This article was written while I was researching functions that could help a network administrator troubleshoot WatchGuard XTM firewalls. The research time was very limited, so these are the only functions I managed to write down. For more information, refer to the official configuration guides.
Debug
Define debug level:
WG#debug ?
<string> CLI debugging level <critical|error|warning|info|debug|dump>
Diagnose
Specify an external location to send internal diagnostic information:
WG#diagnose to ?
<ftp> FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
<tftp> TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
WG#usb diagnostic enable ?
<cr> Carriage return
<int> Frequency, in seconds <900-2147483647>
Export
You can also export various useful information:
WG#export ?
allowed-site Allowed IP address
blocked-site Blocked IP address
config Appliance configuration
muvpn Mobile VPN with IPSec client configuration file
support Support log message file
WG#export allowed-site to ?
<ftp> FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
<tftp> TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
WG#export config to ?
<ftp> FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
<tftp> TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
console Console terminal
NOTE
Don’t export it to console if you don’t wish to wait about 20 seconds until the output is finished. It’s that huge!
The support snapshot contains device configuration and status information that can help WatchGuard technical support troubleshoot issues. To access the support service you have to purchase a LiveSecurity Service subscription for 1 or several years. A maximum of 48 support snapshots are stored on the USB drive. The number at the end of the file name is incremented for each snapshot. For example, the first two files have the names support1.tgz and support2.tgz. Use no usb diagnostic enable to disable this feature.
To export it to a USB drive, prepare the drive first. If you don’t, you will see the following error:
WG#sh usb
%Error: Failed to get usb status, doesn't find usb drive.
After plugging in a USB flash drive:
WG#sh usb
--
-- USB Drive
--
Device name :
Device size :15458304
Partition size :15446048
Used size :4774464
Available storage :10671584
WG#usb format ?
<cr> Carriage return
<string> Force format <yes|no>
WG#export support to ?
<ftp> FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
<tftp> TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
usb USB drive
WG#export support to usb
Support information structure on the USB drive:
F:\80BE05699C0xx
    certs
    configs
    feature-keys
    flash-images
    support
        certs
        config
        current_log
        debug
        debug_log
        firewall
        ike_diags
        licenses
        networking
        packages
        proc
        proxy
        system
In each support directory there are tons of files. Explore them. It’s interesting.
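To take stock of the snapshots on the drive before unpacking them, the following added example (not from the original article or from WatchGuard) lists the supportN.tgz files in numeric order and counts files per top-level directory without extracting anything. It assumes each archive's top-level entries are the directories listed above; the function names and the sample archives are constructed for illustration.

```python
import io
import re
import tarfile
import tempfile
from pathlib import Path, PurePosixPath

SNAPSHOT_RE = re.compile(r"^support(\d+)\.tgz$")  # support1.tgz, support2.tgz, ...
MAX_SNAPSHOTS = 48  # limit stated in the article


def list_snapshots(directory):
    """Return [(number, path)] sorted numerically, so support10 follows support9."""
    found = []
    for path in Path(directory).iterdir():
        match = SNAPSHOT_RE.match(path.name)
        if match:
            found.append((int(match.group(1)), path))
    return sorted(found)


def summarize(snapshot):
    """Count regular files per top-level directory without extracting anything."""
    counts = {}
    with tarfile.open(snapshot, "r:gz") as archive:
        for member in archive:
            if member.isfile():
                parts = PurePosixPath(member.name).parts
                top = parts[0] if len(parts) > 1 else "(root)"
                counts[top] = counts.get(top, 0) + 1
    return counts


def make_sample(directory, number, files):
    """Build a constructed snapshot for the demo; not real appliance data."""
    path = Path(directory) / f"support{number}.tgz"
    with tarfile.open(path, "w:gz") as archive:
        for name in files:
            info = tarfile.TarInfo(name)
            info.size = len(b"constructed\n")
            archive.addfile(info, io.BytesIO(b"constructed\n"))
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as usb:  # stands in for the USB drive
        for n in (1, 2, 10):
            make_sample(usb, n, ["config/a.xml", "debug_log/x.log", "proc/meminfo"])
        newest = list_snapshots(usb)[-1][1]
        print(f"newest of max {MAX_SNAPSHOTS}: {newest.name}", summarize(newest))
```

A plain alphabetical listing would place support10.tgz before support2.tgz, which is why the number is parsed out of the file name.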
There’s another handy diagnostic tool available in the WatchGuard Firewall: the well-known tcpdump utility.
By privilege15