Fortigate CLI Cheat Sheet

Release date 20200225 – v6.2.3

Original work by Frederic Kasmirczak, updated by Exclusive Networks

Main command structure
show Display changes to the default configuration
get List the configuration of the current object or table
edit Create or edit a table in the current object.
edit 0 will use the next ID available in a sequence number
set/unset Set a field / Reset a field to the default value
next Save current entry (edit X) and return to table
end Save the current changes and exit menu
abort Exit commands without saving the fields (ctrl+C)
delete Remove a table from the current object
tree Display the command tree for the current config section
show/get system interface Show interface status. Use get to retrieve dynamic information (such as PPPoE IP)
config sys interface
edit <port>
set ip x.x.x.x/y
set allowaccess ssh ping https
end
Basic interface IP configuration
diag netlink device list Show interface statistics (errors)
diag hard dev nic <port> Show interface statistics
Static routing
config router static
edit 0
set device internal
set dst x.x.x.x/y
set gateway z.z.z.z (or: set dynamic-gateway ena)
end
Add a static route (set a static gateway OR enable dynamic-gateway for DHCP/PPPoE)
get router info routing-table all Display the current routing table (active routes)
get router info routing-table database Display the current routing table (configured routes)
get ro info ro details x.x.x.x Display the route used to reach the IP x.x.x.x
diag firewall proute list Display the Policy Routes (have precedence over the routing table)
diag ip route list Display the kernel routing table
get sys status Show status summary
get sys perf stat Show Fortigate resources summary
execute ping(-options) Ping something (can add options)
execute ssh <user>@<ip> SSH to another server
exec shutdown/reboot Shutdown the device/reboot
get sys arp (| grep x.x) Show the arp table (filtered by x.x)
show | grep -f something Find where “something” is used (case-sensitive; add -i for case-insensitive)
Disk/upgrade/config management
diag hard deviceinfo disk Show disks and partitions usage
diag sys flash list Show partitions status
exec set-next-reboot ? Select partition for the next reboot
exec factoryreset [keepvmlicense] Reset to factory default (2 to keep network) (if VM, use keepvmlicense)
exec backup conf Backup configuration
exec restore config Restore configuration (reboots)
diag debug config-error-log read Show config parsing errors (after upgrade) > should be empty
exec formatlogdisk Format log disk
High availability
get sys ha status
diag sys ha status
Show HA conf summary
diag sys ha history read Show HA history events
diag deb en
diag deb cons timestamp en
diag deb app hatalk -1
diag deb app hasync -1
Troubleshoot HA synchronization issue
diag sys ha check cluster
diag sys ha check sh root
Show the config checksum for any members of the cluster and show details of the config for a vdom (here root)
exec ha synchronize all Synchronize all parts of the config
diag sys ha reset-uptime Reset HA uptime criteria (triggers a failover unless override is enabled; override is disabled by default)
diag sniffer packet haint 'ether[12:2]=0x8890' 6 Sniffer on heartbeat ports (here haint)
exec ha manage <id> <admin> Connect on a subordinate device
diag debug enable
diag debug flow sh c en
diag debug flow sh f en
diag debug flow filter saddr x.x.x.x
diag debug flow filter daddr y.y.y.y
diag debug flow trace start 10
diag debug reset
Debug flow
diag sys session filter src x.x.x.x
diag sys session filter dst x.x.x.x
Filter session table
diag sys session list List the sessions matching the filter
diag sys session clear Clear these sessions
diag debug crashlog read Show crashlog
diag deb en
diag deb app fnbamd -1
Debug authentication
diag debug report Collect lots of info
diag sys top <seconds> <nb_lines>
shift+P for CPU ordering, shift+M for Mem ordering
Processes usage (CPU usage)
diag sys top-summary '-s mem'
-h to show options
Processes usage (Mem usage)
Network Packet Capture
diag sniffer packet <interface> '<filter>' <verbose> <count> <a/l>
<interface>: physical, virtual, vpn, any
<filter>: tcpdump filter
<verbose>: there are six verbose levels:
1 - print header of packets
2 - print header and data from the IP header
3 - print header and data from the Ethernet header (convert using fgt2eth)
4, 5, 6 - like 1, 2, 3, with interface name
<count>: the number of packets; use 0 to capture until stopped with ctrl+C
<a/l>: a for absolute timestamp, l for local timestamp, nothing for relative timestamp
diag vpn ike gateway list Show phase 1
diag vpn tunnel list Show phase 2 (shows npu flag)
diag vpn ike gateway flush name <phase1> Flush a phase 1
diag vpn tunnel up <phase2> Bring up a phase 2
diag debug en
diag vpn ike log-filter daddr x.x.x.x
diag debug app ike -1
Troubleshoot VPN issue
execute update-now Forces a download of the whole AV/IPS database, with license check
diag deb en
diag deb app update -1
Troubleshoot AV/IPS download
diag autoupd status/version Show FGD engine and database
diag debug rating Show current connectivity with URL rating servers
Most wanted Tips : http://kb.fortinet.com/
Multi-wan routing scenarios FD32103
Convert “diag sniff packet” to wireshark FD30877
Hairpin NAT FD36202
Config transfer/conversion FD10063
FSSO Troubleshoot FD31819
Maximum log-age FD36366
Blackhole routes for cleaner VPN failovers FD36695
Allow TCP session creation without SYN flag FD40929
Other great source for information
http://docs.fortinet.com/ Official documentation (handbook, cli guide, release notes, hardware guides, etc…)
http://cookbook.fortinet.com/ Howtos, videos, etc…
http://forum.fortinet.com/ Official forum
http://fusecommunity.fortinet.com User community, with groups

This document is distributed under the free license:  Attribution-ShareAlike 4.0 International Creative Commons BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0/

You are free to:

  • Share — copy and redistribute the material in any medium or format.
  • Adapt — remix, transform, and build upon the material for any purpose, even commercially.
The licensor cannot revoke these freedoms as long as you follow the license terms.

Under the following terms:

  • Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
  • ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
  • No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

