Useful CLI commands
Cheatsheets
- FortiOS 6.2 Cheat Sheet (https://blog.boll.ch/cheatsheet-fortios-version-6-2/)
CLI Commands
To start a transaction in CLI use execute config-transaction start.
A workspace mode transaction times out in five minutes if there is no activity. When a transaction times out, all changes are discarded.
Commit config changes with execute config-transaction commit.
Abort with execute config-transaction abort.
Generic Commands
Default Device Information
admin / no password | Default login |
192.168.1.99 | Default IP on port1, internal or management port |
9600/8-N-1, hw flow control disabled | Default serial console settings |
General system commands
get system status | General system information |
exec tac support | Generates report for support |
tree | List all commands |
<command> ? / tab | Use ? or tab in CLI for help |
<command> | grep [filter] | Grep commands to filter output |
FortiGate most used ports
UDP/53, UDP/8888 | Fortiguard Queries |
TCP/389, UDP/389 | LDAP, PKI Authentication |
TCP/443 | Contract Validation, FortiToken, Firmware Updates |
TCP/443, TCP/8890 | AV and IPS Update |
UDP/500, ESP | IPSEC VPN |
UDP/500, UDP/4500 | IPSEC VPN with NAT-Traversal |
TCP/514 | FortiManager, FortiAnalyzer |
TCP/1812, TCP/1813 | RADIUS Auth & Accounting |
UDP/5246, UDP/5247 | CAPWAP |
TCP/8001 | FSSO |
TCP/8013 | Compliance and Security Fabric |
ETH Layer 0x8890, 0x8891 and 0x8893 | HA Heartbeat. For HA, the virtual MAC address is determined by the following formula: 00-09-0f-09-<group-id_hex>-(<vcluster_integer> + <idx>) |
Network commands
Interface information
diag ip address list | List of IP addresses on FortiGate interfaces |
diag firewall iplist list | List of IP addresses on VIP and IP-Pools |
Security Fabric
diag sys csf upstream / downstream | List of up/downstream devices |
diag sys csf neighbor list | MAC/IP list of connected FG devices |
diag automation test <stitch_name> | Test stitches in the CLI |
diag test appl csfd 1 ... | Display security fabric statistics |
diag debug appl csfd -1 | Real-time debugger |
Switch Controller
diag switch-controller switch-info mac-table | Managed FortiSwitch MAC address list |
diag switch-controller switch-info port-stats | Managed FortiSwitch port statistics |
diag switch-controller switch-info trunk | Trunk information |
diag switch-controller switch-info mclag | Dumps MCLAG related information from FortiSwitch |
execute switch-controller get-conn-status | Get FortiSwitch connection status |
execute switch-controller diagnose-connection | Get FortiSwitch connection diagnostics |
SD-WAN
diag sys virtual-wan-link member | Provide interface details |
diag sys virtual-wan-link health-check <name> | State of SLAs |
diag sys virtual-wan-link service <rule-id> | SD-WAN rule state |
diag sys virtual-wan-link intf-sla-log <intf-name> | Link Traffic History |
diag sys virtual-wan-link sla-log <sla> <link_id> | SLA-Log on specific interface |
diag test application lnkmtd 1/2/3 | Statistics of link-monitor |
diag debug application link-monitor -1 | Real-time debugger of link-monitor |