CLI Commands for Troubleshooting FortiGate Firewalls

This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI. It is neither complete nor very detailed, but it provides the basic commands for troubleshooting network related issues that cannot be resolved via the GUI. I am not focused on memory, process, kernel, etc. details; those are only needed for really specific problems. I am more focused on the general troubleshooting stuff. I am using it personally as a cheat sheet / quick reference and will update it from time to time.

Coming from Cisco, everything is “show”. With Fortinet you have the choice (and confusion) between show | get | diagnose | execute, which is not that easy to remember. It is “get router info6 routing-table” to show the routing table but “diagnose firewall proute6 list” for the policy-based routes. Likewise the sys | system keyword: it is always “diagnose sys” but “execute system”.

A few commands for the FortiAnalyzer VM (the add-vm-license reference linked below is from the FortiAnalyzer CLI reference, so do not expect the last three on a FortiGate):

#show system interface port1
#get system global
#diagnose fmnetwork netstat list
#get system status
#execute lvm info
#execute add-vm-license "-----BEGIN FAZ VM LICENSE---- ---"

https://docs.fortinet.com/document/fortianalyzer/7.2.0/cli-reference/486545/add-vm-license

https://help.fortinet.com/fdb/5-0-0/html/source/tasks/t_network_configuration_cli.html

Configuring Network Settings using the CLI

(The following section is quoted from the FortiDB documentation linked above. The syntax is mostly the same on a FortiGate, but note that FortiOS keeps static routes under “config router static” rather than “config system route”.) This topic describes the steps to configure your network settings using the CLI. For details about each command, refer to the Command Line Interface section.

  1. Set the IP address and netmask of the LAN interface:
    config system interface
      edit <port>
      set ip <ip_address> <netmask>
      set allowaccess (http https ping ssh telnet)
    end
    

    where:

    • <port> can be one of port1 to port4.
    • <ip_address> is the interface IP address.
    • <netmask> is the interface netmask.

    Sample Command:

    config system interface
     edit port1
     set ip 192.168.100.159 255.255.255.0
     set allowaccess ping https ssh
    end
    
  2. Set the primary and optionally the secondary DNS server:
    config system dns
      set primary <dns-server_ip>
      set secondary <dns-server_ip>
    end
    

    where:

    • <dns-server_ip> is the primary or secondary DNS IP server address

    Sample Command:

    config system dns
     set primary 65.39.139.52
     set secondary 65.39.139.62
    end
    
  3. Set the default gateway:
    config system route
      edit <seq_num>
      set device <port>
      set gateway <gateway_ip>
    end
    

    where:

    • <seq_num> is an unused routing sequence number starting from 1 to create a new route.
    • <port> is the port used for this route.
    • <gateway_ip> is the default gateway IP address for this network.

    Sample Command:

    config system route
     edit 1
     set device port1
     set gateway 172.30.62.254
    end
    
  4. Set a Network Time Protocol (NTP) server:
    config system ntp
        set server <server_ip>
        set status (enable | disable)
    end
    

    where:

    • <server_ip> is the IP address or fully qualified domain name of the NTP server.

    Sample Command:

    config system ntp
     set server 172.30.62.81
     set status enable
    end

Entering the correct vdom/global config

Remember to enter the correct vdom or global configuration tree before configuring anything:

To execute any “show” command from any context use the sudo keyword with the global/vdom-name context followed by the normal commands (except “config”) such as:
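The context switching described above, as an added example (this is not the original listing of the post; the VDOM name “root” and the interface name “port1” are assumptions, and “sudo” only exists once VDOMs are enabled on the unit):

```text
# Global context: system-wide settings such as interfaces, admins, HA
config global
    show system interface port1
    get system status
end

# A specific VDOM (the default one is called "root"): policies, routing, sessions
config vdom
    edit root
        show firewall policy
        get router info routing-table all
end

# Run one command in another context without changing into it
# (everything except "config" works this way)
sudo global show system interface port1
sudo global get system ha status
sudo root diagnose sys session list
sudo root diagnose sniffer packet any 'host 192.0.2.10' 4 10 l
```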

Show running-config & grep & scp

To show the running configuration (such as “show run” on Cisco) simply type:

To show the entire running configuration with default values use:

When you are in a config submenu you can list the subsequent configuration options with all further submenus with:

For example:

To omit the “–More–” stops when displaying many lines, you can set the terminal output to the following, which displays all lines at once. This is similar to “terminal length 0” on Cisco. Be careful with it, because this setting is persistent (it is part of the configuration). Set it back to the default after usage!

To find a CLI command within the configuration, you can use the pipe sign “|” with “grep” (similar to “include” on Cisco devices). Note the “-f” flag, which shows the whole config tree in which the keyword was found, e.g.:

Example with grep but WITHOUT the -f option (which is of little use on its own, because you only get the matching line without the config tree it belongs to):

Now with the -f option. Note the “<—” at the end of every line that contains the “ipv6” keyword, while the full configuration part around it is listed.

You can even extend your grepping by using multiple expressions to grep, wrapped into single quotes and \|, such as: (Thanks to Ulrich’s comment!)

 

In order to copy the configuration via SCP to a backup server you must first enable SCP for administrative access:

before you can grab it from the backup server, e.g. Linux with:

 

To save your config through the CLI in order to have it in the GUI under <username> -> Configuration -> Revisions, use:

Even better, you should enable the following feature which saves a backup of your configuration after each logout automatically:
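The show / grep / pager / SCP / revision commands of this section, as an added example (not the original listing of the post; the FortiGate address 192.0.2.1, the keywords and the revision comment are placeholders):

```text
# Running configuration, without and with default values ("show run" on Cisco)
show
show full-configuration

# Inside a submenu, "show" lists only that subtree including its submenus
config system interface
    show
end

# Disable the --More-- pager. Persistent! Set it back to "more" afterwards.
config system console
    set output standard
end
# ... do your work ...
config system console
    set output more
end

# grep: only the matching lines vs. "-f" for the whole config tree around a match
show | grep ipv6
show | grep -f ipv6
# several expressions at once (alternation with \|, wrapped in single quotes)
show | grep -f 'ipv6\|dns'

# SCP download: enable SCP for administrators first ...
config system global
    set admin-scp enable
end
# ... then fetch the file from a Linux backup host; the remote file name is sys_config:
#   scp admin@192.0.2.1:sys_config ./fortigate-$(date +%F).conf

# Save a configuration revision (GUI: <username> -> Configuration -> Revisions)
execute backup config flash "before firmware upgrade"

# Automatically keep a revision after every logout
config system global
    set revision-backup-on-logout enable
end
```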

 

General Information

The very basics:

 

After rebooting a fresh device which is already licensed, it takes some time until it is “green” at the dashboard. The following commands can troubleshoot and start the “get license” process. Use the first three to enable debugging and start the process, while the last one disables the debugging again:

To reboot your device, use:

To shutdown your device, use:
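The basic status, licensing and reboot/shutdown commands of this section, as an added example (not the original listing of the post; “port1” is an assumed interface name):

```text
# The very basics: firmware, serial, HA mode, uptime; CPU/memory/sessions; NIC stats; processes
get system status
get system performance status
get hardware nic port1
diagnose sys top

# License / FortiGuard contract troubleshooting after a reboot of a licensed unit:
# the first three enable debugging of the update daemon and start the process,
# the fourth disables the debugging again ("diagnose debug reset" clears the filter)
diagnose debug application update -1
diagnose debug enable
execute update-now
diagnose debug disable
diagnose debug reset

# Reboot / shutdown
execute reboot
execute shutdown
```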

 

General Network Troubleshooting

Which is basically ping and traceroute. Unfortunately these commands are quite cumbersome to use, since you need a couple of subcommands to source pings from a different interface, and so on. Furthermore, the traceroute for IPv6 takes its options directly on the CLI, such as “-i <interface>”, while traceroute for IPv4 uses the “traceroute-options …” subcommands:

To view the current …-options, use this:
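The ping/traceroute commands with their option subcommands, as an added example (not the original listing of the post; the source addresses 10.0.0.1 and 2001:db8::1 and the interface name “port1” are assumptions):

```text
# Ping from a specific source address (e.g. an internal interface) with more packets
execute ping-options source 10.0.0.1
execute ping-options repeat-count 10
execute ping-options view-settings
execute ping 8.8.8.8
# Back to the defaults when done (the options stay set for the session otherwise)
execute ping-options reset

# IPv4 traceroute: options via the traceroute-options subcommands
execute traceroute-options source 10.0.0.1
execute traceroute-options view-settings
execute traceroute 8.8.8.8

# IPv6: ping has its own options subcommand ...
execute ping6-options source 2001:db8::1
execute ping6-options view-settings
execute ping6 2001:4860:4860::8888
# ... while traceroute6 takes the options directly on the command line
execute traceroute6 -i port1 2001:4860:4860::8888
```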

 

Routing

Routing table, RIB, FIB, policy routes, routing protocols, route cache, and much more. 😉 Note the differences between IPv6 and legacy IP.
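The routing commands of this section, as an added example (not the original listing of the post; the prefix 10.0.0.0 is a placeholder), showing the get | diagnose split between the RIB, the kernel FIB and the policy routes:

```text
# Routing table (RIB): legacy IP vs. IPv6
get router info routing-table all
get router info6 routing-table
# Details / longest match for a single destination
get router info routing-table details 10.0.0.0

# Kernel forwarding table (FIB), i.e. what is actually used for forwarding
get router info kernel
diagnose ip route list

# Policy-based routes (checked before the routing table)
diagnose firewall proute list
diagnose firewall proute6 list

# Route cache
diagnose ip rtcache list

# Dynamic routing protocols
get router info ospf neighbor
get router info bgp summary
get router info6 bgp summary
get router info bgp network
```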

High Availability

Diagnosing and managing: (Just another example of how “get | diagnose | execute” is mixed along with “sys | system”.)

Manually test a failover by decreasing the priority of the current master (the highest priority wins, but only if “override” is enabled in the HA settings; otherwise the cluster age is compared before the priority, and lowering the priority alone might not trigger a failover):

Don’t forget to restore the priority value to your original one!

Start a sync at a secondary device to (from?) the master: (Honestly, I am not sure what “synchronize” means in this command. I would like to decide which config to push to the other device. The Fortinet documentation reads: “Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the primary unit or to stop a synchronization process that is in progress.”)
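The HA commands of this section, as an added example (not the original listing of the post; the priority values 50 and 200 and the placeholders in angle brackets are assumptions):

```text
# Status: primary/secondary role, sync state, monitored interfaces
get system ha status
diagnose sys ha status
# Configuration checksums of all cluster members (must match when in sync)
diagnose sys ha checksum show
# Log in to another cluster member through the primary (use ? to check whether
# your release also expects the admin user name as second argument)
execute ha manage <cluster-index> <admin-user>

# Manual failover test on the current primary: lower its priority ...
# (only effective with "set override enable" in "config system ha")
config system ha
    set priority 50
end
# ... and do not forget to restore the original value afterwards
config system ha
    set priority 200
end

# On the secondary unit: (re)synchronize its configuration from the primary
execute ha synchronize start
execute ha synchronize stop
```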

 

Session Table

Display the current active sessions:
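The session table commands, as an added example (not the original listing of the post; the addresses are placeholders). Always set a filter first, otherwise the list is huge:

```text
# Start with a clean filter, then narrow down by destination and port
diagnose sys session filter clear
diagnose sys session filter dst 203.0.113.10
diagnose sys session filter dport 443
diagnose sys session list

# Same for IPv6
diagnose sys session6 filter clear
diagnose sys session6 filter dst 2001:db8::10
diagnose sys session6 list

# Remove the sessions matching the current filter, e.g. to force a re-evaluation
# after a policy change. WITHOUT a filter this clears ALL sessions!
diagnose sys session clear
```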

 

Remote Server Authentication Test

In order to test user credentials against some (remote) authentication servers such as LDAP or RADIUS or even local:
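The authentication test commands, as an added example (not the original listing of the post; the server and user names in angle brackets are placeholders and refer to the objects defined under “config user ldap” and “config user radius”):

```text
# LDAP: server object name, user, password
diagnose test authserver ldap <ldap-server-name> <username> <password>
# RADIUS: server object name, authentication method (pap | chap | mschap | mschap2), user, password
diagnose test authserver radius <radius-server-name> pap <username> <password>
# Local user database
diagnose test authserver local <username> <password>
```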

 

FSSO User Authentication

When you’re using some kind of Fortinet single sign-on (FSSO) features such as the agentless/agent polling mode to a Windows AD you can use the following commands to get some information about the recognized users and agent servers:

The first one shows all monitored users with details concerning their LDAP groups:

while the last one shows the users with their corresponding FortiGate user groups and traffic counters:

If you need further debugging messages you can enable them for the FortiGate non-blocking auth daemon and the FSSO daemon:
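The FSSO commands of this section, as an added example (not the original listing of the post):

```text
# All users learned via FSSO with their LDAP groups
diagnose debug authd fsso list
# Status of the collector agents / polling connections
diagnose debug authd fsso server-status
# Authenticated users with their FortiGate user groups and traffic counters
diagnose firewall auth list

# Daemon debugging: authd = non-blocking auth daemon, fssod = FSSO daemon
diagnose debug application authd -1
diagnose debug application fssod -1
diagnose debug enable
# ...
diagnose debug disable
diagnose debug reset
```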

 

Sniffer / Packet Capture

Sniff packets like tcpdump does. (Only if the built-in packet capture feature in the GUI does not meet your requirements.) This can be used for investigating connection problems between two hosts. There are no details of the firewall policy decisions. Use the debug flow (next paragraph) for analysis about firewall policies, etc.

with:

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name <<<<<< good default choice
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time

Examples: (Thanks to the comment from Ulrich for the IPv6 example)

Here are two more examples on how to show LLDP or CDP packets in order to reveal which switch port you are connected to. Kudos to Joachim Schwierzeck.
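The sniffer syntax with the examples of this section, as an added example (not the original listing of the post; the hosts 192.0.2.10 and 2001:db8::10 and the interface “port1” are placeholders; the filter uses the tcpdump/BPF syntax):

```text
# Syntax
diagnose sniffer packet <interface> '<filter>' <verbose> <count> <time-format>

# All interfaces, one host, headers with interface names (verbose 4), unlimited, local time
diagnose sniffer packet any 'host 192.0.2.10' 4 0 l
# One interface, TCP 443 to a host, stop after 20 packets, UTC timestamps
diagnose sniffer packet port1 'host 192.0.2.10 and tcp port 443' 4 20 a
# IPv6 host
diagnose sniffer packet any 'host 2001:db8::10' 4 0 l
# ICMP only, including the IP payload (verbose 5)
diagnose sniffer packet any 'icmp' 5 10 l

# LLDP frames (Ethertype 0x88cc): verbose 6 prints the whole Ethernet frame,
# which contains the switch name and port ID as text
diagnose sniffer packet port1 'ether proto 0x88cc' 6 1 l
# CDP: the usual tcpdump check for the CDP SNAP protocol ID (0x2000)
diagnose sniffer packet port1 'ether[20:2] == 0x2000' 6 1 l
```

Both LLDP and CDP are sent every 30 (LLDP) or 60 (CDP) seconds by default, so expect to wait up to a minute for the single packet.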

 

Flow

If you want to see the FortiGate details about a connection, use this kind of debug. E.g., it shows the routing decision and the policy, which allowed the connection.

Example:

 

VPN

To show details about IKE/IPsec connections, use these commands:

To debug IKE/IPsec sessions, use the VPN debug:

To reset a certain VPN connection, use this (Credit):
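The VPN commands of this section, as an added example (not the original listing of the post; the peer address 198.51.100.2 and the phase 1 name in angle brackets are placeholders):

```text
# IKE (phase 1) gateways and IPsec (phase 2) tunnels
get vpn ike gateway
get vpn ipsec tunnel summary
get vpn ipsec tunnel details
diagnose vpn ike gateway list
diagnose vpn tunnel list

# IKE debugging, restricted to a single peer so the output stays readable
diagnose debug reset
# up to FortiOS 6.x:
diagnose vpn ike log-filter dst-addr4 198.51.100.2
# FortiOS 7.x syntax:
diagnose vpn ike log filter rem-addr4 198.51.100.2
diagnose debug application ike -1
diagnose debug enable
# ... bring the tunnel up ...
diagnose debug disable
diagnose debug reset

# Reset one VPN connection (IKE SA and its child SAs) by its phase 1 name
diagnose vpn ike gateway clear name <phase1-name>
```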

 

Log

For investigating the log entries (similar to the GUI), use the following filters, etc.:
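The log filter commands, as an added example (not the original listing of the post; the source address is a placeholder):

```text
# Log category: 0 = traffic, 1 = event, ... (use ? to list them)
execute log filter category ?
execute log filter category 0

# Filter on fields, e.g. source address, and limit the number of displayed lines
execute log filter field srcip 192.0.2.10
execute log filter view-lines 100

# Check the current filter and display the matching log entries
execute log filter dump
execute log display

# Reset the filter afterwards
execute log filter reset
```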

 

Defaults

Just a reminder for myself:

  • IP: 192.168.1.99
  • Login: admin
  • Password: <blank>

To change the IP address of the mgmt interface (or any other) via the CLI, these commands can be used:
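Changing the management IP and adding a default route on a FortiGate, as an added example (not the original listing of the post; the interface name “mgmt”, the addresses and the route sequence number 1 are assumptions). Unlike the FortiDB sample earlier on this page, FortiOS keeps static routes under “config router static”:

```text
config system interface
    edit mgmt
        set ip 10.0.0.99 255.255.255.0
        set allowaccess ping https ssh
    next
end

config router static
    edit 1
        set device mgmt
        set gateway 10.0.0.1
    next
end

# Verify
show system interface mgmt
get router info routing-table all
```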

Password Recovery & Factory Reset

Just the links here: Resetting a lost Admin password and How to reset a FortiGate with the default factory settings.

Links