{"id":33,"date":"2020-03-05T14:29:25","date_gmt":"2020-03-05T13:29:25","guid":{"rendered":"https:\/\/whatifsecu.tech\/?p=33"},"modified":"2020-03-05T14:29:39","modified_gmt":"2020-03-05T13:29:39","slug":"fortigate-cli-cheat-sheet","status":"publish","type":"post","link":"https:\/\/whatifsecu.tech\/?p=33","title":{"rendered":"Fortigate CLI Cheat Sheet"},"content":{"rendered":"\n

Release date 20200225 \u2013 v6.2.3<\/strong><\/p>\n\n\n\n

Original work by Frederic Kasmirczak, updated by\nExclusive Networks<\/p>\n\n\n\n
\n Main command\n structure\n <\/td><\/tr>
\n show\n <\/td>\n Display changes to the default configuration\n <\/td><\/tr>
\n get\n <\/td>\n List the configuration of the current object or table\n <\/td><\/tr>
\n edit\n <\/td>\n Create or edit a table in the current object.
\n edit 0 will use the next ID available in a sequence number\n <\/td><\/tr>
\n set\/unset\n <\/td>\n Set a field \/ Reset a field to the default value\n <\/td><\/tr>
\n next\n <\/td>\n Save current entry\n (edit X) and return to table \n <\/td><\/tr>
\n end\n <\/td>\n Save the current\n changes and exit menu\n <\/td><\/tr>
\n abort\n <\/td>\n Exit commands without saving the fields (ctrl+C)\n <\/td><\/tr>
\n delete\n <\/td>\n Remove a table from the current object\n <\/td><\/tr>
\n tree\n <\/td>\n Display\n the command tree for the current config section\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n Interface\n <\/td><\/tr>
\n show\/get\n system interface\n <\/td>\n Show interfaces status. Use get to retrieve dynamic information (such as PPPoE IP)\n <\/td><\/tr>
\n config sys interface
\n edit <port>
\n set ip x.x.x.x\/y
\n set allow ssh ping https
\n end\n <\/td>		\n Basic interface ip\n configuration\n <\/td><\/tr>
\n diag netlink device list\n <\/td>\n Show interfaces\n statistics (errors)\n <\/td><\/tr>
\n diag hard dev nic\n <port>\n <\/td>\n Show interfaces\n statistics\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n Static\n routing\n <\/td><\/tr>
\n config router static
\n edit 0
\n set device internal
\n set dst x.x.x.x\/y
\n set\n gateway z.z.z.z        \n set\n dynamic-gateway ena
\n end\n <\/td>		\n Add a static route\n  \n (set a static gateway OR<\/strong> enable dynamic-gateway for DHCP\/PPPoE)\n <\/td><\/tr>
\n get\n router info routing\u00adtable all\n get\n router info routing\u00adtable database\n <\/td>\n Display the current routing table active\/configured\n <\/td><\/tr>
\n get ro info ro details x.x.x.x\n <\/td>\n Display the route used to reach the IP x.x.x.x \n <\/td><\/tr>
\n diag firewall proute\n list\n <\/td>\n Display the Policy Routes (have precedence over the\n routing table)\n <\/td><\/tr>
\n diag ip route list\n <\/td>\n Display the kernel routing table\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n Basic\n <\/td><\/tr>
\n get sys status\n <\/td>\n Show status summary\n <\/td><\/tr>
\n get sys perf stat\n <\/td>\n Show Fortigate\n ressources summary\n <\/td><\/tr>
\n execute ping(-options)\n <\/td>\n Ping something (can add options)\n <\/td><\/tr>
\n execute ssh\n <user>@<ip>\n <\/td>\n SSH to another server\n <\/td><\/tr>
\n exec shutdown\/reboot\n <\/td>\n Shutdown the device\/reboot\n <\/td><\/tr>
\n get sys arp (| grep\n x.x)\n <\/td>\n Show the arp table (filtered by x.x)\n <\/td><\/tr>
\n show | grep -f\n something\n <\/td>\n Find where \u201csomething\u201d is used (cases-sensitive, can use -i to be case insensitive)\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n Disk\/upgrade\/config\n management\n <\/td><\/tr>
\n diag hard deviceinfo disk\n <\/td>\n Show disks and partitions usage\n <\/td><\/tr>
\n diag sys flash list\n <\/td>\n Show partitions\n status\n <\/td><\/tr>
\n exec set\u00adnext\u00adreboot ?\n <\/td>\n Select partition for the next reboot\n <\/td><\/tr>
\n exec factoryreset [keepvmlicense]\n <\/td>\n Reset to factory default (2 to keep network) (if VM,\n use keepvmlicense)\n <\/td><\/tr>
\n exec backup conf\n <\/td>\n Backup configuration\n <\/td><\/tr>
\n exec restore config\n <\/td>\n Restore configuration\n (reboots)\n <\/td><\/tr>
\n diag debug config-error-log read\n <\/td>\n Show config parsing errors (after upgrade) >\n should be empty\n <\/td><\/tr>
\n exec formatlogdisk\n <\/td>\n Format log disk\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n High\n availability\n <\/td><\/tr>
\n get sys ha status
\n diag sys ha status\n <\/td>		\n Show HA conf summary\n <\/td><\/tr>
\n diag sys ha history\n read\n <\/td>\n Show HA history events\n <\/td><\/tr>
\n diag deb en\n diag\n deb cons timestamp en
\n diag deb app hatalk \u00ad1
\n diag deb app hasync \u00ad1\n <\/td>		\n Troubleshoot HA synchronization issue\n <\/td><\/tr>
\n diag sys ha check cluster
\n diag sys ha check sh root\n <\/td>		\n Show the config checksum for any members of the cluster and show\n details of the config for a vdom (here root)\n <\/td><\/tr>
\n exec ha synchronize\n all\n <\/td>\n Synchronize all parts of the config\n <\/td><\/tr>
\n diag sys ha\n reset\u00aduptime\n <\/td>\n Reset ha uptime criteria (to trigger failover unless override is\n enabled => default is disabled)\n <\/td><\/tr>
\n diag sniffer packet\n haint ‘ether[12:2]=0x8890’ 6\n <\/td>\n Sniffer on heartbeat ports (here haint)\n <\/td><\/tr>
\n exec ha manage\n <id> <admin>\n <\/td>\n Connect on a subordinate device\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n Debug\n <\/td><\/tr>
\n diag debug enable
\n diag debug flow sh c en
\n diag debug flow sh f en
\n diag debug flow filter saddr x.x.x.x
\n diag debug flow filter daddr y.y.y.y
\n diag debug flow trace start 10
\n diag debug reset\n <\/td>		\n Debug flow\n <\/td><\/tr>
\n diag sys\n session filter<\/strong> src x.x.x.x
\n diag sys session filter<\/strong> dst x.x.x.x
\n diag sys session list<\/strong>\n diag sys\n session clear<\/strong>\n <\/td>		\n Filter<\/strong> session table\n  \n List<\/strong> session\n Clear<\/strong> these sessions\n <\/td><\/tr>
\n diag debug crashlog read\n <\/td>\n Show crashlog\n <\/td><\/tr>
\n diag deb en
\n diag deb app fnbamd -1\n <\/td>		\n Debug authentication\n <\/td><\/tr>
\n diag debug report\n <\/td>\n Collect lots of info \n <\/td><\/tr>
\n diag sys top\n <seconds> <nb_lines>
\n shift+P for CPU ordering, shift+M for Mem ordering<\/em>\n <\/td>		\n Processes usage (CPU usage)\n <\/td><\/tr>
\n diag sys top-summary\n \u2018-s mem\u2019
\n \u2018<\/em>-h<\/em>\u2019<\/em> to show\n options<\/em>\n <\/td>		\n Processes usage (Mem\n usage)\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n Network\n Packet Capture\n <\/td><\/tr>
\n diag\n sniffer packet <interface<\/em>> \u2018<filter<\/em>>\u2019 <verbose<\/em>>\n <count<\/em>> <a\/l<\/em>>
\n <interface<\/em><\/strong>>:\n physical, virtual, vpn, any
\n <filter<\/em><\/strong>>: tcpdump\n filter
\n <verbose<\/em><\/strong>>: there are\n six verbose levels:
\n 1<\/strong>\u00adprint header of packets
\n 2<\/strong>\u00adprint header and data from the\n IP header
\n 3<\/strong>\u00adprint header and data from the\n Ethernet header (convert using fgt2eth)
\n 4<\/strong>,5<\/strong>,6<\/strong>\u00adlike 1,2,3, with\n interface name
\n <count<\/em><\/strong>>\n the number of packets, can be 0 to stop using ctrl+C
\n <a<\/em><\/strong>\/l<\/strong><\/em>> to enable absolute\/local\n timestamp, nothing for relative timestamp\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n VPN\n <\/td><\/tr>
\n diag\n vpn ike gateway list\n <\/td>\n Show phase 1\n <\/td><\/tr>
\n diag vpn tunnel list\n <\/td>\n Show phase 2
\n (shows npu flag)\n <\/td><\/tr>
\n diag vpn ike gateway\n flush name <phase1>\n <\/td>\n Flush a phase 1\n <\/td><\/tr>
\n diag vpn tunnel up\n <phase2>\n <\/td>\n Bring up a phase 2\n <\/td><\/tr>
\n diag debug\n en
\n diag vpn ike log-filter daddr x.x.x.x
\n diag debug app ike \u00ad1 \n <\/td>		\n Troubleshoot VPN issue\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n FortiGuard\n <\/td><\/tr>
\n execute\n update-now\n <\/td>\n Forces a download of the whole AV\/IPS database, with\n license check\n <\/td><\/tr>
\n diag\n deb en
\n diag deb app update -1\n <\/td>		\n Troubleshoot AV\/IPS download\n <\/td><\/tr>
\n diag\n autoupd status\/version\n <\/td>\n Show FGD engine and database\n <\/td><\/tr>
\n diag\n debug rating\n <\/td>\n Show current connectivity with URL rating servers\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n Most wanted\n Tips : http:\/\/kb.fortinet.com\/\n <\/td><\/tr>
\n Multi-wan routing\n scenarios\n <\/td>\n FD32103\n <\/td><\/tr>
\n Convert “diag sniff packet” to wireshark\n <\/td>\n FD30877\n <\/td><\/tr>
\n Hairpin NAT\n <\/td>\n FD36202\n <\/td><\/tr>
\n Config\n transfer\/conversion\n <\/td>\n FD10063\n <\/td><\/tr>
\n FSSO Troubleshoot\n <\/td>\n FD31819\n <\/td><\/tr>
\n Maximum log-age\n <\/td>\n FD36366\n <\/td><\/tr>
\n Blackhole routes for cleaner VPN failovers\n <\/td>\n FD36695\n <\/td><\/tr>
\n Allow TCP session creation without SYN flag\n <\/td>\n FD40929\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n Other great source for information<\/a>\n <\/td><\/tr>
\n http:\/\/docs.fortinet.com\/\n <\/td>\n Official documentation (handbook, cli guide, release\n notes, hardware guides, etc\u2026)\n <\/td><\/tr>
\n http:\/\/cookbook.fortinet.com\/\n <\/td>\n Howtos, videos, etc\u2026\n <\/td><\/tr>
\n http:\/\/forum.fortinet.com\/\n <\/td>\n Official forum\n <\/td><\/tr>
\n http:\/\/fusecommunity.fortinet.com\n <\/td>\n User communiy, with groups\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n

This document is distributed under the free license:  Attribution-ShareAlike 4.0 International\nCreative Commons BY-SA 4.0 https:\/\/creativecommons.org\/licenses\/by-sa\/4.0\/<\/p>\n\n\n\n

You are\nfree to:<\/p>\n\n\n\n