By Manny Fernandez

May 27, 2024

My FortiGate FortiOS CLI Bible’ish

General Recon
get system status # Gather helpful info: version, serial number, etc.

Debug WebUI activity
diag debug cli 8
diag debug enable

Multi-Line Grep
show | grep '%something\|%something-else\|%even-more' # Multiple grep strings

Example:

get router info bgp summary | grep '10.255.255.164\|152.162.33.49'


Interface and IP information

dia ip address list # All IP addresses on the box (Cisco: show ip int br | e unass)

diagnose netlink interface list
diagnose netlink interface list port5

get system interface transceiver
diag ip arp delete <interface> <ip-address>
fnsysctl ifconfig port16

diag ip arp list # Shows ARP table

Fields in the output:
index                 Interface index of the corresponding FortiGate interface.
ifname                Name of the FortiGate interface.
x.x.x.x               IP address of the neighbor device connected to that interface.
00:00:00:00:00:00     MAC address corresponding to the IP address above.
state                 Hexadecimal value of the 8-bit field defining the current state of the ARP entry, as shown below.
use                   Time in seconds since the ARP entry was last used to add the MAC address to an egress packet.
confirm               Time in seconds since the ARP entry entered the state REACHABLE/NOARP/PERMANENT.
update                Time in seconds since the ARP entry was last updated with an ARP response.
ref                   Number of times the ARP entry was used to forward an egress packet.
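As an added example (not from the original post), here is a small Python parser for `diag ip arp list` output that decodes the state field and flags the entries worth a second look: neighbours that never resolved or failed, and one MAC answering for several IPs on the same interface. It assumes the line format `index=N ifname=X a.b.c.d aa:bb:cc:dd:ee:ff state=HEX use=N confirm=N update=N ref=N`, and that the state bits are the Linux kernel neighbour-state bits (NUD_*), which FortiOS, being Linux-based, is assumed to use. The sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Linux neighbour-state bits (include/uapi/linux/neighbour.h). Assumption: the
# FortiOS "state" field is this 8-bit NUD field.
NUD_STATES = {
    0x01: "INCOMPLETE",
    0x02: "REACHABLE",
    0x04: "STALE",
    0x08: "DELAY",
    0x10: "PROBE",
    0x20: "FAILED",
    0x40: "NOARP",
    0x80: "PERMANENT",
}

# Assumed output line format of "diag ip arp list".
ARP_LINE = re.compile(
    r"index=(?P<index>\d+)\s+ifname=(?P<ifname>\S+)\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-fA-F:]{17})\s+"
    r"state=(?P<state>[0-9a-fA-F]+)\s+use=(?P<use>\d+)\s+"
    r"confirm=(?P<confirm>\d+)\s+update=(?P<update>\d+)\s+ref=(?P<ref>\d+)"
)

# Constructed sample output: two IPs sharing a MAC on port1, one failed entry
# and one permanent (static) entry on port5.
SAMPLE_ARP = """\
index=3 ifname=port1 10.1.105.1 00:09:0f:aa:bb:01 state=00000002 use=4 confirm=12 update=30 ref=2
index=3 ifname=port1 10.1.105.3 00:09:0f:aa:bb:01 state=00000004 use=90 confirm=300 update=400 ref=1
index=5 ifname=port5 10.1.5.20 00:00:00:00:00:00 state=00000020 use=2 confirm=0 update=0 ref=0
index=5 ifname=port5 10.1.5.1 00:50:56:12:34:56 state=00000080 use=1 confirm=1 update=1 ref=9
"""


@dataclass
class ArpEntry:
    index: int
    ifname: str
    ip: str
    mac: str
    state: int
    use: int
    confirm: int
    update: int
    ref: int

    def state_names(self):
        """Decode the state bitfield into NUD state names."""
        names = [name for bit, name in NUD_STATES.items() if self.state & bit]
        return names or ["NONE"]


def parse_arp_list(text):
    """Parse every line that matches the ARP_LINE format; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append(ArpEntry(
            int(d["index"]), d["ifname"], d["ip"], d["mac"].lower(),
            int(d["state"], 16), int(d["use"]), int(d["confirm"]),
            int(d["update"]), int(d["ref"]),
        ))
    return entries


def find_anomalies(entries):
    """Return (kind, detail) pairs: unresolved/failed neighbours, and a MAC that
    answers for more than one IP on the same interface (a router is normal,
    an unexpected host doing this is worth checking)."""
    issues = []
    by_mac = {}
    for e in entries:
        names = e.state_names()
        if "FAILED" in names or "INCOMPLETE" in names:
            issues.append(("unresolved", f"{e.ifname} {e.ip} state={','.join(names)}"))
        if e.mac != "00:00:00:00:00:00":
            by_mac.setdefault((e.ifname, e.mac), []).append(e.ip)
    for (ifname, mac), ips in sorted(by_mac.items()):
        if len(ips) > 1:
            issues.append(("shared-mac", f"{ifname} {mac} answers for {', '.join(ips)}"))
    return issues


if __name__ == "__main__":
    parsed = parse_arp_list(SAMPLE_ARP)
    for e in parsed:
        print(f"{e.ifname:6} {e.ip:15} {e.mac} {'/'.join(e.state_names())}")
    for kind, detail in find_anomalies(parsed):
        print(f"[{kind}] {detail}")
```

Paste real `diag ip arp list` output into `SAMPLE_ARP` (or read it from a file) to run it against a live box; the shared-MAC check is most useful on segments where you do not expect a device other than the gateway to proxy for multiple addresses.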

diagnose firewall iplist list                  # Information on IP pools / VIPs
diagnose sys vd list                           # List virtual domains
diagnose sys cmdb info                         # CMDB information (run 2 to 4 times)
diagnose hardware deviceinfo disk              # Display information on all disks. If the unit doesn't have a disk.
diagnose autoupdate versions                   # Update object versions
diagnose sys session full-stat                 # Session statistics by state (ESTABLISHED, SYN_SENT, etc.)
diagnose debug crashlog read                   # Crash log info
diagnose user banned-ip list                   # Display quarantined devices
diagnose user quarantine delete src4 x.x.x.x   # Delete a banned IP
show firewall acl                              # Display the local ACLs on the FortiGate


Referenced Objects
diagnose sys cmdb refcnt show system.interface.name %object-name% # Check references and dependencies
diag sys cmdb refcnt show system.interface.name <interface name>
diag sys cmdb refcnt show firewall.address:name <address name>
diag sys cmdb refcnt show firewall.profile: <profile name>
diag sys cmdb refcnt show firewall.service.group:name <servicegroup name>
diagnose sys cmdb info #Show information about the latest configuration change performed by the daemon.

exec tac report #Generate a TAC report
diag debug crashlog read # shows the crashlog in a readable format.
diag debug crashlog get # shows the crashlog in an encrypted format


Command Line Shortcuts
up arrow, CTRL-P     Previous command
down arrow, CTRL-N   Next command
CTRL-A               Beginning of line
CTRL-E               End of line
CTRL-B               Back one word
CTRL-F               Forward one word
CTRL-D               Delete current character
CTRL-C               Abort command and exit branch (can disconnect you)
CTRL-L               Clear screen
TAB                  Completes the current word or iterates through the following words
?                    Possible commands

Performance Commands

get system status                         # Displays firmware and FortiGuard engine versions and other system information
get system performance status             # (Run 5 times) Displays CPU and memory state, average network usage, average sessions and session setup rate, viruses caught, IPS attacks blocked, and uptime
di sys top 2 50                           # (Run for 30 sec, CTRL-C to stop) Show top processes; lists the processes running on the FortiGate unit
di sys top-all                            # Show top threads
diagnose sys mpstat                       # CPU information
diagnose hardware sysinfo interrupts      # Display system interrupt information
diagnose hardware sysinfo memory          # Display system memory information
diag hardware sysinfo slab                # Display memory allocation information
diagnose sys top-mem                      # Display the processes using the most memory (default 5 processes)
diagnose hardware sys conserve            # Aid in diagnosing conserve mode issues
diagnose hardware deviceinfo nic %portx%  # Display stats on an interface


Enabling / Disabling Features
Overlapping IP addresses
config system settings
set allow-subnet-overlap [enable/disable]
end

Enabling Asymmetric Routing on FortiGate
config system settings
   set asymroute enable
end

Cisco Security Group Tag (SGT)
On the VWire, you must have "wildcard VLAN" enabled (under config system virtual-wire-pair):
set wildcard-vlan enable

On the policy, you must have the SGT:
config firewall policy
   edit 76
      set sgt-check enable
      set sgt 30
   next
end

Enabling LLDP on FortiGate
Globally
config system global
   set lldp-reception enable
   set lldp-transmission enable
end

Per Interface
config system interface
   edit <port>
      set lldp-reception enable
      set lldp-transmission enable
   next
end

Showing LLDP Neighbors
diagnose lldprx neighbor {summary | details | clear}
diagnose lldprx port {details | summary | neighbor | filter}
diagnose lldprx port neighbor {summary | details}


Admin Connections

Showing Admin Connections

get system info admin status

Disconnect Admin Connection from CLI
execute disconnect-admin-session


Terminal Length on Console

Similar to "terminal length 0" in Cisco:

config system console
  set output standard
end


Sniffer

I wrote a detailed blog post about sniffer and TCP flags

dia sniffer packet %int-name% 'host|net %ip|subnet% and|or %host|net% %ip|subnet% and proto|' 4 l 0

diagnose sniffer packet <interface> "<options>" <verbosity level> <count> <timestamp format>

Let's break this down:
diagnose sniffer packet   # the base command
interface                 # choose a specific interface or use the keyword any
options                   # filter the capture by IP, protocol, etc.
verbosity level           # how much information you are collecting (1-6, see below)
count                     # the number of packets you want to capture (0 = unlimited)
timestamp                 # the format of the timestamps on the capture
Here are the verbosity levels:
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets (if available) with interface name

diag sniffer packet any "src 10.1.105.3 and icmp" 4 l 0
diag sniffer packet any "dst 8.8.8.8 and icmp" 4 l 0
dia sniff packet any "(src 10.1.105.3 or src 10.1.105.1) and icmp" 4 l 0
dia sniffer packet any 'host 10.1.105.3 and !port 22' 4 l 0
diag sniffer packet wan1 'host 10.109.16.137 and (icmp or tcp)' 1
diag sniffer packet wan1 'host 10.109.16.137 and host 172.26.48.21 and tcp port 80' 1 3

Host filters:   host, src, dst, net, src net, dst net (combined with and/or)
Proto filters:  proto, port, !port, tcp, tcp port, udp, udp port

Use verbosity 3 or 6 when capturing traffic that you want to convert to PCAP:
fgt2eth.pl -in ~/Desktop/diadebug.txt -out /Users/fernandezm/Desktop/remote4.pcap

It is possible to create a per-interface PCAP file by adding the -demux argument when converting the text to a pcap file. It will create two separate files. Good for troubleshooting pre/post NAT issues.
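As an added example (this is not the author's fgt2eth.pl nor Fortinet code), here is a Python converter that turns verbosity 3/6 sniffer text into a pcap file, including a -demux-style split into one pcap per interface so the pre-NAT and post-NAT legs can be opened side by side. It assumes the hex-dump lines look like `0x0010<TAB> 003c 1c46 ...<TAB>ascii` and that each header line starts with either a relative timestamp (`2.123456`) or an `l`-format one (`YYYY-MM-DD HH:MM:SS.ffffff`), followed by `<iface> in|out` when the verbosity includes interface names. The sample capture is constructed.

```python
import re
import struct
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: two frames as printed by a verbosity-6 capture, one on the
# inside interface before NAT and one leaving wan1 after NAT. The hex dumps are
# hand-built Ethernet/IPv4 frames; checksums are not meaningful.
SAMPLE_CAPTURE = """\
2.123456 port5 in 10.1.105.3.54321 -> 8.8.8.8.53: udp 4
0x0000\t 0009 0f12 3456 0050 5612 3456 0800 4500\t....4V.PV.4V..E.
0x0010\t 0020 1c46 4000 4011 b1e6 0a01 6903 0808\t. .F@.@.....i...
0x0020\t 0808 d431 0035 000c 0000 dead beef\t...1.5........

2.123999 wan1 out 203.0.113.10 -> 8.8.8.8: icmp: echo request
0x0000\t 0050 5612 3456 0009 0f12 3456 0800 4500\t.PV.4V....4V..E.
0x0010\t 001c 0001 0000 4001 0000 cb00 710a 0808\t......@.........
0x0020\t 0808 0800 f7ff 0000 0000\t..........
"""

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


@dataclass
class SniffedPacket:
    ts_sec: int
    ts_usec: int
    iface: str        # "" when the capture has no interface names (verbosity 3)
    direction: str    # "in", "out" or ""
    summary: str      # rest of the header line, e.g. "10.1.105.3.54321 -> 8.8.8.8.53: udp 4"
    data: bytes = b""


def _parse_header(line):
    """Parse a packet header line; returns None if the line is not one."""
    tokens = line.split()
    if not tokens:
        return None
    try:
        if re.fullmatch(r"\d{4}-\d{2}-\d{2}", tokens[0]):      # 'l' timestamp format (local time)
            dt = datetime.strptime(tokens[0] + " " + tokens[1], "%Y-%m-%d %H:%M:%S.%f")
            t, rest = dt.timestamp(), tokens[2:]
        else:                                                  # relative seconds since capture start
            t, rest = float(tokens[0]), tokens[1:]
    except (ValueError, IndexError):
        return None
    iface = direction = ""
    if len(rest) >= 2 and rest[1] in ("in", "out"):
        iface, direction, rest = rest[0], rest[1], rest[2:]
    sec = int(t)
    return SniffedPacket(sec, round((t - sec) * 1_000_000), iface, direction, " ".join(rest))


def _hex_bytes(line):
    """Extract the bytes from one '0xNNNN<TAB>hex groups<TAB>ascii' dump line.
    Without tabs, fall back to reading hex groups until the first non-hex token."""
    parts = line.split("\t")
    field = parts[1] if len(parts) >= 2 else line.split(None, 1)[1]
    groups = []
    for g in field.split():
        if not re.fullmatch(r"[0-9a-fA-F]{2,4}", g):
            break
        groups.append(g)
    return bytes.fromhex("".join(groups))


def parse_sniffer(text):
    """Group header lines with the hex-dump lines that follow them."""
    packets, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("0x"):
            if current is not None:
                current.data += _hex_bytes(line)
            continue
        current = _parse_header(line)
        if current is not None:
            packets.append(current)
    return packets


def to_pcap(packets):
    """Build a classic little-endian pcap (Ethernet link type) from packets that carry bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for p in packets:
        if not p.data:            # verbosity 1/4 lines have no hex dump to write
            continue
        out.append(struct.pack("<IIII", p.ts_sec, p.ts_usec, len(p.data), len(p.data)))
        out.append(p.data)
    return b"".join(out)


def demux(packets):
    """Like fgt2eth.pl -demux: one pcap per interface name."""
    per_iface = {}
    for p in packets:
        per_iface.setdefault(p.iface or "any", []).append(p)
    return {name: to_pcap(pkts) for name, pkts in per_iface.items()}


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE_CAPTURE)
    with open("capture.pcap", "wb") as f:
        f.write(to_pcap(pkts))
    for name, blob in demux(pkts).items():
        with open(f"capture-{name}.pcap", "wb") as f:
            f.write(blob)
    print(f"wrote {len(pkts)} packets from {len(demux(pkts))} interface(s)")
```

Replace `SAMPLE_CAPTURE` with the saved terminal output of a verbosity 3 or 6 capture and open the resulting files in Wireshark; a frame whose hex lines were cut off by the terminal will simply appear truncated, which is one reason to log the session to a file rather than copy it from a scrollback buffer.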


Session

I have another post I did about sessions

diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter dport 53
diagnose sys session list #show the session table with the filter just set

clear    clear session filter
dport    dest port
dst      dest ip address
negate   inverse filter
policy   policy id
proto    protocol number
sport    source port
src      source ip address
vd       index of virtual domain (-1 matches all)

TCP States
State           Value   Expire Timer (default)
NONE            0       10 s
ESTABLISHED     1       3600 s
SYN_SENT        2       10 s
SYN & SYN/ACK   3       10 s
FIN_WAIT        4       120 s
TIME_WAIT       5       1 s
CLOSE           6       10 s
CLOSE_WAIT      7       120 s
LAST_ACK        8       30 s
LISTEN          9       120 s

Flow

Packet flow debug – equivalent to FW Monitor in Check Point, to evaluate whether a packet is accepted, forwarded or denied:

diag debug flow show function-name enable
diag debug flow filter saddr X.X.X.X
diag debug flow filter daddr Y.Y.Y.Y   # filter on the destination too (a second saddr would just overwrite the first)
diag debug flow filter port N
diag debug flow trace start 100
diag debug enable
diag debug disable   # when done


IPerf

diag traffictest server-intf <interface>
diag traffictest client-intf <interface>
diag traffictest port <port>
diag traffictest run -c <public_iperf_server_ip>


VPN

VPN debug commands:
diag vpn tunnel list
diag vpn ike log filter name <phase1-name>
diag vpn ike log filter src-addr4 X.X.X.X
diag vpn ike log filter dst-addr4 Y.Y.Y.Y
diag debug application ike -1   # (or 255)
diag debug enable
diag vpn tunnel flush
diag vpn tunnel reset
diag debug disable

Reset/Clear VPN Tunnels
diagnose vpn ike gateway list
diag vpn ike gateway clear name <phase1-name>
diag vpn ike gateway flush name <phase1-name>   # tears down the specified phase1
diag vpn tunnel up|down <phase2-name>           # bring the specified phase2 up|down
diag vpn ike restart                            # restart all tunnels

Disable VPN offloading per Phase 1
config vpn ipsec phase1-interface
   edit <phase1-name>
      set npu-offload disable
   next
end

diagnose debug enable
diagnose debug application sslvpn -1
diagnose debug application sslvpn 0   # Negate

config vpn ssl settings
   set idle-timeout 300     # Only for idle sessions
   set auth-timeout 28000   # Hard stop whether you are idle or not
end

HA

execute ha manage <0|1>               # Connect to the secondary box via CLI
get system ha status                  # Show HA status
dia sys ha status                     # More streamlined view
get system checksum status            # Get HA checksum
diagnose sys ha hadiff status         # Show HA difference (global, root, etc.)
diagnose sys ha checksum cluster      # Compare checksum with other cluster members
diagnose sys ha reset uptime          # Force fail-over
diag sys ha history read              # Check the history of the election process
diag sys ha mac
diagnose sys ha reset-health-status   # Only use with the error below
execute ha failover set 1             # Force fail-over from the active unit
diag debug appl hatalk -1
diag debug appl hasync -1

Disable shutting down interfaces on failover
config system ha
   set link-failed-signal enable
   set ha-mgmt-interface "mgmt"
end

Routing

dia ip rtcache list          # Show the route cache
dia firewall proute list     # Matching PBR and SD-WAN rules
dia ip proute match <destination ip> <source ip> <incoming interface> <proto> <destination port number>
get router info              # Sub-commands:
       routing-table    show routing table information
       protocols        show routing protocols information
       rip              show rip information
       ospf             show ospf information
       bgp              show bgp information
       filter           filter for router information
       multicast        show routing multicast information
       bfd              show BFD information
       isis             show isis information
       kernel           show kernel routing table
       vrrp             show vrrp status
get router info protocol                       # Show routing protocol information
get router info routing-table all              # Current active routing table
get router info routing-table detail 8.8.8.8   # Route detail for one destination
execute router restart                         # Restart the routing daemon

BGP

get router info bgp summary
get router info routing-table bgp
get router info bgp neighbors 10.125.113.2 received-routes
get router info bgp neighbors 10.125.113.2 advertised-routes
!! Requires graceful restart !!

diagnose ip router bgp all enable
diagnose ip router bgp level info

TTL Security (Don't know why this is not under BGP)
config firewall ttl-policy
    edit 0
        set status enable
        set action deny
        set srcintf "any"
        set srcaddr "all"
        set service "BGP"
        set schedule "always"
        set ttl 1-252
    next
end
BGP Attribute Priority
Priority   Attribute
1          Weight
2          Local Preference
3          Originate
4          AS path length
5          Origin code
6          MED
7          eBGP path over iBGP path
8          Shortest IGP path to BGP next hop
9          Oldest path
10         Router ID
11         Neighbor IP address


Security Profile
diag test application ipsmonitor <option>
   1    Display engine information
   2    Enable/disable IPS engine
   5    Toggle bypass status
   99   Restart IPS engines/monitor

diag test application ipsengine 99 #Restart IPS Engine

Contract and License check
exec log fortiguard test-connectivity
get system fortiguard-service status

Verifying FortiGuard Labs
diagnose autoupdate status
diagnose autoupdate versions


Log

exec log <sub-command>

backup               backup
delete               Delete local logs of one category.
delete-all           Delete all local logs and recreate the report database.
detail               Display UTM log entries for a particular traffic log.
display              Display filtered log entries.
filter               filter
flush-cache          Write the disk log cache of the current category to disk in compressed format.
flush-cache-all      Write the disk log cache of all categories to disk in compressed format.
fortianalyzer        fortianalyzer
fortianalyzer-cloud  fortianalyzer-cloud
fortianalyzer2       fortianalyzer2
fortianalyzer3       fortianalyzer3
fortiguard           fortiguard
list                 List current and rolled log file info.
raw-backup           raw-backup
roll                 Roll log files now.

exec log filter ?

category            Category.
device              Device to get log from.
dump                Dump current filter settings.
field               Filter by field.
free-style          Filter by free-style expression.
ha-member           HA member.
local-search-mode   Local log search mode.
max-checklines      Maximum number of lines to check.
pre-fetch-pages     Number of pages to check in advance under on-demand log search mode.
reset               Reset filter.
start-line          Start line to display.
view-lines          Lines per view.

execute log filter category <n>, where n is:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter

diag log test

execute log filter reset
execute log filter category event
execute log filter field            #press enter for options
execute log filter field dstport 8001
execute log filter view-lines 1000
execute log filter start-line 1
execute log display


To the FortiGate

See established TCP/UDP session TO the FGT
diagnose sys tcpsock | grep %IP/PORT%
diagnose sys udpsock | grep %IP/PORT%

Firewall Interface Policy

Create a firewall address for the public IP
config firewall address
    edit "ISP Internet"
        set associated-interface "port1X"
        set subnet X.X.X.X 255.255.255.255
    next
end

Create an IPS sensor to block offending IPs
config ips sensor
    edit "Interface-Firewall-Sensor"
        set comment "Blocks all Critical/High/Medium and some Low severity vulnerabilities"
        set block-malicious-url enable
        set scan-botnet-connections block
        config entries
            edit 1
                set severity high critical
                set status enable
                set action block
                set quarantine attacker
                set quarantine-expiry 10d
            next
            edit 2
                set severity low medium
            next
        end
    next
end

Create the Interface policy

config firewall interface-policy
    edit 1
       set logtraffic all
       set interface "port16"
       set srcaddr "all"
       set dstaddr "ISP Internet"
       set service "ALL"
       set ips-sensor-status enable
       set ips-sensor "Interface-Firewall-Sensor"
    next
end

FortiSwitch

diag switch-controller switch-info mac-table     # Managed FortiSwitch MAC address list
diag switch-controller switch-info port-stats    # Managed FortiSwitch port statistics
diag switch-controller switch-info trunk         # Trunk information
diag switch-controller switch-info mclag         # Dumps MCLAG related information from the FortiSwitch
execute switch-controller get-conn-status        # Get FortiSwitch connection status
execute switch-controller diagnose-connection    # Get FortiSwitch connection diagnostics
