This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI. It is not complete nor very detailed, but provides the basic commands for troubleshooting network related issues that are not resolvable via the GUI. I am not focused on too many memory, process, kernel, etc. details; these must only be used if there are really specific problems. I am more focused on the general troubleshooting stuff. I am using it personally as a cheat sheet / quick reference and will update it from time to time.
Coming from Cisco, everything is “show”. With Fortinet you have the choice (confusion) between show | get | diagnose | execute. Not that easy to remember. It is “get router info6 routing-table” to show the routing table but “diagnose firewall proute6 list” for the PBF rules. Likewise the sys | system keyword: it is always “diagnose sys” but “execute system”.
Entering the correct vdom/global config
Remember to enter the correct vdom or global configuration tree before configuring anything:
config global
config vdom
edit <vdom-name>
To execute any “show” command from any context use the sudo keyword with the global/vdom-name context followed by the normal commands (except “config”) such as:
sudo {global | <vdom-name>} {diagnose | execute | show | get} ...

sudo global show system admin
sudo root get system interface physical
Show running-config & grep & scp
To show the running configuration (such as “show run” on Cisco) simply type:
show
To show the entire running configuration with default values use:
show full-configuration
When you are in a config submenu you can list the subsequent configuration options with all further submenus with:
tree
For example:
fg2 (ntp) # tree
-- <ntp> -- ntpsync
         |- type
         |- syncinterval (1,1440)
         |- [ntpserver] --*id (0,4294967295)
         |               |- server (64)
         |               |- ntpv3
         |               |- authentication
         |               |- key
         |               |- key-id (0,4294967295)
         |               |- interface-select-method
         |               +- interface (16)
         |- source-ip
         |- source-ip6
         |- server-mode
         |- authentication
         |- key-type
         |- key
         |- key-id (0,4294967295)
         +- [interface] --*interface-name (80)
To omit the “--More--” stops when displaying many lines, you can set the terminal output to the following, which will display all lines at once. This is similar to “terminal length 0” from Cisco. Be careful with it, because this command is persistent. Set it back to the default after usage!
config system console
set output standard
end
To find a CLI command within the configuration, you can use the pipe sign “|” with “grep” (similar to “include” on Cisco devices). Note the “-f” flag to show the whole config tree in which the keyword was found, e.g.:
show | grep -f ipv6
show full-configuration | grep -f ipv6
Example with grep but WITHOUT the -f option (which makes no sense at all):
FGT90D # show | grep ipv6
set gui-ipv6 enable
config ipv6
config ipv6
config ipv6
set ipv6 2001:db8::cafe
Now with the -f option. Note the “<---” at the end of every line that has the “ipv6” keyword in it, while the full configuration part around it is listed.
FGT90D # show | grep -f ipv6
config system global
    set admin-sport 8443
    set admintimeout 480
    set alias "FGT90D"
    set compliance-check disable
    set disk-usage log
    set gui-certificates enable
    set gui-device-latitude "71.74753660917492"
    set gui-device-longitude "-1.8141242882158528"
    set gui-ipv6 enable <---
    set gui-lines-per-page 200
    set gui-wireless-opensecurity enable
    set hostname "FGT90D"
    set switch-controller enable
    set timezone 26
end
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh
        set type physical
        set role wan
        set snmp-index 1
        config ipv6 <---
            set ip6-mode dhcp
            set ip6-allowaccess ping https ssh
            set dhcp6-prefix-delegation enable
        end
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.99.1 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable
        set device-identification enable
        set snmp-index 5
        config ipv6 <---
            set ip6-mode delegated
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
        end
    next
    edit "internal2-soft"
        set vdom "root"
        set ip 192.168.88.1 255.255.255.0
        set allowaccess ping https ssh
        set type switch
        set device-identification enable
        set fortiheartbeat enable
        set snmp-index 6
        config ipv6 <---
            set ip6-mode delegated
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::3:0:0:0:1/64
        end
    next
end
config system dns-database
    edit "weberforti.rocks"
        set domain "weberforti.rocks"
        config dns-entry
            edit 1
                set type AAAA
                set hostname "knoppix"
                set ipv6 2001:db8::cafe <---
            next
        end
        set primary-name "forti.weberlab.de"
        set contact "johannes@webertest.net"
    next
end
You can even extend your grepping by using multiple expressions to grep, wrapped into single quotes and \|, such as: (Thanks to Ulrich’s comment!)
show | grep -f 'internal\|wan'
diag vpn tunnel list | grep 'name\|esp\|ah'
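To see what the -f flag and the \| alternation actually do, here is an added Python example (not part of the original post and not FortiGate code) that emulates show | grep and show | grep -f over a saved config dump, such as a PuTTY session log. The config below is a constructed sample in FortiOS syntax, not a real device dump.

```python
import re

# Constructed sample of "show" output, written in the FortiOS config syntax
# seen on this page (config / edit / set / next / end); not a real device dump.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 8443
    set gui-ipv6 enable
    set hostname "FGT90D"
end
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        config ipv6
            set ip6-mode dhcp
        end
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.99.1 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
end
"""


def fortios_pattern(expr):
    """Translate a FortiOS grep expression into a Python regex.

    The FortiGate grep is BusyBox-style: alternation is written '\\|'
    (as in  show | grep 'internal\\|wan'  above), not '|'.
    """
    return re.compile(expr.replace(r"\|", "|"))


def top_level_blocks(config):
    """Split a config dump into its top-level 'config ... end' blocks.

    Nesting is tracked on the first keyword of each line: 'config' and
    'edit' open a level, 'end' and 'next' close one.
    """
    blocks, current, depth = [], [], 0
    for line in config.splitlines():
        stripped = line.strip()
        word = stripped.split(" ", 1)[0] if stripped else ""
        if word in ("config", "edit"):
            depth += 1
        current.append(line)
        if word in ("end", "next"):
            depth -= 1
            if depth == 0:
                blocks.append(current)
                current = []
    if current:  # unterminated trailing block (truncated capture)
        blocks.append(current)
    return blocks


def grep_config(config, expr, whole_tree=False):
    """Emulate  show | grep [-f] <expr>  on a saved config dump.

    whole_tree=False returns only the matching lines. whole_tree=True
    (the -f flag) returns every top-level block that contains a match,
    complete, with the matching lines marked '<---' like the FortiGate does.
    """
    pat = fortios_pattern(expr)
    out = []
    for block in top_level_blocks(config):
        if not any(pat.search(ln) for ln in block):
            continue
        if whole_tree:
            out.extend(f"{ln} <---" if pat.search(ln) else ln for ln in block)
        else:
            out.extend(ln for ln in block if pat.search(ln))
    return out


if __name__ == "__main__":
    print("\n".join(grep_config(SAMPLE_CONFIG, "ipv6")))
    print("----")
    print("\n".join(grep_config(SAMPLE_CONFIG, r"internal\|wan", whole_tree=True)))
```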
In order to copy the configuration via SCP (pulled from a backup server), you must first enable the SCP protocol for the admin:
config system global
set admin-scp enable
end
before you can grab it from the backup server, e.g. Linux with:
scp <username>@<FortiGate-ip/name>:sys_config <destination>
scp admin@192.168.7.106:sys_config ~/fortigate-config-2017-11-20.txt
To save your config through the CLI in order to have it in the GUI under <username> -> Configuration -> Revisions, use:
execute backup config flash
Even better, you should enable the following feature which saves a backup of your configuration after each logout automatically:
config system global
set revision-backup-on-logout enable
end
General Information
The very basics:
get system interface physical #overview of hardware interfaces
get hardware nic <nic-name> #details of a single network interface, same as:
diagnose hardware deviceinfo nic <nic-name>
fnsysctl ifconfig <nic-name> #kind of hidden command to see more interface stats such as errors
get system status #==show version
get system performance status #CPU and network usage
execute sensor list #power supply, temperature, fans
execute sensor detail
diagnose sys top #top with all forked processes
diagnose sys top-summary #top easier, incl. CPU and mem bars. Forks are displayed by [x13] or whatever
execute dhcp lease-list
get system arp
diagnose ip arp list
diagnose ipv6 address list
diagnose ipv6 neighbor-cache list
diagnose sys ntp status
diagnose autoupdate versions #lists the attack definition versions, last update, etc.
diagnose log test #generates all possible log entries
diagnose test application dnsproxy 6 #shows the IP addresses of FQDN objects
diagnose debug crashlog read #shows crashlog, a status of 0 indicates a normal close of a process!
After rebooting a fresh device which is already licensed, it takes some time until it is “green” at the dashboard. The following commands can troubleshoot and start the “get license” process. Use the first three to enable debugging and start the process, while the last one disables the debugging again:
diag debug app update -1
diag debug enable
exec update-now
diag debug disable
To reboot your device, use:
execute reboot
General Network Troubleshooting
Which is basically ping and traceroute. Unluckily it is shitty difficult to use those commands since you need a couple of subcommands to source pings from a different interface, and so on. Furthermore, the traceroute for IPv6 uses its options on the CLI directly such as “-i <interface>”, while traceroute for IPv4 uses the “traceroute-options …” subcommands:
execute ping6-options ?
execute ping6-options source <source-interface-IP>
execute ping6 <hostname|ip>

execute ping-options ?
execute ping-options source <source-interface-IP>
execute ping <hostname|ip>

execute tracert6 <hostname|ip>

execute traceroute <hostname|ip>
execute traceroute-options ?
To view the current …-options, use this:
execute ping-options view-settings
execute ping6-options view-settings
execute traceroute-options view-settings
Routing
Routing table, RIB, FIB, policy routes, routing protocols, route cache, and much more. ;) Note the differences between IPv6 and legacy IP.
get router info6 routing-table #routing table = active routes
get router info routing-table all #IPv4 needs an "all" at the end

get router info6 routing-table database #Routing Information Base WITH inactive routes
get router info routing-table database

get router info6 kernel #Forwarding Information Base
get router info kernel

diagnose firewall proute6 list #Policy Routes + WAN Load Balancing
diagnose firewall proute list

get router <routing-protocol> #basic information about the enabled routing protocol

diagnose ip rtcache list #route cache = current sessions w/ routing information
High Availability
Diagnose and managing: (Just another **** example on how “get | diagnose | execute” is mixed along with “sys | system”.)
get system ha status
diagnose sys ha status
execute ha manage ? #switch to the CLI of a secondary unit
execute ha manage <device-index>
diagnose sys ha checksum show #verify the checksum of all synchronized peers
Manually test a failover by decreasing the priority of the current master (since highest priority wins):
execute ha set-priority <serial-number> <new-priority>
Don’t forget to restore the priority value to your original one!
Start a sync at a secondary device to (from?) the master: (Honestly, I am not sure what “synchronize” means in this command. I would like to decide which config to push to the other device. The Fortinet documentation reads: “Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the primary unit or to stop a synchronization process that is in progress.”)
execute ha synchronize {start | stop}
Session Table
Display the current active sessions:
get system session list #rough view with NAT, only IPv4

diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter dport 53
diagnose sys session list #show the session table with the filter just set
Remote Server Authentication Test
In order to test user credentials against some (remote) authentication servers such as LDAP or RADIUS or even local:
diagnose test authserver ldap <server_name> <username> <password>
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
diagnose test authserver local <group_name> <username> <password>
FSSO User Authentication
When you’re using some kind of Fortinet single sign-on (FSSO) features such as the agentless/agent polling mode to a Windows AD you can use the following commands to get some information about the recognized users and agent servers:
diagnose debug authd fsso list
diagnose debug authd fsso server-status
diagnose firewall auth list
The first one shows all monitored users with details concerning their LDAP groups:
fg # diagnose debug authd fsso list
----FSSO logons----
IP: 192.168.210.10  User: weberjoh  Groups: CN=CONT_APPLIKATION_A,OU=CONTAINER,DC=fortinetz,DC=intern+CN=ROLE_IT_SECURITY,OU=ROLES,DC=fortinetz,DC=intern+CN=Benutzer,CN=Builtin,DC=fortinetz,DC=intern  Workstation:  MemberOf: FSSO_ROLE_IT_SECURITY
IP: 192.168.210.12  User: hochmuth  Groups: CN=ROLE_IT_SECURITY,OU=ROLES,DC=fortinetz,DC=intern+CN=Benutzer,CN=Builtin,DC=fortinetz,DC=intern  Workstation:  MemberOf: FSSO_ROLE_IT_SECURITY
IP: 192.168.220.2  User: Administrator  Groups: CN=Benutzer,CN=Builtin,DC=fortinetz,DC=intern+CN=Administratoren,CN=Builtin,DC=fortinetz,DC=intern  Workstation:
Total number of logons listed: 3, filtered: 0
----end of FSSO logons----
while the last one shows the users with their corresponding FortiGate user groups and traffic counters:
fg # diagnose firewall auth list

192.168.210.10, weberjoh
        type: fsso, id: 0, duration: 2515, idled: 91
        server: Local FSSO Agent
        packets: in 16087 out 12285, bytes: in 14252780 out 2247455
        group_id: 2
        group_name: FSSO_ROLE_IT_SECURITY

192.168.210.12, hochmuth
        type: fsso, id: 0, duration: 855, idled: 59
        server: Local FSSO Agent
        packets: in 21860 out 8950, bytes: in 28899400 out 792035
        group_id: 2
        group_name: FSSO_ROLE_IT_SECURITY

192.168.220.2, Administrator
        type: fsso, id: 0, duration: 1492, idled: 140
        server: Local FSSO Agent
        packets: in 573 out 651, bytes: in 174760 out 99049

----- 3 listed, 0 filtered ------
If you need further debugging messages, you can enable them for the FortiGate non-blocking auth daemon and the FSSO daemon:
diagnose debug enable
diagnose debug application fnbamd 255
diagnose debug application fssod 255
Sniffer / Packet Capture
Sniff packets like tcpdump does. (Only if the built-in packet capture feature in the GUI does not meet your requirements.) This can be used for investigating connection problems between two hosts. There are no details of the firewall policy decisions. Use the debug flow (next paragraph) for analysis about firewall policies, etc.
diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbose> <count> <time-format>
with:
verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name <<<<<< good default choice
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time
Examples: (Thanks to the comment from Ulrich for the IPv6 example)
diagnose sniffer packet any 'host 8.8.8.8' 4 4 l
diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 a
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l
diagnose sniffer packet any 'net 2001:db8::/32' 6 1000 l
Here are two more examples on how to show LLDP or CDP packets in order to reveal the connected layer 2 ports from switches. Kudos to Joachim Schwierzeck.
LLDP:
diagnose sniffer packet port1 'ether proto 0x88cc' 4 1 a

CDP:
diagnose sniffer packet port1 'ether[20:2] == 0x2000' 6 1 a
Flow
If you want to see the FortiGate details about a connection, use this kind of debug. E.g., it shows the routing decision and the policy, which allowed the connection.
diagnose debug reset
diagnose debug flow filter ?
diagnose debug flow filter saddr 172.16.23.11
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show function-name enable
diagnose debug enable
#display the next 10 packets:
diagnose debug flow trace start 10
diagnose debug disable
Example:
fg2 # diagnose debug reset
fg2 # diagnose debug flow filter daddr 1.1.1.1
fg2 # diagnose debug flow show function-name enable
show function name
fg2 # diagnose debug enable
fg2 # diagnose debug flow trace start 10
fg2 # id=20085 trace_id=169 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.4.10:1492->1.1.1.1:53) from local. "
id=20085 trace_id=169 func=resolve_ip_tuple_fast line=5535 msg="Find an existing session, id-06868db4, original direction"
id=20085 trace_id=169 func=__ip_session_run_tuple line=3332 msg="run helper-dns-udp(dir=original)"
id=20085 trace_id=170 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.5.6:37400->1.1.1.1:53) from internal. "
id=20085 trace_id=170 func=init_ip_session_common line=5619 msg="allocate a new session-0686a887"
id=20085 trace_id=170 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-194.247.4.1 via wan1"
id=20085 trace_id=170 func=fw_forward_handler line=748 msg="Allowed by Policy-1: AV"
id=20085 trace_id=170 func=ids_receive line=277 msg="send to ips"
id=20085 trace_id=170 func=av_receive line=293 msg="send to application layer"
id=20085 trace_id=171 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.5.6:37400->1.1.1.1:53) from local. "
id=20085 trace_id=171 func=resolve_ip_tuple_fast line=5535 msg="Find an existing session, id-0686a887, original direction"
id=20085 trace_id=171 func=__ip_session_run_tuple line=3332 msg="run helper-dns-udp(dir=original)"
id=20085 trace_id=172 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.4.10:1492->1.1.1.1:53) from local. "
id=20085 trace_id=172 func=resolve_ip_tuple_fast line=5535 msg="Find an existing session, id-06868db4, original direction"
id=20085 trace_id=172 func=__ip_session_run_tuple line=3332 msg="run helper-dns-udp(dir=original)"
fg2 # diagnose debug disable
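A longer trace is easier to read when it is reduced to one line per trace_id. The following is an added Python example, not from the original post: it parses the trace lines above, groups them by trace_id and pulls out the ingress interface, session, route and policy verdict. The trace text is constructed in the page's format; traces 170/171 follow the example, while trace 172 (a denied ping) and its addresses are made up to show the other outcome.

```python
import re
from collections import defaultdict

# Constructed trace in the format of "diagnose debug flow trace start" shown
# above. Traces 170/171 follow the page's example; trace 172 (a denied ping)
# is made up here to show the other outcome a troubleshooter looks for.
SAMPLE_TRACE = """\
id=20085 trace_id=170 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.5.6:37400->1.1.1.1:53) from internal. "
id=20085 trace_id=170 func=init_ip_session_common line=5619 msg="allocate a new session-0686a887"
id=20085 trace_id=170 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-194.247.4.1 via wan1"
id=20085 trace_id=170 func=fw_forward_handler line=748 msg="Allowed by Policy-1: AV"
id=20085 trace_id=171 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.5.6:37400->1.1.1.1:53) from local. "
id=20085 trace_id=171 func=resolve_ip_tuple_fast line=5535 msg="Find an existing session, id-0686a887, original direction"
id=20085 trace_id=172 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=1, 172.16.23.11:1->8.8.8.8:2048) from internal. "
id=20085 trace_id=172 func=init_ip_session_common line=5619 msg="allocate a new session-0686a900"
id=20085 trace_id=172 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-194.247.4.1 via wan1"
id=20085 trace_id=172 func=fw_forward_handler line=748 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
PKT_RE = re.compile(r"proto=(\d+), (\S+)->(\S+)\) from (\S+?)\.")
SESSION_RE = re.compile(r"session[-, ]+(?:id-)?([0-9a-f]{8})")
ROUTE_RE = re.compile(r"gw-(\S+) via (\S+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"Denied by .*\(policy (\d+)\)")


def _new_trace():
    return dict(proto="?", src="?", dst="?", iface="?",
                session="?", route="?", verdict="?")


def parse_flow_trace(text):
    """Group trace lines by trace_id and extract the facts that matter:
    the packet tuple and ingress interface, the session it was mapped to,
    the route lookup result and the policy verdict. Missing facts stay '?'.
    """
    traces = defaultdict(_new_trace)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces[tid]
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                t["proto"], t["src"], t["dst"], t["iface"] = p.groups()
        elif func in ("init_ip_session_common", "resolve_ip_tuple_fast"):
            s = SESSION_RE.search(msg)
            if s:
                t["session"] = s.group(1)
        elif func == "vf_ip4_route_input":
            r = ROUTE_RE.search(msg)
            if r:
                t["route"] = f"{r.group(2)} (gw {r.group(1)})"
        elif func == "fw_forward_handler":
            a, d = ALLOW_RE.search(msg), DENY_RE.search(msg)
            if a:
                t["verdict"] = f"allowed by policy {a.group(1)}"
            elif d:
                t["verdict"] = f"denied (policy {d.group(1)})"
    return dict(traces)


def denied_flows(traces):
    """Return (src, dst, verdict) for every trace the firewall dropped."""
    return [(t["src"], t["dst"], t["verdict"])
            for t in traces.values() if t["verdict"].startswith("denied")]


if __name__ == "__main__":
    for tid, t in parse_flow_trace(SAMPLE_TRACE).items():
        print(f"trace {tid}: proto {t['proto']} {t['src']} -> {t['dst']} "
              f"in {t['iface']}, session {t['session']}, route {t['route']}, "
              f"{t['verdict']}")
```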
VPN
To show details about IKE/IPsec connections, use these commands:
get vpn ike gateway <name>
get vpn ipsec tunnel name <name>
get vpn ipsec tunnel details
diagnose vpn tunnel list
diagnose vpn ipsec status #shows all crypto devices with counters that are used by the VPN
get router info routing-table all
To debug IKE/IPsec sessions, use the VPN debug:
diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter ?
diagnose vpn ike log-filter dst-addr4 1.2.3.4
diagnose debug app ike 255 #shows phase 1 and phase 2 output
diagnose debug enable
#after enough output, disable the debug:
diagnose debug disable
To reset a certain VPN connection, use this (Credit):
diag vpn tunnel reset <phase1 name>
Log
For investigating the log entries (similar to the GUI), use the following filters, etc.:
execute log filter reset
execute log filter category event
execute log filter field #press enter for options
execute log filter field dstport 8001
execute log filter view-lines 1000
execute log filter start-line 1
execute log display
Defaults
Just a reminder for myself:
- IP: 192.168.1.99
- Login: admin
- Password: <blank>
To change the IP address of the mgmt interface (or any other) via the CLI, these commands can be used:
config system interface
edit mgmt
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh
next
end
Password Recovery & Factory Reset
Just the links here: Resetting a lost Admin password and How to reset a FortiGate with the default factory settings.
Links
- Fortinet: FortiOS Admin Guides
- itsecworks: Fortigate troubleshooting commands
Featured image “Warten auf Arbeit” by Günter Hentschel is licensed under CC BY-ND 2.0.
Wow! Thanks for sharing.
It’s so complete for resolving a problem.
Regards.
Great stuff! I’ve been looking for it
Thank you so much for sharing.
Great, thanks for sharing!!
Greetings
Nice Job – good summary of most of the commands you need or routinely use.
John K. NSE7
How to check failover history in fortigate ?
How to check the history of commands?
Hi ihsan,
I am not aware of a global history of commands. As far as I know you can only move through your own commands in that current CLI session (arrow up key).
With the following CLI command you can see how many lines are stored in the history buffer:
get gui console status
Thank you very much, that’s really helpful!
Very nice indeed. Thanks for sharing.
Still very helpful
Really thanks for your sharing
Hi, How do adjust MTU on the Ipsec tunnel in fortigate?
Hi Dicky,
I am not fully sure, but to my mind the MTU size cannot be changed on a tunnel interface. On a normal hardware interface, it can be done with this CLI commands:
config system interface
edit wan1
set mtu-override enable
set mtu
next
end
Source: http://kb.fortinet.com/kb/documentLink.do?externalID=11745
… but these commands are not present on the tunnel interfaces.
It works! Thanks.
Be careful using this as a sniffer. “Sniff packets like tcpdump does. ” is not a true statement. Fortinet support reports that if you have devices with ASIC offload enabled and you’re running anything in the v5 train, you will not see the entire conversation as you would with tcpdump.
You must DISABLE ASIC OFFLOAD (see page 10 of http://docs.fortinet.com/uploaded/files/1607/fortigate-hardware-accel-50.pdf). Unfortunately for me, I can’t make live mods to firewall policies for troubleshooting. Disabling auto offload now makes the Fortigate sniffer less useful… :-(
Oh yes, thanks for your hint!!
Thanks a lot mate!
Great thanks! What is the command on 5.2.x to check file system for errors and repair?
The following does not work: diagnose system file-system fscheck
Hi Alex,
try the following:
diag hardware deviceinfo disk
diag hardware smartctl -a /dev/sda
I don’t know if this is exactly what you are searching for. But you’ll get some information about the disks.
Hi, there is one command in FortiGate that will show you whatever you do in the GUI; its equivalent CLI will be displayed over there.
Some additional information for sniffing a IPv6 subnet:
# diagnose sniffer packet any 'net 2001:db8::/32' 6 1000 l
Oh yeah, Ulrich, thanks! I added it to the list.
thanks a lot, muchas gracias!
Dear all,
Thanks a lot …its helpful for finding the problems.
Dear All,
Thanks for great stuff. Appreciate knowledge sharing.
Thanks for this nice post, finally the essential in a short survey
superb man!!!
Hi, how to show the mac address of the virtual ip address (ha mode)?
Hey max,
sorry, normally I am answering to almost all questions, but I currently have no FortiGate cluster to test any commands. I simply do not know which one to use. Have you already googled it?
(If you only need it once you can also do a packet capture and analyze the MAC addresses with Wireshark. ;))
How were you able to get the output in color, or was that changed for the post?
Sorry Jason for the confusion, but it’s only the WordPress plugin on my blog. There is no coloring on the FortiGate CLI at all.
(I like the coloring here because it helps to distinguish between different areas.)
very useful….appreciate your help
Hi, I would like to know how I can debug live traffic on FortiGate, i.e. to see if certain traffic is passing or not. Like I can debug in ASA to check all traffic, then filter by the IP I’m interested in and see if it’s going through or not. If for example I’m pinging and would like to know if the ping went through the firewall or it got blocked?
Hey King. This is exactly what I described within the “Flow” section above. ;) Please have a look at it.
Cheers, Johannes
Hi Johannes,
When I issue “diagnose debug flow filter daddr 8.8.8.8” I get no results although there’s traffic passing through, i.e. I’m pinging that address 8.8.8.8 but the command returns nothing.
Hey again. Just to be sure: Have you used the complete list of commands listed there? If you want to trace all connections to 8.8.8.8 you must use all of the following in this order:
diagnose debug reset
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 10
diagnose debug disable
Ow ok, thanks Johannes. I was only entering “diagnose debug flow filter daddr 8.8.8.8”.
I will use the complete list of commands. But is the last command not disabling the diag?
I should enter the last command after I got the results, so that I can stop the diag, right?
Fortigate 100 A
After adding all fields in column settings in the policy section, I couldn’t open the Policy section again; giving HTTP Error: 400.
Please advise if I can reset to the default column settings so the page opens again.
Hey NH,
please open a ticket at Fortinet. I had some HTTP 400 errors as well during the last years and it was sometimes much more complicated than only a single setting. (However, you can try to reboot the device first. ;))
I opened the browser through Explorer/Mozilla after the issue was on Chrome.
It worked. Then when I noticed that the window opened, I deleted the history from Chrome and the browser also worked again.
how to generate ip accounting using cli
How to write a comment with “hello” and “thanks” as well as a problem description that anyone can understand?
Hey Johannes ,
I want to know what the CLI command for matching (policy lookup) the policy in FortiGate is, similar to Juniper.
Hi manjunatha Joshi,
I am sorry, but I don’t know what you are searching for exactly. You can display the policies with “show firewall policy” and “show firewall policy6”. But this only shows the configured policies. Are you looking for a policy test, depending on source/destination addresses/ports? I don’t know whether such “tests” exist on the FortiGate.
Hi All,
I have a FortiGate 100D, firmware 5.4.3, which was fine until last weekend. After that no DHCP for the LAN interface, no access for the mgmt, WAN, or LAN interfaces.
No ping response for these interfaces.
I got logged in by serial console and reset to factory defaults. But no success.
How to bring the system and GUI up?
thanks
Hi Costa,
seems like a bigger problem on your device. I can’t help you. You should open a ticket at Fortinet.
Sorry,
Johannes
Thank you. Great stuff and very helpful!
Perfect article. well written
Thanks
How I can export the result from those commands in a text file?
I am using PuTTY with Session logging. Works perfectly. ;)
this is definitely helpful documentation
Kudos to you!
Keep up the good work
Sir, I have a FortiGate firewall 2000E. We use Explicit Proxy but Active authentication using LDAP. The problem is User & Device Authentication, we cannot do it.
This is great stuff! Thanx!!
Hi,
I want to know how many processors and the type of processor (speed etc.) there are on a FortiGate 1000D. Can anyone share the output or findings?
Hi Az,
did you try CLI-command “# get hardware ?” and use one of the displayed options?
Regards
Ulrich
Hello,
Super work
Awesome.
Nice work
I am new to Fortigate and this article helped me a lot for synchronizing my experience of other firewalls knowledge with Fortigate.
Thank you
Good Luck
Tip to use grep to find expression1 OR expression2 on FortiOS:
show | grep 'edit\|npu' --> shows all lines with word 'edit' or word 'npu'
Another example:
diag vpn tunnel list | grep 'name\|esp\|ah'
Hey Ulrich. Thanks for this great hint! I have added it into the post.
Thanks gr8 information..
can someone help with AP inventory command which should provide list of complete associated APs with hostname, IP, mac details in single command.
Yogesh
Respect man for sharing it, respect :)
Very helpful thank you
Hi there,
Noticed you missed out a good HA cmd for FortiGates (doesn’t work on the FortiWeb).
#diagnose sys ha reset-uptime ####force a failover, will lose around 5 packets..
dude your the man!!!!!!
Some additional information for sniffing IPv6 ping (ICMP6 echo request and echo reply) :
# diagnose sniffer packet any 'ip6[40]=128 or ip6[40]=129' 6 1000 l
How to understand it:
if byte 40 of an IP6 packet (starting from 0 so this is first byte of ICMPv6 header) has value 128 (ICMPv6 echo request) or value 129 (ICMP6 echo reply), then show the packet.
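Added example (not part of this comment or the original post): a Python script that builds minimal constructed frames and applies the post’s LLDP and CDP sniffer filters and this comment’s ip6[40] filter as plain byte checks, to show which offsets each filter really tests. The IPv4 fragment frame is there to show that ether[20:2] == 0x2000 on its own also matches a fragmented IPv4 packet, so a stricter LLC/SNAP check is included next to it.

```python
import struct

# Constructed minimal frames: only the bytes the sniffer filters look at are
# meaningful, everything else is zero padding.

def lldp_frame():
    # dst MAC 01:80:c2:00:00:0e (LLDP multicast), src MAC, EtherType 0x88cc, TLVs
    return bytes.fromhex("0180c200000e") + bytes(6) + struct.pack("!H", 0x88CC) + bytes(20)


def cdp_frame():
    # CDP is 802.3 + LLC/SNAP: bytes 12-13 carry a length (<= 1500), not an EtherType;
    # bytes 14-16 LLC aa aa 03, 17-19 SNAP OUI 00 00 0c (Cisco), 20-21 protocol ID 0x2000
    payload = bytes.fromhex("aaaa03" "00000c") + struct.pack("!H", 0x2000) + bytes(20)
    return bytes.fromhex("01000ccccccc") + bytes(6) + struct.pack("!H", len(payload)) + payload


def ipv4_fragment_frame():
    # IPv4 packet with the "more fragments" flag set: its flags/fragment-offset
    # field lands at frame bytes 20-21 and reads 0x2000 too.
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0x2000, 64, 17, 0,
                      bytes(4), bytes(4)) + bytes(8)
    return bytes(6) + bytes(6) + struct.pack("!H", 0x0800) + ip4


def icmpv6_frame(icmp_type):
    # Ethernet (EtherType 0x86dd) + the fixed 40-byte IPv6 header (next header 58
    # = ICMPv6) + an ICMPv6 header whose first byte is the type
    ip6 = struct.pack("!IHBB", 0x60000000, 8, 58, 64) + bytes(16) + bytes(16)
    icmp6 = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    return bytes(6) + bytes(6) + struct.pack("!H", 0x86DD) + ip6 + icmp6


def u16(frame, off):
    """Big-endian 16-bit read at a frame offset, like ether[off:2] in the filter."""
    return struct.unpack_from("!H", frame, off)[0]


def matches_lldp(frame):
    """'ether proto 0x88cc': EtherType field at bytes 12-13."""
    return len(frame) >= 14 and u16(frame, 12) == 0x88CC


def matches_cdp(frame):
    """'ether[20:2] == 0x2000' exactly as written in the post."""
    return len(frame) >= 22 and u16(frame, 20) == 0x2000


def matches_cdp_strict(frame):
    """Same intent, but also require the 802.3 length + LLC/SNAP + Cisco OUI,
    which rules out IPv4 fragments that happen to carry 0x2000 at offset 20."""
    return (len(frame) >= 22 and u16(frame, 12) <= 1500
            and frame[14:20] == bytes.fromhex("aaaa0300000c")
            and u16(frame, 20) == 0x2000)


def matches_icmpv6_echo(frame):
    """'ip6[40]=128 or ip6[40]=129': ip6[n] is counted from the start of the
    IPv6 header, so ip6[40] is the first byte past the 40-byte fixed header,
    i.e. the ICMPv6 type (128 echo request, 129 echo reply)."""
    if len(frame) < 14 or u16(frame, 12) != 0x86DD:
        return False
    ip6 = frame[14:]
    return len(ip6) > 40 and ip6[40] in (128, 129)


if __name__ == "__main__":
    frames = {"lldp": lldp_frame(), "cdp": cdp_frame(),
              "ipv4-fragment": ipv4_fragment_frame(),
              "icmpv6-echo-request": icmpv6_frame(128),
              "icmpv6-neighbor-solicitation": icmpv6_frame(135)}
    for name, f in frames.items():
        print(f"{name:30} lldp={matches_lldp(f)} cdp={matches_cdp(f)} "
              f"cdp_strict={matches_cdp_strict(f)} icmpv6_echo={matches_icmpv6_echo(f)}")
```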
Thanks a lot man, Really great guide for daily use.
great content, thanks for sharing.
I want to add the telnet command on my router.
How can I show the available vdom on a box.
Is there any command that lists all vdoms? Thanks
You can use this one:
config global
sudo ?
alternatively:
diagnose sys vd list
Cheers.
Fantastic page, I love it. Almost everything I need to know in one place. Many thanks for putting this page up.
Thanks for this page ! Very helpful !
A nice command to see the tree structure in the config sub part where you are and attributes valid value ranges :
FG (interface) # tree
(do not use at the root level otherwise you display the whole conf tree !)
One you should not need (undocumented) :
# fnsysctl ls
(you can replace ls with other bash commands : ps, cat, …)
Nice! Thanks for that. I wasn’t aware of this “tree” command. Have added it to the list.
Thank you for this great page! It was super helpful in solving a “mysterious” routing problem. :)
*** PASSWORD RECOVERY FUNCTIONALITY IS DISABLED ***
*** Please contact the person(s) or company responsible for managing this device ***
THU-ART-FW-01 login: maintainer
Password: ********************
Welcome !
THU-ART-FW-01 # config system admin
7657: Unknown action 3
Command fail. Return code -1
THU-ART-FW-01 # get system
7657: Unknown action 0
Command fail. Return code -1
THU-ART-FW-01 # diagnose
7657: Unknown action 0
Command fail. Return code -1
THU-ART-FW-01 # config
7657: Unknown action 3
Command fail. Return code -1
Hi,
I’m a newbie to the Fortinet world (I’m an old Cisco ASA user) and this is a very good resource!
I have read all the post but …
Does something like the Cisco “do” command exist when you are in a config?
For example I’m in
config system interface
edit port1
and I want to show the config of another interface without exiting the scope.
About the sudo command, I’m on a FortiGate 7.0.1 and it does not work.
Thanks.
Awesome write-up! Very much appreciated!!!!!
This page is still super useful! :)
The Flow section especially helped me figure out exactly what an application was doing (using load balancers, etc.) – to see exactly what needed to go through my Fortigate 1500 firewall.
Thank you for creating this page!
very useful command bro!
I love this. Thank you so much! Just your intro to this article alone soothes my pain:-)