Show Menu

Fortigate troubleshooting Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

CLI Basics

show s full-c­onf­igu­ration
show config­uration
config vdom
enter the correct vdom or global config­uration
edit <vd­om-­nam­e>
select vdom
show | grep -f ipv6
To find a CLI command within the config­ura­tion, you can use the pipe sign “|”
execute backup config flash
save your config
config system global
    set revisi­on-­bac­kup­-on­-logout enable
aves a backup of your config­uration after each logout automa­tically
get system interface physical
overview of hardware interfaces
get hardware nic <ni­c-n­ame>
Details of a single network interface, same as: diagnose hardware deviceinfo nic <ni­c-n­ame>
fnsysctl ifconfig
kind of hidden command to see more interface stats such as errors
get system status
==show version
get system perfor­mance status
CPU and network usage
diagnose sys top
top with all forked processed
diagnose sys top-su­mmary
top easier, incl. CPU and mem bars.
diagnose test applic­ation dnsproxy 6
shows the IP addresses of FQDN objects
diagnose debug crashlog read
shows crashlog, a status of 0 indicates a normal close of a process!
execute reboot
reboot your device
config system interface
edit mgmt
set ip 192.16­8.1.1 255.25­5.255.0
set allowa­ccess ping https ssh
To change the IP address of the mgmt interface

General Network Troubl­esh­ooting

execute ping-o­ptions ?
execute ping-o­ptions source <so­urc­e-i­nte­rfa­ce-­IP>
execute ping <ho­stn­ame­|ip>
Ping from another source address
execute traceroute <ho­stn­ame­|ip>
execute tracer­out­e-o­ptions ?
execute ping-o­ptions view-s­ettings
view settings
execute ping6-­options view-s­ettings
view settings
execute tracer­out­e-o­ptions view-s­ettings
view settings

Remote Server Authen­tic­ation Test

diagnose test authserver ldap <se­rve­r_n­ame> <us­ern­ame> <pa­ssw­ord>
diagnose test authserver radius <se­rve­r_n­ame> <chap | pap | mschap | mschap­2> <us­ern­ame> <pa­ssw­ord> diagnose test authserver local <gr­oup­_na­me> <us­ern­ame> <pa­ssw­ord>
diagnose test authserver local <gr­oup­_na­me> <us­ern­ame> <pa­ssw­ord>

Session Table

get system session list
rough view with NAT, only IPv4
diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session filter dst
diagnose sys session filter dport 53
diagnose sys session list
show the session table with the filter just set


get router info routin­g-table all
IPv4 needs an "­all­" at the end
get router info6 kernel
Forwarding Inform­ation Base
diagnose firewall proute6 list
#Policy Routes + WAN Load Balancing
2 3 4 diagnose sys ha status
execute ha manage ?
execute ha manage <de­vic­e-i­nde­x>
diagnose sys ha showcsum
verify the checksum of all synchr­onized peers


display the next 10 packets, after that, disable the flow: diagnose debug disable
diagnose debug reset
diagnose debug flow filter ?
diagnose debug flow filter saddr
diagnose debug flow filter daddr
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start
diagnose debug disable


To show details about IKE/IPsec connec­tions, use these commands:
get vpn ike gateway <na­me>
get vpn ipsec tunnel name <na­me>
get vpn ipsec tunnel details
diagnose vpn tunnel list
diagnose vpn ipsec status #shows all crypto devices with counters that are used by the VPN
get router info routin­g-table all
To debug IKE/IPsec sessions, use the VPN debug:
diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter ?
diagnose vpn ike log-filter dst-addr4
diagnose debug app ike 255 #shows phase 1 and phase 2 output
diagnose debug enable #after enough output, disable the debug:
diagnose debug disable
To reset a certain VPN connection
diag vpn tunnel reset <phase1 name>


Just a reminder for myself:

IP: 192.16­8.1.99
Login: admin
Password: <bl­ank>

Backup and Restore

execute backup full-c­onfig tftp <fu­ll-­con­fig­-fi­len­ame> <tftp server ip>
Backup command with tftp server
execute restore config tftp <fu­ll-­con­fig­-fi­len­ame> <tftp server ip>
Restore command with tftp server