ?
  <cr>      Carriage return
  <string>  Force format <yes|no>

WG#export support to ?
  <ftp>   FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
  <tftp>  TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
  usb     USB drive
  
WG#export support to usb 

Support information structure on the USB drive:

F:\80BE05699C0xx
 certs
 configs
 feature-keys
 flash-images
 support
  certs
  config
  current_log
  debug
  debug_log
  firewall
  ike_diags
  licenses
  networking
  packages
  proc
  proxy
  system 

In each support directory there are tons of files. Explore them. It’s interesting.

There’s another handy diagnostic tool available in WatchGuard Firewall. It is a well known tcpdump utility.

By privilege15