

Useful FortiGate Commands
Created: 2021-01-27 01:07:35 | Last modified: 2025-05-01 20:35:14 | Access: Read | Views: 65 | Rating: N/A | Tags: fortigate
A list of useful commands for the FortiGate CLI
Commands
Get a list of DHCP leases
execute dhcp lease-list
Ping an IP address
execute ping 192.168.1.100
Diagnostics
Get the system status, firmware version information, etc.
get system status
Reboot the device
execute reboot
Restore a config from a USB drive, saved to root
execute restore config usb filename.conf
List directories on filesystem
fnsysctl ls -l /data/
diagnose sys last-modified-files /data/lib
diagnose sys last-modified-files /var/
diagnose sys last-modified-files /data/etc/
diagnose sys last-modified-files /flash
Get the system status, diagnosing memory and CPU issues. Get system uptime
#View overall memory and CPU usage
get system performance status
#View process info
#Column order: process name, process ID, process state, CPU usage %, memory usage %
get system performance top
#Example showing 40 lines with a refresh of 1 second
get sys per top 1 40
# Get a summary of all processes
diagnose sys top-summary
# Other commands
diag hard sysinfo memory
diag hard sysinfo slab
diag hard sysinfo shm
diag hard sys conserve
diag debug crashlog read
# Per VDOM reporting
get log disk setting
get log disk filter
get log memory setting
get log memory filter
HA Status
get system ha status
Select the slave node, where USERNAME is the username used to access the device (usually admin) and 1 is the unit number
execute ha manage 1 USERNAME
Change Master to Slave. This is done by changing the priority of the HA device
config system ha
set priority 1
end
View Licensing Info. Look for the Contract Expiry Date
diagnose autoupdate versions
View FortiGuard contact
get system fortiguard
Run top for system processes (gets the top used services)
get system performance top
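An added example (not part of the original page): a small parser for captured "get system performance top" output that sums usage per process name and lists processes in state D or Z, using the column order given above. The sample output, the optional flag column and the CPU and memory limits are constructed assumptions.

```python
import re

# Constructed sample of captured output, not taken from a real device.
SAMPLE = """\
Run Time:  12 days, 3 hours and 41 minutes
3U, 0N, 1S, 96I, 0WA, 0HI, 0SI, 0ST; 1866T, 512F
       ipsengine      245      S <    41.5     6.2
          httpsd      159      S       0.3     1.6
          httpsd      212      S       0.0     1.4
         miglogd      170      S       0.0     1.3
         cmdbsvr      113      D       0.0     0.9
this line is not a process row
"""

# Column order from this page: name, PID, state, CPU %, memory %.
# An optional one-character flag after the state (e.g. "<") is tolerated.
ROW = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+([A-Z])(?:\s+([<N]))?\s+(\d+(?:\.\d+)?)\s+(\d+(?:\.\d+)?)\s*$"
)

def parse_top(text):
    """Return one dict per process row; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, pid, state, _flag, cpu, mem = m.groups()
            rows.append({"name": name, "pid": int(pid), "state": state,
                         "cpu": float(cpu), "mem": float(mem)})
    return rows

def triage(rows, cpu_limit=30.0, mem_limit=5.0):
    """Sum usage per process name (daemons run several workers) and return
    (names over either limit, rows in state D or Z). Limits are assumptions."""
    totals = {}
    for r in rows:
        t = totals.setdefault(r["name"], {"pids": [], "cpu": 0.0, "mem": 0.0})
        t["pids"].append(r["pid"])
        t["cpu"] += r["cpu"]
        t["mem"] += r["mem"]
    over = {n: t for n, t in totals.items()
            if t["cpu"] >= cpu_limit or t["mem"] >= mem_limit}
    stuck = [(r["name"], r["pid"]) for r in rows if r["state"] in ("D", "Z")]
    return over, stuck

if __name__ == "__main__":
    over, stuck = triage(parse_top(SAMPLE))
    print("over limit:", over)
    print("state D/Z:", stuck)
```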
Kill a process (e.g. httpsd), where 11 is the signal number and PID is the process ID shown by get system performance top
diagnose sys kill 11 PID
Clear all IP sessions
diag sys session clear
Debug spam filter
diag de app spamfilter -1
diag de en
#When done debugging, run the following to stop
diag de di
diag de app spamfilter 0
Get interface information (e.g. error rates), where NIC is the interface
diag hardware deviceinfo nic NIC
Configs
When two FortiGate clusters are in the same network, you may experience packet loss because of MAC conflicts. The fix is to set a different group-id on each cluster
config system ha
set group-id ID_OF_CLUSTER_INTEGER
end
Set SPAM Threshold
#http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32695&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=55581519&stateId=0%200%2055583060
config system fortiguard
set antispam-score-threshold 120
end
When adding a VPN, we need a blackhole route so that a session doesn't become stale. This happens because the WAN comes up first and the VPN comes up second, by which time the session is already established. We need to add a blackhole route for when the WAN interface goes down
config router static
edit 4
set dst 10.30.0.0 255.255.255.0
set distance 100
set blackhole enable
next
end