Useful CLI commands FortiOS
Cheatsheets
- FortiOS 6.2 CheatSheet (https://blog.boll.ch/cheatsheet-fortios-version-6-2/)
- FortiOS 7.0 CheatSheet (https://blog.boll.ch/cheatsheet-fortios-7-0/)
- FortiOS 7.2 CheatSheet (https://blog.boll.ch/cheatsheet-fortios-v7-2/)
CLI Commands
To start a transaction in CLI use execute config-transaction start.
A workspace mode transaction times out in five minutes if there is no activity. When a transaction times out, all changes are discarded
Commit config changes with execute config-transaction commit.
Abort with execute config-transaction abort.
Generic Commands
Default Device Information
admin / no password | Default login |
192.168.1.99 | Default IP on port1, internal or management port |
9600/8-N-1, hw flow control disabled | Default serial console settings |
General system commands
get system status | General system information |
exec tac support | Generates report for support |
tree | List all commands |
<command> ? / tab | Use ? or tab in CLI for help |
<command> | grep [filter] | Grep commands to filter output |
Fortigate most used ports
UDP/53, UDP/8888 | Fortiguard Queries |
TCP/389, UDP/389 | LDAP, PKI Authentication |
TCP/443 | Contract Validation, FortiToken, Firmware Updates |
TCP/443, TCP/8890 | AV and IPS Update |
UDP/500, ESP | IPSEC VPN |
UDP/500, UDP/4500 | IPSEC VPN with NAT-Traversal |
TCP/514 | FortiManager, FortiAnalyzer |
TCP/1812, TCP/1813 | RADIUS Auth & Accounting |
UDP/5246, UDP/5247 | CAPWAP |
TCP/8001 | FSSO |
TCP/8013 | Compliance and Security Fabric |
ETH Layer 0x8890, 0x8891 and 0x8893 | HA Heartbeat For HA The virtual MAC address is determined based on following formula: 00-09-0f-09-<group-id_hex>-(<vcluster_integer> + <idx>) |
Network commands
Interface information
diag ip address list | List of IP addresses on FortiGate interfaces |
diag firewall iplist list | List of IP addresses on VIP and IP-Pools |
Security Fabric
diag sys csf upstream / downstream | List of up/downstream devices |
diag sys csf neighbor list | MAC/IP list of connected FG devices |
diag automation test <stich_name> | Test stitches in the CLI |
diag test appl csfd 1 ... | Display security fabric statistics |
diag debug appl csfd -1 | Real-time debugger |
Switch Controller
diag switch-controller switch-info mac-table |
Managed FortiSwitch MAC address list |
diag switch-controller switch-info port-stats |
Managed FortiSwitch port statistics |
diag switch-controller switch-info trunk |
Trunk information |
diag switch-controller switch-info mclag |
Dumps MCLAG releated information from FortiSwitch |
execute switch-controller get-conn-status |
Get FortiSwitch connection status |
execute switch-controller diagnose-connection | Get FortiSwitch connection diagnostics |
SD-WAN
diag sys virtual-wan-link member |
Provide interface details |
diag sys virtual-wan-link health-check <name> | State of SLAs |
diag sys virtual-wan-link service <rule-id> |
SD-WAN rule state |
diag sys virtual-wan-link intf-sla-log <intf-name> |
Link Traffic History |
diag sys virtual-wan-link sla-log <sla> <link_id> |
SLA-Log on specific interface |
diag test application lnkmtd 1/2/3 |
Statistics of link-monitor |
diag debug application link- monitor -1 | Real-time debugger of link-monitor |
Network Troubleshooting
get hardware nic [port] |
Interface information |
get system arp |
ARP table |
exec clear system arp table |
Clears ARP table |
exec ping x.x.x.x |
Ping utility |
exec traceroute x.x.x.x exec traceroute-options [option] |
Traceroute utility |
exec telnet x.x.x.x [port] |
Telnet utility |
diag traffictest server-intf diag traffictest client-intf diag traffictest port [port] diag traffictest run -c [public_iperf_server_ip] |
Iperf test directly run from FortiGate |
Transparent Mode
diag netlink brctl |
Bridge MAC table |
Routing
Routing troubleshooting
get router info routing-table all | Show routing table |
get router info routing-table details x.x.x.x | Show routing decision for specified destination-IP |
get router info routing-table database | Routing table with inactive routes |
get router info kernel | Forwarding information base |
diag firewall proute list | List of policy-based routes |
diag ip rtcache list | List of route cache |
exec router restart | Restart of routing process |
diag sys link-monitor status/interface/launch | Show link monitor status / per interface / for WAN LB |
BGP
get router info bgp summary | BGP summary of BGP status |
get router info bgp neighbors | Information of BGP neighbors |
diag ip router bgp all enable diag ip router bgp level info |
Real-time debugging for BGP protocol |
exec router clear bgp all | Restart of BGP session |
OSPF
get router info ospf status | OSPF status |
get router info ospf interface | Information on OSPF interfaces |
get router info ospf neighbor | Information on OSPF neighbors |
get router info ospf database brief / router lsa | Summary / Details of all LSDB entries |
get router info ospf database self-originate | Information on LSAs originating from FortiGate |
diag ip router ospf all enable diag ip router ospf level info |
Real-time debugging of OSPF protocol |
exec router clear ospf process | Restart of OSPF session |
VPN
diag debug appl ike 63 |
Debugging of IKE negotiation |
diag vpn ike log filter |
Filter for IKE negotiation output |
diag vpn ike gateway list |
Phase 1 state |
diag vpn ike gateway flush |
Delete Phase 1 |
diag vpn tunnel list |
Phase 2 state |
diag vpn tunnel flush |
Delete Phase 2 |
get vpn ike gateway |
Detailed gateway information |
get vpn ipsec tunnel details |
Detailed tunnel statistics |
get vpn ipsec tunnel summary |
Detailed tunnel information |
diag vpn ipsec status |
Shows IPSEC crypto status |
show full vpn certificate local |
Export all keys and certs |