FortiNet CLI Cheat Sheet

The following table lists show / diag/ update/ config commands for FortiGate, which can be handy. Will update this list once in a while

CommandWhat does it do?
config system arp-tableAdd static ARP entries
config system interfaceShow all NIC’s
config router prefix-listAdd a prefix-list
Type show, to see current prefix-lists.
config router route-mapAdd a route-map
Type show, to see current route maps
diag debug crashlog readGet crash log – shows the crashlog in a readable format.
diag debug ratingShow list of FortiGuard Services
diag ip arp delete <interface name> <IP address>Remove a single ARP table entry
diag ip arp list View ARP cache
diagnose debug enable > diagnose debug application fnbamd -1 Debug LDAP or Radius
diag debug reset
diag ip router bgp all enable
diag ip router bgp level info
diag debug enable
Debug BGP
diag debug disableDisable Debug output
diagnose firewall ipgeo country-listShow Geo IP countries
diagnose firewall ipgeo ip-list allShow Geo IP IPv4 address list
diagnose hardware deviceinfo nicShow hardware info for NIC
diagnose hardware deviceinfo nic <nic>Show device information for specific NIC: 
diagnose hardware sysinfo shmShow shared memory information – Look if conservemode is 1
diagnose sys ha hadiff statusShow a HA diff:
diagnose sys ha reset uptimeExecute a fail-over
diagnose sys kill process_id 15Kill processes – uses a unconditional kill. 
diagnose sys session listShow session table
diagnose sys tcpsockList open networking ports:
diagnose sys topShow top with processes: 
exec router clear bgp allClear all BGP sessions
exec router clear bgp all softSoft Clear all BGP (this will refresh the BGP routing table, but BGP session remains)
exec router clear bgp ip soft x.x.x.xSoft Clear BGP for specific neighbor
exec ha manage 0/1Manage other cluster member through HA interface
exec log displayDisplay log 
exec ping <dst>Execute a ping
exec ping-optionsSet specific ping options
exec ping-options source Set specific source IP
exec tac reportGenerate a TAC report
exec telnet ip:portExecute a telnet
exec ssh ip:portExecute a SSH client
exec tracerouteExecute a traceroute 
exec clear system arp tableClear ARP cache
exec log filterSet a log filter
exec update-geo-ipUpdate Geo IP addresses
exec update-avUpdate Antivirus Database
exec update-ipsUpdate IPS Database
get router info routing-table allShow routing table
get router info routing-table databaseShow routing database 
get router info routing-table bgpShow BGP routes
get router info routing-table ospfShow OSPF routes
get router info routing-table connectedShow Direct Connected routes
get router info routing-table details <host>Get routing information for specific <host> 
get router info bgp summaryShow BGP Peer status and received prefixes
get router route-mapShow available route-maps
get router prefix-listShow available prefix-lists
get system arpShow ARP table
get system checksum statusShow HA checksum
get system ha statusShow HA status
get system performance statusShow performance usage
get system performance topShow top – , use SHIFT+M to sort on memory usage. 
get system session listShort list for session table
get system statusShow system status 
get vpn ipsec tunnel detailsShow details for IPSEC VPN tunnel
get vpn ipsec tunnel summaryShow summary list of IPSEC VPN tunnels 
diag vpn ipsec statusVerify IPsec Offload to Network Processors (NP)
diag vpn tunnel listnpu_flag=00 Means that ingress & egress ESP packets are not offloaded
npu_flag=01 Means only egress ESP packets can be offloaded, ingress ESP packets will be handled by the kernel
npu_flag=02 Means only ingress ESP packets can be offloaded, egress ESP packets will be handled by the kernel
npu_flag=03 Means that both ingress & egress ESP packets will be offloaded

For a fast tunnel npu_flag=03 is essential

Posted

in

by

x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
Shield Security