Network System

Network Troubleshooting Process information

get hardware nic [port] Interface information get system performance status General performance information
get system arp Process list
diag ip arp list ARP table diag sys top [sec] [number]
Sort with P (CPU) / M (Memory)
exec clear system arp table Clears ARP table Process list with grouped processes and
diag sys top-summary [sec]
exec ping x.x.x.x shared memory.

CHEATSHEET
exec ping-options [option] Ping utility
diag debug crashlog read Crash log
exec traceroute x.x.x.x
exec traceroute-options [option] Traceroute utility
exec telnet x.x.x.x [port] Telnet utility
Traffic Processing
General debugging
Interface information diag debug appl [appl-name]
[debug_level]
diag ip address list List of IP addresses on FortiGate interfaces Debugger for several applications
diag test appl [appl-name]

FORTIGATE FOR FORTIOS 6.0

© BOLL Engineering AG, FortiOS Cheat Sheet Version 1.5 / 13.09.2018
diag firewall iplist list

Transparent Mode
List of IP addresses on VIP and IP-Pools [test_level]
diag debug console timestamp
enable
diag debug enable
Enables timestamp in console

Enable/disable output for “diag debug” and

diag netlink brctl Bridge MAC table diag debug disable “diag ip” commands
diag debug reset Reset debug levels
Routing
General Routing troubleshooting Paket Sniffer
get router info routing-table diag sniffer packet [if] ‘[fil- Packet sniffer. Use filters!
Default device information all Routing table
ter]’ [verbose] [count] [ts] Verbose levels 1-6 for different output
admin / [no password] Default login get router info routing-table Shows Routing decision for specified
Default IP on port1, internal details x.x.x.x Destination-IP
192.168.1.99/24
or management port get router info routing-table Flow Trace
database Routing table with inactive routes
9600/8-N-1 diag debug flow filter [filter]
hardware flow control disabled Default serial console settings
get router info kernel Forwarding information base diag debug flow show iprope en
Debug command for traffic flow.
diag debug flow show fun ena
diag firewall proute list List of policy-based routes Use filters to narrow down search results
diag debug flow trace start
Fortinet Links diag ip rtcache list List of route cache [packet count]
docs.fortinet.com Documentation Overview of dynamic routing protocol
get router info protocols
kb.fortinet.com Knowledge base configuration
Firewall session troubleshooting
cookbook.fortinet.com Cookbook exec router restart Restart of routing process diag sys session filter Filter for session list
www.fortiguard.com FortiGuard Website diag sys link-monitor status/ Shows link monitor status / diag sys session list[expect] Lists all (or expected) sessions
interface/launch per interface / for WAN LLB
support.fortinet.com Support site (Login required) diag sys session clear Clear all / filtered sessions
forum.fortinet.com User forum (Login required) Session statistics, memory tension, ephem-
BGP diag sys session stat
wiki.diagnose.fortinet.com Diagnose-Wiki eral drops
get router info bgp summary BGP summary of BGP status diag firewall iprope clear
blog.boll.ch Boll-Blog Resets counter for all or specific firewall
get router info bgp neighbors Information on BGP neighbors 00100004 [<id>] policy id
diag ip router bgp all enable
General system commands diag ip router bgp level info Real-time debugging for BGP protocol

get system status

Internet Services Database
General system information exec router clear bgp Restart of BGP session
diag internet-service Lists summary/details for specific Internet
exec tac report Generates report for support id-summary/id <id> Service
tree Lists all commands OSPF Reverse ISDB lookup for specific IP,
diag internet-service info …
<command> ? / tab Use ? or tab in CLI for help get router info ospf status OSPF status protocol, port
get router info ospf interface Information on OSPF interfaces diag internet-service match
<command> | grep [filter] Grep command to filter outputs Reverse ISDB lookup for specific IP
<vdom> <ip> <netmask>
get router info ospf neighbors Information on OSPF neighbors
get router info ospf database
Factory Reset brief / router lsa Summary / Details of all LSDB entries UTM Services
exec factoryreset Reset whole configuration get router info ospf database Information on LSAs originating from Signature Update
self-originate FortiGate
exec factoryreset2 Reset with retaining admin, interfaces and diag debug rating Service information
static routing diag ip router ospf all enable
diag ip router ospf level info Real-time debugging of OSPF protocol diag autoupdate versions Detailed versions of packages
exec router clear ospf process Restart of OSPF session diag debug appl update -1
Firmware Update exec update-now Troubleshooting update process
diag debug config-error-log read Show config errors after firmware upgrades
IPS
diag ips anomaly list
diag ips packet status
diag test appl ipsmonitor 2
diag test appl ipsmonitor 5
diag test appl ipsmonitor 99
Spamfilter
diag spamfilter fortishield
servers
diag debug appl spamfilter 255
Webfilter
diag webfilter fortiguard
statistics list
diag test appl urlfilter 1
Authentication
Authentication
diag firewall auth filter
diag firewall auth list
diag test authserver
[auth-protocol] [server-object]
[user] [password]
diag debug appl auth -1
diag debug appl fnbamd -1
FSSO
diag debug authd fsso filter
diag debug authd fsso list
diag debug authd fsso
server-status
diag debug fsso-polling …
diag debug appl fssod -1
Explicit Proxy
diag wad user list/clear
diag wad filter
diag wad session list
diag test appl wad 112
diag test appl wad 2200
diag test appl wad 110
diag test appl wad 104
VPN
IPSEC VPN
diag debug appl ike 63
diag vpn ike log filter
diag vpn ike gateway list
diag vpn tunnel list
diag vpn ike gateway flush
diag vpn tunnel flush
Lists statistics of DoS-Policies
IPS packet statistics
Enable / disable IPS engine
Toggle bypass status
Restart all ipsengine and monitor
Displays FortiShield server list.
Debugger for spamfilter
Statistics of FortiGuard requests
Lists webfilter test commands
Filter for authentication list
List of authenticated user
Authentication test
Debugging of local authentication protocol
Debugging of Remote authentication
protocol
Filter for FSSO user list.
List of FSSO authenticated user
List of FSSO collector agents
Info for clientless polling FSSO
Debugging of clientless polling FSSO
List / clear of explicit proxy user
Filtering / listing of web proxy sessions
Enables output of subsequent commands
Maximum number of users
Current proxy user
DNS statistics for explicit proxy
Debugging of IKE negotiation
Filter for IKE negotiation output
Phase 1 state
Phase 2 state
Delete Phase 1
Delete Phase 2
get vpn ipsec tunnel details
get vpn ipsec state tunnel
diag vpn ipsec status
Hardware
Disk operations
diag hardware deviceinfo disk
exec disk list
exec disk scan [ref_int]
exec disk format [ref_int]
exec formatlogdisk
Hardware Acceleration
set auto-asic-offload disable
set npu-offload disable
Hardware information
diag hardware sysinfo cpu
diag hardware sysinfo memory
diag hardware sysinfo conserve
diag hardware test suite all
get hardware nic [port]
get system interface physical/
transceiver
HQIP hardware check
https://support.fortinet.com
àDownload à HQIP
Wireless, FortiExtender, Modem
Wireless Controller
exec wireless-controller
restart-acd
exec wireless-controller
reset-wtp
Access Point
cfg –a ADDR_MODE=DHCP|STATIC
cfg –a AP_IPADDR=”xxx.xxx.xxx.
xx”
cfg –a AP_NET-
MASK=”255.255.255.0”
cfg –a IPGW=”yyy.yyy.yyy.yyy”
cfg –a AC_IPADDR_1=”zzz.zzz.
zzz.zzz”
cfg –c
cfg –s
cfg -x
Detailed tunnel information
Detailed tunnel statistics
Shows IPSEC crypto status
List disks with partitions
List the disks and partitions
Run a disk check operation
Format the specified partitions or disks
and then reboots the system if a reboot is
required
Formatting the log disk, reboot included
Miscellaneous
Disable session offloading per firewall
policy
Disable VPN offloading per Phase 1
CPU information
Memory size, utilization
Conserve Mode details: “Mem”: Memory /
“FD”: File descriptor
Hardware test (available only on newer
models)
Physical interface information
Signal information for Copper or SFP/SFP+
interfaces
Download Hardware Quick Inspection
Package (HQIP) Images to scan hardware
for possible faults
Restart wireless controller daemon
Restart FortiAPs
Change IP from DHCP to static on FortiAP
Set static IP on FortiAP
Set subnet mask on FortiAP
Set gateway on FortiAP
Specify IP of Wireless Controller
on FortiAP
Save config on FortiAP
List config on FortiAP
Reset to factory default
Report errors, suggestions or comments to info@boll.ch
FortiExtender
get extender sys-info [FXT SN] Check the FortiExtender status
get extender modem-status [FXT Get the detailed modem status of the
SN] FortiExtender
diag debug application
Enable FortiExtender logging and
debugging, collect information for about
extender -1
5 minutes
exec extender reset-
Restart managed FortiExtender
fortiextender
exec extender restart-
Restart for AC daemon
fortiextender-daemon
Modem
diag sys modem detect Detect attached modem
diag debug appl modemd 3 Debugger for modem commands
Traffic Shaper
diag firewall shaper traffic-
shaper list / stats Traffic shaper list / statistics
diag firewall shaper per-ip-
shaper list / stats Per IP traffic shaper list / statistics
High Availability
execute ha manage [index] Jump to cluster member
get sys ha status Information about current HA status
diag sys ha dump-by vcluster Show cluster member uptime
diag sys ha reset-uptime Reset cluster member uptime
Show config checksums of all cluster
diag sys ha checksum cluster
member
exec sys ha checksum recalculate Recalculation of config checksums
diag debug appl hatalk -1
Debugging of HA-Talk/-Sync protocols
diag debug appl hasync -1
exec ha ignore-hardware-revision
Set ignore status for different HW revisions
status/enable/disable
VDOMs
sudo {global|vdom-name}
{diagnose|execute|show|get}
Sudo-command to access global / VDOM
settings directly
FortiToken
diag fortitoken info Current FortiToken status
exec fortitoken activate [Forti-
Manual FortiToken activation
TokenSN]
diag deb appl forticldd 255 FortiToken activation debugging
exec fortitoken-mobile import
0000-0000-0000-0000 Recover Trial FortiToken
Logging
diag log test
Generates dummy log messages