Fortigate Useful Commands

This is my personal catalog of typical troubleshooting commands I employ when dealing with FortiGate Firewalls.

In contrast to Cisco, where ‘show’ is the universal command, Fortinet offers a range of options, including ‘show,’ ‘get,’ ‘diagnose,’ and ‘execute,’ for retrieving pertinent information.

Important to remember

It is 'get router info routing-table' for the routing table, but 'diagnose firewall proute list' for the policy-based routes.

Please remember to refer to RFC 5737, which designates IPv4 address blocks reserved for documentation purposes (available at rfc-editor.org):

  • 192.0.2.0/24 (TEST-NET-1)
  • 198.51.100.0/24 (TEST-NET-2)
  • 203.0.113.0/24 (TEST-NET-3)

  1. How to enter the vdom/global config mode
  2. How to execute “any” show command from any context
  3. Accessing the configuration
  4. General Information
  5. Network – Stuff
    1. Port Channels
    2. Network – Troubleshooting
  6. Routing
    1. Routing table, active routes
    2. Route lookups
    3. Routing Information Base (RIB)
    4. Forwarding Information Base (FIB)
    5. Policy Routes and WAN Load Balancing
    6. Basic information about routing protocols
    7. BGP
    8. Route cache
  7. High Availability
    1. Diagnose
    2. Manage – switch to the CLI of a secondary unit
    3. Verify the checksum of all peers
    4. Manual failover
    5. Start a sync at a secondary device from the master
  8. Session Table
  9. Authentication / Authorization / Accounting
    1. Remote Server Authentication Test
    2. FSSO User Authentication
  10. Sniffer / Packet Capture
    1. LLDP
    2. CDP
  11. Flow
  12. VPN
  13. Log
    1. Logging Settings
  14. Fortinet TAC Commands
  15. Defaults
  16. print tablesize

How to enter the vdom/global config mode

config global

config vdom
	edit <vdom-name>

How to execute “any” show command from any context

sudo {global | <vdom-name>} {diagnose | execute | show | get} ...
 
sudo global show system admin
sudo root get system interface physical

Accessing the configuration

Simply use 'show' to display the configuration; note that this does not show all options:

show

To see the full configuration use:

show full-configuration

The configuration branches available below the current context are listed with 'tree'. Disable paging of the CLI output and filter the configuration with grep:

tree
config system console
  set output standard
end
show | grep -f ipv6
show full-configuration | grep -f ipv6
show | grep -f 'internal\|wan'
diag vpn tunnel list | grep 'name\|esp\|ah'

To pull the configuration from a server with scp, you first need to enable SCP access for admins:

config system global
    set admin-scp enable
end

On the server side:

scp <username>@<FortiGate-ip/name>:sys_config <destination>

scp admin@198.51.100.1:sys_config /data/backup/fortigate/fortigate-config-2023-09-23.txt
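Once the backups land on the server, the useful next step is to compare the latest pull with the previous one and flag changes to administrative access. The following Python script is an added example (not from the original page and not a Fortinet tool): the two configuration texts are constructed samples, and the list of keys it treats as worth a second look is an assumption of the example, not a FortiOS list.

```python
"""Compare two FortiGate configuration backups (e.g. pulled with scp) and
flag changes to administrative access.

Added example, not from the original page and not a Fortinet tool.
"""
import difflib
import hashlib

# Constructed sample backups, not real device output. The newer one has
# SCP enabled and two extra protocols allowed on the mgmt interface.
OLD_CONFIG = """\
config system global
    set hostname fw1
end
config system interface
    edit "mgmt"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

NEW_CONFIG = """\
config system global
    set hostname fw1
    set admin-scp enable
end
config system interface
    edit "mgmt"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
end
"""

# Keys whose change a human should review (an assumption of this example,
# not a FortiOS list): management-plane reachability and admin credentials.
WATCHED_KEYS = ("allowaccess", "admin-scp", "trusthost", "password")


def config_hash(text):
    """SHA-256 of a backup; equal hashes mean 'no change', no diff needed."""
    return hashlib.sha256(text.encode()).hexdigest()


def config_changes(old, new):
    """Return the changed lines as (sign, line) tuples, sign being '-' or '+'.

    Uses a unified diff with zero context lines and drops the file headers
    ('--- ', '+++ ') and hunk markers ('@@ '), keeping only the changes.
    """
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(),
                                fromfile="old", tofile="new", n=0, lineterm="")
    changes = []
    for line in diff:
        if line.startswith(("--- ", "+++ ", "@@ ")):
            continue
        changes.append((line[0], line[1:]))
    return changes


def flagged_changes(changes):
    """Subset of the changes whose config key is one of WATCHED_KEYS."""
    return [c for c in changes
            if any(key in c[1].split() for key in WATCHED_KEYS)]


if __name__ == "__main__":
    if config_hash(OLD_CONFIG) == config_hash(NEW_CONFIG):
        print("no change")
    else:
        for sign, line in config_changes(OLD_CONFIG, NEW_CONFIG):
            print(sign, line)
        print("review:", flagged_changes(config_changes(OLD_CONFIG, NEW_CONFIG)))
```

Run it from the backup job after the scp has finished; feeding the previous and the current sys_config file contents to config_changes gives the lines to review, and config_hash lets the job skip the diff entirely when nothing changed.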

Back up the configuration to flash; this will show up in the GUI under
<USERNAME> -> Configuration -> Revisions:

execute backup config flash

You can enable this permanently with:

config system global
    set revision-backup-on-logout enable
end

General Information

Basic commands

get system interface physical       #overview of hardware interfaces
get hardware nic <nic-name>         #details of a single network interface, same as: diagnose hardware deviceinfo nic <nic-name>
fnsysctl ifconfig <nic-name>        #kind of hidden command to see more interface stats such as errors
get system status                   #Cisco's: show version
get system performance status       #CPU and network usage
execute sensor list                 #power supply, temperature, fans
execute sensor detail
diagnose sys top                    #top with all forked processes
diagnose sys top-summary            #easier-to-read top, incl. CPU and memory bars; forks are shown as [x13] or similar
execute dhcp lease-list
get system arp
diagnose ip arp list
diagnose ipv6 address list
diagnose ipv6 neighbor-cache list
diagnose sys ntp status
diagnose autoupdate versions        #lists the attack definition versions, last update, etc.
diagnose log test                   #generates all possible (test) log entries
diagnose test application dnsproxy 6    #shows the IP addresses of FQDN objects
diagnose debug crashlog read        #shows the crashlog; a status of 0 indicates a normal close of a process!

Network – Stuff

Port Channels

sudo root diag netlink aggregate name aggr1     #status and members of the aggregate interface aggr1 in vdom root

Network – Troubleshooting

execute ping-options ?
execute ping-options source <source-interface-IP>
execute ping <hostname|ip>
 
execute ping6-options ?
execute ping6-options source <source-interface-IP>
execute ping6 <hostname|ip>
execute traceroute <hostname|ip>
execute traceroute-options ?
execute tracert6 <hostname|ip>
execute ping-options view-settings
execute ping6-options view-settings
execute traceroute-options view-settings

Routing

Routing table, RIB, FIB, policy routes, routing protocols, route cache, and much more.

Routing table, active routes

IPv4 needs an “all” at the end:

get router info routing-table all
get router info6 routing-table

Most of the time I would use the details option.

Route lookups

get router info routing-table details
get router info routing-table details <IP address>

Routing Information Base (RIB)

get router info routing-table database
get router info6 routing-table database 

Forwarding Information Base (FIB)

get router info6 kernel
get router info kernel

Policy Routes and WAN Load Balancing

diagnose firewall proute6 list   
diagnose firewall proute list

Basic information about routing protocols

get router <routing-protocol>

BGP

get router info bgp network

Route cache

Current sessions with routing information:

# diagnose ip rtcache list
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=13(root)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.64/32 pref=169.254.0.66 gwy=0.0.0.0 dev=20(havdlink1)

High Availability

Diagnose

get system ha status
diagnose sys ha status

Manage – switch to the CLI of a secondary unit

execute ha manage ?
execute ha manage <device-index>

Verify the checksum of all peers

diagnose sys ha checksum show 

Manual failover

Manually trigger a failover by decreasing the priority of the current master (since the highest priority wins):

execute ha set-priority <serial-number> <new-priority>

Don’t forget to restore the original priority value afterwards!

Start a sync at a secondary device from the master

The Fortinet documentation reads: “Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the primary unit or to stop a synchronization process that is in progress.”

execute ha synchronize {start | stop}

Session Table

Display the current active sessions:

get system session list             #rough view with NAT, only IPv4
diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter dport 53
diagnose sys session list           #show the session table with the filter just set

Authentication / Authorization / Accounting

Remote Server Authentication Test

To test user credentials against an authentication server (LDAP or RADIUS) or against the local user database:

diagnose test authserver ldap <server_name> <username> <password>
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
diagnose test authserver local <group_name> <username> <password>

FSSO User Authentication

When you’re using one of the Fortinet single sign-on (FSSO) features, such as the agentless or agent polling mode against a Windows AD, the following commands show the recognized users and the agent servers:

diagnose debug authd fsso list
diagnose debug authd fsso server-status
diagnose firewall auth list

The first one shows all monitored users with details concerning their LDAP groups, while the last one shows the users with their corresponding FortiGate user groups and traffic counters.

If you need further debug messages, enable them for the FortiGate non-blocking auth daemon (fnbamd) and the FSSO daemon (fssod):

diagnose debug enable
diagnose debug application fnbamd 255
diagnose debug application fssod 255

Sniffer / Packet Capture

Sniff packets like tcpdump does. (Only if the built-in packet capture feature in the GUI does not meet your requirements.) This can be used for investigating connection problems between two hosts. It does not show the firewall policy decisions; use the debug flow (see the Flow section below) for analysis of firewall policies, routing decisions, etc.

diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbose> <count> <time-format>

with:

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name <<<<<< good default choice
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

count: number of packets

time-format:
a: UTC time
l: local time

Examples

diagnose sniffer packet any 'host 8.8.8.8' 4 4 l
diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 a
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l
diagnose sniffer packet any 'net 2001:db8::/32' 6 1000 l

LLDP

diagnose sniffer packet port1 'ether proto 0x88cc' 4 1 a

CDP

diagnose sniffer packet port1 'ether[20:2] == 0x2000' 6 1 a

Flow

If you want to see the FortiGate details about a connection, use this kind of debug. E.g., it shows the routing decision and the policy that allowed (or denied) the connection.

diagnose debug reset
diagnose debug flow filter ?
diagnose debug flow filter saddr 172.16.23.11
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 10      #display the next 10 packets
diagnose debug disable

Example

fg2 # diagnose debug reset
fg2 # diagnose debug flow filter daddr 1.1.1.1
fg2 # diagnose debug flow show function-name enable

show function name

fg2 # diagnose debug enable
fg2 # diagnose debug flow trace start 10
fg2 #
id=20085 trace_id=169 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.4.10:1492->1.1.1.1:53) from local. "
id=20085 trace_id=169 func=resolve_ip_tuple_fast line=5535 msg="Find an existing session, id-06868db4, original direction"
id=20085 trace_id=169 func=__ip_session_run_tuple line=3332 msg="run helper-dns-udp(dir=original)"
id=20085 trace_id=170 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.5.6:37400->1.1.1.1:53) from internal. "
id=20085 trace_id=170 func=init_ip_session_common line=5619 msg="allocate a new session-0686a887"
id=20085 trace_id=170 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-194.247.4.1 via wan1"
id=20085 trace_id=170 func=fw_forward_handler line=748 msg="Allowed by Policy-1: AV"
id=20085 trace_id=170 func=ids_receive line=277 msg="send to ips"
id=20085 trace_id=170 func=av_receive line=293 msg="send to application layer"
id=20085 trace_id=171 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.5.6:37400->1.1.1.1:53) from local. "
id=20085 trace_id=171 func=resolve_ip_tuple_fast line=5535 msg="Find an existing session, id-0686a887, original direction"
id=20085 trace_id=171 func=__ip_session_run_tuple line=3332 msg="run helper-dns-udp(dir=original)"
id=20085 trace_id=172 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.4.10:1492->1.1.1.1:53) from local. "
id=20085 trace_id=172 func=resolve_ip_tuple_fast line=5535 msg="Find an existing session, id-06868db4, original direction"
id=20085 trace_id=172 func=__ip_session_run_tuple line=3332 msg="run helper-dns-udp(dir=original)"
fg2 # diagnose debug disable
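With a longer trace it becomes tedious to read the per-packet story off the raw lines, so the following Python script reduces each trace_id to one record (5-tuple, ingress interface, session state, route and policy verdict). It is an added example, not code from the original page or from Fortinet; the sample input is constructed from the trace lines shown above, and the assumption that a denied packet is reported as "Denied by ..." (only "Allowed by ..." appears on this page) is marked in the code.

```python
"""Summarise FortiGate 'diagnose debug flow trace' output per packet.

Added example, not from the original page or from Fortinet. It parses the
trace lines shown above (key=value fields followed by msg="...") and
reduces each trace_id to one record: 5-tuple, ingress interface, session
state, route found and policy verdict.
"""
import re
from collections import OrderedDict

# Constructed sample: trace lines copied from the example output above,
# plus a CLI prompt line that the parser has to skip.
SAMPLE = (
    'id=20085 trace_id=170 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.5.6:37400->1.1.1.1:53) from internal. "\n'
    'id=20085 trace_id=170 func=init_ip_session_common line=5619 msg="allocate a new session-0686a887"\n'
    'id=20085 trace_id=170 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-194.247.4.1 via wan1"\n'
    'id=20085 trace_id=170 func=fw_forward_handler line=748 msg="Allowed by Policy-1: AV"\n'
    'id=20085 trace_id=171 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=17, 194.247.5.6:37400->1.1.1.1:53) from local. "\n'
    'id=20085 trace_id=171 func=resolve_ip_tuple_fast line=5535 msg="Find an existing session, id-0686a887, original direction"\n'
    'fg2 # diagnose debug disable\n'
)

LINE_RE = re.compile(r'^id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="(.*)"\s*$')
PKT_RE = re.compile(r'vd-(\S+) received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: flags=(\w+) gw-([\d.]+) via (\S+)')
NEW_SESS_RE = re.compile(r'allocate a new session-(\w+)')
OLD_SESS_RE = re.compile(r'Find an existing session, id-(\w+)')
# Only "Allowed by ..." appears on the page; "Denied by ..." is an assumption
# of this example so that dropped packets can be picked out as well.
VERDICT_RE = re.compile(r'^(Allowed|Denied) by (.+)$')
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Split one trace line into its fields; None for non-trace lines (prompts etc.)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"id": m.group(1), "trace_id": m.group(2), "func": m.group(3),
            "line": int(m.group(4)), "msg": m.group(5)}


def summarize(text):
    """Group trace lines by trace_id and reduce each group to one packet record."""
    traces = OrderedDict()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        t = traces.setdefault(rec["trace_id"], {
            "vdom": None, "proto": None, "src": None, "sport": None,
            "dst": None, "dport": None, "ingress": None,
            "session": None, "session_id": None, "route": None, "verdict": None})
        msg = rec["msg"]
        m = PKT_RE.search(msg)
        if m:
            t.update(vdom=m.group(1), proto=PROTO_NAMES.get(int(m.group(2)), m.group(2)),
                     src=m.group(3), sport=int(m.group(4)),
                     dst=m.group(5), dport=int(m.group(6)), ingress=m.group(7))
            continue
        m = NEW_SESS_RE.search(msg)
        if m:
            t.update(session="new", session_id=m.group(1))
            continue
        m = OLD_SESS_RE.search(msg)
        if m:
            t.update(session="existing", session_id=m.group(1))
            continue
        m = ROUTE_RE.search(msg)
        if m:
            t["route"] = (m.group(2), m.group(3))  # (gateway, egress interface)
            continue
        if VERDICT_RE.match(msg):
            t["verdict"] = msg
    return traces


def denied_traces(traces):
    """trace_ids with a deny verdict: the first thing to look at when a flow is broken."""
    return [tid for tid, t in traces.items()
            if t["verdict"] and t["verdict"].startswith("Denied")]


def format_trace(tid, t):
    """One human-readable line per trace record."""
    flow = "%s %s:%s -> %s:%s in %s" % (t["proto"], t["src"], t["sport"],
                                        t["dst"], t["dport"], t["ingress"])
    sess = "session %s %s" % (t["session"], t["session_id"]) if t["session"] else "no session info"
    route = "route via %s gw %s" % (t["route"][1], t["route"][0]) if t["route"] else "no route lookup"
    verdict = t["verdict"] or "no policy verdict"
    return "trace %s: %s; %s; %s; %s" % (tid, flow, sess, route, verdict)


if __name__ == "__main__":
    traces = summarize(SAMPLE)
    for tid, t in traces.items():
        print(format_trace(tid, t))
    print("denied:", denied_traces(traces))
```

Paste the captured trace output (e.g. the tee file from the TAC section below) into summarize; a packet that only shows a session lookup and a helper run, like trace 171 above, was matched to an existing session and therefore never went through route lookup or policy evaluation again, which is exactly why the first packet of a flow is the one to trace.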

VPN

To show details about IKE/IPsec connections, use these commands:

get vpn ike gateway <name>
get vpn ipsec tunnel name <name>
get vpn ipsec tunnel details
diagnose vpn tunnel list
diagnose vpn ipsec status           #shows all crypto devices with counters that are used by the VPN
get router info routing-table details

To debug IKE/IPsec sessions, use the VPN debug:

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter ?
diagnose vpn ike log-filter dst-addr4 1.2.3.4
diagnose debug app ike 255          #shows phase 1 and phase 2 output
diagnose debug enable               #after enough output, disable the debug:
diagnose debug disable

To reset a certain VPN connection, use:

diag vpn tunnel reset <phase1 name>

Log

For investigating the log entries (similar to the GUI), use the following filters, etc.:

execute log filter reset
execute log filter category event
execute log filter field            #press enter for options
execute log filter field dstport 8001
execute log filter view-lines 1000
execute log filter start-line 1
execute log display

Logging Settings

Some logging settings I like to have enabled.

config log setting
    set fwpolicy-implicit-log enable
    set fwpolicy6-implicit-log enable
    set log-invalid-packet enable
    set local-in-allow enable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast enable
    set neighbor-event enable
end

Fortinet TAC Commands

Commands I like to include in TAC cases. Record the whole SSH session to a timestamped file while you run them:

ssh fortigate | tee $(date +"%Y-%m-%d-%H-%M-%S-debug.txt")

execute tac report

Defaults

Just a reminder for myself:

IP: 192.168.1.99
Login: admin
Password: <blank>

To change the IP address of the mgmt interface (or any other) via the CLI, these commands can be used:

config system interface
    edit mgmt
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

print tablesize

Thanks to Johannes Weber | Weberblog.net for inspiration:

https://blog.webernetz.net/cli-commands-for-troubleshooting-fortigate-firewalls/