Evil_TTL> show | s

WatchGuard Troubleshooting Overview

This article was written while I was researching available functions that could help a network administrator troubleshoot WatchGuard XTM firewalls. The research time was very limited, hence these are the only functions that I’ve managed to write down. For more information, refer to the official configuration guides.


Define debug level:

WG#debug ?
<string>  CLI debugging level <critical|error|warning|info|debug|dump>


Specify an external location to send internal diagnostic information:

WG#diagnose to ?
<ftp>   FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
<tftp>  TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
WG#usb diagnostic enable ?
<cr>   Carriage return
<int>  Frequency in seconds <900-2147483647>


You can also export various useful information:

WG#export ?
allowed-site  Allowed IP address
blocked-site  Blocked IP address
config        Appliance configuration
muvpn         Mobile VPN with IPSec client configuration file
support       Support log message file

WG#export allowed-site to ?
<ftp>   FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
<tftp>  TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>

WG#export config to ?
<ftp>    FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
<tftp>   TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
console  Console terminal 


Don’t export it to the console if you don’t wish to wait about 20 seconds for the output to finish. It’s that huge!

The support snapshot contains device configuration and status information that can help WatchGuard technical support troubleshoot issues. To access the support service you have to purchase a LiveSecurity Service subscription for 1 or several years. A maximum of 48 support snapshots are stored on the USB drive. The number at the end of the file name is incremented for each snapshot; for example, the first two files are named support1.tgz and support2.tgz. Use "no usb diagnostic enable" to disable this feature.

To export it to a USB drive, prepare the drive first. If you don’t, you will see the following error:

WG#sh usb
%ErrorFailed to get usb statusdoesnt find usb drive

After plugging in a USB flash drive:

WG#sh usb
USB Drive
Device name            :
Device size            :15458304
Partition size         
Used size              
Available storage      

WG#usb format ?
<cr>      Carriage return
<string>  Force format <yes|no>

WG#export support to ?
<ftp>   FTP file(UTF-8 encoding) transfer <ftp://[user[:passwd]@]host[:port]/url-path>
<tftp>  TFTP file(UTF-8 encoding) transfer <tftp://host/url-path>
usb     USB drive
WG#export support to usb

Support information structure on the USB drive:


In each support directory there are tons of files. Explore them. It’s interesting.
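
To get an overview of the snapshots before opening them, the following Python script (an added example, not part of the original article or of WatchGuard's tooling) indexes supportN.tgz files in numeric order and lists the newest one's contents without extracting it. It assumes the USB drive's contents are mounted on or copied to a workstation and that the highest number is the most recent snapshot; the sample archives and the member name inside them are constructed.

```python
import io
import re
import tarfile
import tempfile
from pathlib import Path

SNAPSHOT_RE = re.compile(r"^support(\d+)\.tgz$")
MAX_SNAPSHOTS = 48  # limit stated in the article

def find_snapshots(root):
    """Return [(number, path)] for supportN.tgz under root, sorted by N (not by name)."""
    found = []
    for path in Path(root).rglob("support*.tgz"):
        match = SNAPSHOT_RE.match(path.name)
        if match:
            found.append((int(match.group(1)), path))
    return sorted(found)

def list_members(path):
    """List (name, size) of regular files in a snapshot without extracting anything."""
    with tarfile.open(path, "r:gz") as tar:
        return [(m.name, m.size) for m in tar.getmembers() if m.isfile()]

def summarize(root):
    """Summarize the snapshots under root; None if there are none."""
    snaps = find_snapshots(root)
    if not snaps:
        return None
    _, newest = snaps[-1]  # assumption: highest number is the most recent
    return {"count": len(snaps), "at_limit": len(snaps) >= MAX_SNAPSHOTS,
            "newest": newest.name, "members": list_members(newest)}

def build_sample(root):
    """Write constructed supportN.tgz files (not real device output) for the demo."""
    for n in (1, 2, 10):
        data = f"snapshot {n}\n".encode()
        info = tarfile.TarInfo("constructed/status.txt")
        info.size = len(data)
        with tarfile.open(Path(root) / f"support{n}.tgz", "w:gz") as tar:
            tar.addfile(info, io.BytesIO(data))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(summarize(tmp))
```

Because a snapshot carries the device configuration, listing members first lets you decide what to open and where before anything is unpacked.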

There’s another handy diagnostic tool available in the WatchGuard firewall: the well-known tcpdump utility.

By privilege15