Release date 20200225 – v6.2.3
Original work by Frederic Kasmirczak, updated by Exclusive Networks
Main command structure | |
show | Display changes to the default configuration |
get | List the configuration of the current object or table |
edit | Create or edit a table in the current object. edit 0 will use the next ID available in a sequence number |
set/unset | Set a field / Reset a field to the default value |
next | Save current entry (edit X) and return to table |
end | Save the current changes and exit menu |
abort | Exit commands without saving the fields (ctrl+C) |
delete | Remove a table from the current object |
tree | Display the command tree for the current config section |
Interface | |
show/get system interface | Show interfaces status. Use get to retrieve dynamic information (such as PPPoE IP) |
config sys interface ; edit <port> ; set ip x.x.x.x/y ; set allowaccess ssh ping https ; end | Basic interface IP configuration |
diag netlink device list | Show interfaces statistics (errors) |
diag hard dev nic <port> | Show interfaces statistics |
Static routing | |
config router static ; edit 0 ; set device internal ; set dst x.x.x.x/y ; set gateway z.z.z.z ; set dynamic-gateway ena ; end | Add a static route (set a static gateway OR enable dynamic-gateway for DHCP/PPPoE) |
get router info routingtable all / get router info routingtable database | Display the current routing table (active / configured) |
get ro info ro details x.x.x.x | Display the route used to reach the IP x.x.x.x |
diag firewall proute list | Display the Policy Routes (have precedence over the routing table) |
diag ip route list | Display the kernel routing table |
Basic | |
get sys status | Show status summary |
get sys perf stat | Show FortiGate resources summary |
execute ping / execute ping-options | Ping a host / set the ping options |
execute ssh <user>@<ip> | SSH to another server |
exec shutdown/reboot | Shut down / reboot the device |
get sys arp (| grep x.x) | Show the arp table (filtered by x.x) |
show | grep -f something | Find where "something" is used (case-sensitive; use -i to be case-insensitive) |
Disk/upgrade/config management | |
diag hard deviceinfo disk | Show disks and partitions usage |
diag sys flash list | Show partitions status |
exec setnextreboot ? | Select partition for the next reboot |
exec factoryreset [keepvmlicense] | Reset to factory default (exec factoryreset2 keeps the network settings; on a VM add keepvmlicense to keep the license) |
exec backup conf | Backup configuration |
exec restore config | Restore configuration (reboots) |
diag debug config-error-log read | Show config parsing errors (check after an upgrade; should be empty) |
exec formatlogdisk | Format log disk |
High availability | |
get sys ha status / diag sys ha status | Show HA conf summary |
diag sys ha history read | Show HA history events |
diag deb en ; diag deb cons timestamp en ; diag deb app hatalk 1 ; diag deb app hasync 1 | Troubleshoot HA synchronization issue |
diag sys ha check cluster / diag sys ha check sh root | Show the config checksum of every member of the cluster / show the checksum details for a vdom (here root) |
exec ha synchronize all | Synchronize all parts of the config |
diag sys ha resetuptime | Reset the HA uptime of this unit (triggers a failover when override is disabled, which is the default) |
diag sniffer packet haint 'ether[12:2]=0x8890' 6 | Sniffer on heartbeat ports (here haint) |
exec ha manage <id> <admin> | Connect to a subordinate device |
Debug | |
diag debug enable ; diag debug flow sh c en ; diag debug flow sh f en ; diag debug flow filter saddr x.x.x.x ; diag debug flow filter daddr y.y.y.y ; diag debug flow trace start 10 ; diag debug reset | Debug flow (trace 10 packets between x.x.x.x and y.y.y.y, then reset the debug state) |
diag sys session filter src x.x.x.x ; diag sys session filter dst x.x.x.x ; diag sys session list ; diag sys session clear | Filter the session table, list the matching sessions, clear them |
diag debug crashlog read | Show crashlog |
diag deb en diag deb app fnbamd -1 | Debug authentication |
diag debug report | Collect lots of info |
diag sys top <seconds> <nb_lines> (shift+P for CPU ordering, shift+M for memory ordering) | Process usage (CPU) |
diag sys top-summary ('-s mem', '-h' to show options) | Process usage (memory) |
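The "Debug flow" rows above produce one trace line per processing step, which gets hard to read once a few sessions are traced. The script below is an added example, not part of the original cheat sheet and not a Fortinet tool: it groups the trace lines by trace_id and reports the 5-tuple, ingress/egress interface and the policy verdict. The sample lines follow the general id= trace_id= func= line= msg="..." shape that diag debug flow prints, but they are constructed, and all addresses, session ids and policy numbers are invented.

```python
"""Summarise FortiGate 'diag debug flow' output per trace_id (added example)."""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of debug flow output; addresses and policy numbers are invented.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51234->203.0.113.10:443) tun_id=0.0.0.0 from port1. flag [S], seq 12345, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5765 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-198.51.100.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=783 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3413 msg="SNAT 10.0.0.5->198.51.100.2:51234"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=17, 10.0.0.7:40000->203.0.113.20:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=2 func=init_ip_session_common line=5765 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=fw_forward_handler line=783 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(
    r'^id=(?P<id>\d+)\s+trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+'
    r'line=(?P<line>\d+)\s+msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(
    r"proto=(?P<proto>\d+),\s*(?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\)")
IN_RE = re.compile(r"\bfrom (?P<iface>\S+)\.")
ROUTE_RE = re.compile(r"find a route:.*\bvia (?P<iface>\S+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(?P<policy>\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<policy>\d+)\)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Trace:
    trace_id: int
    proto: Optional[int] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    policy: Optional[int] = None
    verdict: str = "unknown"
    messages: List[str] = field(default_factory=list)


def parse_flow(text: str) -> List[Trace]:
    """Group trace lines by trace_id and pull out the fields worth reading."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt echoes, blank lines and other noise are ignored
        tid = int(m.group("trace"))
        t = traces.setdefault(tid, Trace(trace_id=tid))
        msg = m.group("msg")
        t.messages.append(msg)
        pkt = PKT_RE.search(msg)
        if pkt and t.src is None:  # first "received a packet" line carries the 5-tuple
            t.proto = int(pkt.group("proto"))
            t.src, t.sport = pkt.group("src"), int(pkt.group("sport"))
            t.dst, t.dport = pkt.group("dst"), int(pkt.group("dport"))
            inm = IN_RE.search(msg)
            if inm:
                t.in_iface = inm.group("iface")
        route = ROUTE_RE.search(msg)
        if route:
            t.out_iface = route.group("iface")
        allow = ALLOW_RE.search(msg)
        if allow:
            t.verdict, t.policy = "allowed", int(allow.group("policy"))
        deny = DENY_RE.search(msg)
        if deny:
            # policy 0 is the implicit deny at the end of the policy table
            t.verdict, t.policy = "denied", int(deny.group("policy"))
    return [traces[k] for k in sorted(traces)]


def summarize(traces: List[Trace]) -> List[str]:
    """One line per trace: tuple, interfaces and verdict."""
    out = []
    for t in traces:
        proto = PROTO_NAMES.get(t.proto, str(t.proto))
        tail = "no verdict seen" if t.verdict == "unknown" else f"{t.verdict} by policy {t.policy}"
        out.append(f"trace {t.trace_id}: {proto} {t.src}:{t.sport} -> {t.dst}:{t.dport} "
                   f"in {t.in_iface or '?'} out {t.out_iface or '?'}: {tail}")
    return out


if __name__ == "__main__":
    # Usage: paste the debug flow output into a file, then: python flow_summary.py trace.txt
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_FLOW
    print("\n".join(summarize(parse_flow(text))))
```

Run without arguments it summarises the constructed sample; with a file argument it reads a saved trace. A trace that ends without an Allowed/Denied line usually means the packet was handled before policy lookup (an existing session, or dropped earlier), which is why the summary says "no verdict seen" instead of guessing.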
Network packet capture | |
diag sniffer packet <interface> '<filter>' <verbose> <count> <a/l> | <interface>: physical, virtual, vpn or any. <filter>: tcpdump filter. <verbose>: six levels: 1 print header of packets; 2 print header and data from the IP header; 3 print header and data from the Ethernet header (convert using fgt2eth); 4, 5, 6 like 1, 2, 3 with the interface name. <count>: number of packets, 0 to capture until ctrl+C. <a/l>: absolute/local timestamp, omit for relative timestamp |
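Verbose level 3 (and 6) print every frame as a hex dump starting at the Ethernet header, which is why the row above says to convert the output with fgt2eth before opening it in Wireshark (see also FD30877 below). The script here is an added example, not part of the cheat sheet and not Fortinet's fgt2eth script: it rebuilds the raw frames from the hex dump and wraps them in libpcap headers (Ethernet link type). The sample output is constructed in the verbose-6 layout; MAC addresses, IPs and checksums are invented.

```python
"""Convert 'diag sniffer packet <if> '<filter>' 3' (or 6) output to pcap (added example)."""
import re
import struct
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample in the verbose-6 layout (timestamp, interface, direction,
# summary, then the hex dump). Addresses, MACs and checksums are invented.
SAMPLE_SNIFFER = """\
interfaces=[port1]
filters=[icmp]
2.454789 port1 -- 192.168.1.10 -> 192.168.1.1: icmp: echo request
0x0000\t 0009 0f09 0001 0050 56c0 0008 0800 4500\t.......PV.....E.
0x0010\t 001c 0001 0000 4001 f77b c0a8 010a c0a8\t......@..{......
0x0020\t 0101 0800 f7ff 0000 0000\t..........
2.455102 port1 -- 192.168.1.1 -> 192.168.1.10: icmp: echo reply
0x0000\t 0050 56c0 0008 0009 0f09 0001 0800 4500\t.PV...........E.
0x0010\t 001c 0001 0000 4001 f77b c0a8 0101 c0a8\t......@..{......
0x0020\t 010a 0000 ffff 0000 0000\t..........
"""

# Header line: relative ('2.454789') or absolute ('2020-02-25 10:11:12.123456')
# timestamp, optional interface and direction (verbose 4-6), then the summary.
PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+|\d+\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>in|out|--)\s+)?(?P<summary>.*)$")
HEX_RE = re.compile(r"^0x[0-9a-fA-F]{4}\s+(?P<rest>.*)$")
HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")
PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, native byte order
LINKTYPE_ETHERNET = 1


@dataclass
class Frame:
    ts: float
    iface: Optional[str]
    direction: Optional[str]
    summary: str
    data: bytes


def parse_timestamp(text: str) -> float:
    """Relative seconds as printed, or an absolute 'a' timestamp treated as UTC."""
    if "-" in text:
        return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(
            tzinfo=timezone.utc).timestamp()
    return float(text)


def hex_line_bytes(rest: str) -> bytes:
    """Decode the hex column of one dump line; the ASCII column is tab-separated."""
    hex_part = rest.split("\t")[0]
    out = bytearray()
    for tok in hex_part.split():
        if not HEX_TOKEN.match(tok):  # tabs lost: stop at the first non-hex token
            break
        out += bytes.fromhex(tok)
    return bytes(out)


def parse_sniffer(text: str) -> List[Frame]:
    frames: List[Frame] = []
    cur: Optional[Frame] = None
    buf = bytearray()
    for line in text.splitlines():
        h = HEX_RE.match(line)
        if h and cur is not None:
            buf += hex_line_bytes(h.group("rest"))
            continue
        p = PKT_RE.match(line)
        if p:  # a new packet header closes the previous frame
            if cur is not None:
                cur.data = bytes(buf)
                frames.append(cur)
            cur = Frame(parse_timestamp(p.group("ts")), p.group("iface"),
                        p.group("dir"), p.group("summary"), b"")
            buf = bytearray()
    if cur is not None:
        cur.data = bytes(buf)
        frames.append(cur)
    return frames


def to_pcap(frames: List[Frame]) -> bytes:
    """Global header (24 bytes) followed by a 16-byte record header per frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for f in frames:
        sec = int(f.ts)
        usec = int(round((f.ts - sec) * 1_000_000))
        if usec >= 1_000_000:
            sec, usec = sec + 1, usec - 1_000_000
        out += struct.pack("<IIII", sec, usec, len(f.data), len(f.data))
        out += f.data
    return bytes(out)


if __name__ == "__main__":
    # Usage: python fgt_sniffer_to_pcap.py capture.txt > capture.pcap
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SNIFFER
    sys.stdout.buffer.write(to_pcap(parse_sniffer(src)))
```

Only levels 3 and 6 dump the whole frame from the Ethernet header; levels 2 and 5 start at the IP header, so the resulting file would need link type 228 (raw IPv4) rather than 1 to decode correctly. Relative timestamps are written as seconds since the capture started, so Wireshark shows dates in 1970 unless the capture was taken with the a or l option.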
VPN | |
diag vpn ike gateway list | Show phase 1 |
diag vpn tunnel list | Show phase 2 (shows npu flag) |
diag vpn ike gateway flush name <phase1> | Flush a phase 1 |
diag vpn tunnel up <phase2> | Bring up a phase 2 |
diag debug en ; diag vpn ike log-filter daddr x.x.x.x ; diag debug app ike 1 | Troubleshoot VPN issue |
FortiGuard | |
execute update-now | Forces a download of the whole AV/IPS database, with license check |
diag deb en ; diag deb app update -1 | Troubleshoot AV/IPS download |
diag autoupd status/version | Show FGD engine and database |
diag debug rating | Show current connectivity with URL rating servers |
Most wanted tips: http://kb.fortinet.com/ | |
Multi-wan routing scenarios | FD32103 |
Convert "diag sniff packet" to wireshark | FD30877 |
Hairpin NAT | FD36202 |
Config transfer/conversion | FD10063 |
FSSO Troubleshoot | FD31819 |
Maximum log-age | FD36366 |
Blackhole routes for cleaner VPN failovers | FD36695 |
Allow TCP session creation without SYN flag | FD40929 |
Other great source for information | |
http://docs.fortinet.com/ | Official documentation (handbook, cli guide, release notes, hardware guides, etc…) |
http://cookbook.fortinet.com/ | Howtos, videos, etc… |
http://forum.fortinet.com/ | Official forum |
http://fusecommunity.fortinet.com | User community, with groups |
This document is distributed under the free license: Attribution-ShareAlike 4.0 International Creative Commons BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0/
You are free to:
- Share — copy and redistribute the material in any medium or format.
- Adapt — remix, transform, and build upon the material for any purpose, even commercially.
- The licensor cannot revoke these freedoms as long as you follow the license terms.
Under the following terms:
- Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
- No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.