Listen to this Post

Introduction:
In enterprise network security, operational excellence isn’t defined by deploying next-generation firewalls—it’s measured by how efficiently teams troubleshoot, recover, and maintain resilience when incidents occur. While FortiGate’s graphical interface simplifies daily management, the Command Line Interface (CLI) remains the definitive tool for precision, speed, and deep visibility during critical incidents. This article delivers a comprehensive operational reference across seven essential command groups—from system health diagnostics to VPN troubleshooting—empowering security engineers to reduce Mean Time to Resolution (MTTR) and strengthen cyber defense through command-line proficiency.
Learning Objectives:
- Master FortiGate CLI commands for system health monitoring, performance diagnostics, and hardware validation
- Execute interface troubleshooting, routing verification, and network-layer analysis using diagnostic tools
- Apply firewall policy inspection, session management, and traffic flow debugging techniques
- Troubleshoot IPsec and SSL VPN connectivity issues using IKE debugging and tunnel analysis
- Validate NAT, VIP, and policy configurations while implementing logging and maintenance best practices
You Should Know:
- System Health and Device Diagnostics – The First Five Commands
When any FortiGate issue arises, these five commands provide a complete snapshot of the device’s state before touching any configuration:
Display FortiOS version, serial number, HA mode, and license status get system status Real-time CPU, memory, session count, and uptime summary get system performance status List all interfaces with IP addresses, states, and speeds get system interface Show the complete routing table get router info routing-table all Display session table statistics (count, capacity) diagnose sys session stat
For deeper process-level analysis, use diagnose sys top—similar to Linux’s `top` command—to view running processes sorted by CPU or memory usage. Press `Shift + P` to sort by CPU consumption or `Shift + M` for memory ordering. Common high-CPU culprits include `ipsengine` (IPS processing), `sslvpnd` (SSL VPN), `httpsd` (GUI/API activity), and `scanunitd` (AV scanning).
Hardware diagnostics provide essential visibility into physical components:
View power supply status diagnose hardware deviceinfo psu Check fan status and CPU temperature execute sensor list Display disk status and partitions diagnose hardware deviceinfo disk diagnose sys flash list execute disk list Read crash logs for stability analysis diagnose debug crashlog read Identify configuration parsing errors after upgrades diagnose debug config-error-log read
The `execute tac report` command generates an extensive system snapshot, running dozens of diagnostic commands and recording the current state of every feature—invaluable when submitting support tickets to Fortinet TAC.
Step‑by‑Step: System Health Assessment
- Connect via SSH or console to the FortiGate CLI
- Run `get system status` to verify firmware version and HA role
- Execute `get system performance status` to check CPU/memory utilization
- If CPU is elevated, run `diagnose sys top 5 20` to identify resource-heavy processes
- Use `diagnose debug crashlog read` to review any recent system crashes
- Generate `execute tac report` for documentation or support escalation
2. Network Interfaces and Routing Verification
Interface and routing issues are among the most frequent operational challenges. The CLI provides granular visibility that the GUI often obscures:
Display detailed interface status with IPs and statistics get system interface Show interface error counters and physical statistics diagnose hardware deviceinfo nic <interface_name> Display low-level interface information including physical links diagnose netlink interface list View ARP table (filtered by IP) get system arp | grep <ip_address> Show optical transceiver status (fiber interfaces) get system interface transceiver Display aggregate interface (LAG) status diagnose netlink aggregate list View VLAN interface status diagnose sys vlan list
Routing validation requires multiple diagnostic perspectives:
Complete routing table get router info routing-table all Underlying routing database get router info routing-table database Active routes currently in use by the kernel diagnose ip route list Filter route display using prefix lists config router setting set show-filter <prefix-list-1ame> end
Step‑by‑Step: Interface Troubleshooting
- Run `get system interface` to verify all interfaces are `up`
2. If an interface shows errors, use `diagnose hardware deviceinfo nic port1` to examine error counters - For fiber interfaces, check optical levels with `get system interface transceiver`
4. Verify ARP entries with `get system arp | grep`
5. Confirm routing with `diagnose ip route list` to see active forwarding decisions
3. Firewall Policies and Security Inspection
Firewall policy verification is critical for security operations. The `iprope` table represents the structured internal format of all configured firewall policies, organized into functional groups that are evaluated sequentially:
List all firewall policies show firewall policy Display complete policy configuration with comments show full-configuration firewall policy View static SNAT policies diagnose firewall iprope list 100002 View VIP (DNAT) policies diagnose firewall iprope list 100000 View standard Forward policies diagnose firewall iprope list 100004 View system-generated Local-In policies (management protocols) diagnose firewall iprope list 10000e View Traffic Shaping policies diagnose firewall iprope list 100015 View simple ZTNA policies diagnose firewall iprope list 100017
For security inspection mode control, FortiGate supports flow-based and proxy-based inspection:
Configure global inspection mode
config system settings
set inspection-mode {flow | proxy}
set ngfw-mode {profile-based | policy-based}
end
Disable Server Response Inspection (DSRI) per policy
config firewall policy
edit <policy_id>
set dsri {enable | disable}
end
Step‑by‑Step: Policy Validation
- Run `diagnose firewall iprope list 100004` to examine forward policies in evaluation order
- Note the `action=accept` or `action=drop` flags and zone assignments
3. Verify source/destination address ranges and service/port matches
- For NAT issues, check `diagnose firewall iprope list 100002` (SNAT) and `100000` (DNAT/VIP)
- Use `diagnose debug flow` to trace packet processing through each policy stage
4. Session Management and Traffic Analysis
Session table analysis is fundamental to understanding traffic flow, identifying anomalies, and detecting potential DoS attacks. The session table contains an entry for each traffic session passing through a security policy:
View session table statistics diagnose sys session stat Display detailed session statistics (ephemeral, NPU-offloaded, etc.) diagnose sys session full-stat List all active sessions with filters diagnose sys session list Filter sessions by source or destination diagnose sys session filter src <ip_address> diagnose sys session filter dst <ip_address> diagnose sys session list Clear filtered sessions diagnose sys session clear View expectation session statistics (ALG-related) diagnose sys session exp-stat
Key metrics from `diagnose sys session full-stat` include:
ephemeral: Half-open TCP sessions or UDP sessions with only unidirectional traffic—common DoS targetsmemory_tension_drop: Sessions dropped due to low memory (oldest sessions removed)npu_session_count: Sessions offloaded to NPU processors for hardware accelerationnturbo_session_count: Sessions accelerated by nTurbo technologyflush: Sessions deleted by admin action or IPS rules
For packet-level analysis, the packet sniffer provides granular visibility:
Capture packets on any interface with filter diagnose sniffer packet any 'host <ip_address>' 4 Capture IPv6 traffic diagnose sniffer packet any 'host 2001:aa:1::10' 4 Debug packet flow through the firewall diagnose debug enable diagnose debug flow show console enable diagnose debug flow show function enable diagnose debug flow filter saddr <source_ip> diagnose debug flow filter daddr <destination_ip> diagnose debug flow trace start 10 diagnose debug reset
Step‑by‑Step: Session Analysis
- Run `diagnose sys session stat` to check total session count against capacity
- Execute `diagnose sys session full-stat` to examine ephemeral session counts (potential DoS)
- Filter sessions of interest: `diagnose sys session filter src 10.0.0.1` then `diagnose sys session list`
4. For traffic that isn’t being correctly forwarded, use `diagnose debug flow` to trace packet path - Always run `diagnose debug reset` after debugging to prevent performance degradation
5. VPN Troubleshooting (IPsec & SSL VPN)
VPN issues demand systematic CLI debugging. For IPsec VPNs, the IKE daemon controls tunnel establishment:
Display IPsec Phase 1 status diagnose vpn ike gateway list Display Phase 2 tunnels (shows NPU offload flag) diagnose vpn tunnel list Flush a specific Phase 1 gateway diagnose vpn ike gateway flush name <phase1_name> Bring up a Phase 2 tunnel manually diagnose vpn tunnel up <phase2_name> Debug IKE negotiations with filters diagnose debug reset diagnose debug application ike -1 diagnose vpn ike log-filter daddr <peer_ip> diagnose debug enable After capturing output, stop debugging diagnose debug reset
For SSL VPN troubleshooting:
Check SSL VPN status and connected users diagnose vpn ssl status Verify SSL VPN configuration show vpn ssl settings Debug SSL VPN authentication diagnose debug application sslvpn -1 diagnose debug enable
Important Note: Starting from FortiOS 7.6.x, SSL VPN web and tunnel mode features are no longer available from GUI or CLI for FortiGates with 2GB RAM or below—use IPsec dial-up tunnels as an alternative.
Step‑by‑Step: VPN Troubleshooting
- Run `diagnose vpn ike gateway list` to verify Phase 1 status
- Check `diagnose vpn tunnel list` for Phase 2 status and NPU offload indication
- Enable IKE debugging with `diagnose debug application ike -1` and `diagnose debug enable`
4. Apply filters to limit debug output: `diagnose vpn ike log-filter daddr`
5. Analyze the debug output for IKE negotiation failures (proposal mismatches, authentication errors)
6. Always run `diagnose debug reset` when complete
6. NAT, VIP, and Policy Validation
NAT and VIP configurations are frequent sources of connectivity issues. Understanding the packet processing order is essential: DNAT occurs before policy lookup. If a VIP applies port translation, ensure the firewall policy includes the destination port in the Services field.
View VIP (DNAT) policies in iprope format diagnose firewall iprope list 100000 View static SNAT policies diagnose firewall iprope list 100002 Show all VIP configurations show firewall vip Show all IP pools (for SNAT) show firewall ippool Verify Central NAT configuration show firewall central-1at Test connectivity through NAT (use packet sniffer) diagnose sniffer packet any 'host <external_ip>' 4
For Central NAT environments, DNAT and VIP policies are managed centrally:
Configure a virtual IP in CLI config firewall vip edit "web-server-vip" set extip <external_ip> set mappedip <internal_ip> set extintf <interface> set portforward enable set protocol tcp set extport 443 set mappedport 443 end
Step‑by‑Step: NAT/VIP Validation
1. Verify VIP exists: `show firewall vip`
- Confirm DNAT policy in iprope: `diagnose firewall iprope list 100000`
3. Verify the firewall policy referencing the VIP includes correct destination service - Use packet sniffer to confirm traffic reaches the VIP: `diagnose sniffer packet any ‘host
‘ 4`
5. Check session table for the translated session: `diagnose sys session filter dst` then `diagnose sys session list`
7. Logging, Monitoring, and Maintenance Operations
Effective logging and maintenance are foundational to operational resilience:
Display filtered log entries (first 10 messages)
execute log filter
execute log display
Configure syslog server
config log syslogd setting
set status enable
set server <syslog_server_ip>
set format {default | cef}
end
Enable CLI command auditing
config system global
set cli-audit-log enable
end
Enable brief traffic logging format
config log setting
set brief-traffic-format enable
end
Maintenance commands ensure system health and configuration integrity:
Backup current configuration execute backup config tftp <filename> <tftp_server> Restore configuration (reboots device) execute restore config tftp <filename> <tftp_server> Factory reset (use keepvmlicense for VM) execute factoryreset [bash] Factory reset keeping system settings, interfaces, VDOMs, and static routes execute factoryreset2 [bash] Select partition for next reboot execute setnextreboot ? Format log disk execute formatlogdisk Force AV/IPS database update execute update-1ow Check FortiGuard connectivity diagnose autoupd status diagnose debug rating
Step‑by‑Step: Maintenance Checklist
- Regularly backup config: `execute backup config tftp FGT-backup.conf
`
2. Monitor disk health: `diagnose hardware deviceinfo disk`
3. Verify FortiGuard updates: `diagnose autoupd status`
- Check for configuration errors after upgrades: `diagnose debug config-error-log read`
5. Enable CLI audit logging for change tracking: `set cli-audit-log enable`
What Undercode Say:
- CLI proficiency directly correlates with operational resilience – The ability to diagnose and resolve issues via command line consistently reduces MTTR and minimizes business impact during security incidents.
- Effective engineers understand when and why to use commands, not just memorize syntax – The most valuable operational skill is contextual understanding: knowing which diagnostic tool to deploy for each scenario and interpreting output meaningfully.
- Debug commands require discipline – Always set filters before enabling debug, and never forget `diagnose debug reset` after completion. Leaving debug active on a busy FortiGate can seriously degrade performance.
- The iprope table reveals how policies truly evaluate – Understanding the internal policy groups (100000 for DNAT, 100002 for SNAT, 100004 for forward policies) provides unparalleled insight into traffic processing.
- Session statistics expose security threats – Monitoring ephemeral session counts and memory_tension_drop metrics can reveal DoS attacks before they impact production.
Prediction:
- +1 CLI proficiency will become a mandatory competency for SOC analysts as automation and AI-assisted troubleshooting tools increasingly rely on command-line interfaces for integration and data extraction.
- +1 The shift toward infrastructure-as-code will accelerate FortiGate CLI adoption, with configuration scripts and automated remediation workflows replacing point-and-click management in mature security operations.
- -1 Organizations that neglect CLI training will face extended outage durations as GUI-only administrators struggle to diagnose complex issues during critical incidents, widening the operational gap between security teams.
- +1 Fortinet’s continued investment in CLI capabilities—including enhanced debug flows, session analytics, and API-driven automation—will reinforce the command line as the definitive interface for enterprise-grade security operations.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Yasinagirbas Fortinet – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


