The following table lists handy show/diag/update/config commands for FortiGate. Will update this list once in a while.
Command | What does it do? |
config system arp-table | Add static ARP entries |
config system interface | Show all NICs |
config router prefix-list | Add a prefix-list. Type show to see current prefix-lists. |
config router route-map | Add a route-map. Type show to see current route-maps. |
diag debug crashlog read | Get crash log – shows the crashlog in a readable format. |
diag debug rating | Show list of FortiGuard Services |
diag ip arp delete <interface name> <IP address> | Remove a single ARP table entry |
diag ip arp list | View ARP cache |
diagnose debug enable > diagnose debug application fnbamd -1 | Debug LDAP or RADIUS |
diag debug reset > diag ip router bgp all enable > diag ip router bgp level info > diag debug enable | Debug BGP |
diag debug disable | Disable Debug output |
diagnose firewall ipgeo country-list | Show Geo IP countries |
diagnose firewall ipgeo ip-list all | Show Geo IP IPv4 address list |
diagnose hardware deviceinfo nic | Show hardware info for NIC |
diagnose hardware deviceinfo nic <nic> | Show device information for a specific NIC |
diagnose hardware sysinfo shm | Show shared memory information – check whether conservemode is 1 |
diagnose sys ha hadiff status | Show an HA diff |
diagnose sys ha reset-uptime | Execute a fail-over |
diagnose sys kill process_id 15 | Kill processes – uses an unconditional kill. |
diagnose sys session list | Show session table |
diagnose sys tcpsock | List open networking ports |
diagnose sys top | Show top with processes |
exec router clear bgp all | Clear all BGP sessions |
exec router clear bgp all soft | Soft clear all BGP (this refreshes the BGP routing table, but the BGP sessions remain) |
exec router clear bgp ip soft x.x.x.x | Soft Clear BGP for specific neighbor |
exec ha manage 0/1 | Manage other cluster member through HA interface |
exec log display | Display log |
exec ping <dst> | Execute a ping |
exec ping-options | Set specific ping options |
exec ping-options source | Set specific source IP |
exec tac report | Generate a TAC report |
exec telnet ip:port | Execute a telnet client |
exec ssh ip:port | Execute an SSH client |
exec traceroute | Execute a traceroute |
exec clear system arp table | Clear ARP cache |
exec log filter | Set a log filter |
exec update-geo-ip | Update Geo IP addresses |
exec update-av | Update Antivirus Database |
exec update-ips | Update IPS Database |
get router info routing-table all | Show routing table |
get router info routing-table database | Show routing database |
get router info routing-table bgp | Show BGP routes |
get router info routing-table ospf | Show OSPF routes |
get router info routing-table connected | Show directly connected routes |
get router info routing-table details <host> | Get routing information for specific <host> |
get router info bgp summary | Show BGP Peer status and received prefixes |
get router route-map | Show available route-maps |
get router prefix-list | Show available prefix-lists |
get system arp | Show ARP table |
get system checksum status | Show HA checksum |
get system ha status | Show HA status |
get system performance status | Show performance usage |
get system performance top | Show top; use SHIFT+M to sort by memory usage. |
get system session list | Short list for session table |
get system status | Show system status |
get vpn ipsec tunnel details | Show details for IPsec VPN tunnel |
get vpn ipsec tunnel summary | Show summary list of IPsec VPN tunnels |
diag vpn ipsec status | Verify IPsec offload to Network Processors (NP) |
diag vpn tunnel list | npu_flag=00: ingress and egress ESP packets are not offloaded. npu_flag=01: only egress ESP packets can be offloaded; ingress ESP packets are handled by the kernel. npu_flag=02: only ingress ESP packets can be offloaded; egress ESP packets are handled by the kernel. npu_flag=03: both ingress and egress ESP packets are offloaded. For a fast tunnel, npu_flag=03 is essential. |