CheatSheet FortiOS 6.4

This document provides a cheat sheet of important FortiGate CLI commands for operations, troubleshooting, firewalling, and high availability configurations using FortiOS 6.4. It includes commands for checking interface, routing, and session information, debugging firewall policies and traffic flows, clearing ARP tables, pinging and tracerouting destinations, and viewing HA status, failover settings, and checksums for configuration synchronization. The cheat sheet also lists commands for FortiGuard services, logging, traffic shaping, and integrated iperf utilities for network testing.

FortiGate
Cheat Sheet - General for FortiOS 6.4

The cheat sheet from BOLL. Here you can find all important FortiGate CLI commands for the operation and troubleshooting of FortiGates with FortiOS 6.4.

System

General System Commands
get system status : General system information
exec tac report : Generates report for support
tree : Lists all commands
<command> ? / tab : Use ? or tab in CLI for help
<command> | grep [filter] : Grep command to filter outputs
diag debug cli 8 : Shows webGUI changes in CLI

Process Information
get system performance status : General performance information
diag sys top [sec] [number] : Process list; sort with P (CPU) / M (Memory)
diag debug crashlog read : Crash log database

Traffic Processing

General Debugging
diag debug appl [appl] [level] : Realtime debugger for different applications
diag test appl [appl] [test_level] : Monitor proxy operations
diag debug console timestamp enable : Enables timestamp in console
diag debug [enable/disable] : Enable/disable output for "diag debug" or "diag ip" commands
diag debug reset : Reset debug levels

Firewall Session Troubleshooting
diag sys session filter : Filter for session list
diag sys session list (expect) : Lists all (or expected) sessions
diag sys session clear : Clear all / filtered sessions
diag sys session stat : Session and memory statistics, drops, clashes
diag firewall iprope clear 100004 [<id>] : Resets counter for all or a specific firewall policy id

Packet Sniffer
diag sniffer packet [any/<if>] '[filter]' [verbose] [count] [timestamp] : Packet sniffer. Use filters! Verbose levels 1-6 for different output

Flow Trace
diag debug flow filter [filter] : Use filters to narrow down trace results
diag debug flow show iprop en,
diag debug flow show fun en,
diag debug flow trace start [count] : Debug commands for traffic flow

Network

Interface Information
diag ip address list : List of IPs on FGT interfaces
diag firewall iplist list : List of IPs on VIPs and IP pools

Network Troubleshooting
get hardware nic [port] : Interface information
diag ip arp list : ARP table
exec clear system arp table : Clears ARP table
exec ping x.x.x.x,
exec ping-options [option] : Ping utility
exec traceroute x.x.x.x,
exec traceroute-options [option] : Traceroute utility
exec telnet x.x.x.x [port] : Telnet utility

Integrated Iperf Utility
diag traffictest server-intf,
diag traffictest client-intf,
diag traffictest port [port],
diag traffictest run -c [public_iperf_server_ip] : Iperf test run directly from the FortiGate

General Routing Troubleshooting
get router info routing-table all : Routing table
get router info routing-table details x.x.x.x : Shows the routing decision for the specified destination IP
get router info routing-table database : Routing table with inactive routes
get router info kernel : Forwarding information base
diag firewall proute list : List of policy-based routes
diag ip rtcache list : List of route cache
get router info protocols : Overview of dynamic routing protocol configuration
exec router restart : Restart of routing process
diag sys link-monitor status/interface/launch : Shows link monitor status / per interface / for WAN LLB

High Availability

HA General
exec ha manage [index] [admin] : Jump to cluster member
get sys ha status : Information about HA status
diag sys ha history read : Details about past HA events
diag sys ha dump-by vcluster : Show cluster member uptime
diag sys ha reset-uptime : Reset cluster member uptime
diag debug appl hatalk -1,
diag debug appl hasync -1 : Debugging of HA-Talk/-Sync protocol
exec ha ignore-hardware-revision status / enable / disable : Set ignore status for different HW revisions
exec ha failover status : View failover status
exec ha failover set <cluster_id> : Device stays in failover state regardless of condition. Triggers an HA failover on the master device.

Cluster Synchronisation
diag sys ha checksum cluster : Show config checksums of all cluster members
diag sys ha checksum show [vdom] : Detailed config checksum for a VDOM
diag sys ha checksum recalculate : Recalculation of config checksums
v1.0 page 1
FortiGate
Cheat Sheet - Firewalling for FortiOS 6.4

UTM Services

FortiGuard Distribution Network (FDN)
update.fortiguard.net,
service.fortiguard.net,
securefw.fortiguard.net : URLs to access the FortiGuard Distribution Network (FDN)

Signature Update
diag autoupdate status : Summary of FortiGuard settings
diag autoupdate versions : Detailed versions of packages
diag debug appl update -1,
exec update-now : Realtime debugging of the updating process, with manual update

Antivirus
diag antivirus database-info : Antivirus database information
diagnose antivirus test "command" : Different tests for the AV engine

IPS
diag ips anomaly list : Lists statistics of DoS policies
diag ips packet status : IPS packet statistics
diag test appl ipsmonitor 2 : Enable / disable IPS engine
diag test appl ipsmonitor 5 : Toggle bypass status
diag test appl ipsmonitor 99 : Restart all IPS processes

Webfilter
diag debug rating : Webfilter / AntiSpam server information
diag webfilter fortiguard statistics list : Statistics of FortiGuard requests
diag webfilter fortiguard cache dump : List content of webfilter cache
diag test appl urlfilter 1 : Lists webfilter test commands
diag debug urlfilter src-addr x.x.x.x,
diag debug appl urlfilter -1 : Filter and realtime debugging for webfiltering

Emailfilter
diag emailfilter fortishield servers : Displays FortiShield server list
diag emailfilter fortishield stat list : Statistics of FortiShield requests

Firewall Policy

Device Detection
exec update-src-vis : Update device detection DB
diag user device list / clear : Show / clear detected devices

Internet Service Database (ISDB)
diag internet-service info vdom proto port ip : Lists summary/details for a specific Internet Service
diag internet-service info … : Reverse ISDB lookup for a specific IP, protocol or port
diag internet-service match <vdom> <ip> <netmask> : Reverse ISDB lookup for a specific IP

FQDN
diag test application dnsproxy 6 : Dump FQDN cache
diagnose firewall fqdn list : List all FQDNs

Logging
diag log test : Generates dummy log messages
exec log list : List log file information

Traffic Shaper
diag firewall shaper traffic-shaper list / stats : Traffic shaper list / statistics
diag firewall shaper per-ip-shaper list / stats : Per-IP traffic shaper list / statistics

SIP
diag sys sip status : SIP session helper status
diag sys sip-proxy stats list : SIP ALG session status
diag sys sip-proxy calls list/clear : List/clear active SIP calls
diag debug appl sip -1 : Realtime debugger for SIP

Authentication

Authentication
diag firewall auth filter … : Filter for authentication list
diag firewall auth list : List of authenticated users
diag test authserver [auth-protocol] [server] [user] [password] : Authentication test
diag debug appl auth -1 : Debugging of local authentication protocol
diag debug appl fnbamd -1 : Debugging of remote authentication protocol

FortiToken
diag fortitoken info : Current FortiToken status
exec fortitoken activate [FortiTokenSN] : Manual FortiToken activation
diag deb appl forticldd 255 : FortiToken activation debugging
exec fortitoken-mobile import 0000-0000-0000-0000 : Recover trial FortiToken

FSSO
diag debug authd fsso filter : Filter for FSSO user list
diag debug authd fsso list : List of FSSO authenticated users
diag debug authd fsso server-status : List of FSSO collector agents
diag debug fsso-polling … : Info for clientless polling FSSO
diag debug appl fssod -1 : Debugging of clientless polling FSSO

Explicit Proxy
diag wad user list/clear : List / clear explicit proxy users
diag wad filter …,
diag wad session list : Filtering / listing of web proxy sessions
diag test appl wad 104 : DNS statistics for explicit proxy
diag test appl wad 110 : Current proxy users
diag test appl wad 112 : Enables output of subsequent commands
diag test appl wad 2200 : Maximum number of users
v1.0 page 2
FortiGate
Cheat Sheet - Networking for FortiOS 6.4

VPN

IPsec VPN
diag debug appl ike 63 : Debugging of IKE negotiation
diag vpn ike log filter : Filter for IKE negotiation output
diag vpn ike gateway list : Phase 1 state
diag vpn ike gateway flush : Delete Phase 1
diag vpn tunnel list : Phase 2 state
diag vpn tunnel flush : Delete Phase 2
get vpn ike gateway : Detailed gateway information
get vpn ipsec tunnel details : Detailed tunnel information
get vpn ipsec state tunnel : Detailed tunnel statistics
diag vpn ipsec status : Shows IPsec crypto status

SD-WAN & Security Fabric

SD-WAN
diag sys virtual-wan-link member : Provides interface details
diag sys virtual-wan-link health-check <name> : State of SLAs
diag sys virtual-wan-link service <rule-id> : SD-WAN rule state
diag sys virtual-wan-link intf-sla-log <intf-name> : Link traffic history
diag sys virtual-wan-link sla-log <sla> <link_id> : SLA log on a specific interface
diag test appl lnkmtd 1/2/3 : Statistics of link-monitor
diag debug appl link-mon -1 : Real-time debugger of link-monitor

Security Fabric
diag sys csf upstream / downstream : List of upstream/downstream devices
diag sys csf neighbor list : MAC/IP list of connected FGT devices
diag test appl csfd 1 : Display Security Fabric statistics
diag debug appl csfd -1 : Real-time debugger
diag automation test <stitch_name> : Test stitches in the CLI

BGP, OSPF

BGP
get router info bgp summary : Summary of BGP status
get router info bgp neighbors : Information on BGP neighbors
diag ip router bgp all enable,
diag ip router bgp level info : Real-time debugging of BGP protocol
exec router clear bgp all : Restart of BGP session

OSPF
get router info ospf status : OSPF status
get router info ospf interface : Information on OSPF interfaces
get router info ospf neighbor : Information on OSPF neighbors
get router info ospf database brief / router lsa : Summary / details of all LSDB entries
get router info ospf database self-originate : Information on LSAs originating from the FortiGate
diag ip router ospf all enable,
diag ip router ospf level info : Real-time debugging of OSPF protocol
exec router clear ospf process : Restart of OSPF session

Wireless, Switch, FortiExtender

Access Point (CLI commands on the Access Point)
cfg -a ADDR_MODE=DHCP|STATIC : Change IP from DHCP to static on FortiAP
cfg -a AP_IPADDR="xxx.xxx.xxx.xx" : Set static IP on FortiAP
cfg -a AP_NETMASK="255.255.255.0" : Set subnet mask on FortiAP
cfg -a IPGW="yyy.yyy.yyy.yyy" : Set gateway on FortiAP
cfg -a AC_IPADDR_1="zzz.zzz.zzz.zzz" : Specify IP of the Wireless Controller on FortiAP
cfg -s / -c : List / save config on FortiAP
cfg -x : Reset to factory default

Wireless Controller
exec wireless-controller restart-acd : Restart wireless controller daemon
exec wireless-controller reset-wtp : Restart FortiAPs
diag wireless-controller wlac -c ap-rogue : List rogue APs
exec wireless-controller spectral-scan <wtp-id> <radio-id> <on | off> <duration> <channel> <report-interval> : Start or stop spectrum analysis
diag wireless-controller wlac -c rf-sa <wtp-id> <radio-id> <channel>,
get wireless-controller spectral-info <wtp-id> <radio-id> : Show spectrum analysis results

Switch Controller
diag switch-controller switch-info mac-table : Managed FortiSwitch MAC address list
diag switch-controller switch-info port-stats : Managed FortiSwitch port statistics
diag switch-controller switch-info trunk : Trunk information
diag switch-controller switch-info mclag : Dumps MCLAG related information from FortiSwitch
exec switch-controller get-conn-status : Get FortiSwitch connection status
exec switch-controller diagnose-connection : Get FortiSwitch connection diagnostics
diag switch-controller nac-device known / clear : Show / clear NAC devices

FortiExtender
get extender sys-info [FXT SN] : Check the FortiExtender status
get extender modem-status [FXT SN] : Get the detailed modem status of the FortiExtender
diag debug appl extender -1 : FortiExtender debugging, collect information for about 5 minutes
exec extender reset-fortiextender : Restart managed FortiExtender
exec extender restart-fortiextender-daemon : Restart the AC daemon

Modem
diag sys modem detect : Detect attached modem
diag debug appl modemd 3 : Debugger for modem commands
v1.0 page 3
FortiGate
Cheat Sheet - Other for FortiOS 6.4

System

Default Device Information
admin / no password : Default login
192.168.1.99 : Default IP on port1, internal or management port
9600/8-N-1, hardware flow control disabled : Default serial console settings

Factory Reset
exec factoryreset : Reset whole configuration
exec factoryreset-shutdown : Reset config and shutdown
exec factoryreset2 : Reset while retaining admin, interfaces and static routing

Firmware Update
diag debug config-error-log read : Show config errors after firmware upgrades

VDOMs
sudo global/vdom-name diag / exec / show / get : Sudo command to access global / VDOM settings directly

Transparent Mode
diag netlink brctl name host : Bridge MAC table

Workspace Mode
exec config-transaction start/abort/commit : Start/abort/commit of Workspace Mode
diag sys config-transaction status : State of Workspace Mode (enabled/disabled)
diag sys config-transaction show txn-info : Shows all active Workspace Modes
diag sys config-transaction show txn-cli-commands : Pending CLI commands of Workspace Mode

Hardware

Hardware Information
diag hardware sysinfo cpu : CPU information
diag hardware sysinfo conserve : Conserve Mode details. "Mem": memory / "FD": file descriptor
diag hardware sysinfo memory : Memory size, utilization
diag hardware test suite all : Hardware test (available only on newer models)
get hardware nic [port] : Physical interface information
get system interface physical / transceiver : Signal information for copper or SFP/SFP+ interfaces

Disk Operation
diag hardware deviceinfo disk : List disks with partitions
exec disk list : List the disks and partitions
exec disk scan [ref_int] : Run a disk check operation
exec disk format [ref_int] : Formats the specified partitions or disks and reboots the system
exec formatlogdisk : Formats the log disk, reboot included

Hardware Acceleration
set auto-asic-offload disable : Disable session offloading per firewall policy
set npu-offload disable : Disable VPN offloading per Phase 1

HQIP Hardware Check
support.fortinet.com > Download > HQIP Images : Download the Hardware Quick Inspection Package (HQIP) to scan hardware for possible faults

General Information

Fortinet Links
docs.fortinet.com : Documentation, Cookbooks, Release Notes
kb.fortinet.com : Knowledge Base
www.fortiguard.com : FortiGuard Website
support.fortinet.com : Support Site (login required)
forum.fortinet.com : User Forum (login required)
fndn.fortinet.net : Fortinet Developer Network (login required)
blog.boll.ch : Boll Blog

FortiGate most used ports
TCP/443, TCP & UDP/53, TCP & UDP/8888 : FortiGuard Queries
TCP/389, UDP/389 : LDAP, PKI Authentication
TCP/443 : Contract Validation, FortiToken, Firmware Updates
TCP/443, TCP/8890 : AV and IPS Update
UDP/500, ESP : IPsec VPN
UDP/500, UDP/4500 : IPsec VPN with NAT-Traversal
TCP/514 : FortiManager, FortiAnalyzer
TCP/1812 : RADIUS Authentication
TCP/1813 : RADIUS Accounting
UDP/5246, UDP/5247 : CAPWAP
TCP/8001 : FSSO
TCP/8013 : Compliance and Security Fabric
ETH Layer 0x8890, 0x8891, 0x8893 : HA Heartbeat / Sync
v1.0 page 4
