
This page explores the Command Line Interface (CLI) commands for Fortinet's FortiGate network security appliances. Whether you are a network administrator, a security professional, or someone who wants a better understanding of FortiGate's CLI capabilities, it collects the essential commands in one place.
Fortinet command list. Take care when using shell commands!

Use commands to navigate through the CLI hierarchy, similar to navigating through directories in a file system. Common commands include:
config: Enter configuration mode.
edit: Enter a specific configuration section.
show: Display configuration or status information.
get: Get specific configuration settings.
set/unset: Set a field / reset a field to the default value.
next: Save current entry (edit X) and return to table.
prev: Move to the previous configuration section.
end: Exit configuration mode.
tree: Display the command tree for the current config section.
abort: Exit commands without saving the fields (Ctrl+C).
delete: Remove a table from the current object.

Use commands to configure various settings on the FortiGate device. For example:
config system interface: Configure network interfaces.
config firewall policy: Set up firewall policies.
config system admin: Manage administrator accounts.
config vpn ipsec phase1-interface: Configure IPsec VPN settings.
config system global: Configure global settings.

Use commands to monitor the device's status and performance. For example:
get system status: Display system status.
get system performance status: Show performance statistics.
get router info routing-table: View the routing table.
diagnose hardware sysinfo: Get hardware information.
exec shutdown/reboot: Shut down or reboot the device.
execute ping(-options): Ping something (can add options).
execute ssh <user>@<ip>: SSH to another server.
get sys arp (| grep x.x): Show the ARP table (filtered by x.x).
show | grep -f something: Find where "something" is used (case-sensitive; use -i to be case-insensitive).

After making changes, use the end command followed by execute backup config <filename> to save the configuration to a file.
Type exit or press Ctrl + D to exit the CLI and return to the regular prompt.
Always log out of the CLI using the exit command or by closing the terminal window.
show/get system interface: Show interface status. Use get to retrieve dynamic information (such as PPPoE IP).
    config sys interface
    edit <port>
    set ip x.x.x.x/y
    set allowaccess ssh ping https
    end
diag hard dev nic <port>: Show interface statistics.
diag netlink device list: Show interface statistics (errors).
get hardware nic <interface name>: Hardware info of the interface: MAC address, state (up/down), duplex (full, half), Rx/Tx packets, drops.
diagnose hardware deviceinfo nic <nic name>: Same as above.
get sys interface transceiver: List all SFP/SFP+ transceivers installed with info on: vendor name, serial number, temperature, voltage consumed, and, most important, Transmit (TX) and Receive (RX) signal power in dBm.
get hardware npu np6 port-list: Show on which interfaces the NPU offloading is enabled.
diagnose npu np6lite port-list: Same as above but for NP6-lite.
fnsysctl ifconfig <interface name>: Gives the same info as Linux ifconfig. The only way to see the actual MTU of the interface.
fnsysctl cat /proc/net/dev: Similar to netstat; shows errors on the interfaces, drops, packets sent/received.
diagnose ip address list: Show IP addresses configured on all the FortiGate interfaces.
diagnose sys gre list: Show configured GRE tunnels and their state.
Enable all ADSL/PPPoE-related debug:
    diag debug application pppoed -1
    dia debug application pppoe -1
    dia debug application ppp -1
execute interface pppoe-reconnect: Force ADSL re-connection.
diagnose sys waninfo: Show WAN interface info: public IP address of the WAN interface, guessed geo location of this IP, and whether this IP address is in the FortiGuard blacklist.
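
The config / edit / set / next / end hierarchy described above is also how a saved configuration is laid out, so a backup can be reviewed offline. The following added example (not from the original page or from Fortinet) parses the config system interface block and reports interfaces whose allowaccess list includes HTTP or Telnet; the sample configuration, its addresses, and the function names are constructed for illustration, and treating those two protocols as findings is an assumption of the example.

```python
import shlex

CLEARTEXT = {"http", "telnet"}  # assumption: protocols reported as findings

# Constructed sample, shaped like "show system interface" output.
SAMPLE = '''
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping http telnet
    next
    edit "port3"
        set ip 203.0.113.1 255.255.255.0
    next
end
'''

def interface_access(config_text):
    """Return {interface: [allowaccess protocols]} for config system interface."""
    result, stack, current = {}, [], None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)          # handles quoted names like "port1"
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(" ".join(args))   # descend one level
        elif cmd == "end" and stack:
            stack.pop()                    # leave the current config block
        elif stack == ["system interface"]:  # skip nested blocks (config ipv6)
            if cmd == "edit" and args:
                current = args[0]
                result[current] = []       # no allowaccess line means none set
            elif cmd == "next":
                current = None
            elif cmd == "set" and current and args[:1] == ["allowaccess"]:
                result[current] = args[1:]
    return result

def cleartext_findings(config_text):
    """Interfaces whose allowaccess includes a cleartext management protocol."""
    access = interface_access(config_text)
    return {n: sorted(CLEARTEXT & set(p)) for n, p in access.items() if CLEARTEXT & set(p)}

if __name__ == "__main__":
    for name, protos in cleartext_findings(SAMPLE).items():
        print(f"{name}: cleartext management access: {', '.join(protos)}")
```

To check a real device, pass the text of a saved configuration file to cleartext_findings() in place of SAMPLE.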