
Fortigate CLI Cheat Sheet - Release date 20180504 - v 0.5.6
Original work by Frederic Kasmirczak, updated by Exclusive Networks

Main command structure
  show                        Display changes to the default configuration
  get                         List the configuration of the current object or table
  edit                        Create or edit a table in the current object.
                              "edit 0" uses the next ID available in a sequence number
  set/unset                   Set a field / reset a field to its default value
  end                         Save the current changes
  abort                       Exit without saving the fields (ctrl+C)
  delete                      Remove a table from the current object

Basic
  get sys status              Show status summary
  get sys perf stat           Show Fortigate resources summary
  execute ping (-options)     Ping something (options can be added)
  execute ssh <user>@<ip>     SSH to another server
  exec shutdown/reboot        Shutdown/reboot the device
  get sys arp (| grep x.x)    Show the arp table (filtered by x.x)
  show | grep -f something    Find where "something" is used (case-sensitive; use -i to be case insensitive)

Interface
  show/get system interface   Show interfaces status. Use get to retrieve dynamic information (such as a PPPoE IP)
  Basic interface IP configuration:
    config sys interface
    edit <port>
    set ip x.x.x.x/y
    set allowaccess ssh ping https
    end
  diag netlink device list    Show interfaces statistics (errors)
  diag hard dev nic <port>    Show interfaces statistics

Routing
  get router info routing-table all/database   Display the current routing table (active/configured)
  get ro info ro details x.x.x.x               Display the route used to reach the IP x.x.x.x
  diag firewall proute list                    Display the policy routes (they have precedence over the routing table)
  diag ip route list                           Display the kernel routing table

High availability
  get sys ha status           Show HA configuration summary
  diag sys ha status
  diag sys ha history read    Show HA history events
  Troubleshoot an HA synchronization issue:
    diag deb en
    diag deb cons timestamp en
    diag deb app hatalk -1
    diag deb app hasync -1
  diag sys ha check cluster   Show the config checksum of every member of the cluster
  diag sys ha check sh root   Show details of the config checksum for a vdom (here root)
  exec ha synchronize all     Synchronize all parts of the configuration
  diag sys ha reset-uptime    Reset the HA uptime criteria (to trigger a failover, unless override is enabled; override is disabled by default)
  diag sniffer packet haint 'ether[12:2]=0x8890' 6   Sniffer on the heartbeat port (here haint)
  exec ha manage <id>         Connect to a subordinate device

VPN
  diag vpn ike gateway list                  Show phase 1
  diag vpn tunnel list                       Show phase 2 (shows the npu flag)
  diag vpn ike gateway flush name <phase1>   Flush a phase 1
  diag vpn tunnel up <phase2>                Bring up a phase 2
  Troubleshoot VPN:
    diag debug en
    diag vpn ike log-filter daddr x.x.x.x
    diag debug app ike -1

Debug
  Debug flow:
    diag debug enable
    diag debug flow sh c en
    diag debug flow sh f en
    diag debug flow filter saddr x.x.x.x
    diag debug flow filter daddr y.y.y.y
    diag debug flow trace start 10
  diag debug reset
  Debug authentication:
    diag deb en
    diag deb app fnbamd -1
  diag debug report                   Collect lots of information
  diag sys top <seconds> <nb_lines>   Processes usage (CPU usage); shift+P for CPU ordering, shift+M for Mem ordering
  diag sys top-summary '-s mem'       Processes usage (Mem usage); '-h' shows the options

FortiGuard
  execute update-now          Forces a download of the whole AV/IPS database, with license check
  Troubleshoot AV/IPS download:
    diag deb en
    diag deb app update -1
  diag debug rating           Show current connectivity with the URL rating servers

Most wanted tips (http://kb.fortinet.com/)
  Multi-wan routing                             FD32103
  Convert "diag sniff packet" to wireshark      FD30877
  Hairpin NAT                                   FD36202
  Config transfer/conversion                    FD10063
  FSSO troubleshoot                             FD31819
  Maximum log-age                               FD36366

Disk/upgrade/config management
  diag hard deviceinfo disk              Show disks and partitions usage
  diag sys flash list                    Show partitions status
  execute set-next-reboot ?              Select the partition for the next reboot
  execute factoryreset [keepvmlicense]   Reset to factory default (execute factoryreset2 keeps the network settings; on a VM, add keepvmlicense)
  exe backup conf                        Backup configuration
  exe restore config                     Restore configuration (reboots)
  diag debug config-error-log read       Show config errors (after upgrade)
  execute formatlogdisk                  Format log disk

Static routing
  Add a static route:
    config router static
    edit 0
    set device internal
    set dst x.x.x.x/y
    set gateway z.z.z.z
    end

Packet capture
  diag sniffer packet <interface> '<filter>' <verbose> <count> <a/l>
    <interface>: physical, virtual, vpn, any
    <filter>:    tcpdump filter
    <verbose>:   there are six verbose levels:
                 1 - print the header of the packets
                 2 - print the header and data from the IP header of the packets
                 3 - print the header and data from the Ethernet header of the packets (convert using fgt2eth)
                 4,5,6 - like 1,2,3, with the interface name
    <count>:     the number of packets; can be 0, then stop with ctrl+C
    <a/l>:       absolute/local timestamps; nothing for relative timestamps

Session
  Show the session table:
    diag sys session filter src x.x.x.x
    diag sys session filter dst x.x.x.x
    diag sys session list
  Clear the session table:
    diag sys session filter src x.x.x.x
    diag sys session filter dst x.x.x.x
    diag sys session clear
  diag debug crashlog read               Show crashlog

Other great sources for information
  http://docs.fortinet.com/              Official documentation (handbook, CLI guide, release notes, hardware guides, etc.)
  http://cookbook.fortinet.com/          Howtos, videos, etc.
  http://wiki.diagnose.fortinet.com/     Fortinet diagnose wiki
  http://forum.fortinet.com/             Official forum
  http://fusecommunity.fortinet.com      User community, with groups

This document is distributed under the free license Attribution-ShareAlike 4.0 International (Creative Commons BY-SA 4.0): https://creativecommons.org/licenses/by-sa/4.0/
You are free to:
- Share — copy and redistribute the material in any medium or format.
- Adapt — remix, transform, and build upon the material for any purpose, even commercially.
The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms:
- Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
- No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
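The packet capture section above points to fgt2eth (FD30877) for turning verbose-3 sniffer output into something Wireshark can open. As an added example that is not part of the cheat sheet and is not Fortinet's fgt2eth script, the Python below parses a constructed verbose-6 excerpt (verbose 3 plus interface names; the line layout is assumed from typical sniffer output) and serializes the frames as a libpcap file. Only relative timestamps are parsed; absolute ('a'/'l') timestamps fall back to zero.

```python
import re
import struct

# Constructed excerpt of "diag sniffer packet port1 'icmp' 6" output
# (verbose 6 = verbose 3 plus interface name). Made-up values, not a real capture.
SAMPLE = """\
interfaces=[port1]
filters=[icmp]
1.745530 port1 in 10.0.0.1 -> 10.0.0.2: icmp: echo request
0x0000   0009 0f89 1001 0050 56b3 0001 0800 4500   .......PV.....E.
0x0010   001c 0000 4000 4001 0000 0a00 0001 0a00   ....@.@.........
0x0020   0002 0800 0000 0001 0001                  ..........
"""

# Hex-dump line: offset, 4-hex-digit groups, then an ASCII column that the
# single optional space in the group pattern does not reach (several spaces precede it).
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2,4} ?)+)")
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def parse_sniffer(text):
    """Return [(seconds, frame_bytes)] from verbose 3 or 6 sniffer output."""
    packets = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m and packets:
            packets[-1][1].extend(bytes.fromhex(m.group(1).replace(" ", "")))
            continue
        line = line.strip()
        if not line or line.startswith(("interfaces=", "filters=")):
            continue
        try:                                 # relative timestamp; absolute
            ts = float(line.split()[0])      # ('a'/'l') timestamps are not parsed
        except ValueError:
            ts = 0.0
        packets.append((ts, bytearray()))    # a new packet header line
    return [(ts, bytes(data)) for ts, data in packets if data]


def to_pcap(packets):
    """Serialize frames as a classic libpcap file (Ethernet link type)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


if __name__ == "__main__":
    with open("sniffer.pcap", "wb") as f:   # open the result in Wireshark
        f.write(to_pcap(parse_sniffer(SAMPLE)))
```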
