CLI Commands for Troubleshooting FortiGate Firewalls

This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI. It is neither complete nor very detailed, but it provides the basic commands for troubleshooting network related issues that cannot be resolved via the GUI. I am not focused on memory, process, kernel, etc. details; these are only needed for really specific problems. I am more focused on the general troubleshooting stuff. I am using it personally as a cheat sheet / quick reference and will update it from time to time.

Coming from Cisco, everything is “show”. With Fortinet you have to choose between show | get | diagnose | execute, which is confusing and not that easy to remember. It is “get router info6 routing-table” to show the routing table but “diagnose firewall proute6 list” for the policy routes (PBF rules). Likewise the sys | system keyword: it is always “diagnose sys” but “execute system”.

Entering the correct vdom/global config

Remember to enter the correct vdom or global configuration tree before configuring anything:

To execute any “show” command from any context use the sudo keyword with the global/vdom-name context followed by the normal commands (except “config”) such as:

 

Show running-config & grep & scp

To show the running configuration (such as “show run” on Cisco) simply type:

To show the entire running configuration with default values use:

To omit the “--More--” stops when displaying many lines, you can set the terminal output to the following, which will display all lines at once. This is similar to “terminal length 0” on Cisco. Be careful with it, because this setting is persistent. Set it back to the default after usage!

To find a CLI command within the configuration, you can use the pipe sign “|” with “grep” (similar to “include” on Cisco devices). Note the “-f” flag to show the whole config tree in which the keyword was found, e.g.:

 

Example with grep but WITHOUT the -f option (which makes no sense at all):

Now with the -f option. Note the “<---” at the end of every line that contains the “ipv6” keyword, while the full configuration part around it is listed.

 

In order to copy the configuration via SCP from a backup server you must first enable the SCP protocol for the admin:

before you can grab it from the backup server, e.g. Linux with:
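Both halves of this procedure, as an added example that is not part of the original post (the management IP 192.0.2.1, the admin name and the local file name are assumptions):

```fortios
# On the FortiGate: allow the admin to use SCP. This is a global setting;
# on a VDOM-enabled unit enter "config global" first. SSH must also be
# allowed on the interface you connect to ("set allowaccess ... ssh").
config system global
    set admin-scp enable
end

# On the Linux backup server: pull the running configuration over SCP.
# "sys_config" is the fixed remote name the FortiGate exposes for its
# configuration; the local file name is up to you.
scp admin@192.0.2.1:sys_config ./fortigate-backup.conf
```

Treat the resulting file like a credential store (it contains hashed admin passwords and pre-shared keys), and set admin-scp back to disable once the backup job no longer needs it.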

 

General Information

The very basics:

 

After rebooting a fresh device which is already licensed, it takes some time until it is “green” at the dashboard. The following commands can troubleshoot and start the “get license” process. Use the first three to enable debugging and start the process, while the last one disables the debugging again:

 

General Network Troubleshooting

Which is basically ping and traceroute:

 

Routing

Routing table, RIB, FIB, policy routes, routing protocols, route cache, and much more. ;) Note the differences between IPv6 and legacy IP.

 

High Availability

 

Session Table

Display the current active sessions:

 

Remote Server Authentication Test

In order to test user credentials against some (remote) authentication servers such as LDAP or RADIUS or even local:

 

Sniffer / Packet Capture

Sniff packets like tcpdump does. (Only if the built-in packet capture feature in the GUI does not meet your requirements.) This can be used for investigating connection problems between two hosts. There are no details of the firewall policy decisions. Use the debug flow (next paragraph) for analysis about firewall policies, etc.

with:

  verbose:
    1: print header of packets
    2: print header and data from ip of packets
    3: print header and data from ethernet of packets (if available)
    4: print header of packets with interface name  <--- good default choice
    5: print header and data from ip of packets with interface name
    6: print header and data from ethernet of packets (if available) with intf name
  count: number of packets
  time-format:
    a: UTC time
    l: local time

Examples: (Thanks to the comment from Ulrich for the IPv6 example)

Here are two more examples on how to show LLDP or CDP packets in order to reveal the connected layer 2 ports from switches. Kudos to Joachim Schwierzeck.
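Putting the verbose/count/time-format parameters together, as added examples that are not from the original post (the addresses are constructed documentation values and the interface name port1 is an assumption):

```fortios
# TCP/443 to one host on all interfaces: verbose 4 (headers plus interface
# name), 100 packets, local timestamps. The filter syntax is tcpdump-like.
diagnose sniffer packet any 'host 192.0.2.10 and port 443' 4 100 l

# A whole IPv6 subnet (the form shown in the comments below): verbose 6
# adds the Ethernet data and interface name, 1000 packets, local time.
diagnose sniffer packet any 'net 2001:db8::/32' 6 1000 l

# Only ICMP on port1 with UTC timestamps; a count of 0 runs until Ctrl-C.
diagnose sniffer packet port1 'icmp' 4 0 a

# Caveat: sessions offloaded to the NP/ASIC bypass the CPU and do not show
# up here, so a capture can look incomplete (see the comment below on
# disabling ASIC offload for the policy you are troubleshooting).
```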

 

Flow

If you want to see the FortiGate details about a connection, use this kind of debug. E.g., it shows the routing decision and the policy, which allowed the connection.

Example:
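The complete sequence, assembled here as an added example rather than the post's own block, restricted to ICMP towards one destination (the address is a constructed documentation value):

```fortios
diagnose debug reset                          # start from a clean state
diagnose debug flow filter daddr 192.0.2.10   # destination of interest
diagnose debug flow filter proto 1            # 1 = ICMP; omit for all protocols
diagnose debug flow show function-name enable # name the kernel function per line
diagnose debug flow show console enable       # print to this CLI session
diagnose debug enable
diagnose debug flow trace start 10            # trace the next 10 matching packets
# ... send the test traffic now. Each packet prints the route lookup, the
# policy id that allowed it, or the reason it was denied (e.g. "iprope_in_check()
# check failed"), which is the information the sniffer cannot give you ...
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear              # remove the filters again
```

Without a filter the trace covers every packet the box sees, so always set daddr/saddr/proto first; on a busy firewall an unfiltered trace floods the console.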

 

VPN

To show details about IKE/IPsec connections, use these commands:

To debug IKE/IPsec sessions, use the VPN debug:

To reset a certain VPN connection, use this (Credit):

 

Log

For investigating the log entries (similar to the GUI), use the following filters, etc.:

 

Defaults

Just a reminder for myself:

  • IP: 192.168.1.99
  • Login: admin
  • Password: <blank>

To change the IP address of the mgmt interface (or any other) via the CLI, these commands can be used:
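One such command set, as an added example that is not the post's own block (the address 192.0.2.1/24 is a constructed value; on a VDOM-enabled unit enter "config global" first):

```fortios
config system interface
    edit mgmt
        set ip 192.0.2.1 255.255.255.0
        # restrict management protocols to what you actually need; leaving
        # http/telnet out avoids cleartext admin logins on this interface
        set allowaccess ping https ssh
    next
end
```

Change the default admin password at the same time, since the factory defaults listed above (admin with a blank password) are widely known.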

 

Password Recovery & Factory Reset

Just the links here: Resetting a lost Admin password and How to reset a FortiGate with the default factory settings.

Links

44 thoughts on “CLI Commands for Troubleshooting FortiGate Firewalls”

  1. Nice Job – good summary of most of the commands you need or routinely use.
    John K. NSE7

      1. Hi ihsan,
        I am not aware of a global history of commands. As far as I know you can only move through your own commands in that current CLI session (arrow up key).

        With the following CLI command you can see how many lines are stored in the history buffer:
        get gui console status

  2. Be careful using this as a sniffer. “Sniff packets like tcpdump does. ” is not a true statement. Fortinet support reports that if you have devices with ASIC offload enabled and you’re running anything in the v5 train, you will not see the entire conversation as you would with tcpdump.

    You must DISABLE ASIC OFFLOAD (see page 10 of http://docs.fortinet.com/uploaded/files/1607/fortigate-hardware-accel-50.pdf). Unfortunately for me, I can’t make live mods to firewall policies for troubleshooting. Disabling auto offload now makes the Fortigate sniffer less useful… :-(

  3. Great thanks! What is the command on 5.2.x to check file system for errors and repair?
    The following does not work: diagnose system file-system fscheck

    1. Hi Alex,
      try the following:
      diag hardware deviceinfo disk
      diag hardware smartctl -a /dev/sda
      I don’t know if this is exactly what you are searching for. But you’ll get some information about the disks.

  4. Some additional information for sniffing an IPv6 subnet:
    # diagnose sniffer packet any ‘net 2001:db8::/32’ 6 1000 l

      1. Hey max,
        sorry, normally I am answering to almost all questions, but I currently have no FortiGate cluster to test any commands. I simply do not know which one to use. Have you already googled it?
        (If you only need it once you can also do a packet capture and analyze the MAC addresses with Wireshark. ;))

    1. Sorry Jason for the confusion, but it’s only the WordPress plugin on my blog. There is no coloring on the FortiGate CLI at all.
      (I like the coloring here because it helps to distinguish between different areas.)

  5. Hi, I would like to know how I can debug live traffic on a FortiGate, i.e. to see if certain traffic is passing or not. Like I can debug on an ASA to check all traffic, then filter by the IP I’m interested in and see if it’s going through or not. If for example I’m pinging and would like to know if the ping went through the firewall or if it got blocked?

      1. Hi Johannes,

        When I issue “diagnose debug flow filter daddr 8.8.8.8” I get no results although there’s traffic passing through, i.e. I’m pinging that address 8.8.8.8 but the command returns nothing.

        1. Hey again. Just to be sure: Have you used the complete list of commands listed there? If you want to trace all connections to 8.8.8.8 you must use all of the following in this order:

          diagnose debug reset
          diagnose debug flow filter daddr 8.8.8.8
          diagnose debug flow show console enable
          diagnose debug enable
          diagnose debug flow trace start 10
          diagnose debug disable

            1. Oh ok, thanks Johannes. I was only entering “diagnose debug flow filter daddr 8.8.8.8”.

            I will use the complete list of commands. But is the last command not disabling the diag?
            I should enter the last command after I got the results, so that I can stop the diag, right?

  6. Fortigate 100 A
    After adding all fields in column settings in the policy section, I couldn’t open the Policy section again; giving HTTP Error: 400.
    Please advise if I can reset to the default column settings so the page opens again.

    1. Hey NH,
      please open a ticket at Fortinet. I had some HTTP 400 errors as well during the last years and it was sometimes much more complicated than only a single setting. (However, you can try to reboot the device first. ;))

      1. I opened the browser through Explorer/Mozilla after the issue was on Chrome.
        It worked. Then, when I noticed that the window opened, I deleted the history from Chrome and that browser also worked again.

