
Cheatsheet FortiGate CLI

Cheatsheet for the FortiGate Command Line Interface (CLI).

This article collects some useful FortiGate commands. Note that not every command works on every FortiGate version: some are unsupported on certain builds and others change between releases.

General Tips

External support (Fortinet)

System

Status

Open Network Connections

Performance

Processes

LDAP / Radius Authentication

        diagnose debug enable
        diagnose debug application fnbamd -1

High Availability

Object Management

Log

Layer 1 (Physical Layer)

Network Interface Card

Layer 2 (Data Link Layer)

Address Resolution Protocol (ARP)

Layer 3 (Network Layer)

Internet Protocol

Routing

Poor man’s traceroute

If you want to run a traceroute from a source IP other than the one assigned to your outbound interface, you can use this poor man's traceroute.

Use this procedure:

  1. Open a second SSH session and run the sniffer on the outbound interface, filtered for ICMP.
  2. Set the execute ping-options timeout to 1.
  3. Set the execute ping-options source to your source IP.
  4. Ping the target host.
  5. Observe the ICMP time to live exceeded message you get from the first router.
  6. Increase the timeout to 2 and repeat from step 4.

OSPF

Use Fortinet’s recommended procedure to debug OSPF: http://kb.fortinet.com/kb/viewContent.do?externalId=FD31207

IPSEC

Look for:

Geo IP Information

Layer 4 (Transport Layer)

Firewall

Session List Filters

It is possible to set filters for the session list.

Traffic Flow through FortiGate

        diagnose debug enable
        diagnose debug flow show console enable
        diagnose debug flow show function enable
        diagnose debug flow filter add 10.10.0.1
        diagnose debug flow trace start 100

Sniffer

Packets with TCP RST flag set:

        diagnose sniffer packet internal 'tcp[13] & 4 != 0'

Packets with TCP SYN flag set:

        diagnose sniffer packet internal 'tcp[13] & 2 != 0'

Packets with both the TCP SYN and ACK flags set (SYN-ACK):

        diagnose sniffer packet internal 'tcp[13] = 18'
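As an added example (not from the cheat sheet), the following Python shows what these tcp[13] filters actually test: byte 13 of the TCP header is the flags byte, so a bitwise AND matches any packet carrying that flag, while `= 18` (0x12) matches only packets whose flags are exactly SYN and ACK. The headers are constructed sample data, and `build_tcp_header`, `tcp13` and `matching_filters` are helper names assumed here.

```python
# Added example, not FortiGate code: evaluates the cheat sheet's sniffer
# filters against constructed TCP headers to show which packets they match.
import struct

# TCP flag bits as they sit in tcp[13] (RFC 793 order, low bit first)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no options, checksum zeroed).
    Sample data only: sequence/ack numbers are arbitrary constants."""
    data_offset = 5 << 4            # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH",
                       src_port, dst_port,
                       0x11223344,       # sequence number (constructed)
                       0x55667788,       # acknowledgement number (constructed)
                       data_offset, flags,
                       65535,            # window size
                       0,                # checksum (not computed here)
                       0)                # urgent pointer


def tcp13(header: bytes) -> int:
    """Return the flags byte that the sniffer expression tcp[13] refers to."""
    return header[13]


# The three filters from the cheat sheet, expressed as Python predicates.
FILTERS = {
    # any packet with RST set, including the common RST+ACK
    "tcp[13] & 4 != 0": lambda h: tcp13(h) & RST != 0,
    # any packet with SYN set, so plain SYN as well as SYN-ACK
    "tcp[13] & 2 != 0": lambda h: tcp13(h) & SYN != 0,
    # exactly SYN+ACK (0x12): no other flag may be set
    "tcp[13] = 18":     lambda h: tcp13(h) == SYN | ACK,
}


def matching_filters(header: bytes) -> list:
    """List the cheat-sheet filters a given TCP header would match."""
    return [expr for expr, pred in FILTERS.items() if pred(header)]
```

A plain SYN therefore matches only the `& 2` filter, a SYN-ACK matches both the `& 2` and the `= 18` filters, and an RST+ACK matches only the `& 4` filter.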

Layer 5 (Session Layer)

SSL-Inspection

Fortinet Single Sign On (FSSO)

        diag debug enable
        diag debug authd fsso list
        diag debug authd fsso server-status
        diag debug authd fsso-summary

Layer 7 (Application Layer)

Proxy

        execute log filter dump
        execute log filter category 0
        execute log filter field hostname www.google.ch
        execute log display

FortiGuard

Antivirus

IPS