CheatSheet FortiOS 7.0 v1.0


FortiGate

Cheat Sheet - General for FortiOS 7.0

The cheat sheet from BOLL. Here you can find all important FortiGate CLI commands for the operation and troubleshooting of FortiGates with FortiOS 7.0.

System

General System Commands
  get system status                    General system information
  exec tac report                      Generates a report for support
  tree                                 Lists all commands
  <command> ? / tab                    Use ? or tab in the CLI for help
  <command> | grep [filter]            Grep command to filter outputs
  diag debug cli 8                     Shows webGUI changes as CLI commands

Process Information
  get system performance status        General performance information
  diag sys top [sec] [number]          Process list; sort with P (CPU) / M (memory)
  diag debug crashlog history          Crash statistics
  diag debug crashlog read             Crash log

Network

Interface Information
  diag ip address list                 List of IPs on FGT interfaces
  diag firewall iplist list            List of IPs on VIPs and IP pools
  get hardware nic [port]              Interface information

Network Troubleshooting
  diag ip arp list / get system arp    ARP table
  exec clear system arp table          Clears the ARP table
  exec ping x.x.x.x                    Ping utility
  exec ping-options [option]
  exec traceroute x.x.x.x              Traceroute utility
  exec traceroute-options [option]
  exec telnet x.x.x.x [port]           Telnet utility

Integrated Iperf Utility
  diag traffictest server-intf         Iperf test run directly from the FortiGate
  diag traffictest client-intf
  diag traffictest port [port]
  diag traffictest run -c [public_iperf_server_ip]

General Routing Troubleshooting
  get router info routing-table all                Routing table
  get router info routing-table details x.x.x.x    Shows the routing decision for the specified destination IP
  get router info routing-table database           Routing table including inactive routes
  get router info kernel                           Forwarding information base
  diag firewall proute list                        List of policy-based routes
  diag ip rtcache list                             List of the route cache
  get router info protocols                        Overview of dynamic routing protocol configuration
  exec router restart                              Restart of the routing process
  diag sys link-monitor status/interface/launch    Shows link monitor status / per interface / for WAN LLB

Traffic Processing

General Debugging
  diag debug appl [appl] [level]       Realtime debugger for different applications
  diag test appl [appl] [test_level]   Monitor proxy operations
  diag debug console timestamp enable  Enables timestamps in the console output
  diag debug [enable/disable]          Enable/disable output for "diag debug" and "diag ip" commands
  diag debug reset                     Reset debug levels
  Run "diag debug disable" and "diag debug reset" when you are finished: debug output that is left enabled costs CPU and floods the console.

Firewall Session Troubleshooting
  diag sys session filter              Filter for the session list
  diag sys session list (expect)       Lists all (or expected) sessions
  diag sys session clear               Clear all / filtered sessions (set a filter first, otherwise every session is cleared)
  diag sys session stat                Session and memory statistics, drops, clashes
  diag firewall iprope clear 100004 [<id>]   Resets the counters for all or a specific firewall policy ID

Packet Sniffer
  diag sniffer packet [any/<if>] '[filter]' [verbose] [count] [timestamp]
                                       Packet sniffer. Use filters! Verbose levels 1-6 for different output (3 and 6 include the Ethernet header and payload, which Fortinet's fgt2eth tool can convert to pcap). Without a count the sniffer runs until Ctrl+C.

Flow Trace
  diag debug flow filter [filter]      Use filters to narrow down the trace results
  diag debug flow show iprope enable
  diag debug flow show function-name enable
  diag debug flow trace start [count]  Debug command for the traffic flow

High Availability

HA General
  exec ha manage [index] [admin]       Jump to a cluster member
  get sys ha status                    Information about the HA status
  diag sys ha history read             Details about past HA events
  diag sys ha dump-by vcluster         Show cluster member uptime
  diag sys ha reset-uptime             Reset cluster member uptime
  diag debug appl hatalk -1            Debugging of the HA-Talk / HA-Sync protocol
  diag debug appl hasync -1
  exec ha ignore-hardware-revision status / enable / disable   Set ignore status for different HW revisions
  exec ha failover status              View failover status
  exec ha failover set <cluster_id>    Triggers an HA failover on the master device; the device stays in failover state regardless of condition until "exec ha failover unset <cluster_id>" is run

Cluster Synchronisation
  diag sys ha checksum cluster         Show config checksums of all cluster members
  diag sys ha checksum show [vdom]     Detailed config checksum for a VDOM
  diag sys ha checksum recalculate     Recalculation of config checksums
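Comparing the output of "diag sys ha checksum cluster" by eye is error-prone once a cluster has several VDOMs. The following script is an added example for this cheat sheet (it is neither BOLL's nor Fortinet's code); it parses the pasted output, compares the "checksum" section of every member and reports the VDOMs that differ. The output layout it assumes (one block per member headed by its serial number between "=" runs, a "debugzone" and a "checksum" section, each listing "<global|vdom|all>: <hex bytes>") is written from memory of FortiOS 6.x/7.x and the sample is constructed, so check it against a real capture before relying on it.

```python
"""Compare 'diag sys ha checksum cluster' output across HA cluster members.

Added example for the cheat sheet, not BOLL's or Fortinet's code. Assumed
output layout (from memory of FortiOS 6.x/7.x, not verified here): one block per
member headed "===== <serial> =====", a "debugzone" and a "checksum" section,
each listing "<global|vdom|all>: <16 hex bytes>".
"""
import re

# Constructed sample: a two-member cluster whose "root" VDOM is out of sync.
SAMPLE = """\
================== FG100ETK19000001 ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 9f 2a 31 8c 5d 77 00 e1 4b 6c 10 3a f2 d8 9e 01
root: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
all: 41 5c 7e 9b 20 1d e4 63 0f a8 c9 52 b7 36 d1 8a

checksum
global: 9f 2a 31 8c 5d 77 00 e1 4b 6c 10 3a f2 d8 9e 01
root: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
all: 41 5c 7e 9b 20 1d e4 63 0f a8 c9 52 b7 36 d1 8a

================== FG100ETK19000002 ==================
is_manage_master()=0, is_root_master()=0
debugzone
global: 9f 2a 31 8c 5d 77 00 e1 4b 6c 10 3a f2 d8 9e 01
root: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01
all: 41 5c 7e 9b 20 1d e4 63 0f a8 c9 52 b7 36 d1 8b

checksum
global: 9f 2a 31 8c 5d 77 00 e1 4b 6c 10 3a f2 d8 9e 01
root: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01
all: 41 5c 7e 9b 20 1d e4 63 0f a8 c9 52 b7 36 d1 8b
"""

MEMBER_RE = re.compile(r"^=+\s*(?P<sn>[^=\s]+)\s*=+$")
SUM_RE = re.compile(r"^(?P<name>[^:\s]+):\s*(?P<sum>(?:[0-9a-fA-F]{2}\s*)+)$")


def parse_ha_checksums(text):
    """Map serial -> {entry name -> checksum hex}, using the 'checksum' section
    only (the 'debugzone' section is meant for Fortinet support and is skipped)."""
    members, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMBER_RE.match(line)
        if m:
            current, section = m.group("sn"), None
            members[current] = {}
            continue
        if line in ("debugzone", "checksum"):
            section = line
            continue
        m = SUM_RE.match(line)
        if m and current is not None and section == "checksum":
            members[current][m.group("name")] = "".join(m.group("sum").split()).lower()
    return members


def find_mismatches(members):
    """Return {entry name -> {serial -> checksum}} for every entry that is not
    identical on all members; an entry missing on a member shows up as None."""
    names = set()
    for sums in members.values():
        names.update(sums)
    result = {}
    for name in sorted(names):
        values = {sn: sums.get(name) for sn, sums in members.items()}
        if len(set(values.values())) > 1:
            result[name] = values
    return result


def report(text):
    """Human-readable summary: one line per out-of-sync entry."""
    members = parse_ha_checksums(text)
    mismatches = find_mismatches(members)
    if not mismatches:
        return f"{len(members)} members in sync"
    lines = []
    for name, values in mismatches.items():
        detail = ", ".join(f"{sn}={v[:8] if v else 'missing'}" for sn, v in values.items())
        lines.append(f"{name}: {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

The "all" checksum differs whenever any single VDOM differs, so the per-VDOM lines are the useful ones. For a VDOM that is reported, run "diag sys ha checksum show <vdom>" on each member (via "exec ha manage") to find the object whose checksum differs, and try "diag sys ha checksum recalculate" first: a stale checksum and a real configuration difference look identical in this output.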

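The packet sniffer above prints hex dumps rather than a capture file. Fortinet publishes the fgt2eth tool for converting that output; the script below is an added example for this cheat sheet that does the same job in plain Python (it is not fgt2eth and not BOLL's code), so the result can be opened in Wireshark. It assumes the verbose 3/6 layout as remembered from FortiOS captures: a header line starting with a relative timestamp (or an absolute "YYYY-MM-DD HH:MM:SS.ffffff" one when the "a" timestamp option is used; treated as UTC here), at level 6 followed by the interface name and direction, then hex lines of the form "0x0000<TAB> 0009 0f09 ...<TAB>ASCII". The sample capture is constructed; verify the parser against a real capture before trusting it.

```python
"""Turn 'diag sniffer packet <if> "<filter>" 3' (or 6) output into a pcap file.

Added example for the cheat sheet; not Fortinet's fgt2eth and not BOLL's code.
Assumed output layout (from memory, not verified against every FortiOS build):
  <timestamp> [<interface> <in|out|-->] <summary>
  0x0000<TAB> 0009 0f09 0001 0011 2546 aa12 0800 4500<TAB>........%F....E.
Verbose levels 3 and 6 start at the Ethernet header, level 2 at the IP header.
"""
import re
import struct
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: two 32-byte fragments of a TCP SYN / SYN-ACK pair as
# verbose level 6 prints them (hex column before the tab, ASCII column after it).
SAMPLE = (
    "interfaces=[any]\n"
    "filters=[host 192.0.2.10]\n"
    "0.123456 port1 in 192.0.2.10.40000 -> 198.51.100.5.443: syn 1234567890\n"
    "0x0000\t 0009 0f09 0001 0011 2546 aa12 0800 4500\t........%F....E.\n"
    "0x0010\t 003c 1c46 4000 4006 b1e6 c000 020a c633\t.<.F@.@........3\n"
    "0.124000 port1 out 198.51.100.5.443 -> 192.0.2.10.40000: syn 987654321 ack 1234567891\n"
    "0x0000\t 0011 2546 aa12 0009 0f09 0001 0800 4500\t..%F..........E.\n"
    "0x0010\t 003c 0000 4000 4006 ce2c c633 6405 c000\t.<..@.@..,.3d...\n"
)

HEADER_RE = re.compile(
    r"^(?P<ts>\d+\.\d+|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?:(?P<iface>\S+) (?P<dir>in|out|--) )?(?P<summary>.*)$"
)
HEX_LINE_RE = re.compile(r"^0x[0-9a-fA-F]{4}[\t ]+(?P<rest>.*)$")
HEX_GROUP_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")

LINKTYPE_ETHERNET = 1    # verbose 3 and 6: data starts at the Ethernet header
LINKTYPE_RAW_IP = 101    # verbose 2: data starts at the IP header


@dataclass
class Packet:
    ts_sec: int
    ts_usec: int
    iface: str
    direction: str
    summary: str
    data: bytearray = field(default_factory=bytearray)


def _split_ts(text):
    """Return (seconds, microseconds) without losing precision through a float."""
    if re.fullmatch(r"\d+\.\d+", text):
        sec, frac = text.split(".")
        return int(sec), int(frac.ljust(6, "0")[:6])
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()), dt.microsecond


def parse_sniffer(text):
    packets = []
    for line in text.splitlines():
        m = HEX_LINE_RE.match(line)
        if m and packets:
            # The hex column ends at the tab before the ASCII column; if the tab
            # is missing, stop at the first token that is not 1-2 hex bytes.
            hex_field = m.group("rest").split("\t")[0]
            for tok in hex_field.split():
                if not HEX_GROUP_RE.match(tok):
                    break
                packets[-1].data += bytes.fromhex(tok)
            continue
        m = HEADER_RE.match(line)
        if m:
            sec, usec = _split_ts(m.group("ts"))
            packets.append(Packet(sec, usec, m.group("iface") or "", m.group("dir") or "",
                                  m.group("summary")))
    return packets


def to_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialise packets as a classic little-endian pcap (magic 0xa1b2c3d4)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for p in packets:
        out += struct.pack("<IIII", p.ts_sec, p.ts_usec, len(p.data), len(p.data))
        out += p.data
    return bytes(out)


if __name__ == "__main__":
    # usage: python fgt_sniffer_to_pcap.py capture.txt out.pcap   ("-" reads stdin)
    src = sys.stdin.read() if len(sys.argv) < 2 or sys.argv[1] == "-" else open(sys.argv[1]).read()
    pkts = parse_sniffer(src)
    dest = sys.argv[2] if len(sys.argv) > 2 else "out.pcap"
    with open(dest, "wb") as fh:
        fh.write(to_pcap(pkts))
    print(f"wrote {len(pkts)} packets to {dest}")
```

Capture with verbose 3 or 6 so the Ethernet header is included (use LINKTYPE_RAW_IP for verbose 2 output); verbose 1 and 4 print no hex lines, so the resulting pcap would contain empty records. Remember that sessions offloaded to the NP never reach the CPU and therefore never appear in the sniffer output; see the hardware acceleration notes on the last page.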
v1.0 page 1
FortiGate

Cheat Sheet - Firewalling for FortiOS 7.0

UTM Services

FortiGuard Distribution Network (FDN)
  update.fortiguard.net                URLs to access the FortiGuard Distribution Network (FDN)
  service.fortiguard.net
  securefw.fortiguard.net
  diag fdsm image-list / image-update-matrix   Download firmware image list and update matrix

Signature Update
  diag autoupdate status               Summary of FortiGuard settings
  diag autoupdate versions             Detailed versions of packages
  diag debug appl update -1            Realtime debugging of the update process, combined with a manual update
  exec update-now

Antivirus
  diag antivirus database-info         Antivirus database information
  diagnose antivirus test …            Different tests for the AV engine

IPS
  diag ips anomaly list                Lists statistics of DoS policies
  diag ips packet status               IPS packet statistics
  diag test appl ipsmonitor 2          Enable / disable IPS engine
  diag test appl ipsmonitor 5          Toggle bypass status
  diag test appl ipsmonitor 99         Restart all IPS processes

Web- & Email-Filter
  diag debug rating                    Webfilter / AntiSpam server information
  diag webfilter fortiguard statistics list   Statistics of FortiGuard requests
  diag webfilter fortiguard cache dump        List content of the webfilter cache
  diag test appl urlfilter 1                  Lists webfilter test commands
  diag debug urlfilter src-addr x.x.x.x       Filter and realtime debugging for webfiltering
  diag debug appl urlfilter -1
  diag emailfilter fortishield servers        Displays the FortiShield server list
  diag emailfilter fortishield stat list      Statistics of FortiShield requests

DNS-Filter
  diag test appl dnsproxy 3            Shows the server used for DNS filtering

Firewall Policy

Device Detection
  exec update-src-vis                  Update device detection DB
  diag user device list / clear        Show / clear detected devices

Internet Service Database (ISDB)
  diag internet-service-name list <internet-service-id>          Lists summary/details for a specific Internet Service
  diag internet-service info <vdom> <proto> <port> <ip> <prio>   Reverse ISDB lookup for a specific IP, protocol or port
  diag internet-service match <vdom> <ip> <netmask>              Reverse ISDB lookup for a specific IP

FQDN
  diag test application dnsproxy 6     Dump FQDN cache
  diagnose firewall fqdn list          List all FQDN addresses

Logging
  diag log test                        Generates dummy log messages
  exec log list                        List log file information
  diag test app miglogd 6              Show log queue and failures

Traffic Shaper
  diag firewall shaper traffic-shaper list / stats   Traffic shaper list / statistics
  diag firewall shaper per-ip-shaper list / stats    Per-IP traffic shaper list / statistics

SIP
  diag sys sip status                  SIP session helper status
  diag sys sip-proxy stats list        SIP ALG session status
  diag sys sip-proxy calls list/clear  List / clear active SIP calls
  diag debug appl sip -1               Realtime debugger for SIP

Authentication

Authentication
  diag firewall auth filter …          Filter for the authentication list
  diag firewall auth list              List of authenticated users
  diag test authserver [auth-protocol] [server] [user] [password]   Authentication test (the password is typed in clear text; use a test account)
  diag debug appl authd -1             Debugging of local authentication
  diag debug appl fnbamd -1            Debugging of remote authentication (LDAP, RADIUS, TACACS+)

FortiToken
  diag fortitoken info                 Current FortiToken status
  exec fortitoken activate [FortiTokenSN]   Manual FortiToken activation
  diag deb appl forticldd 255          FortiToken activation debugging
  diag fortitoken debug enable         FortiToken debugging
  exec fortitoken-mobile import 0000-0000-0000-0000-0000   Recover the trial FortiTokens (delete the existing trial tokens first)

FSSO
  diag debug authd fsso filter         Filter for the FSSO user list
  diag debug authd fsso list           List of FSSO authenticated users
  diag debug authd fsso server-status  List of FSSO collector agents
  diag debug fsso-polling …            Info for clientless polling FSSO
  diag debug appl fssod -1             Debugging of clientless polling FSSO

Explicit Proxy
  diag wad user list/clear             List / clear explicit proxy users
  diag wad filter …                    Filtering / listing of web proxy sessions
  diag wad session list
  diag test appl wad 104               DNS statistics for the explicit proxy
  diag test appl wad 110               Current proxy users
  diag test appl wad 112               Enables output of subsequent commands
  diag test appl wad 2200              Maximum number of users
FortiGate

Cheat Sheet - Networking for FortiOS 7.0

VPN

IPsec VPN
  diag debug appl ike 63               Debugging of the IKE negotiation
  diag vpn ike log filter              Filter for the IKE negotiation output
  diag vpn ike gateway list            Phase 1 state
  diag vpn ike gateway flush           Delete Phase 1
  diag vpn tunnel list                 Phase 2 state
  diag vpn tunnel flush                Delete Phase 2
  get vpn ike gateway                  Detailed gateway information
  get vpn ipsec tunnel details         Detailed tunnel information
  get vpn ipsec stats tunnel           Detailed tunnel statistics
  diag vpn ipsec status                Shows IPsec crypto status

SD-WAN & Security Fabric

SD-WAN
  diag sys sdwan member                Interface details
  diag sys sdwan health-check status | filter <name>   State of the SLAs
  diag sys sdwan service <rule-id>     SD-WAN rule state
  diag sys sdwan intf-sla-log <intf-name>   Link traffic history
  diag sys sdwan sla-log <sla> <link_id>    SLA log for a specific interface
  diag test appl lnkmtd 0/1/2          Statistics of the link monitor
  diag debug appl link-mon -1          Real-time debugger of the link monitor

Security Fabric
  diag sys csf upstream / downstream   List of upstream / downstream devices
  diag sys csf neighbor list           MAC/IP list of connected FGT devices
  diag test appl csfd 1                Display Security Fabric statistics
  diag debug appl csfd -1              Real-time debugger
  diag automation test <stitch_name>   Test automation stitches in the CLI

BGP, OSPF

BGP
  get router info bgp summary          Summary of the BGP status
  get router info bgp neighbors        Information on BGP neighbors
  diag ip router bgp all enable        Real-time debugging of the BGP protocol
  diag ip router bgp level info
  exec router clear bgp all            Restart of the BGP sessions

OSPF
  get router info ospf status          OSPF status
  get router info ospf interface       Information on OSPF interfaces
  get router info ospf neighbor        Information on OSPF neighbors
  get router info ospf database brief / router lsa   Summary / details of all LSDB entries
  get router info ospf database self-originate        Information on LSAs originated by the FortiGate
  diag ip router ospf all enable       Real-time debugging of the OSPF protocol
  diag ip router ospf level info
  exec router clear ospf process       Restart of the OSPF process

Wireless, Switch, FortiExtender

Access Point (CLI commands on the Access Point)
  cfg -a ADDR_MODE=DHCP|STATIC         Change IP from DHCP to static on the FortiAP
  cfg -a AP_IPADDR="xxx.xxx.xxx.xx"    Set static IP on the FortiAP
  cfg -a AP_NETMASK="255.255.255.0"    Set subnet mask on the FortiAP
  cfg -a IPGW="yyy.yyy.yyy.yyy"        Set gateway on the FortiAP
  cfg -a AC_IPADDR_1="zzz.zzz.zzz.zzz" Specify the IP of the wireless controller on the FortiAP
  cfg -s / -c                          List / save config on the FortiAP
  cfg -x                               Reset to factory default

Wireless Controller
  exec wireless-controller restart-acd   Restart the wireless controller daemon
  exec wireless-controller reset-wtp     Restart FortiAPs
  diag wireless-controller wlac -c ap-rogue   List rogue APs
  exec wireless-controller spectral-scan <wtp-id> <radio-id> <on|off> <duration> <channel> <report-interval>   Start or stop spectrum analysis
  diag wireless-controller wlac -c rf-sa <wtp-id> <radio-id> <channel>   Show spectrum analysis results
  get wireless-controller spectral-info <wtp-id> <radio-id>

Switch Controller
  diag switch-controller switch-info mac-table    Managed FortiSwitch MAC address list
  diag switch-controller switch-info port-stats   Managed FortiSwitch port statistics
  diag switch-controller switch-info trunk        Trunk information
  diag switch-controller switch-info mclag        Dumps MCLAG related information from the FortiSwitch
  exec switch-controller get-conn-status          Get FortiSwitch connection status
  exec switch-controller diagnose-connection      Get FortiSwitch connection diagnostics
  diag switch-controller mac-device known / clear Show / clear MAC devices

FortiExtender
  get extender sys-info [FXT SN]       Check the FortiExtender status
  get extender modem-status [FXT SN]   Get the detailed modem status of the FortiExtender
  diag debug appl extenderd -1         FortiExtender debugging; collect information for about 5 minutes
  exec extender reset-fortiextender    Restart the managed FortiExtender
  exec extender restart-fortiextender-daemon   Restart the AC daemon

Modem
  diag sys modem detect                Detect an attached modem
  diag debug appl modemd 3             Debugger for modem commands
FortiGate

Cheat Sheet - Other for FortiOS 7.0

System

Default Device Information
  admin / no password                  Default login. Set an admin password and trusted hosts right after the first login; never expose a factory-state unit to an untrusted network.
  192.168.1.99                         Default IP on port1, internal or management port
  9600/8-N-1, hardware flow control disabled   Default serial console settings

Factory Reset
  exec factoryreset                    Reset the whole configuration
  exec factoryreset-shutdown           Reset the config and shut down
  exec factoryreset2                   Reset while retaining admin, interfaces and static routing
  exec factoryreset keepvmlicense      Reset the whole config but keep the license

Firmware Update
  diag debug config-error-log read     Show config errors after firmware upgrades

VDOMs
  sudo global/<vdom-name> diag / exec / show / get   Sudo command to access global / VDOM settings directly

Transparent Mode
  diag netlink brctl name host         Bridge MAC table

Workspace Mode
  exec config-transaction start/abort/commit          Start/abort/commit of Workspace Mode
  diag sys config-transaction status                  State of Workspace Mode (enabled/disabled)
  diag sys config-transaction show txn-info           Shows all active Workspace Mode transactions
  diag sys config-transaction show txn-cli-commands   Pending CLI commands of Workspace Mode

Hardware

Hardware Information
  diag hardware sysinfo cpu            CPU information
  diag hardware sysinfo conserve       Conserve mode details. "Mem": memory / "FD": file descriptors
  diag hardware sysinfo memory         Memory size, utilization
  diag hardware test suite all         Hardware test (available only on newer models)
  get hardware status                  ASIC and NP information
  get vpn status ssl hw-acceleration-status   Show HW acceleration status for SSL VPN
  get hardware nic [port]              Physical interface information
  get system interface physical / transceiver   Signal information for copper or SFP/SFP+ interfaces

Disk Operation
  diag hardware deviceinfo disk        List disks with partitions
  exec disk list                       List the disks and partitions
  exec disk scan [ref_int]             Run a disk check operation
  exec disk format [ref_int]           Format the specified partitions or disks and reboot the system
  exec formatlogdisk                   Format the log disk, reboot included

Hardware Acceleration
  set auto-asic-offload disable        Disable session offloading per firewall policy (offloaded sessions bypass the CPU and are invisible to the sniffer and flow trace; disable offloading on the policy while troubleshooting)
  set npu-offload disable              Disable VPN offloading per Phase 1

HQIP Hardware Check
  https://support.fortinet.com → Download → HQIP Images   Download the Hardware Quick Inspection Package (HQIP) to scan the hardware for possible faults

General Information

Fortinet Links
  docs.fortinet.com                    Documentation, Cookbooks, Release Notes
  kb.fortinet.com                      Knowledge Base
  www.fortiguard.com                   FortiGuard Website
  support.fortinet.com                 Support Site (login required)
  forum.fortinet.com                   User Forum (login required)
  fndn.fortinet.net                    Fortinet Developer Network (login required)
  blog.boll.ch                         Boll Blog

FortiGate most used ports
  TCP/443, TCP & UDP/53, TCP & UDP/8888   FortiGuard queries
  TCP/389, UDP/389                     LDAP, PKI authentication
  TCP/443                              Contract validation, FortiToken, firmware updates
  TCP/443, TCP/8890                    AV and IPS update
  UDP/500, ESP                         IPsec VPN
  UDP/500, UDP/4500                    IPsec VPN with NAT traversal
  TCP/514                              FortiManager, FortiAnalyzer
  UDP/1812                             RADIUS authentication
  UDP/1813                             RADIUS accounting
  UDP/5246, UDP/5247                   CAPWAP
  TCP/8001                             FSSO
  TCP/8013                             Compliance and Security Fabric
  Ethernet frames, Ethertype 0x8890, 0x8891, 0x8893   HA heartbeat / sync