
Network Security Memo - Basic Fortinet Firewall Fortigate CLI Commands (Tips and Tricks)


Basic Fortinet Firewall Fortigate CLI Commands (Tips and Tricks)

1. Show Interface Configuration

FGT30D # config system interface
FGT30D (interface) # show

config system interface
edit "wan"
set ip 10.99.142.1 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set type physical
set snmp-index 2
next
.....
edit "lan"
set ip 192.168.100.1 255.255.255.0
set allowaccess ping https ssh http fgfm capwap
set type physical
set snmp-index 1
next
end
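As an added example that is not part of the original post, the following Python script parses this show-output format (the config/edit/set/next/end nesting used throughout the page) and flags cleartext management protocols (http, telnet, snmp) enabled via allowaccess on the wan interface, as the output above shows; which interface names count as untrusted uplinks is an assumption.

```python
"""Audit FortiOS 'show' output for cleartext admin access. Added example, not from the page; SAMPLE is constructed."""
import shlex

SAMPLE = """\
config system interface
    edit "wan"
        set ip 10.99.142.1 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "lan"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https ssh http fgfm capwap
    next
end
"""

# Admin protocols that send credentials in the clear (http, telnet) or expose
# an SNMP community; none belong on an interface facing an untrusted network.
CLEARTEXT_ACCESS = {"http", "telnet", "snmp"}

def parse_fortios(text):
    """Nested dicts: 'config'/'edit' open a scope, 'next'/'end' close it."""
    root, stack = {}, []
    cur = root
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts:
            continue
        if parts[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "set":
            cur[parts[1]] = parts[2:]  # values keep their order
        elif parts[0] in ("next", "end"):
            cur = stack.pop()
    return root

def audit_allowaccess(cfg, untrusted=("wan", "wan1", "wan2")):
    """(interface, protocol) pairs with cleartext admin access on an uplink.
    The 'untrusted' interface names are an assumption; adjust per device."""
    findings = []
    for name, attrs in cfg.get("system interface", {}).items():
        if name in untrusted:
            for proto in attrs.get("allowaccess", []):
                if proto in CLEARTEXT_ACCESS:
                    findings.append((name, proto))
    return findings

if __name__ == "__main__":
    for iface, proto in audit_allowaccess(parse_fortios(SAMPLE)):
        print(f"{iface}: '{proto}' enabled via allowaccess")
```

Feed it the text of `show system interface` captured from a device instead of SAMPLE to audit a real configuration.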

2. Change System Hostname

FGT30D # config system global
FGT30D (global) # set hostname FGT30D
FGT30D (global) # end

3. Configure System DHCP Server on Interface "lan"

FGT30D # config system dhcp server

config system dhcp server
edit 1
set default-gateway 192.168.100.1
set dns-service default
set interface "lan"
config ip-range
edit 1
set end-ip 192.168.100.200
set start-ip 192.168.100.80
next
end
set netmask 255.255.255.0
next
end

4. Configure Firewall Policy

FGT30D # config firewall policy

config firewall policy
edit 1
set srcintf "lan"
set dstintf "wan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

5. Configure Static Gateway

FGT30D # config router static

config router static
edit 1
set device "wan"
set gateway 10.99.142.6
next
end

Add a second static route (to 10.9.9.0/24 via the lan interface):

FGT30D3X1401796 $ conf router static
FGT30D3X1401796 (static) $ edit 2
new entry '2' added
FGT30D3X1401796 (2) $ set device "lan"
FGT30D3X1401796 (2) $ set dst 10.9.9.0 255.255.255.0
FGT30D3X1401796 (2) $ set gateway 10.9.13.1
FGT30D3X1401796 (2) $ end

6. Configure System DNS Servers

FGT30D # config system dns

config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
end

7. Set System Users

FGT30D # config system admin

config system admin
edit admin
set password <psswrd>
next
end

Existing admin accounts as shown by the CLI (passwords appear as ENC hashes):

config system admin
edit "admin"
set accprofile "super_admin"
....
set password ENC AK1TDEt3tvzlnXWgK7ZjkFDgEisgltyWyK2/lnOYtvcl28=
next
edit "superadmin1"
set accprofile "super_admin"
....
set password ENC AK1eDVLPbT+qARqmQ5r0ituEhnmu9xVwdAbo2puf9TZofo=
next
edit "testadmin"
set accprofile "prof_admin"
set password ENC AK1JB0gM4GKvhld20nMmfFbhnictGo/+oUIqAaGTGlb+vg=
next
end

8. Configure Syslog Settings

config log syslogd(2|3) setting // syslogd, syslogd2 or syslogd3
set status enable
set server 10.99.1.1
set port 514
set facility user
end

diagnose log test // Test logging

9. Execute Command - Ping

FGT30D # execute ping www.google.ca
PING www.google.ca (173.194.46.111): 56 data bytes
64 bytes from 173.194.46.111: icmp_seq=0 ttl=57 time=20.7 ms
64 bytes from 173.194.46.111: icmp_seq=1 ttl=57 time=22.7 ms
64 bytes from 173.194.46.111: icmp_seq=2 ttl=57 time=20.6 ms
--- www.google.ca ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 20.6/21.3/22.7 ms

Set Ping Source:

FGT30D # execute ping-options source 192.168.1.1

FGT30D # execute ping-options view
Ping Options:
Repeat Count: 5
Data Size: 56
Timeout: 2
Interval: 1
TTL: 64
TOS: 0
DF bit: unset
Source Address: 192.168.1.1
Pattern:
Pattern Size in Bytes: 0
Validate Reply: no
Note: ping-options will reset when session closed

10. Session Timeout Configuration

FGT30D3X13001834 # show system session-ttl

config system session-ttl
set default 30000
config port
edit 23
set timeout 72000
next
end
end

11. Debugging

diag debug enable
diag debug console timestamp enable
diag sniffer packet wan 'host 8.8.8.8' 1 // Sniff packets to/from 8.8.8.8 on wan (verbosity 1: headers only)
diag debug disable
diag debug reset

12. Backup/Restore Configuration to Flash

FGT30D # execute backup config flash
Please wait...
Config backed up to flash disk done.
Setting timestamp
FGT30D # execute revision list config
Last Firmware Version: V0.0.0-build000-REL0
ID TIME ADMIN FIRMWARE VERSION COMMENT
1 2015-02-10 13:39:29 jn V5.0.0-build292-REL0
2 2015-02-10 13:42:15 jn V5.0.0-build292-REL0 20140210

Restore Configuration from Flash:

FGT30D # execute restore config flash
<revision> Revision ID on the flash.

FGT30D # execute restore config flash 2
This operation will overwrite the current settings!
Do you want to continue? (y/n)y
Please wait...
Get config from local disk OK.
File check OK.

13. Get System Configuration

get system arp // ARP Table
get system dns // DNS Configuration
get system dhcp server // DHCP server configuration

FGT30D # get system setting
opmode : nat
firewall-session-dirty: check-all
bfd : disable
utf8-spam-tagging : enable
wccp-cache-engine : disable
vpn-stats-log :
vpn-stats-period : 0
v4-ecmp-mode : source-ip-based
gui-default-policy-columns:
asymroute : disable
ses-denied-traffic : disable
strict-src-check : disable
asymroute6 : disable
per-ip-bandwidth : disable
sip-helper : enable
sip-nat-trace : enable
status : enable
sip-tcp-port : 5060
sip-udp-port : 5060
sccp-port : 2000
multicast-forward : enable
multicast-ttl-notchange: disable
allow-subnet-overlap: disable
deny-tcp-with-icmp : disable
ecmp-max-paths : 10
discovered-device-timeout: 28
email-portal-check-dns: enable

show system interface wan1 | grep -A2 ip // Show WAN and interface information.
get system info admin status // Show logged in users
get system status // Show system hardware/software update versions
get hardware status // Detailed hardware model information
get system performance status // Check System Uptime

FGT30D3X12001671 $ get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
CPU0 states: 0% user 0% system 0% nice 100% idle
Memory states: 21% used
Average network usage: 3 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Average sessions: 14 sessions in 1 minute, 11 sessions in 10 minutes, 11 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last
10 minutes, 0 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 106 days, 0 hours, 8 minutes

get system performance top
show system interface
diagnose hardware deviceinfo nic // Interface Statistics/Settings
diagnose hardware sysinfo memory
diag debug crashlog read
diag hardware sysinfo shm // Device should be in 0, if (>0) then conservemode
get system global | grep -i timer // Show tcp and udp timers for halfopen and idle
get system session-ttl // System default tcp-idle session timeout
get hardware nic
get system interface physical
diagnose ip address list

diagnose ip arp list
diagnose sys session list
diagnose sys session clear
diagnose sys kill 9 <id>

14. Change Built-in Internal Switch to Interface Mode

In Switch mode, all the internal interfaces are part of the same subnet and treated as a single interface, called either lan or internal by default, depending on the FortiGate model. Switch mode is used when the network layout is basic, with most users being on the same subnet.

In Interface mode, the physical interfaces of the FortiGate unit are handled individually, with each interface having its own IP address. Interfaces can also be combined by configuring them as part of either hardware or software switches, which allow multiple interfaces to be treated as a single interface.

a. Command to change the FortiGate to switch mode:

config system global
set internal-switch-mode switch
end

b. Command to change the FortiGate to interface mode:

config system global
set internal-switch-mode interface
end

After changing the internal switch from switch mode to interface mode, you will be able to move some interfaces out of the internal switch; they become routing interfaces that you can configure individually.
Here is a use case. An HA implementation needs two routing ports. If you change your switch to interface mode, you will be able to use two LAN ports for HA purposes.

Note: How to Change Switch Mode to Interface Mode in Fortigate FortiOS 5

15. Reset System to Factory Defaults

FGT60D # execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y

System is resetting to factory default...

The system is going down NOW !!

FGT60D #
Please stand by while rebooting the system.
Restarting system.

FortiGate-60D (10:49-11.12.2014)
Ver:04000024
Serial number: FGT60D4P14005710
CPU(00): 800MHz
Total RAM: 2GB
Initializing boot device...
Initializing MAC... nplite#0
Please wait for OS to boot, or press any key to display configuration menu......

Booting OS...
Reading boot image... 1278067 bytes.
Initializing firewall...

System is starting...

16. Daily System Scheduled Reboot

config system global
set daily-restart enable
set restart-time 05:06
end

Note: For a weekly reboot, you will need a script driven by the expect command.

17. Check Interface Status (Speed / Duplex)

FGT30D3X1502126 $ get system interface physical
== [onboard]
==[lan]
mode: static
ip: 10.9.14.8 255.255.255.0
ipv6: ::/0
status: up
speed: 1000Mbps (Duplex: full)
==[wan]
mode: static
ip: 10.9.16.8 255.255.255.0
ipv6: ::/0
status: up
speed: 1000Mbps (Duplex: full)
==[modem]
mode: pppoe
ip: 0.0.0.0 0.0.0.0
ipv6: ::/0
status: down
speed: n/a

FGT30D3X1502126 $ get hardware nic lan
Driver Name :Fortinet NP4Lite Driver
Version :1.0.1
Admin :up
Current_HWaddr 90:6c:ac:13:45:88
Permanent_HWaddr 90:6c:ac:13:45:88
Status :up
Speed :1000
Duplex :Full
Host Rx Pkts :1252679
Host Rx Bytes :91142924
Host Tx Pkts :88665
Host Tx Bytes :11744688
Rx Pkts :1211790
Rx Bytes :106073828
Tx Pkts :75589
Tx Bytes :111560468
rx_buffer_len :2048
Hidden :No
cmd_in_list : 0
promiscuous : 1

FGT30D3X1502126 $ diag netlink interface list lan
if=lan family=00 type=1 index=3 mtu=1500 link=0 master=0
ref=16 state=start present fw_flags=8000 flags=up broadcast run allmulti multicast
Qdisc=pfifo_fast hw_addr=90:6c:ac:13:45:88 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=1218030 txp=75593 rxb=106620201 txb=111560708 rxe=0 txe=0 rxd=0 txd=0 mc=0 collision=0
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0 stop=0
input_type=0 state=6 arp_entry=5 refcnt=16

19. Time and Date, or NTP

To configure NTP via the CLI

To synchronize with an NTP server, enter the following commands:
config system global
set ntpsync enable
set timezone <timezone_index>
set ntpserver {<server_fqdn> | <server_ipv4>}
end

To manually set the date and time via the CLI

To manually configure the FortiWeb appliance's system time and disable the connection to an NTP server, enter the following commands:
config system global
set ntpsync disable
set timezone <timezone_index>
set dst {enable | disable}
end
execute time 12:03:01
execute date 2016-10-09

20. Some HA Commands

Manual HA Failover (resets this unit's HA uptime so the cluster re-elects its master):

diagnose sys ha reset-uptime

Manage Cluster Member from Console

Test-1 # get system ha status
Model: FortiGate-60D
Mode: a-p
Group: 0
Debug: 0
ses_pickup: disable
Master:250 Test-1 FGT60D4614041798 1
Slave : 50 Test-2 FGT60D4Q15005710 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master:0 FGT60D4614041798
Slave :1 FGT60D4Q15005710

Test-1 # execute ha manage 0
Test-2 $

Test-2 $ execute reboot
This operation will reboot the system !
Do you want to continue? (y/n)y

Configuration Example

Fortigate Device Information:
LAN : 192.168.200.1/24
WAN : 85.86.87.2/29
Default Gateway to ISP: 85.86.87.1

config system global
# Set the http admin port to 80/tcp
set admin-port 80
# Set the https admin port to 443/tcp
set admin-sport 443
# Set the ssh admin port to 22/tcp
set admin-ssh-port 22
# Set the telnet admin port to 23/tcp
set admin-telnet-port 23
# Set the hostname
set hostname "FW-Office-1"
# Set the ntp server to "0.ca.pool.ntp.org" and enable it
set ntpserver "0.ca.pool.ntp.org"
set ntpsync enable
# Set the tcp-halfclose timer to 43200 seconds
set tcp-halfclose-timer 43200
end
# Set the telnet 23/tcp port timeout to 43200 seconds.
config system session-ttl
set default 43200
config port
edit 23
set timeout 43200
next
end
end
# Set the IP address and administrative access options (ping https http) for the lan interface.
config system interface
edit "lan"
set ip 192.168.200.1 255.255.255.0
set allowaccess ping https http
set type physical
next
# Set the IP address and administrative access options (ping https) for the wan interface.
# Enable the "gateway detect" option and set the "Ping Server" destination.
# Set the interface speed to 10 Mb/s half duplex; this is useful for some connections like radio bridges.
edit "wan1"
set ip 85.86.87.2 255.255.255.248
set allowaccess ping https
set gwdetect enable
set detectserver "85.86.87.23"
set type physical
set speed 10half
next
end
# Set DNS servers and DNS options
config system dns
set primary 192.168.200.3
set secondary 8.8.8.8
set domain ''
set autosvr disable
set dns-cache-limit 5000
set cache-notfound-responses disable
end
# Set a firewall policy to enable traffic from lan to wan using NAT
# Set a protection profile (a default one) called "scan"
config firewall policy
edit 1
set srcintf "lan"
set dstintf "wan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set profile-status enable
set profile "scan"
set nat enable
next
end
# Set a default gateway on the WAN interface
config router static
edit 1
set device "wan"
set gateway 85.86.87.1
end

Reference:

Online Demo Read Access for Fortinet Products

Fortigate:
user: demo
password: demo
fortigate.com

FortiAnalyzer:
user: demo
password: demo
fortianalyzer.com

FortiManager:
user: demo
password: demo
fortimanager.com

FortiMail:
user: demo
password: demo
https://209.87.230.132/admin

FortiWeb:
user: demo
password: demo
http://fortiweb.fortinet.com/

FortiDB:
user: demo
password: demo
http://www.fortidb.com/

Forticloud:
https://www.forticloud.com

Online Resources
CLI Reference for FortiOS 5.0

Fortinet Product Demo Center

The Fortinet Cookbook
