
Useful CLI commands


CLI Commands

To start a transaction in the CLI, use execute config-transaction start.

A workspace-mode transaction times out after five minutes without activity. When a transaction times out, all changes are discarded.

Commit config changes with execute config-transaction commit.
Abort with execute config-transaction abort.

Generic Commands

Default Device Information
admin / no password                                 Default login
192.168.1.99                                        Default IP on port1, internal or management port
9600/8-N-1, hw flow control disabled                Default serial console settings

General system commands
get system status                                   General system information
exec tac support                                    Generates a report for support
tree                                                List all commands
<command> ? / tab                                   Use ? or tab in the CLI for help
<command> | grep [filter]                           Grep command output to filter it

FortiGate most used ports
UDP/53, UDP/8888                                    FortiGuard queries
TCP/389, UDP/389                                    LDAP, PKI authentication
TCP/443                                             Contract validation, FortiToken, firmware updates
TCP/443, TCP/8890                                   AV and IPS updates
UDP/500, ESP                                        IPsec VPN
UDP/500, UDP/4500                                   IPsec VPN with NAT traversal
TCP/514                                             FortiManager, FortiAnalyzer
TCP/1812, TCP/1813                                  RADIUS authentication and accounting
UDP/5246, UDP/5247                                  CAPWAP
TCP/8001                                            FSSO
TCP/8013                                            Compliance and Security Fabric
ETH Layer 0x8890, 0x8891 and 0x8893                 HA heartbeat

For HA, the virtual MAC address is determined by the following formula:
00-09-0f-09-<group-id_hex>-(<vcluster_integer> + <idx>)
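The HA virtual MAC formula above, worked as a small Python helper (an added example, not part of the cheatsheet): it builds the MAC from group-id, virtual cluster and interface index, decodes a MAC found in an ARP or MAC table back into those fields, and scans constructed ARP-style lines for FortiGate HA virtual MACs. It assumes, from FortiOS HA documentation rather than this page, that vcluster_integer is 0x00 for virtual cluster 1 and 0x20 for virtual cluster 2, and that idx is the 0-based interface index.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

HA_PREFIX = (0x00, 0x09, 0x0F, 0x09)  # fixed leading octets of every HA virtual MAC
VCLUSTER_BASE = {1: 0x00, 2: 0x20}    # assumed: vcluster 1 -> 0x00, vcluster 2 -> 0x20
MAC_RE = re.compile(r"\b[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}\b", re.IGNORECASE)

class HaVirtualMac(NamedTuple):
    group_id: int  # HA group-id (0-255), the fifth octet
    vcluster: int  # virtual cluster 1 or 2
    idx: int       # interface index, added to the vcluster base in the sixth octet

def ha_virtual_mac(group_id: int, vcluster: int, idx: int) -> str:
    """Apply 00-09-0f-09-<group-id_hex>-(<vcluster_integer> + <idx>)."""
    if not 0 <= group_id <= 0xFF:
        raise ValueError("group-id must fit in one octet (0-255)")
    if vcluster not in VCLUSTER_BASE:
        raise ValueError("vcluster must be 1 or 2")
    if not 0 <= idx < 0x20:
        raise ValueError("interface index must stay below the next vcluster base (0x20)")
    octets = (*HA_PREFIX, group_id, VCLUSTER_BASE[vcluster] + idx)
    return ":".join(f"{o:02x}" for o in octets)

def parse_ha_virtual_mac(mac: str) -> Optional[HaVirtualMac]:
    """Invert the formula; None for anything the formula cannot have produced."""
    try:
        octets = tuple(int(p, 16) for p in re.split(r"[:-]", mac))
    except ValueError:
        return None
    if len(octets) != 6 or octets[:4] != HA_PREFIX or octets[5] >= 0x40:
        return None
    vcluster = 2 if octets[5] >= 0x20 else 1
    return HaVirtualMac(octets[4], vcluster, octets[5] - VCLUSTER_BASE[vcluster])

def find_ha_macs(arp_lines: List[str]) -> List[Tuple[str, HaVirtualMac]]:
    """Scan ARP-table style lines; report each MAC that decodes as an HA virtual MAC."""
    hits = []
    for line in arp_lines:
        for mac in MAC_RE.findall(line):
            decoded = parse_ha_virtual_mac(mac)
            if decoded is not None:
                hits.append((line.strip(), decoded))
    return hits

# Constructed sample lines in the spirit of 'get system arp' output (not real device output)
SAMPLE_ARP = [
    "192.168.1.99   0   00:09:0f:09:0a:00   port1",
    "192.168.1.10   3   b4:2e:99:11:22:33   port1",
    "10.20.0.1      1   00:09:0f:09:0a:21   port2",
]
```

find_ha_macs(SAMPLE_ARP) flags the first and third lines as HA group 10 (vcluster 1, idx 0 and vcluster 2, idx 1) and ignores the vendor MAC on the second line.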

Network commands

Interface information
diag ip address list                                List of IP addresses on FortiGate interfaces
diag firewall iplist list                           List of IP addresses on VIPs and IP pools

Security Fabric
diag sys csf upstream / downstream                  List of upstream/downstream devices
diag sys csf neighbor list                          MAC/IP list of connected FortiGate devices
diag automation test <stitch_name>                  Test stitches in the CLI
diag test appl csfd 1 ...                           Display Security Fabric statistics
diag debug appl csfd -1                             Real-time debugger
Switch Controller
diag switch-controller switch-info mac-table        Managed FortiSwitch MAC address list
diag switch-controller switch-info port-stats       Managed FortiSwitch port statistics
diag switch-controller switch-info trunk            Trunk information
diag switch-controller switch-info mclag            Dumps MCLAG related information from FortiSwitch
execute switch-controller get-conn-status           Get FortiSwitch connection status
execute switch-controller diagnose-connection       Get FortiSwitch connection diagnostics
SD-WAN
diag sys virtual-wan-link member                    Interface details
diag sys virtual-wan-link health-check <name>       State of SLAs
diag sys virtual-wan-link service <rule-id>         SD-WAN rule state
diag sys virtual-wan-link intf-sla-log <intf-name>  Link traffic history
diag sys virtual-wan-link sla-log <sla> <link_id>   SLA log on a specific interface
diag test application lnkmtd 1/2/3                  Statistics of link-monitor
diag debug application link-monitor -1              Real-time debugger of link-monitor
Network Troubleshooting
get hardware nic [port]                             Interface information
get system arp                                      ARP table
diag ip arp list                                    ARP table
exec clear system arp table                         Clears the ARP table
exec ping x.x.x.x                                   Ping utility
exec ping-options [option]                          Ping utility options
exec traceroute x.x.x.x                             Traceroute utility
exec traceroute-options [option]                    Traceroute utility options
exec telnet x.x.x.x [port]                          Telnet utility
diag traffictest server-intf                        iPerf test run directly from the FortiGate
diag traffictest client-intf
diag traffictest port [port]
diag traffictest run -c [public_iperf_server_ip]
Transparent Mode
Routing
get router info routing-table all                   Show routing table
get router info routing-table details x.x.x.x       Show routing decision for the specified destination IP
get router info routing-table database              Routing table including inactive routes