
**********************

Fortinet Firewall Commands


**********************
// Health and Status
show // Output shows only non-default values.
show full-configuration // Show all configurations on the device.
show system interface wan1 | grep -A2 ip // Show WAN and interface information.
get system info admin status // Show logged-in administrators
get system status // Show system hardware/software update versions
get hardware status // Detailed hardware model information
get system performance status
get system performance top
show system interface // Interface Configuration
diagnose hardware deviceinfo nic // Interface Statistics/Settings
diagnose hardware sysinfo memory
diag debug crashlog read
diag hardware sysinfo shm // Conserve mode indicator; should be 0, a value >0 means the device is in conserve mode
get system global | grep -i timer // Show TCP and UDP timers for half-open and idle sessions
get system session-ttl // System default TCP idle session timeout
execute ha manage <devid> // Send heartbeat across the HA management link
get hardware nic
diagnose ip address list
get system interface physical
// ARP
diagnose ip arp list

// Track and Troubleshoot


get system session status // Connection count for ingress/egress
get system session-info full-stat // Displays session status with breakdown by state
get system session list // Session list, protocol, expire, src nat, dst nat
diag sys session // Basic output of diag sys session with no filters
diag sys session filter <option> <value> // Filter sessions by src, dst, duration, policy ID, vd (VDOM)
// Packet capture
diag debug info // Displays active debug
diag debug enable // Enable debug
diagnose debug flow filter // Show configured flow filters
diagnose debug flow filter clear // Clear all filters
diagnose debug flow filter <option> <value> // Configure a filter
diagnose debug flow show con enable // Show output on console
diagnose debug flow show fun enable // Show function names
diagnose debug flow trace start <number of lines> // Start the trace
diagnose debug flow trace stop // Stop the trace

Example:
diagnose debug reset
diagnose debug enable
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.10.1
diagnose debug flow filter dport 80
diagnose debug flow show con enable
diagnose debug flow show fun enable
diagnose debug flow trace start 20

diagnose sniffer packet <interface or ANY> <arguments> <level 1-6>


Example:
diagnose sniffer packet ANY net 192.168.10.0/24 and not host 192.168.10.1 and port 80 and TCP 6
Syn packets only:
diag sniffer packet internal tcp[13] == 2
To stop:
diagnose debug reset
diagnose debug disable
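The SYN-only sniffer filter above works because byte 13 of the TCP header holds the flag bits, and a value of exactly 2 means only SYN is set. The following Python is an added example (not part of the original cheat sheet or Fortinet's code) that builds constructed 20-byte TCP headers and evaluates a `tcp[N] == V` style byte filter against them, so you can see which packets `tcp[13] == 2` matches and which it does not (a SYN-ACK has byte 13 = 0x12 and is excluded).

```python
import struct

# TCP flag bits as they appear in header byte 13 (low 8 bits of the
# data-offset/flags word).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Constructed 20-byte TCP header with no options (data offset = 5 words)."""
    offset_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, 65535, 0, 0)


def decode_flags(header: bytes) -> list:
    """Names of the flags set in byte 13, in FIN..URG order."""
    b = header[13]
    return [name for name, bit in TCP_FLAGS.items() if b & bit]


def matches_byte_filter(header: bytes, offset: int, value: int) -> bool:
    """Evaluate a sniffer filter of the form tcp[offset] == value."""
    return header[offset] == value


def matches_syn_only(header: bytes) -> bool:
    """Equivalent of the page's filter: tcp[13] == 2 (SYN set, nothing else)."""
    return matches_byte_filter(header, 13, 2)


def syn_bit_set(header: bytes) -> bool:
    """Looser check, tcp[13] & 2 != 0: matches SYN and SYN-ACK alike."""
    return bool(header[13] & TCP_FLAGS["SYN"])


# Constructed sample packets: a client SYN and the server's SYN-ACK.
CLIENT_SYN = build_tcp_header(40000, 80, TCP_FLAGS["SYN"])
SERVER_SYNACK = build_tcp_header(80, 40000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])
```

Note the difference between `tcp[13] == 2` (handshake initiations only) and `tcp[13] & 2 != 0` (any segment carrying SYN): the first is what you want when counting inbound connection attempts, the second when you also want to see the replies.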
// Enable packet capture in GUI
System -> Config -> Advanced
Set up the packet capture filter; check the box to start, uncheck it to stop.
Download Debug Log
// Show identified devices
diag user device list
// Routes

Route selection: interface must be up -> multiple matching routes: select the lowest distance -> dynamic routes with the same distance: choose the lowest metric.
Route lookups are done only for the first packet of each session; all later packets in the session use the same path.
After a topology change, routes are flushed and sessions are relearned.
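The selection order above (interface up, then lowest distance, then lowest metric for equal-distance dynamic routes) and the per-session caching of the result are easy to get wrong when reasoning about why traffic took an unexpected path. The Python below is an added example, not from the cheat sheet or Fortinet, that models both against a constructed routing table. It assumes, as standard router behaviour not stated on the page, that longest prefix match is applied before distance and metric are compared.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "10.0.0.0/8"
    device: str      # outbound interface
    gateway: str
    distance: int    # administrative distance
    metric: int      # tie-breaker among equal-distance dynamic routes
    up: bool = True  # link state of the outbound interface


def select_route(dst: str, routes):
    """Pick the route for dst: interface up -> longest prefix (assumed)
    -> lowest distance -> lowest metric. Returns None if nothing matches."""
    addr = ip_address(dst)
    candidates = [r for r in routes if r.up and addr in ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix).prefixlen, r.distance, r.metric))


class SessionTable:
    """Caches the route chosen for the first packet of a session, as the
    page describes; a topology change flushes the cache."""

    def __init__(self, routes):
        self.routes = list(routes)
        self._cache = {}

    def forward(self, src: str, dst: str, dport: int):
        key = (src, dst, dport)
        if key not in self._cache:
            self._cache[key] = select_route(dst, self.routes)
        return self._cache[key]

    def topology_change(self, routes):
        self.routes = list(routes)
        self._cache.clear()


# Constructed sample routing table (addresses are placeholders).
ROUTES = [
    Route("0.0.0.0/0", "wan1", "172.16.0.1", distance=10, metric=0),
    Route("10.0.0.0/8", "port1", "10.0.1.1", distance=10, metric=0),
    Route("10.0.0.0/8", "port2", "10.0.2.1", distance=20, metric=0),
    Route("10.1.0.0/16", "port3", "10.1.0.1", distance=110, metric=20),
    Route("10.1.0.0/16", "port4", "10.1.0.2", distance=110, metric=10),
    Route("10.2.0.0/16", "port5", "10.2.0.1", distance=5, metric=0, up=False),
]
```

Run `select_route("10.2.3.4", ROUTES)` and note that the best-looking route (distance 5) is skipped because its interface is down, and the traffic falls back to the /8 via port1. The `SessionTable` shows why an already-established session keeps its old path until the routing table is flushed.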
get system arp // ARP Table

get router info routing-table all // All routing table entries


get router info routing-table details <ip> // Shows whether static or dynamic routes exist for the destination
get router info kernel // Raw kernel routing table
show router static // Display static routes

// Restore image
execute restore image <firmware_file_name> <TFTP server_ipaddress> // Restore an image from a TFTP server
// Provisioning
config system settings // Configure for layer-3
set opmode nat
end
config system settings // Configure transparent
set opmode transparent
end
config system global // Set port for admin if VPN is sharing
set admin-sport 8443
set sslvpn-sport 443
end
config system global // Enable SCP
set admin-scp enable
end
config system ntp // Set up NTP
config ntpserver
edit 1
set server 10.0.0.0
next
edit 2
set server 10.0.0.1
next
end
set ntpsync enable
end
execute time
config system dns // Set up DNS
set primary 0.0.0.0
set secondary 0.0.0.0
end
config log syslogd(2|3) setting // Enable syslog
set status enable
set server <IP address>
set port 514

set facility user


end
diagnose log test // Test logging
config system interface // Set up IP address
edit wan1
set mode static
set ip 172.16.0.0 255.255.255.0
set vlanid 50 // Only valid on a VLAN sub-interface
end
config system interface // LACP port aggregation
edit aggr1
set type aggregate
set member port8 port9
end
config system zone // Add interfaces to zone
edit outside
set interface internal1 internal2
set intrazone allow // Enable intrazone traffic
end
config router static // Add default route
edit 1
set device wan1 // Outbound interface (assumed wan1)
set gateway 172.16.0.0
end
config router static // Static route
edit 2
set device port1
set dst 10.0.0.0 255.0.0.0
set gateway 10.0.1.1
end
// Vendor Notes
http://docs.fortinet.com/fgt.html
http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-cli-40-mr3.pdf
http://docs.fortinet.com/fgt50.html
