"Journey towards new learning"

Fortigate Daily Life Troubleshooting Commands



sudo {global | <vdom-name>} {diagnose | execute | show | get} ...

sudo global show system admin
sudo root get system interface physical

get system interface physical #overview of hardware interfaces
get hardware nic <nic-name> #details of a single network interface, same as: diagnose hardware deviceinfo nic <nic-name>
fnsysctl ifconfig <nic-name> #kind of hidden command to see more interface stats such as errors
get system status #==show version
get system performance status #CPU and network usage
execute sensor list #power supply, temperature, fans
execute sensor detail
diagnose sys top #top with all forked processes
diagnose sys top-summary #easier top, incl. CPU and mem bars. Forked worker processes are collapsed into one line marked like [x13]
execute dhcp lease-list
get system arp
diagnose ip arp list
diagnose ipv6 address list
diagnose ipv6 neighbor-cache list
diagnose sys ntp status
diagnose autoupdate versions #lists the attack definition versions, last update, etc.
diagnose log test #generates all possible log entries (useful to check log forwarding)
diagnose test application dnsproxy 6 #shows the IP addresses of FQDN objects
diagnose debug crashlog read #shows crashlog, a status of 0 indicates a normal close of a process! Non-zero statuses are the ones worth a closer look
diag debug app update -1 #debug the update daemon with all messages (-1), then trigger an update:
diag debug enable
exec update-now
diag debug disable
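Reading a long crashlog by eye is error-prone, so here is an added example (not from the original post) that triages saved output of `diagnose debug crashlog read`: it keeps only daemon kills whose status is not 0x0 and counts them per daemon. The sample lines are constructed for this example, modelled on the FortiOS "the killed daemon is <path>: status=0x<hex>" line format; the daemons, timestamps and status values are invented.

```shell
#!/bin/sh
# Triage saved "diagnose debug crashlog read" output.
# Constructed sample: same line shape as a real crashlog, but every
# timestamp, daemon and status value here is invented for the example.
SAMPLE_CRASHLOG='2023-04-02 10:15:01 the killed daemon is /bin/wad: status=0x0
2023-04-02 10:15:02 the killed daemon is /bin/sslvpnd: status=0x0
2023-04-03 03:22:41 the killed daemon is /bin/ipsengine: status=0xb
2023-04-03 03:22:42 the killed daemon is /bin/ipsengine: status=0xb
2023-04-04 08:00:00 the killed daemon is /bin/wad: status=0x6'

# Print only "killed daemon" lines whose status is not 0x0, i.e. the
# processes that did not close normally. Takes the crashlog text as $1.
abnormal_kills() {
    printf '%s\n' "$1" | awk '
        /the killed daemon is/ {
            status = $0
            sub(/.*status=0x/, "", status)   # keep the hex value after status=0x
            if (status != "0") print
        }'
}

# Count abnormal kills per daemon and print "<count> <daemon>",
# most frequent daemon first. Field 7 is the daemon path (with a trailing colon).
abnormal_kills_by_daemon() {
    abnormal_kills "$1" | awk '{
        d = $7
        sub(/:$/, "", d)
        n[d]++
    } END { for (d in n) print n[d], d }' | sort -rn
}

# Usage: feed a file saved from the FortiGate CLI, or the embedded sample.
# abnormal_kills "$(cat crashlog.txt)"
abnormal_kills_by_daemon "$SAMPLE_CRASHLOG"
```

Run it against a saved crashlog with `abnormal_kills "$(cat crashlog.txt)"`; the per-daemon summary is what you would paste into a ticket before opening a case, since repeated non-zero exits of the same daemon are the usual sign of a real problem rather than a routine restart.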

get system session list #rough view with NAT, only IPv4

diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter dport 53
diagnose sys session list #show the session table with the filter just set

diagnose test authserver ldap <server_name> <username> <password>
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
diagnose test authserver local <group_name> <username> <password>
diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbose> <count> <time-format> #verbose 1-6 (4 adds interface names, 6 full hex dump), count 0 = until Ctrl-C, time-format a = absolute UTC, l = local time

diagnose debug reset
diagnose debug flow filter ?
diagnose debug flow filter saddr 172.16.23.11
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show function-name enable
diagnose debug enable
#display the next 10 packets:
diagnose debug flow trace start 10
diagnose debug disable

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter ?
diagnose vpn ike log-filter dst-addr4 1.2.3.4 #on newer FortiOS releases the filter is "diagnose vpn ike log filter rem-addr4 1.2.3.4"
diagnose debug app ike 255 #shows phase 1 and phase 2 output
diagnose debug enable #after enough output, disable the debug:
diagnose debug disable

execute log filter reset
execute log filter category event
execute log filter field #press enter for options
execute log filter field dstport 8001
execute log filter view-lines 1000
execute log filter start-line 1
execute log display


get system ha status
diagnose sys ha status
execute ha manage ? #switch to the CLI of a secondary unit
execute ha manage <device-index> #newer releases also require an admin user name after the index
diagnose sys ha checksum show #checksums of the local unit; use "diagnose sys ha checksum cluster" to list all members and compare them to find an out-of-sync peer


