FORTIGATE – CLI COMMANDS

About

This page is an in-depth reference for the Command Line Interface (CLI) commands of Fortinet’s FORTIGATE network security appliances. Whether you are a network administrator, a security professional, or someone looking to deepen their understanding of FORTIGATE’s CLI, it collects the essential commands in one place.

COMMANDS:

MAIN COMMAND STRUCTURE

Use commands to navigate through the CLI hierarchy, similar to navigating through directories in a file system. Common commands include:

  • config: Enter configuration mode.
  • edit: Enter a specific configuration section.
  • show: Display configuration or status information.
  • get: Get specific configuration settings.
  • set/unset: Set a field / reset a field to its default value.
  • next: Save current entry (edit X) and return to table.
  • prev: Move to the previous configuration section.
  • end: Exit configuration mode.
  • tree: Display the command tree for the current config section.
  • abort: Exit without saving the fields (Ctrl+C).
  • delete: Remove a table from the current object.

Configuration:

Use commands to configure various settings on the Fortigate device. For example:

  • config system interface: Configure network interfaces.
  • config firewall policy: Set up firewall policies.
  • config system admin: Manage administrator accounts.
  • config vpn ipsec phase1-interface: Configure IPsec VPN settings.
  • config system global: Configure global settings.

Monitoring:

Use commands to monitor the device’s status and performance. For example:

  • get system status: Display system status.
  • get system performance status: Show performance statistics.
  • get router info routing-table: View the routing table.
  • diagnose hardware sysinfo: Get hardware information.

Basic Commands:

  • exec shutdown/reboot: Shut down or reboot the device.
  • execute ping / execute ping-options: Ping a host (ping-options sets the ping parameters first).
  • execute ssh <user>@<ip>: SSH to another server.
  • get sys arp (| grep x.x): Show the ARP table (optionally filtered by x.x).
  • show | grep -f something: Find where “something” is used (case-sensitive; add -i to make it case-insensitive).

Saving/backup Configuration:

After making changes, use the end command followed by execute backup config <filename> to save the configuration to a file.

Exiting the CLI:

Type exit or press Ctrl + D to exit the CLI and return to the regular prompt.

Logging Out:

Always log out of the CLI using the exit command or by closing the terminal window.

INTERFACE COMMANDS

  • show/get system interface Show interface status. Use get to retrieve dynamic information (such as a PPPoE-assigned IP).
  • Basic interface IP configuration (the management-access field is allowaccess):
config sys interface
    edit <port>
        set ip x.x.x.x/y
        set allowaccess ssh ping https
    end
  • diag hard dev nic <port> Show interfaces statistics

  • diag netlink device list Show interfaces statistics (errors)

  • get hardware nic <interface name> Hardware info of the interface: MAC address, state (up/down), duplex (full, half), Rx/Tx packets, drops.

  • diagnose hardware deviceinfo nic <nic name> Same as above.

  • get sys interface transceiver List all SFP/SFP+ transceivers installed with info on: vendor name, serial number, temperature, voltage consumed and, most importantly, the transmit (TX) and receive (RX) signal power in dBm.

  • get hardware npu np6 port-list Show on which interfaces the NPU offloading is enabled.

  • diagnose npu np6lite port-list Same as above but for NP6-lite.

  • fnsysctl ifconfig <interface name> Gives the same info as Linux ifconfig; the only way to see the actual MTU of the interface.

  • fnsysctl cat /proc/net/dev Similar to netstat; shows errors on the interfaces, drops, and packets sent/received.

  • diagnose ip address list Show IP addresses configured on all the Fortigate interfaces.

  • diagnose sys gre list Show configured GRE tunnels and their state.

  • diag debug application pppoed -1
    diag debug application pppoe -1
    diag debug application ppp -1 Enable all ADSL/PPPoE-related debug.

  • execute interface pppoe-reconnect Force ADSL re-connection.

  • diagnose sys waninfo Show WAN interface info: public IP address of the WAN interface, guessed geo-location of this IP, and whether this IP address is on the FortiGuard blacklist.
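As an added defender-side example (not code from the original page or from Fortinet): a Python script that parses the output of show system interface, flags WAN-role interfaces whose allowaccess list exposes a management service, and builds the config system interface / set allowaccess block that narrows it. The sample output and interface names are constructed assumptions, not captured from a real device.

```python
import re
from typing import Dict, List

# Constructed sample of `show system interface` output (not from a real device).
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "mgmt"
        set allowaccess ping https ssh
        set role lan
    next
    edit "dmz"
        set role dmz
    next
end
"""
# allowaccess services that open an administrative login surface.
MGMT_SERVICES = {"http", "https", "ssh", "telnet"}

def parse_interfaces(show_output: str) -> Dict[str, Dict[str, str]]:
    """Turn each `edit <name>` ... `next` block into {name: {field: value}}."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "?(.+?)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)  # "set", field, rest of line
            interfaces[current][parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
    return interfaces

def exposed_management(interfaces: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of wan-role interfaces whose allowaccess includes a management service."""
    return [name for name, f in interfaces.items()
            if f.get("role") == "wan"
            and set(f.get("allowaccess", "").split()) & MGMT_SERVICES]

def remediation_cli(name: str, fields: Dict[str, str]) -> str:
    """CLI block that drops management services from allowaccess, keeping the rest."""
    keep = [s for s in fields.get("allowaccess", "").split() if s not in MGMT_SERVICES]
    setter = f"set allowaccess {' '.join(keep)}" if keep else "unset allowaccess"
    return "\n".join(["config system interface", f'    edit "{name}"',
                      f"        {setter}", "    next", "end"])
```

Feed it the real show system interface output from a device to list every WAN-facing interface that still answers on HTTPS or SSH; the returned block is what you would paste back into the CLI, followed by execute backup config to save the change.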