
CLI Commands for Troubleshooting FortiGate Firewalls

This blog post is a list of common troubleshooting commands I use on the FortiGate CLI. It is neither complete nor very detailed, but it provides the basic commands for troubleshooting network-related issues that cannot be resolved via the GUI. I do not go into memory, process, kernel, etc. details; those are only needed for very specific problems. The focus is on general troubleshooting.

Coming from Cisco, everything is “show”. With Fortinet, you have the choice between show | get | diagnose | execute, which is not that easy to remember. Likewise the sys | system keyword: it is “diagnose sys” but “get system” and “config system”. 😉

Entering the correct vdom/global Config

Remember to enter the correct vdom or global configuration tree before configuring anything:

To show the running configuration (the equivalent of “show run”), simply type in:
To show the entire running configuration including all default values, use:
To omit the “–More–” pagination stops when displaying many lines, set the terminal output to standard, which displays all lines at once. This is similar to “terminal length 0” on Cisco. Be careful with it, because this setting is persistent. Set it back to the default after use!
To find a CLI command within the configuration, pipe the output to “grep” (similar to “include” on Cisco devices). Note the “-f” flag, which shows the whole config tree in which the keyword was found, e.g.:
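Here is the whole procedure from this section as one worked session, added as an example and not taken from the original post. It assumes a multi-VDOM unit with a VDOM named “root” and uses 192.0.2.10 as a placeholder address to search for; on a single-VDOM unit (the default) the show commands work directly at the prompt and “config system console” is entered without the surrounding “config global”.

```fortios
# Single-VDOM unit: straight at the prompt
show
show full-configuration
show | grep -f 192.0.2.10

# Multi-VDOM unit: enter the tree first, "end" leaves it again.
# System-wide settings live under "config global" ...
config global
    get system status
end
# ... everything belonging to one VDOM under "config vdom" / "edit <name>"
config vdom
    edit root
        show
        show | grep -f 192.0.2.10
    next
end

# Disable the --More-- pager. This is persistent, so ...
config global
    config system console
        set output standard
    end
end
# ... restore the default when you are done:
config global
    config system console
        set output more
    end
end
```

The “-f” grep is the quickest way to learn which firewall policy, address object or VPN uses a given IP, because it prints the complete enclosing “edit … next” block instead of just the matching line.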

General Information

The very basics:

After rebooting a fresh device that is already licensed, it takes some time until it turns “green” on the dashboard. The following commands troubleshoot and kick off the “get license” process. Use the first three to enable debugging and start the update, and the last one to disable the debugging again:
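The sequence as an added example (my commands, not copied from the original post). The debug level -1 means “everything” for the update daemon; the final reset clears all debug settings so nothing keeps logging to the console:

```fortios
# Turn on full debugging for the update daemon and start the FortiGuard update
diagnose debug application update -1
diagnose debug enable
execute update-now

# Watch the output for the contract/license retrieval, then switch debugging off again
diagnose debug disable
diagnose debug reset

# Sanity checks: current license/definition versions and the FortiGuard servers in use
diagnose autoupdate versions
diagnose debug rating
```

If the update fails immediately, check name resolution and outbound reachability from the management VDOM first; the update daemon needs working DNS to find the FortiGuard servers.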

General Network Troubleshooting

These are basically ping and traceroute:
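Added example of the basic reachability checks (not from the original post); the addresses are placeholders. The “ping-options” block is the FortiGate way to source a probe from a specific interface address, which is what you need to test a policy route, a VPN tunnel or a VDOM link instead of whatever the default route picks. The source address must belong to an interface in the current VDOM:

```fortios
execute ping 192.0.2.10
execute ping6 2001:db8::10
execute traceroute 192.0.2.10
execute traceroute6 2001:db8::10

# Source the ping from a given interface address, three probes, then check the settings
execute ping-options source 10.1.1.1
execute ping-options repeat-count 3
execute ping-options view-settings
execute ping 192.0.2.10
# The options persist for the session; reset them afterwards
execute ping-options reset

# Layer 2 neighbours: ARP (IPv4) and the IPv6 neighbour cache
get system arp
diagnose ipv6 neighbor-cache list
```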

Routing

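Routing commands as an added example (not copied from the original post; 192.0.2.10 is a placeholder). Note the difference between the routing table (what the routing daemon has selected) and the kernel forwarding table, which is what actually forwards packets; when a session goes the wrong way, check the policy routes too, since they are consulted before the routing table:

```fortios
# Full routing table, then the single best route for one destination
get router info routing-table all
get router info routing-table details 192.0.2.10
get router info6 routing-table

# Only one source at a time
get router info routing-table static
get router info routing-table connected
get router info bgp summary
get router info ospf neighbor

# Kernel forwarding table (IPv4/IPv6) and the policy routes, evaluated before it
diagnose ip route list
diagnose ipv6 route list
diagnose firewall proute list
```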

High Availability

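High availability commands as an added example (not part of the original post). The peer index and admin user name used in “execute ha manage” are placeholders; run “execute ha manage ?” first to list the cluster members. Checksums are the first thing to compare when the cluster refuses to synchronize:

```fortios
# Cluster state: members, roles, uptime, sync state
get system ha status
diagnose sys ha status

# Configuration checksums; the cluster is in sync when all members show the same values
diagnose sys ha checksum cluster

# What happened in the cluster recently (failovers, sync events)
diagnose sys ha history read

# List the other members and log into the secondary unit's CLI over the HA link
execute ha manage ?
execute ha manage 0 admin

# Force a configuration sync from the primary
execute ha synchronize start
```

Settings such as the hostname, the HA priority and the management interface reservation are deliberately excluded from the checksum; those are expected to differ between members.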

Session Table

Display the current active sessions:
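Session table filtering as an added example (my commands, placeholder addresses). The filters are cumulative and persist for the CLI session, so always clear them first, and be careful with “diagnose sys session clear”: with no filter set it removes every session on the unit, which drops all live traffic:

```fortios
# Start clean, then narrow down to one flow
diagnose sys session filter clear
diagnose sys session filter src 10.1.1.5
diagnose sys session filter dst 192.0.2.10
diagnose sys session filter dport 443

# Show the active filter and the matching sessions
diagnose sys session filter
diagnose sys session list

# Only with a filter set! Without one this clears ALL sessions on the device.
diagnose sys session clear

# Overall session statistics (counts, setup rate, memory)
diagnose sys session stat

# IPv6 sessions live in a separate tree with the same sub-commands
diagnose sys session6 filter clear
diagnose sys session6 list
```

In the session output, the “policy_id” and “state” fields tell you which policy matched and whether the session is being NATed, logged or offloaded (“npu info”), which is usually the answer to “why is this flow not doing what I configured”.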

Sniffer

Sniff packets like tcpdump does. This can be used for investigating connection problems between two hosts. It gives no details about the firewall policy decisions; use the debug flow (next paragraph) for analysis of firewall policies, etc. The parameters are:
  • verbose:
    1: print header of packets
    2: print header and data from IP of packets
    3: print header and data from Ethernet of packets (if available)
    4: print header of packets with interface name
    5: print header and data from IP of packets with interface name
    6: print header and data from Ethernet of packets (if available) with interface name
  • count: number of packets (0 = unlimited, stop with Ctrl-C)
  • time-format:
    a: UTC time
    l: local time
Examples (thanks to the comment from Ulrich for the IPv6 example):
Here are two more examples of how to show LLDP or CDP packets in order to reveal the connected layer 2 ports of the switches. Kudos to Joachim Schwierzeck.
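Sniffer examples as an added block of my own, not the examples from the original post or its comments. Addresses are placeholders. The filter string uses tcpdump/BPF syntax; the two layer 2 filters are my assumption of how to select the discovery frames (LLDP by its EtherType 0x88cc, CDP by its well-known multicast destination MAC), so verify them against your switch:

```fortios
# Syntax: diagnose sniffer packet <interface|any> '<bpf filter>' <verbose> <count> <time-format>

# One TCP flow, with interface names (verbose 4), 100 packets, local time
diagnose sniffer packet any 'host 192.0.2.10 and port 443' 4 100 l

# ICMP on a single interface, 10 packets, UTC time
diagnose sniffer packet port1 'icmp' 4 10 a

# IPv6: a host, and all neighbour discovery / ICMPv6 traffic
diagnose sniffer packet any 'ip6 and host 2001:db8::10' 4 20 l
diagnose sniffer packet any 'icmp6' 4 20 l

# Layer 2 discovery frames from the attached switch (assumed filters, see above);
# verbose 3 prints the Ethernet payload so the switch name and port ID are readable
diagnose sniffer packet any 'ether proto 0x88cc' 3 1 l
diagnose sniffer packet any 'ether dst 01:00:0c:cc:cc:cc' 3 1 l

# Full capture for offline analysis: verbose 6, unlimited count, UTC; stop with Ctrl-C
diagnose sniffer packet any 'host 192.0.2.10' 6 0 a
```

Two things to keep in mind: on “any”, a packet that crosses the firewall shows up twice (ingress and egress interface), which is also how you see NAT applied; and a verbose 6 capture logged by your terminal client can be converted to a pcap for Wireshark with Fortinet’s fgt2eth script. The sniffer only shows packets that reach the interface; a packet that is simply absent means the problem is upstream, a packet that arrives but never leaves means the FortiGate dropped it, which is exactly what the debug flow below explains.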

Flow

If you want to see the FortiGate’s own view of a connection, use this kind of debug. It shows, for example, the routing decision and the policy that allowed (or denied) the connection.
Example:
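A complete debug-flow session as an added example (my commands, not the original post’s). The addresses are placeholders. Always set a filter and a trace count: without them the flow debug floods the console on a busy box. On a multi-VDOM unit, run it from inside the VDOM that carries the traffic:

```fortios
# Start from a clean debug state
diagnose debug reset
diagnose debug flow filter clear

# Only trace one host and one destination port
diagnose debug flow filter addr 192.0.2.10
diagnose debug flow filter port 443

# Show the kernel function names and the policy lookups, with timestamps
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable

# Go: trace at most 50 packets
diagnose debug enable
diagnose debug flow trace start 50

# ... reproduce the connection from the client, read the output, then stop and clean up
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

In the output, “find a route” lines show the routing decision, “Allowed by Policy-<id>” names the matching policy, and “Denied by forward policy check (policy 0)” means no policy matched and the implicit deny applied; “reverse path check fail” is the RPF (asymmetric routing) drop that the session table and sniffer cannot explain on their own.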

VPN

To show details about IKE/IPsec connections, use these commands:
To debug IKE/IPsec negotiations, use the IKE application debug:
To reset a particular VPN connection, use this (Credit):
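VPN status, debug and reset as one added example (not taken from the original post). The peer address 203.0.113.5 and the phase1 name “to-branch” are placeholders. The IKE log filter keeps the debug output limited to one peer; note that the filter syntax was renamed in newer FortiOS releases (7.x uses “diagnose vpn ike log filter …”), so check “diagnose vpn ike log-filter ?” on your version:

```fortios
# Status: phase 1 gateways and phase 2 SAs
get vpn ike gateway
get vpn ipsec tunnel summary
get vpn ipsec tunnel details
diagnose vpn ike gateway list
diagnose vpn tunnel list

# Debug the IKE negotiation with one peer only (6.x filter syntax, see above)
diagnose vpn ike log-filter dst-addr4 203.0.113.5
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
# ... bring the tunnel up from either side, read the proposal/ID/auth messages ...
diagnose debug disable
diagnose debug reset

# Reset one tunnel: drop the IKE SA and flush its IPsec SAs
diagnose vpn ike gateway clear name "to-branch"
diagnose vpn tunnel flush "to-branch"
```

Most phase 1 failures are visible as a proposal mismatch, an ID mismatch (“peer identifier … does not match”) or a PSK/certificate authentication error in this output; a phase 2 that negotiates but carries no traffic is usually a selector (proxy-ID) or routing issue, which the debug flow above will show.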

Log

For investigating the log entries on the CLI (similar to the log view in the GUI), use the following filters, etc.:
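Log filtering as an added example (my commands, placeholder addresses). As with the session filters, the log filters persist for the CLI session and stack, so reset first. Category 0 is the traffic log, category 1 the event log:

```fortios
# Start clean and select the traffic log
execute log filter reset
execute log filter category 0

# Narrow down by fields: source, destination, and only denied traffic
execute log filter field srcip 10.1.1.5
execute log filter field dstip 192.0.2.10
execute log filter field action deny

# Show 50 lines per page, check the filter, display
execute log filter view-lines 50
execute log filter dump
execute log display

# Next page
execute log filter start-line 51
execute log display

# Event log instead, e.g. for admin logins and VPN state changes
execute log filter reset
execute log filter category 1
execute log display
```

If “execute log display” returns nothing for traffic you know is flowing, check whether the matching policy has logging enabled (“set logtraffic all”) before assuming the filter is wrong; by default only UTM events and denies are logged.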

Defaults

Just a reminder for myself (factory defaults; newer FortiOS releases force you to set a password at the first login, and you should do so anyway):
  • IP: 192.168.1.99
  • Login: admin
  • Password: <blank>
To change the IP address of the mgmt interface (or any other) via the CLI, these commands can be used:
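A first-boot example (added here, not from the original post): readdress the management interface, add a default route for it and lock down the admin account. The interface name “mgmt” exists on most mid-range models; on small units the default address sits on “internal” or “port1” instead. The addresses, password and trusted host are placeholders. Do this from the console, since changing the IP of the interface you are SSHed into drops your session:

```fortios
config system interface
    edit "mgmt"
        set mode static
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Default route for the management network ("edit 0" picks the next free ID)
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "mgmt"
    next
end

# No blank admin password, and management only from the admin network
config system admin
    edit "admin"
        set password <strong-password>
        set trusthost1 192.0.2.0 255.255.255.0
    next
end
```

Keep “allowaccess” minimal: http and telnet should never be in the list, and once trusted hosts are set, the GUI and SSH will silently refuse connections from anywhere else, so double-check the subnet before you log out.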
