When you’ve got the FortiClient diag file from the end user, save it to a folder somewhere and extract it. It’ll be a .cab file, which can be unzipped using 7-Zip or WinZip.

 

Once it’s extracted you’ll see these directories:

 

 

Best place to start is the VPN folder:

 

Check out the ipconfig.txt file to make sure they’ve got a network connection, their wireless is connected, etc. Then check logs.txt, which will show you that the diagnostics collection worked and whether they could connect to the VPN or not. If you look at the time/date stamps you can see when the connection was made and when it got disconnected:

 

5/27/2020 10:42:37 AM    Notice    VPN        date=2020-05-27 time=10:42:36 logver=1 type=traffic level=notice sessionid=2466219824 hostname=MAPS50 pcdomain=cccs.co.uk uid=29C7C640C34A4AC2A01B081440E50738 devid=FCT8001836653466 fgtserial=N/A emsserial=N/A regip=N/A srcname=sslvpn srcproduct=N/A srcip=10.251.2.3 srcport=N/A direction=outbound dstip=vpn.stepchange.org remotename=N/A dstport=443 user=michellec@cccs.co.uk proto=6 rcvdbyte=25769806324 sentbyte=25769808424 utmaction=passthrough utmevent=vpn threat=connect vd=N/A fctver=6.0.1.0099 os="Microsoft Windows 10 , 64-bit (build 18362)" usingpolicy="" service= url=N/A userinitiated=0 browsetime=N/A

5/27/2020 10:42:37 AM    Information         VPN        id=96600 user=michellec@CCCS.CO.UK msg="SSLVPN tunnel status" vpnstate=connected vpntunnel="Work VPN" vpntype=ssl

5/27/2020 10:43:26 AM    Information         VPN        FortiSslvpn: 15132: Ras: connection to fortissl terminated

5/27/2020 10:43:26 AM    Error      VPN        FortiSslvpn: 11812: Error find interface for local_gwy 0302fb0a

5/27/2020 10:43:26 AM    Error      VPN        (repeated 1 times in last 1 sec) FortiSslvpn: 11812: Error find interface for local_gwy 0302fb0a

 

With this example, it’s connected at 10:42:37 and disconnected at 10:43:26, as they’ve done the diagnostic test. It shows the IP address of the VPN they’ve connected to, so we can check if they’re on the correct one for their device type. We can also see what username they’ve put in, plus whether or not the ‘customise port’ option in FortiClient is ticked; that can be turned off if you’re able to remote onto their PC/laptop to troubleshoot. The errors at the end refer to the disconnect from the VPN, as the local gateway becomes unreachable.

 

Next thing to check is the ‘general’ directory:

 

Check the logs.txt file. This keeps a month or two’s worth of logs for the connection status and shows what the previous log file contains, but it will also show login attempts that have errored out, plus the error code:

 

4/1/2020 4:00:47 PM        Error      VPN        id=96603 user="SYSTEM@NT AUTHORITY" msg="SSLVPN tunnel connection failed (Error=-12)." remotegw=vpn.stepchange.org vpnstate=connected vpntunnel="Work VPN" vpntype=ssl vpnuser=michellec@cccs.co.uk

 

We can also see the disconnects, so if we needed to, we can piece together how often their VPN is closing down:

 

4/7/2020 1:32:17 PM        Information         VPN        FortiSslvpn: 14172: Ras: connection to fortissl terminated
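
An added example (not part of the original write-up): a Python script that pairs each tunnel-up line in the general logs.txt with the next "connection to fortissl terminated" line and tallies failed logins by error code. The match strings come from the sample lines above; treating `msg="SSLVPN tunnel status"` with `vpnstate=connected` as the tunnel coming up is an assumption, and the sample log and its names are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the logs.txt lines quoted above;
# the user and gateway names are placeholders.
SAMPLE = """\
4/1/2020 4:00:47 PM    Error    VPN    id=96603 user="SYSTEM@NT AUTHORITY" msg="SSLVPN tunnel connection failed (Error=-12)." remotegw=vpn.example.test vpnstate=connected vpntunnel="Work VPN" vpntype=ssl vpnuser=user@example.test
4/7/2020 1:20:05 PM    Information    VPN    id=96600 user=user@EXAMPLE.TEST msg="SSLVPN tunnel status" vpnstate=connected vpntunnel="Work VPN" vpntype=ssl
4/7/2020 1:32:17 PM    Information    VPN    FortiSslvpn: 14172: Ras: connection to fortissl terminated
4/7/2020 1:54:08 PM    Error    VPN    FortiSslvpn: 8164: error: poll_recv_ssl -> SSL_get_error(): 5
4/8/2020 9:15:00 AM    Information    VPN    FortiSslvpn: 14172: Ras: connection to fortissl terminated
"""

# Groups: timestamp, level, source, message
LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(\w+)\s+(\w+)\s+(.*)$")
FAILED = re.compile(r"connection failed \(Error=(-?\d+)\)")

def summarise(text):
    """Return (sessions, failures, terminations) for the VPN lines in text."""
    sessions, failures, terminations, up = [], Counter(), 0, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) != "VPN":
            continue
        when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        msg = m.group(4)
        failed = FAILED.search(msg)
        if failed:
            # Failed logins also carry vpnstate=connected, so test these first.
            failures[int(failed.group(1))] += 1
        elif 'msg="SSLVPN tunnel status"' in msg and "vpnstate=connected" in msg:
            up = when  # assumption: this line marks the tunnel coming up
        elif "connection to fortissl terminated" in msg:
            terminations += 1
            if up is not None:  # skip drops whose connect line is not in the log
                sessions.append((up, when, (when - up).total_seconds()))
            up = None
    return sessions, failures, terminations

if __name__ == "__main__":
    sessions, failures, terminations = summarise(SAMPLE)
    for start, end, secs in sessions:
        print(f"up {start} -> down {end} ({secs:.0f}s)")
    print("terminations:", terminations, "failed logins by code:", dict(failures))
```
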

 

Fortinet have a pretty comprehensive site/forum with a ton of info on error codes, so if there’s anything in there you don’t understand or want to check out, just Google it. For instance, this line from the same log file comes up as possibly being an issue with TLS not being enabled in the browser:

 

4/7/2020 1:54:08 PM        Error      VPN        FortiSslvpn: 8164: error: poll_recv_ssl -> SSL_get_error(): 5

 

The systeminfo.txt gives a comprehensive overview of the hardware on the PC, plus a boatload of info on the software/drivers/services config. I guess it could be useful if you suspect a driver issue, say for a network adapter: you could search in that file to check it out.

 

The last file to check is the ‘allproducts.xml’ file in the Install directory:

 

 

This will show you a list of installed software, so you can check that certain software like Kaspersky is up to date. There have been a handful of issues where the AV needed an update kicking off manually, and until it was done it seemed to hobble the ports required for connecting the device to the network properly.