CLI Commands for Troubleshooting FortiGate Firewalls
weberblog.net (IT-Security, Networks, IPv6, VPN, DNS!)
2015-12-21, Johannes Weber. Categories: Fortinet, Memorandum. Tags: Cheat Sheet, CLI, FortiGate, Fortinet, Quick Reference, SCP, Troubleshooting

This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI. It is neither complete nor very detailed, but it provides the basic commands for troubleshooting network-related issues that are not resolvable via the GUI. I am not focused on memory, process, kernel, etc. details; those are only needed for really specific problems. I am more focused on the general troubleshooting stuff. I am using it personally as a cheat sheet / quick reference and will update it from time to time.

Coming from Cisco, everything is "show ...". With Fortinet you have the confusion between show | get | diagnose | execute, which is not that easy to remember: it is "get router info routing-table" to show the routing table, but "diagnose firewall proute list" for the policy-based routes. Likewise the sys | system keyword: it is always "diagnose sys" but "execute system".

Entering the correct vdom/global config

Remember to enter the correct vdom or global configuration tree before configuring anything:

    config global
    config vdom
    edit <vdom-name>

To execute any "show" command from any context, use the sudo keyword with the global/vdom-name context followed by the normal command (except "config"), i.e. "sudo <global | vdom-name> <command>".
Show running-config & grep & scp

To show the running configuration (such as "show run" on Cisco) simply type:

    show

To show the entire running configuration including default values use:

    show full-configuration

When you are in a config submenu you can list the subsequent configuration options with all further submenus with:

    tree

To omit the "--More--" stops when displaying many lines, you can set the terminal output to the following, which will display all lines at once. This is similar to "terminal length 0" from Cisco. Be careful with it, because this setting is persistent; set it back to the default ("set output more") after usage!

    config system console
    set output standard
    end

To find a CLI command within the configuration, you can use the pipe sign "|" with "grep" (similar to "include" on Cisco devices). Note the "-f" flag, which shows the whole config tree in which the keyword was found, e.g.:

    show | grep -f ipv6
    show full-configuration | grep -f ipv6

Example with grep but WITHOUT the -f option (which makes no sense at all, because you cannot tell which configuration objects the lines belong to):

    FGT90D # show | grep ipv6
    set gui-ipv6 enable
    config ipv6
    config ipv6
    config ipv6
    set ipv6 [Link]:cafe

Now with the -f option. Note the "<---" at the end of every line that has the "ipv6" keyword in it, while the full configuration tree around it is shown.

You can even extend your grepping by using multiple expressions, wrapped into single quotes and separated by \|, such as: (Thanks to Ulrich's comment!)
    show | grep -f 'internal\|wan'
    diag vpn tunnel list | grep 'name\|esp\|ah'

In order to copy the configuration via SCP from a backup server you must first enable the SCP protocol for the admin:

    config system global
    set admin-scp enable
    end

before you can grab it from the backup server, e.g. on Linux with:

    scp admin@<fortigate-ip>:sys_config <local-file>
    scp admin@[Link]:sys_config ~/fortigate-config-2017-11-20.txt

SCP runs over SSH, so the interface you connect to needs "ssh" in its allowaccess list. Keep in mind that sys_config contains all secrets of the device (IPsec pre-shared keys, RADIUS/LDAP passwords, etc.), only obfuscated by the configuration encryption: restrict the admin's SSH/SCP access to trusted hosts and protect the backup server accordingly.

To save your config through the CLI in order to have it in the GUI under -> Configuration -> Revisions, use:

    execute backup config flash

Even better, you should enable the following feature which saves a backup of your configuration after each logout automatically:

    config system global
    set revision-backup-on-logout enable
    end

General Information

The very basics:

    get system interface physical        #overview of hardware interfaces
    get hardware nic <name>              #details of a single network interface
    fnsysctl ifconfig                    #kind of hidden command to see more interface details
    get system status                    #== show version
    get system performance status        #CPU and network usage
    execute sensor list                  #power supply, temperature, fans
    execute sensor detail
    diagnose sys top                     #top with all forked processes
    diagnose sys top-summary             #top easier, incl. CPU and mem bars
    execute dhcp lease-list
    get system arp
    diagnose ip arp list
    diagnose debug crashlog read         #shows crashlog, a status of 0 indicates a ...

After rebooting a fresh device which is already licensed, it takes some time until it is "green" at the dashboard. The following commands can troubleshoot and start the "get license" process.
Use the first three to enable debugging and start the process, while the last one disables the debugging again:

    diag debug app update -1
    diag debug enable
    exec update-now
    diag debug disable

To reboot your device, use:

    execute reboot

General Network Troubleshooting

Which is basically ping and traceroute. Unfortunately it is quite awkward to use those commands, since you need a couple of subcommands to source pings from a different interface, and so on. Furthermore, traceroute for IPv6 takes its options on the CLI directly, while traceroute for IPv4 uses the "traceroute-options ..." subcommands:

    execute ping6-options ?
    execute ping6-options source <ip6>
    execute ping6 <host>

    execute ping-options ?
    execute ping-options source ?
    execute ping <host>

    execute tracert6 <host>

    execute traceroute <host>
    execute traceroute-options ?

To view the current ...-options, use this:

    execute ping-options view-settings
    execute ping6-options view-settings
    execute traceroute-options view-settings

Routing

Routing table, RIB, FIB, policy routes, routing protocols, route cache, and much more. ;) Note the differences between IPv6 and legacy IP:

    get router info6 routing-table database    #Routing Information Base WITH inactive routes
    get router info routing-table database

    get router info6 kernel                    #Forwarding Information Base
    get router info kernel

    diagnose firewall proute6 list             #Policy Routes + WAN Load Balancing
    diagnose firewall proute list

    get router info protocols                  #basic information about the enabled routing protocols
    diagnose ip rtcache list                   #route cache = current sessions w/ routing ...
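The "-f" context behaviour of "show | grep -f" from the show/grep section above, as an added Python example (this is neither code from the post nor anything FortiOS ships): it parses a constructed configuration excerpt in "show" syntax and prints each matching line together with the enclosing config/edit tree, marking matches with "<---" like the -f flag does. The sample config, the function names and the exact output layout are assumptions for illustration; alternation with \| is supported the same way the device's grep takes it.

```python
"""Emulating FortiOS "show | grep -f <pattern>" in Python (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in FortiOS "show" syntax; not a dump from a real device.
SAMPLE_CONFIG = """\
config system global
    set admintimeout 5
    set gui-ipv6 enable
    set hostname "FGT90D"
end
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        config ipv6
            set ip6-address 2001:db8::1/64
        end
    next
    edit "wan1"
        set mode dhcp
    next
end
"""

Row = Tuple[int, int, Tuple[int, ...], str]  # (line no, depth, ancestor line nos, text)


def _rows(text: str) -> Tuple[List[Row], Dict[int, int]]:
    """Tokenize the config; pair every config/edit opener with its end/next."""
    stack: List[int] = []
    closer_of: Dict[int, int] = {}
    rows: List[Row] = []
    for no, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line:
            continue
        if line in ("end", "next") and stack:
            closer_of[stack.pop()] = no      # closer gets the opener's depth
        rows.append((no, len(stack), tuple(stack), line))
        if line.startswith(("config ", "edit ")):
            stack.append(no)
    return rows, closer_of


def _regexes(pattern: str) -> List[re.Pattern]:
    # FortiOS grep takes 'a\|b' for alternation; split on the escaped pipe.
    return [re.compile(p) for p in pattern.split("\\|")]


def grep_plain(text: str, pattern: str) -> List[str]:
    """Plain 'show | grep <pattern>': matching lines without any context."""
    regs = _regexes(pattern)
    return [line for _, _, _, line in _rows(text)[0] if any(r.search(line) for r in regs)]


def grep_f(text: str, pattern: str) -> List[str]:
    """'show | grep -f <pattern>': matches plus the config tree they live in."""
    rows, closer_of = _rows(text)
    regs = _regexes(pattern)
    keep: Set[int] = set()
    marked: Set[int] = set()
    for no, _, ancestors, line in rows:
        if line in ("end", "next") or not any(r.search(line) for r in regs):
            continue
        marked.add(no)
        keep.add(no)
        for anc in ancestors:                    # openers above the match ...
            keep.update((anc, closer_of[anc]))   # ... and their end/next
        if no in closer_of:                      # a matching opener keeps its own closer
            keep.add(closer_of[no])
    return ["    " * depth + line + ("    <---" if no in marked else "")
            for no, depth, _, line in rows if no in keep]


if __name__ == "__main__":
    print("\n".join(grep_plain(SAMPLE_CONFIG, "ipv6")))
    print("---")
    print("\n".join(grep_f(SAMPLE_CONFIG, "internal\\|wan")))
```

Running it prints the context-free matches first (the three "config ipv6"-style lines that tell you nothing about where they belong) and then the tree view, which is exactly why the post recommends the -f flag.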
High Availability

Diagnose and managing (just another example of how "get | diagnose | execute" is mixed along with "sys | system"):

    get system ha status
    diagnose sys ha status
    execute ha manage ?                    #switch to the CLI of a secondary unit
    execute ha manage <index>
    diagnose sys ha checksum show          #verify the checksum of all synchronized peers

Manually test a failover by decreasing the priority of the current master (since the highest priority wins):

    execute ha set-priority <priority>

Don't forget to restore the priority value to your original one! Note that the priority only decides the primary unit when "override" is enabled in the HA configuration; without override, a unit whose uptime is higher by more than the uptime difference margin (5 minutes by default) stays primary regardless of a lower priority.

Start a sync at a secondary device to (from?) the master: (Honestly, I am not sure what "synchronize" means in this command. I would like to decide which config to push to the other device. The Fortinet documentation reads: "Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the primary unit or to stop a synchronization process that is in progress".)

    execute ha synchronize {start | stop}

Session Table

Display the current active sessions:
    diagnose sys session filter dst [Link]
    diagnose sys session filter dport 53
    diagnose sys session list                 #show the session table with the filter just set

The filter stays in place for your CLI session until you clear it with "diagnose sys session filter clear".

Remote Server Authentication Test

In order to test user credentials against some (remote) authentication servers such as LDAP or RADIUS, or even locally:

    diagnose test authserver ldap <server-name> <username> <password>
    diagnose test authserver radius <server-name> <chap|pap|mschap|mschap2> <username> <password>

FSSO User Authentication

When you are using some kind of Fortinet single sign-on (FSSO) features, such as the agentless/agent polling mode to a Windows AD, you can use the following commands to get some information about the recognized users and agent servers:

    diagnose debug authd fsso list
    diagnose debug authd fsso server-status
    diagnose firewall auth list

The first one shows all monitored users with details concerning their LDAP groups, while the last one shows the users with their corresponding FortiGate user groups and traffic counters.

If you need further debugging messages you can enable them for the FortiGate non-blocking auth daemon (fnbamd) and the FSSO daemon:

    diagnose debug enable
    diagnose debug application fnbamd 255
    diagnose debug application fssod 255

Sniffer / Packet Capture

Sniff packets like tcpdump does (only if the built-in packet capture feature in the GUI does not meet your needs):
    diagnose sniffer packet <interface> '<filter>' <verbose> <count> <time-format>

with:

    verbose:
        1: print header of packets
        2: print header and data from ip of packets
        3: print header and data from ethernet of packets (if available)
        4: print header of packets with interface name
        5: print header and data from ip of packets with interface name
        6: print header and data from ethernet of packets (if available) with interface name
    count: number of packets
    time-format:
        a: UTC time
        l: local time

VPN

    get vpn ipsec tunnel name
    get vpn ipsec tunnel details
    diagnose vpn tunnel list
    diagnose vpn ipsec status                 #shows all crypto devices with counters
    get router info routing-table all

To debug IKE/IPsec sessions, use the VPN debug:

    diagnose debug reset
    diagnose vpn ike log-filter clear
    diagnose vpn ike log-filter ?
    diagnose vpn ike log-filter dst-addr4 [Link]
    diagnose debug app ike 255                #shows phase 1 and phase 2 output
    diagnose debug enable
    #after enough output, disable the debug:
    diagnose debug disable

To reset a certain VPN connection, use this (credit):

    diag vpn tunnel reset <phase1-name>

Log

    execute log filter category event
    execute log filter field <name>           #press enter for options
    execute log filter field dstport 8001
    execute log filter view-lines 1000
    execute log filter start-line 1
    execute log display

Defaults

Just a reminder for myself:

- IP: [Link]
- Login: admin
- Password: (none)

Change the password right away; recent FortiOS versions force you to set an admin password on the first login anyway.

To change the IP address of the mgmt interface (or any other) via the CLI, these commands can be used:

    config system interface
    edit mgmt
    set ip [Link] [Link]
    set allowaccess ping https ssh
    next
    end
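The verbose-3 sniffer output described in the "Sniffer / Packet Capture" section is text, and Wireshark cannot open it directly. The following added Python example (not code from the post, and not Fortinet's own fgt2eth converter, although it does the same job) parses the hex dump of "diagnose sniffer packet <intf> '<filter>' 3" and writes a classic libpcap file. The two-packet sample dump is constructed by hand, and the function names and the link-type heuristic are assumptions for illustration; verbose 3/6 dumps start at the Ethernet header, while verbose 2/5 dumps start at the IP header and must be written as LINKTYPE_RAW.

```python
"""Converting FortiGate "diagnose sniffer packet" text output into a pcap file
(added example, not Fortinet's fgt2eth script)."""
import re
import struct
import sys
from typing import List, Optional, Tuple

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101  # frames start at the IPv4/IPv6 header (verbose 2/5 dumps)

# Constructed sample, not a capture from a real device: a DNS query and its
# reply formatted like the sniffer's verbose-3 output (offset, hex groups and
# the ASCII column are separated by tabs, as on the device).
SAMPLE_DUMP = """\
interfaces=[any]
filters=[udp port 53]
1.234567 192.168.1.10.49152 -> 8.8.8.8.53: udp 4
0x0000\t 0011 2233 4455 6677 8899 aabb 0800 4500\t.."3DUfw......E.
0x0010\t 0020 1c46 4000 4011 4cc5 c0a8 010a 0808\t. .F@.@.L.......
0x0020\t 0808 c000 0035 000c 0000 dead beef\t.....5........
1.240000 8.8.8.8.53 -> 192.168.1.10.49152: udp 4
0x0000\t 6677 8899 aabb 0011 2233 4455 0800 4500\tfw......"3DU..E.
0x0010\t 0020 1c46 4000 4011 4cc5 0808 0808 c0a8\t. .F@.@.L.......
0x0020\t 010a 0035 c000 000c 0000 cafe babe\t...5..........

2 packets received by filter
0 packets dropped by kernel
"""

HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(.*)$")
HEX_GROUP = re.compile(r"[0-9a-fA-F]{2,4}")


def parse_sniffer(text: str) -> List[Tuple[float, bytes]]:
    """Return (timestamp, frame) per packet from the sniffer's text output."""
    packets: List[Tuple[float, bytes]] = []
    ts = 0.0
    buf: Optional[bytearray] = None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m is not None and buf is not None:
            # Hex groups come before the tab of the ASCII column; tolerate a
            # missing tab by stopping at the first token that is not hex.
            groups = []
            for tok in m.group(1).split("\t")[0].split():
                if not HEX_GROUP.fullmatch(tok):
                    break
                groups.append(tok)
            buf += bytes.fromhex("".join(groups))
        elif " -> " in line:
            # Packet header line: "<time> [<intf> in|out] <src> -> <dst>: ..."
            if buf:
                packets.append((ts, bytes(buf)))
            try:
                ts = float(line.split(None, 1)[0])  # relative time (the default)
            except ValueError:
                ts = 0.0  # absolute time formats (a/l) are not converted here
            buf = bytearray()
    if buf:
        packets.append((ts, bytes(buf)))
    return packets


def guess_linktype(frame: bytes) -> int:
    """Heuristic: Ethernet if bytes 12-13 hold a common EtherType, raw IP if
    byte 0 carries an IP version nibble (a verbose 2/5 dump)."""
    if frame[12:14] in (b"\x08\x00", b"\x86\xdd", b"\x08\x06", b"\x81\x00"):
        return LINKTYPE_ETHERNET
    if frame and (frame[0] >> 4) in (4, 6):
        return LINKTYPE_RAW
    return LINKTYPE_ETHERNET


def to_pcap(packets: List[Tuple[float, bytes]], linktype: Optional[int] = None) -> bytes:
    """Serialize packets as a little-endian libpcap 2.4 file (magic a1b2c3d4)."""
    if linktype is None:
        linktype = guess_linktype(packets[0][1]) if packets else LINKTYPE_ETHERNET
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == "__main__":
    # usage: python fgt_sniffer2pcap.py <sniffer-output.txt> <out.pcap>
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            pkts = parse_sniffer(fh.read())
        with open(sys.argv[2], "wb") as fh:
            fh.write(to_pcap(pkts))
        print(f"wrote {len(pkts)} packets to {sys.argv[2]}")
    else:
        for ts, frame in parse_sniffer(SAMPLE_DUMP):
            print(f"{ts:.6f} {len(frame)} bytes, linktype {guess_linktype(frame)}")
```

Capture with verbose 3 (or 6) and a packet count, save the terminal output to a file, and convert it; if you captured with verbose 2 or 5, pass linktype=LINKTYPE_RAW explicitly rather than relying on the heuristic.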
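The "execute log filter field <name> <value>" commands in the Log section only work on the box itself. When the same logs have been forwarded to a syslog server or exported to a file, the following added Python example (not code from the post) does the equivalent filtering on FortiGate's key=value log format. The four log lines are constructed samples, and the function names and the AND semantics of stacked criteria are assumptions for illustration; the point of the parser is that quoted values such as msg="..." contain spaces and parentheses, so a naive split on whitespace breaks them.

```python
"""Filtering FortiGate key=value logs by field, like "execute log filter field"
(added example, constructed sample lines)."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample lines in FortiGate log syntax (no real device or addresses).
SAMPLE_LOGS = [
    'date=2024-08-04 time=23:24:01 devname="FGT90D" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=192.168.1.10 srcport=49152 '
    'srcintf="internal" dstip=203.0.113.7 dstport=8001 dstintf="wan1" proto=6 '
    'action="deny" policyid=0 service="tcp/8001" msg="Denied by forward policy check (policy 0)"',
    'date=2024-08-04 time=23:24:03 devname="FGT90D" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=192.168.1.23 srcport=50001 '
    'srcintf="internal" dstip=203.0.113.7 dstport=8001 dstintf="wan1" proto=6 '
    'action="deny" policyid=0 service="tcp/8001" msg="Denied by forward policy check (policy 0)"',
    'date=2024-08-04 time=23:24:05 devname="FGT90D" logid="0000000020" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=192.168.1.10 srcport=50002 '
    'srcintf="internal" dstip=198.51.100.9 dstport=443 dstintf="wan1" proto=6 '
    'action="accept" policyid=1 service="HTTPS" sentbyte=1834 rcvdbyte=5120',
    'date=2024-08-04 time=23:25:10 devname="FGT90D" logid="0100032001" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="admin" ui="ssh(192.168.1.10)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(192.168.1.10)"',
]

# key=value, where value is either a double-quoted string (with \" escapes)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a field dictionary."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def filter_logs(lines: Iterable[str], criteria: Dict[str, str]) -> List[Dict[str, str]]:
    """Return the events matching every criterion (stacked field filters are ANDed)."""
    matched = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_log_line(line)
        if all(event.get(k) == str(v) for k, v in criteria.items()):
            matched.append(event)
    return matched


def count_by(events: Iterable[Dict[str, str]], key: str) -> Dict[str, int]:
    """Aggregate events by a field, e.g. which sources hit a denied port."""
    return dict(Counter(e.get(key, "") for e in events))


if __name__ == "__main__":
    denied = filter_logs(SAMPLE_LOGS, {"dstport": "8001", "action": "deny"})
    for ev in denied:
        print(ev["date"], ev["time"], ev["srcip"], "->", ev["dstip"], ev["dstport"], ev["msg"])
    print(count_by(denied, "srcip"))
```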
Password Recovery & Factory Reset

Just the links here: Resetting a lost Admin password and How to reset a FortiGate with the default factory settings.

Links

- Fortinet: FortiOS Admin Guides
- itsecworks: Fortigate troubleshooting commands

Featured image "Warten auf Arbeit" by Günter Hentschel is licensed under CC BY-ND 2.0.
