Basic Configuration Commands:
A FortiGate firewall ships with the following factory defaults:
Management IP Address: 192.168.1.99 / 255.255.255.0
Credentials: admin with no password
Set an admin password and restrict management access before the unit is connected to any network you do not fully control.
1. Configure Host Name:
FW# config system global
(global)# set hostname FG100D
(global)# end
2. Configure MGMT Interface
FW# config system interface
(interface)# edit mgmt
(mgmt)# set ip 192.168.80.254 255.255.255.0
(mgmt)# set allowaccess ping https ssh
(mgmt)# end
Note that set allowaccess replaces the whole list, so name only the protocols you need; leave http and telnet out, since both carry admin credentials in clear text.
3. Configure DNS
FW# config system dns
(dns)# set primary 192.168.80.150
(dns)# set secondary 192.168.80.151
(dns)# set domain "itadminguide.com"
(dns)# end
4. Configure NTP Server
FW# config system ntp
(ntp)# set ntpsync enable
(ntp)# set type custom
(ntp)# config ntpserver
(ntpserver)# edit 1
(1)# set server 192.168.80.10
(1)# next
(ntpserver)# end
(ntp)# end
set ntpsync enable turns time synchronisation on, and set type custom makes the FortiGate use the servers in the ntpserver table instead of FortiGuard. Accurate time matters for certificate validation, log correlation and IKE lifetimes, so do this before enabling VPNs or log forwarding.
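The four steps above combined into one hardened first-boot configuration, as an added example that is not part of the original page. Beyond steps 1 to 4 it sets the admin password, limits admin logins to a management subnet with trusthost, keeps clear-text protocols off the management interface, enforces strong ciphers for management sessions and turns on the per-logout revision backup. The hostname, the addresses, the management subnet and the password placeholder are assumptions for illustration; the syntax is that of current FortiOS.

```text
# Added example, not from the original page: hardened first-boot configuration.
# Values (hostname, addresses, management subnet) are illustrative; replace them.
# Lines starting with # are comments, as in a saved FortiGate configuration file.

config system global
    set hostname FG100D
    set admintimeout 10                  # idle timeout for admin sessions (minutes)
    set strong-crypto enable             # strong ciphers only for HTTPS/SSH management
    set revision-backup-on-logout enable # keep a config revision after every logout
end

# Replace the empty default admin password and restrict where admin may log in from.
config system admin
    edit admin
        set password <strong-password>
        set trusthost1 192.168.80.0 255.255.255.0   # management subnet only
    next
end

config system interface
    edit mgmt
        set ip 192.168.80.254 255.255.255.0
        set allowaccess ping https ssh   # replaces the whole list; no http, no telnet
    next
end

config system dns
    set primary 192.168.80.150
    set secondary 192.168.80.151
    set domain "itadminguide.com"
end

config system ntp
    set ntpsync enable
    set type custom                      # use the servers below instead of FortiGuard
    config ntpserver
        edit 1
            set server 192.168.80.10
        next
    end
end
```

After applying it, check that a login attempt from an address outside 192.168.80.0/24 is refused and confirm time synchronisation with diagnose sys ntp status before relying on the unit for VPNs or logging.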
Basic Troubleshooting Commands:
5. Ping and Traceroute a host name or IP address
FW# execute ping <host>
//ping from a specific firewall interface (the option persists for the CLI session)
FW# execute ping-options source <interface_ip>
FW# execute ping <host>
//traceroute from a specific firewall interface
FW# execute traceroute-options source <interface_ip>
FW# execute traceroute <host>
6. ARP
FW# get system arp
// clear arp table
FW# execute clear system arp table
7. Routing
//similar to "show ip route" in Cisco: the active routing table
FW# get router info routing-table all
//route cache: active sessions and the route each one is using
FW# diagnose ip rtcache list
Automatic Backup Configuration:
8. Automatic Configuration Backup after each logout
FW# config system global
(global)# set revision-backup-on-logout enable
(global)# end
All backup revisions can be seen in the GUI under admin (top right) > Configuration > Revisions. These revisions are stored on the unit itself, so keep an off-box backup as well; they are lost if the unit fails or is factory reset.
Troubleshooting IPsec VPN tunnel logs
When troubleshooting site-to-site IPsec VPN tunnels on a FortiGate, the following commands enable IKE debugging on the CLI and print the detail needed to find the problem (mismatched proposals, wrong pre-shared key, unreachable peer).
- Log in to the CLI as admin
- Disable any debug that is currently running
FW# diagnose debug disable
- Clear any debug filter applied earlier
FW# diagnose vpn ike log-filter clear
- Set a filter so that only the debug output for one VPN peer is shown. This matters when several tunnels are configured and only one peer has a problem; without a filter the output of every IKE negotiation is mixed together.
FW# diagnose vpn ike log-filter dst-addr4 10.10.10.1
- Enable debug output for the IKE daemon at the highest verbosity
FW# diagnose debug app ike 255
- Enable debug output to the console
FW# diagnose debug enable
Debug output is verbose and costs CPU, so after you fix the problem don't forget to disable it:
FW# diagnose debug disable
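A complete debugging session for one tunnel, as an added example rather than the page's own text. It assumes a tunnel named site-b whose remote gateway is 10.10.10.1 (both illustrative) and adds what the steps above leave out: timestamps on the output, a way to force a fresh negotiation so that something is actually logged, the state checks that confirm the fix, and the filter syntax used on FortiOS 7.0 and later.

```text
# Added example, not from the original page. Tunnel name site-b and peer
# 10.10.10.1 are assumed. Lines starting with # are comments.

# 1. Start from a clean debug state
FW# diagnose debug disable
FW# diagnose debug reset                        # clears all debug levels and filters

# 2. Filter on the one peer and turn on IKE debugging with timestamps
FW# diagnose vpn ike log-filter clear
FW# diagnose vpn ike log-filter dst-addr4 10.10.10.1
FW# diagnose debug console timestamp enable     # timestamps make retransmits and timeouts visible
FW# diagnose debug app ike -1                   # -1 = all IKE debug levels (255 also works)
FW# diagnose debug enable

# 3. Force a new negotiation so the output shows the failing exchange
FW# diagnose vpn ike gateway clear name site-b
# Read the output here: a NO_PROPOSAL_CHOSEN notify means the phase 1 or phase 2
# proposals differ from the peer's; "probable pre-shared secret mismatch" points at the PSK.

# 4. After the fix, confirm state and switch debugging off again
FW# diagnose vpn ike gateway list name site-b   # phase 1 (IKE SA) established?
FW# diagnose vpn tunnel list name site-b        # phase 2 SAs and traffic counters
FW# diagnose debug disable
FW# diagnose debug reset

# On FortiOS 7.0 and later the filter commands are:
# FW# diagnose vpn ike log filter clear
# FW# diagnose vpn ike log filter rem-addr4 10.10.10.1
```

Clearing the gateway tears down the existing IKE SA for that peer, so traffic over the tunnel drops until the negotiation completes; do it in a maintenance window on a production tunnel.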