FortiGate Command Cheat Sheet
This guide covers the most important FortiGate CLI commands that every network administrator should know.
Working with FortiGate firewalls often requires diving into the CLI to get deeper insights and perform advanced troubleshooting. While the GUI is intuitive for many tasks, the command-line interface (CLI) gives you speed, precision, and access to powerful diagnostic tools.
In this article, you’ll find a categorized list of useful FortiGate CLI commands covering everything from system diagnostics to routing, firewall policies, packet capture, and VPN troubleshooting. Whether you’re maintaining a production environment or investigating a tricky issue, these commands will help you get the job done efficiently.
Device Diagnostics
Monitoring the system health and performance of a FortiGate device is essential for detecting and resolving issues early. Here are some of the most important diagnostic commands:
| Command | Description |
|---|---|
get system status | Displays basic system info such as hostname, firmware version, and serial number. |
get system performance top | Similar to Linux’s top command – shows real-time CPU/memory usage and active sessions. |
diag sys top | A more detailed view of running processes, sorted by CPU usage. |
diag hardware deviceinfo | Shows detailed hardware information. |
diag debug crashlog read | Reads crash logs for analyzing system stability issues. |
get system performance status | Quick summary of CPU, memory, sessions, and more. |
diag sys flash list | Displays information about the flash memory, which can be useful when checking storage health. |
Tip: Run these commands during high load or suspected slowness to identify resource bottlenecks.
IP Settings and Routing
| Command | Description |
|---|---|
get system interface | Lists interfaces with IP addresses and statuses. |
get router info routing-table all | Shows the complete routing table. |
get router info routing-table database | Displays the underlying routing database. |
diag ip route list | Shows active routes currently in use. |
diag netlink interface list | Displays low-level interface info including physical links. |
Useful Examples
If you’d like to dive deeper into routing-related topics, feel free to check out the following articles where I explain these features in more detail:
- How to Check the Routing Table in FortiGate CLI – A step-by-step guide on how to display and analyze the routing table directly from the command line.
- How to Configure a Static Route on FortiGate – Learn how to create and manage static routes for better traffic control in your FortiGate firewall.
These tutorials provide practical examples and screenshots, making it easier to apply what you learn in real environments.
Policy Settings
| Command | Description |
|---|---|
show firewall policy | Lists all firewall policies. |
diagnose firewall iprope list | Shows how policies are applied to traffic. |
diag debug flow | Analyzes how traffic flows through policies (requires enabling debug). |
show full-configuration firewall policy | Displays complete firewall policy configuration with comments. |
Useful Examples
For a more in-depth look at configuring and optimizing firewall policies on FortiGate, make sure to check out these related posts:
- Fortinet FortiGate Policy Implementation – This article walks you through the process of creating and managing firewall policies, with practical tips and examples.
- Fortinet FortiGate Firewall Policies – Best Practices – Learn how to structure and organize your policies for improved security and easier maintenance.
These resources complement the CLI commands by showing how to apply policy settings effectively in both the GUI and CLI environments.
Packet Capture
| Command | Description |
|---|---|
diag sniffer packet any 'host x.x.x.x' 4 | Captures packets for a specific host. |
diag sniffer packet any 'port 443' 6 | Filters capture to HTTPS traffic. |
diag debug flow | Enables flow debugging for traffic analysis. |
diag debug enable / disable | Starts or stops debug mode (needed for flow analysis). |
| GUI Packet Capture | Available under Network > Packet Capture, useful for visual analysis. |
Useful Examples
If you’re interested in a step-by-step walkthrough of capturing packets using both the CLI and GUI, take a look at this detailed guide:
- FortiGate Packet Capture from CLI and GUI – Learn how to perform packet captures efficiently, filter traffic, and analyze results using built-in FortiGate tools.
This article is perfect if you want to visualize traffic flow or troubleshoot specific communication issues between devices.
VPN (Site-to-Site) Troubleshooting
| Command | Description |
|---|---|
diag vpn tunnel list | Lists all active VPN tunnels. |
get vpn ipsec tunnel summary | Shows tunnel status and stats. |
diag debug application ike -1 | Enables IKE debugging (for IPSec VPN). |
diag debug enable / disable | Starts/stops general debug logging. |
get vpn ssl monitor | Monitors SSL VPN sessions. |
Useful Examples
For a practical guide on identifying and resolving VPN tunnel issues, check out the article below:
- Fortinet FortiGate Site-to-Site VPN Troubleshooting – This post explains how to verify tunnel status, read debug output, and solve common configuration problems using FortiGate CLI tools.
It’s especially helpful when your VPN tunnels are not coming up or experiencing intermittent drops.
Logging and Logs Review
| Command | Description |
|---|---|
execute log display | Displays log entries in the CLI. |
execute log filter category event | Filters logs by category. |
diagnose debug application logd -1 | Enables debug for the logging daemon. |
Useful Examples
Understanding how to properly manage and analyze logs is crucial for detecting issues and auditing network activity. For a complete overview, check out the following article:
- Fortinet FortiGate Log Management – Learn how to view, filter, and interpret FortiGate logs using both the CLI and GUI. This guide also covers log categories and best practices for retaining critical data.
Whether you’re troubleshooting or reviewing events for compliance, effective log management is essential.
Firmware and Updates
| Command | Description |
|---|---|
get system firmware | Shows current firmware version. |
execute update-now | Manually trigger a system update. |
diagnose autoupdate version | Displays update version info. |
Useful Examples
Upgrading FortiGate firmware is a key part of keeping your system secure and stable. If you’re unsure about the correct upgrade steps or need guidance on version compatibility, the following resources will help:
- Fortinet FortiGate Upgrade Path Tool – Learn how to use Fortinet’s official upgrade path tool to avoid skipping critical firmware versions.
- Fortinet FortiGate Firmware Upgrade – A complete guide on preparing for, executing, and verifying a firmware upgrade on your FortiGate device.
Following best practices during upgrades minimizes downtime and ensures system integrity.
User Access and Admin
| Command | Description |
|---|---|
get system admin | Shows admin users and their roles. |
show system admin | Displays configuration of admin accounts. |
diagnose test authserver | Test external authentication (LDAP/RADIUS). |
Useful Examples
Managing administrator profiles and permissions properly is essential for maintaining a secure and well-organized FortiGate environment. If you’re interested in learning more about default admin roles, permission levels, and how to manage them effectively, check out this article:
- FortiGate Default Admin Profiles and Permissions – This guide explains the different built-in admin profiles, how to customize them, and how to assign appropriate access rights based on user roles.
Use this as a reference when you’re setting up user access or applying the principle of least privilege in your firewall administration.
DNS and Connectivity
| Command | Description |
|---|---|
diagnose test application dnsproxy 6 | Tests DNS resolution. |
execute ping 8.8.8.8 | Pings a public IP to test internet connectivity. |
execute traceroute google.com | Traces the route to a domain. |
Useful Examples
Proper DNS configuration is crucial for name resolution, connectivity, and overall network performance. If you want to configure or troubleshoot DNS on your FortiGate device, this article will help:
- FortiGate DNS Server Configuration – A detailed guide on setting up DNS servers, configuring FortiGate as a DNS forwarder, and verifying DNS behavior using CLI tools.
This tutorial is especially useful when diagnosing issues like slow browsing or failed domain lookups.
Conclusion
Mastering the FortiGate CLI can significantly enhance your ability to manage and troubleshoot your network infrastructure. While the GUI provides many useful tools, the CLI gives you precise control and faster access to critical system data. Whether you’re dealing with VPN issues, traffic bottlenecks, or just doing routine checks, these commands will save you time and help maintain a healthy FortiGate environment. Bookmark this guide and refer to it whenever you need quick, reliable CLI solutions.
About The Author
