FortiGate Commands

FortiGate firewall CLI commands that are useful while troubleshooting a FortiGate firewall.

 

General Commands

  • get system interface physical (overview of hardware interfaces)
  • get hardware nic <nic-name> (details of a single network interface, same as: diagnose hardware deviceinfo nic <nic-name>)
  • fnsysctl ifconfig <nic-name> (hidden command that shows more interface stats, such as errors and drops)
  • get system status (show version, serial number and firmware)
  • get system performance status (CPU and network usage)
  • diagnose sys top (top with all forked processes)
  • diagnose sys top-summary (easier-to-read top with CPU and memory bars; forks are shown as a count such as [x13])
  • diagnose autoupdate versions (lists the attack definition versions, last update, etc.)
  • diagnose log test (generates all possible log entries; useful to confirm that logs reach the log collector)
  • diagnose test application dnsproxy 6 (shows the IP addresses resolved for FQDN objects)
  • diagnose debug crashlog read (shows the crashlog; a status of 0 indicates a normal close of a process)
  • execute dhcp lease-list
  • diagnose iparp list
  • diagnose ipv6 address list
  • diagnose ipv6 neighbor-cache list
  • diagnose sys ntp status

 

Firewall Routing

  • get router info routing-table all
  • get router <routing-protocol> (basic information about the enabled routing protocol)
  • diagnose firewall proute list (policy-based routing)
  • diagnose firewall proute6 list
  • diagnose ip rtcache list (kernel route cache)

 

Network Troubleshooting (Execute Commands)

  • execute ping-options ? (lists the ping options)
  • execute ping-options source <ip> (IP address of the interface to send the ping from)
  • execute ping <hostname|ip>
  • execute ping6-options ?
  • execute ping6 <hostname|ip>
  • execute traceroute <hostname|ip>
  • execute tracert6 <hostname|ip>

 

CPU Processing Status

  • diag sys top
  • diag sys top-summary

 

Firewall Session Table

  • diagnose sys session filter clear
  • diagnose sys session filter src xx.xx.xx.xx
  • diagnose sys session filter dport xx
  • diagnose sys session filter (with no argument: shows the filter currently set; check it before listing or clearing)
  • diagnose sys session list (show the session table with the filter)
  • diagnose sys session clear (clears the sessions matching the filter; with no filter set it clears every session on the unit, so always check the filter first)

 

Firewall Debug

  1. diagnose debug reset
  2. diagnose debug flow filter clear
  3. diagnose debug flow filter saddr xx.xx.xx.xx
  4. diagnose debug flow filter daddr xx.xx.xx.xx
  5. diagnose debug flow show console enable
  6. diagnose debug enable
  7. diagnose debug flow trace start 10 (traces the next 10 packets that match the filter)
  8. diagnose debug disable (always disable debugging when done; a debug left running costs CPU and fills the console)
  9. diagnose debug flow filter saddr
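Reading the trace by eye gets tedious once more than a handful of packets match the filter. The following Python script is an added example, not code from the original page or from Fortinet: it groups debug-flow lines by trace_id and reports each packet's 5-tuple, ingress and egress interface, and whether it was allowed or denied and by which policy, which is the question the sequence above is usually run to answer. The sample trace embedded in it is constructed in the shape of real `diagnose debug flow` output; the message texts it matches (received a packet, find a route, Allowed by Policy-N, Denied by forward policy check) vary somewhat between FortiOS releases, so adjust the regular expressions to what your unit prints.

```python
"""Summarise FortiGate `diagnose debug flow` output as one line per trace_id."""
import re
from collections import defaultdict

# Constructed sample in the shape of `diagnose debug flow trace start` output
# (not captured from a real unit): trace 1 is allowed by policy 1, trace 2 is
# denied by the implicit deny (policy 0), trace 3 was cut off before a verdict.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.1.10:53456->8.8.8.8:443) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00001abc"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=738 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.1.10:53457->8.8.8.8:23) from port1. flag [S], seq 2, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-00001abd"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=594 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=17, 10.1.1.20:49152->192.0.2.53:53) from port1. "
id=20085 trace_id=3 func=init_ip_session_common line=5519 msg="allocate a new session-00001abe"
"""

# func= and line= are not printed on every release, so both are optional.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+(?:func=(?P<func>\S+)\s+)?(?:line=\d+\s+)?msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<policy>\d+)\)')
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def new_trace():
    return {"proto": None, "src": None, "sport": None, "dst": None, "dport": None,
            "in_iface": None, "out_iface": None, "policy": None,
            "verdict": "unknown", "funcs": []}


def parse_flow(text):
    """Group flow lines by trace_id and pull out the 5-tuple, interfaces and verdict."""
    traces = defaultdict(new_trace)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # prompt echoes, blank lines, anything that is not a flow line
        t = traces[int(m["tid"])]
        msg = m["msg"]
        if m["func"]:
            t["funcs"].append(m["func"])  # kernel functions visited, in order
        if pkt := PKT_RE.search(msg):
            t.update(proto=int(pkt["proto"]), src=pkt["src"], sport=int(pkt["sport"]),
                     dst=pkt["dst"], dport=int(pkt["dport"]), in_iface=pkt["iface"])
        elif route := ROUTE_RE.search(msg):
            t["out_iface"] = route["iface"]
        elif allow := ALLOW_RE.search(msg):
            t["policy"], t["verdict"] = int(allow["policy"]), "allowed"
        elif deny := DENY_RE.search(msg):
            t["policy"], t["verdict"] = int(deny["policy"]), "denied"
    return dict(traces)


def summarize(traces):
    """One readable line per trace; 'no verdict in trace' means the trace ended early."""
    lines = []
    for tid, t in sorted(traces.items()):
        proto = PROTO_NAMES.get(t["proto"], str(t["proto"]))
        flow = f'{proto} {t["src"]}:{t["sport"]} -> {t["dst"]}:{t["dport"]}'
        path = f'{t["in_iface"]} -> {t["out_iface"] or "?"}'
        policy = f'policy {t["policy"]}' if t["policy"] is not None else "no verdict in trace"
        lines.append(f'trace {tid}: {flow} ({path}) {t["verdict"].upper()} {policy}')
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python flow_summary.py saved_trace.txt   (no argument: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for line in summarize(parse_flow(text)):
        print(line)
```

Save the console output of the debug session to a file and feed it to the script; a trace that ends without an Allowed/Denied line usually means the packet count in `trace start` ran out or the packet was dropped earlier (no route, reverse path check), so look at the funcs list for that trace.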

 

Firewall VPN

  • get vpn ike gateway <name> (phase 1 / IKE SA state for one gateway)
  • get vpn ipsec tunnel name <name>
  • get vpn ipsec tunnel details
  • diagnose vpn tunnel list
  • diagnose vpn ipsec status (shows all crypto devices with counters that are used by the VPN)
  • get router info routing-table all (check that the route to the remote network points at the tunnel interface)

 

VPN Debug

  • diagnose debug reset
  • diagnose vpn ike log-filter clear
  • diagnose vpn ike log-filter dst-addr4 xx.xx.xx.xx (restrict the IKE debug to one peer; without a filter every tunnel's negotiation is printed)
  • diagnose debug app ike 255
  • diagnose debug enable
  • diagnose debug disable
  • show vpn ipsec phase2-interface | grep -f <phase2-name> (-f prints the matching line together with its enclosing config block)

 

SSL VPN 

  • diagnose debug reset
  • diagnose debug flow filter clear
  • diagnose debug application sslvpn -1 (the daemon is sslvpn; -1 enables every debug level)
  • diagnose debug enable
  • diagnose debug flow trace start 10
  • diagnose debug disable

 

Authentication

  • diag test authserver ldap LDAP-Access 123456 Customer1234$ (syntax: diag test authserver ldap <ldap-server-name> <username> <password>; tests a bind against the named LDAP server object. The password is typed in clear text and stays in the CLI history, so test with a throwaway account.)

 

Sniffer

  • diagnose sniffer packet any "host <box1> and host <box2>" 4
  • Full syntax: diagnose sniffer packet <interface> "<filter>" <verbose> <count> <timestamp>. The filter uses tcpdump syntax. Verbose levels: 1 headers only, 2 headers plus IP payload, 3 headers plus the whole Ethernet frame, 4/5/6 the same as 1/2/3 but with the interface name; use 3 or 6 when you need the hex dump. Give a count or stop with Ctrl-C; a sniffer with no filter on a busy interface costs CPU.
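Verbose levels 3 and 6 print each frame as a hex dump, which is hard to read on the console but can be turned into a pcap for Wireshark (Fortinet ships a Perl script, fgt2eth.pl, for this). The script below is an added example written for this page, not the original page's or Fortinet's code: it parses the summary line and hex-dump lines of each packet and writes a classic pcap with the Ethernet link type. The sniffer output embedded in it is constructed in the shape of verbose-6 output, not a real capture; it assumes the default relative timestamps (no timestamp argument) and that the dump includes the Ethernet header, which is why levels 3 or 6 are required rather than 2 or 5.

```python
"""Convert the hex dump from `diagnose sniffer packet <intf> "<filter>" 3` (or 6) into a pcap file."""
import re
import struct

# Constructed sample in the shape of verbose-6 sniffer output (not a real capture):
# one summary line per packet, then the hex dump of its Ethernet frame. Both packets are
# the same TCP SYN, seen on port1 before NAT and on wan1 after source NAT.
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 10.1.1.10 and host 192.0.2.1]
2.139183 port1 in 10.1.1.10.53456 -> 192.0.2.1.443: syn 1234567890
0x0000\t 0050 5689 1234 0050 5689 abcd 0800 4500\t.PV..4.PV.....E.
0x0010\t 0028 0001 0000 4006 0000 0a01 010a c000\t.(....@.........
0x0020\t 0201 d0d0 01bb 0000 0000 0000 0000 5002\t..............P.
0x0030\t 2000 0000 0000\t ......
2.139201 wan1 out 203.0.113.5.53456 -> 192.0.2.1.443: syn 1234567890
0x0000\t 0050 5689 4321 0050 5689 dcba 0800 4500\t.PV.C!.PV.....E.
0x0010\t 0028 0001 0000 4006 0000 cb00 7105 c000\t.(....@.....q...
0x0020\t 0201 d0d0 01bb 0000 0000 0000 0000 5002\t..............P.
0x0030\t 2000 0000 0000\t ......
"""

# Summary line: relative timestamp, optional "<iface> in|out" (verbose 4-6 only), then the flow.
SUMMARY_RE = re.compile(r'^(?P<ts>\d+\.\d+) (?:(?P<iface>\S+) (?P<dir>in|out) )?(?P<rest>\S.*)$')
# Hex line: 0xOFFSET, then 16-bit groups separated by single spaces; the ASCII column follows a tab.
HEX_RE = re.compile(r'^0x[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{4} )*[0-9a-fA-F]{2,4})')

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def parse_sniffer(text):
    """Return one dict per packet: ts (float seconds), iface, direction, summary, data (bytes)."""
    packets, current = [], None
    for line in text.splitlines():
        if m := SUMMARY_RE.match(line):
            current = {"ts": float(m["ts"]), "iface": m["iface"], "direction": m["dir"],
                       "summary": m["rest"], "data": bytearray()}
            packets.append(current)
        elif (m := HEX_RE.match(line)) and current is not None:
            current["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
    for p in packets:
        p["data"] = bytes(p["data"])
    return packets


def to_pcap(packets):
    """Serialize packets as little-endian classic pcap (24-byte file header, 16-byte record headers)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for p in packets:
        sec = int(p["ts"])
        usec = int(round((p["ts"] - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(p["data"]), len(p["data"]))
        out += p["data"]
    return bytes(out)


def convert(sniffer_text, pcap_path):
    """Parse saved sniffer output and write it to pcap_path; returns the packet count."""
    packets = parse_sniffer(sniffer_text)
    with open(pcap_path, "wb") as fh:
        fh.write(to_pcap(packets))
    return len(packets)


if __name__ == "__main__":
    import sys
    # Usage: python fgt_sniffer2pcap.py sniffer.txt out.pcap   (no arguments: built-in sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            count = convert(fh.read(), sys.argv[2])
    else:
        count = convert(SAMPLE_SNIFFER, "sample.pcap")
    print(f"wrote {count} packets")
```

Capture the sniffer session to a file through your terminal's logging (with the --More-- prompt disabled, see below under console output), then convert it. Frames captured on several interfaces end up in one pcap, so the interface name in each summary line is the only hint of where a frame was seen; keep the text output next to the pcap.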

 

Reset VPN Command

  • diag vpn tunnel reset <phase1 name> (tears the tunnel down and renegotiates it; traffic through it drops until it comes back up)

 

Firewall Failover

  • get system ha status (cluster members, roles and the reason the current primary was elected)
  • diagnose sys ha reset-uptime (run on the current primary; with override disabled the unit with the longer uptime wins the election, so resetting it lets the peer take over)
  • get sys status (to check the firmware and serial number)
  • get sys perf status
  • get sys arp
  • get router info vrrp
  • execute ha manage ? (lists the cluster members and their index)
  • execute ha manage <index> <admin-username> (to get into the secondary's CLI; older releases take only the index)

 

Config system settings

{config system settings

set allow-subnet-overlap enable

end}

allow-subnet-overlap is disabled by default and lets interfaces be configured with overlapping subnets; enable it only when that is really needed and set it back to disable afterwards.

Firewall Disable Break (turn off the --More-- prompt)

{config system console

set output standard

end}

With output set to standard, long command output scrolls to the end instead of pausing at --More--, which is what you want when logging a terminal session; set output more restores the pause.

 

Firewall Policy

{config firewall policy

edit 1

set status enable

next

end}

 

Firewall FSSO List

  • diagnose debug authd fsso list (lists the users currently logged on through FSSO)

Total Number of Sessions

  • diagnose sys session list | grep total
  • diagnose sys top-summary

Restart a Process

  • diagnose sys kill 11 <pid> (signal 11 makes the process crash and restart and writes an entry readable with diagnose debug crashlog read; signal 9 kills it without a crashlog entry)

FortiManager Output

  • diagnose dvm device list (run on the FortiManager; lists the managed devices and their status)

 

Upgrading The Firewall By CLI Mode

  1. execute update-now (to update the antivirus and attack definitions)
  2. Back up the configuration first: execute backup config tftp <filename> <tftp_ipv4>
  3. Make sure the TFTP server is running.
  4. Copy the new firmware image file to the root directory of the TFTP server. Check that the image is built for your model and that the release is on a supported upgrade path from the version you are running.
  5. Log into the CLI.
  6. Make sure the FortiGate unit can reach the TFTP server: execute ping xx.xx.xx.xx
  7. execute restore image tftp <filename> <tftp_ipv4> (for example: execute restore image tftp image.out xx.xx.xx.xx)
  8. Confirm the prompt "This operation will replace the current firmware version. Do you want to continue? (yes/no)". The unit reboots on the new image.
  9. execute update-now (after the reboot, to refresh the definitions for the new release)

 

Troubleshooting (Error After Upgrade)

  • diagnose debug config-error-log read (lists the configuration lines that failed to load after the upgrade)