FortiGate troubleshooting and verification commands

This post is a list of common troubleshooting and verification commands for FortiGate firewalls. These commands help you check system status, interfaces, routing, policies, sessions, VPNs, logs, and more.

General System and Hardware Info

  • get system status
    Shows FortiGate firmware version, uptime, serial number, and system info.

  • diagnose hardware deviceinfo
    Displays hardware status like CPU, memory, and temperature.

  • get system performance status
    Provides CPU, memory usage, sessions, and throughput info.


Interface and Network Verification

  • get system interface physical
    Lists all physical interfaces with status and link info.

  • show system interface
    Displays all configured interfaces and their IP addresses.

  • diagnose netlink interface list
    Lists interfaces with status and link-layer info.

  • execute ping <IP>
    Sends ping to test network connectivity.

  • execute traceroute <IP>
    Traces the route packets take to a destination.


Routing and Firewall Policies

  • get router info routing-table all
    Shows all routing table entries.

  • get router info routing-table details <IP>
    Displays detailed routing info for a specific IP.

  • show firewall policy
    Displays all firewall policies.

  • diagnose firewall policy list
    Shows firewall policies with counters and details.

  • diagnose firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <src_intf>
    Checks which policy applies for specific traffic (protocol is the IP protocol number, e.g. 6 for TCP, 17 for UDP).


Session and Traffic Debugging

  • diagnose sys session list
    Lists all active sessions.

  • diagnose sys session filter
    Sets filters for session commands (e.g., src, dst, dport).

  • diagnose sys session stat
    Shows session statistics.

  • diagnose sys session clear
    Clears the sessions matching the current session filter (all sessions if no filter is set).

  • diagnose debug enable
    Enables debug mode.

  • diagnose debug disable
    Disables debug mode.

  • diagnose debug flow filter addr <ip>
    Restricts debug flow output to packets with this source or destination address.

  • diagnose debug flow show console enable
    Shows debug flow output on the console (on FortiOS 6.0 and later this option was replaced by diagnose debug flow show function-name enable).

  • diagnose debug flow trace start <number_of_packets>
    Starts traffic debug for specified number of packets.
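The debug flow steps above produce one line per processing function for every traced packet, which gets hard to read once more than a handful of packets are captured. Below is an added example (not from the original post and not a Fortinet tool) that parses saved debug flow output offline, groups the lines by trace_id, and reports each flow's packet tuple, ingress interface and verdict. The sample output embedded in the script is constructed to match the id=/trace_id=/func=/msg= line shape FortiOS prints; the messages for a real device may differ by version, so the regular expressions are assumptions to adjust against your own capture.

```python
import re
from collections import OrderedDict

# Constructed sample of "diagnose debug flow trace" output (not captured from a real
# device). Three traced flows: one allowed by policy 5, one hitting the implicit
# deny (policy 0), one with no route to the destination.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 10.1.1.10:51234->203.0.113.5:443) from port2. flag [S], seq 100, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5682 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-198.51.100.1 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=763 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 10.1.1.10:51235->203.0.113.9:23) from port2. flag [S], seq 200, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5682 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=fw_forward_handler line=786 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=17, 10.1.1.10:5353->224.0.0.251:5353) from port2. flag [.], seq 0, ack 0, win 0"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2600 msg="no route to 224.0.0.251"
"""

# One debug flow line: trace_id ties all lines of one packet together.
LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')
# The print_pkt_detail message carries protocol, 5-tuple and ingress interface.
PKT_RE = re.compile(r'proto=(\d+),\s+([\d.]+:\d+)->([\d.]+:\d+)\)\s+from\s+(\w+)\.')
POLICY_RE = re.compile(r'\(policy (\d+)\)')


def parse_debug_flow(text):
    """Group debug flow lines by trace_id and extract tuple, route and verdict."""
    flows = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # ignore anything that is not a debug flow line
        trace_id, func, msg = m.groups()
        flow = flows.setdefault(trace_id, {
            "proto": None, "src": None, "dst": None, "in_intf": None,
            "route": None, "verdict": None, "policy": None,
        })
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                flow["proto"] = int(p.group(1))
                flow["src"], flow["dst"], flow["in_intf"] = p.group(2), p.group(3), p.group(4)
        elif msg.startswith("find a route"):
            flow["route"] = msg
        elif msg.startswith("Allowed by Policy-"):
            flow["verdict"] = "allow"
            flow["policy"] = int(msg.split("Policy-", 1)[1].split(":", 1)[0])
        elif msg.startswith("Denied by"):
            flow["verdict"] = "deny"
            pm = POLICY_RE.search(msg)
            flow["policy"] = int(pm.group(1)) if pm else None  # policy 0 = implicit deny
        elif msg.startswith("no route"):
            flow["verdict"] = "no-route"
    return flows


def summarize(flows):
    """Return one human-readable line per traced flow."""
    lines = []
    for tid, f in flows.items():
        verdict = f["verdict"] or "incomplete"
        if f["policy"] is not None:
            verdict += " (policy %d%s)" % (f["policy"], ", implicit deny" if f["policy"] == 0 else "")
        lines.append("trace %s: proto=%s %s -> %s in=%s verdict=%s"
                     % (tid, f["proto"], f["src"], f["dst"], f["in_intf"], verdict))
    return lines


if __name__ == "__main__":
    for line in summarize(parse_debug_flow(SAMPLE_DEBUG_FLOW)):
        print(line)
```

Paste the console output of the trace into a file and feed it to parse_debug_flow; a flow with verdict "incomplete" usually means the trace was stopped before the forwarding decision was logged, or that the packet was handled by a function the script does not recognise.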


VPN Troubleshooting

  • get vpn ipsec tunnel summary
    Shows status of IPsec VPN tunnels.

  • diagnose vpn ike gateway list
    Lists IKE gateway status.

  • diagnose vpn ike log-filter
    Sets filter for IKE debug logs.

  • diagnose debug application ike -1
    Enables detailed IKE debug logs.


Logs and Event Verification

  • execute log display
    Shows logs on CLI (if local logging is enabled).

  • execute log filter
    Applies filter to logs (e.g., by type, level, date).

  • diagnose log test
    Tests logging configuration.
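Log entries shown by execute log display use the FortiOS key=value format (quoted string values, unquoted numbers and addresses), so a few lines of parsing turn a saved log into a quick summary. The following is an added example, not code from the original post or from Fortinet: it parses traffic log lines, counts denied connections per source address, and flags sources whose denies touched several distinct destination ports, which is a common first-pass check when reviewing a firewall's deny log. The embedded log lines are constructed samples in the traffic log layout; the field names used (type, action, srcip, dstip, dstport, policyid) are standard FortiOS traffic log fields, and the "N: " counter prefix the parser strips is the one execute log display prints in front of each entry.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the FortiOS traffic log key=value layout (not from a real
# device). Two accepted flows, one stray deny, and one host denied on three ports.
SAMPLE_LOG = """\
1: date=2024-05-01 time=10:15:02 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.10 srcport=51234 srcintf="port2" dstip=203.0.113.5 dstport=443 dstintf="port1" proto=6 action="accept" policyid=5 service="HTTPS" sentbyte=1234 rcvdbyte=5678
2: date=2024-05-01 time=10:15:05 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.50 srcport=40001 srcintf="port2" dstip=203.0.113.9 dstport=22 dstintf="port1" proto=6 action="deny" policyid=0 service="SSH" sentbyte=0 rcvdbyte=0
3: date=2024-05-01 time=10:15:05 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.50 srcport=40002 srcintf="port2" dstip=203.0.113.9 dstport=23 dstintf="port1" proto=6 action="deny" policyid=0 service="TELNET" sentbyte=0 rcvdbyte=0
4: date=2024-05-01 time=10:15:06 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.50 srcport=40003 srcintf="port2" dstip=203.0.113.9 dstport=3389 dstintf="port1" proto=6 action="deny" policyid=0 service="RDP" sentbyte=0 rcvdbyte=0
5: date=2024-05-01 time=10:15:09 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.10 srcport=51240 srcintf="port2" dstip=203.0.113.9 dstport=23 dstintf="port1" proto=6 action="deny" policyid=0 service="TELNET" sentbyte=0 rcvdbyte=0
6: date=2024-05-01 time=10:15:12 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.10 srcport=51241 srcintf="port2" dstip=203.0.113.5 dstport=443 dstintf="port1" proto=6 action="accept" policyid=5 service="HTTPS" sentbyte=900 rcvdbyte=4100
"""

# key="quoted value" or key=unquoted_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# "N: " counter that execute log display prints in front of each entry
COUNTER_RE = re.compile(r'^\s*\d+:\s*')


def parse_log_line(line):
    """Turn one key=value log line into a dict of string fields."""
    line = COUNTER_RE.sub("", line)
    return {key: (quoted or unquoted) for key, quoted, unquoted in KV_RE.findall(line)}


def summarize_denies(lines, port_threshold=3):
    """Count denied traffic per source and flag sources denied on many distinct targets.

    port_threshold is an assumed tuning knob: a source whose denies reached at
    least this many distinct (dstip, dstport) pairs is listed as a suspect.
    """
    denies_by_src = Counter()
    targets_by_src = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "traffic" or rec.get("action") != "deny":
            continue
        src = rec.get("srcip", "?")
        denies_by_src[src] += 1
        targets_by_src[src].add((rec.get("dstip"), rec.get("dstport")))
    suspects = sorted(s for s, targets in targets_by_src.items() if len(targets) >= port_threshold)
    return {"denies_by_src": dict(denies_by_src), "suspect_sources": suspects}


if __name__ == "__main__":
    report = summarize_denies(SAMPLE_LOG.splitlines())
    for src, n in sorted(report["denies_by_src"].items(), key=lambda kv: -kv[1]):
        print("%-16s denied %d time(s)" % (src, n))
    print("sources denied on multiple distinct targets:", report["suspect_sources"])
```

The same parser works on lines exported from a syslog server or FortiAnalyzer, since they carry the same key=value fields; only the leading counter differs.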


HA (High Availability) Commands

  • get system ha status
    Shows HA status.

  • diagnose sys ha status
    Displays detailed HA info.


Miscellaneous Useful Commands

  • diagnose firewall ippool list
    Shows configured IP pools.

  • diagnose test application ipsmonitor 99
    Restarts the IPS engine processes (useful when IPS is stuck or consuming excessive CPU).

  • diagnose debug crashlog read
    Reads crash log.