FortiGate CLI Mastery: The 7 Essential Command Groups Every Security Engineer Must Know for Zero-Downtime Operations + Video

Listen to this Post

Featured Image

Introduction:

In enterprise network security, operational excellence isn’t defined by deploying next-generation firewalls—it’s measured by how efficiently teams troubleshoot, recover, and maintain resilience when incidents occur. While FortiGate’s graphical interface simplifies daily management, the Command Line Interface (CLI) remains the definitive tool for precision, speed, and deep visibility during critical incidents. This article delivers a comprehensive operational reference across seven essential command groups—from system health diagnostics to VPN troubleshooting—empowering security engineers to reduce Mean Time to Resolution (MTTR) and strengthen cyber defense through command-line proficiency.

Learning Objectives:

  • Master FortiGate CLI commands for system health monitoring, performance diagnostics, and hardware validation
  • Execute interface troubleshooting, routing verification, and network-layer analysis using diagnostic tools
  • Apply firewall policy inspection, session management, and traffic flow debugging techniques
  • Troubleshoot IPsec and SSL VPN connectivity issues using IKE debugging and tunnel analysis
  • Validate NAT, VIP, and policy configurations while implementing logging and maintenance best practices

You Should Know:

  1. System Health and Device Diagnostics – The First Five Commands

When any FortiGate issue arises, these five commands provide a complete snapshot of the device’s state before touching any configuration:

 Display FortiOS version, serial number, HA mode, and license status
get system status

Real-time CPU, memory, session count, and uptime summary
get system performance status

List all interfaces with IP addresses, states, and speeds
get system interface

Show the complete routing table
get router info routing-table all

Display session table statistics (count, capacity)
diagnose sys session stat

For deeper process-level analysis, use diagnose sys top—similar to Linux’s `top` command—to view running processes sorted by CPU or memory usage. Press `Shift + P` to sort by CPU consumption or `Shift + M` for memory ordering. Common high-CPU culprits include `ipsengine` (IPS processing), `sslvpnd` (SSL VPN), `httpsd` (GUI/API activity), and `scanunitd` (AV scanning).

Hardware diagnostics provide essential visibility into physical components:

 View power supply status
diagnose hardware deviceinfo psu

Check fan status and CPU temperature
execute sensor list

Display disk status and partitions
diagnose hardware deviceinfo disk
diagnose sys flash list
execute disk list

Read crash logs for stability analysis
diagnose debug crashlog read

Identify configuration parsing errors after upgrades
diagnose debug config-error-log read

The `execute tac report` command generates an extensive system snapshot, running dozens of diagnostic commands and recording the current state of every feature—invaluable when submitting support tickets to Fortinet TAC.

Step‑by‑Step: System Health Assessment

  1. Connect via SSH or console to the FortiGate CLI
  2. Run `get system status` to verify firmware version and HA role
  3. Execute `get system performance status` to check CPU/memory utilization
  4. If CPU is elevated, run `diagnose sys top 5 20` to identify resource-heavy processes
  5. Use `diagnose debug crashlog read` to review any recent system crashes
  6. Generate `execute tac report` for documentation or support escalation

2. Network Interfaces and Routing Verification

Interface and routing issues are among the most frequent operational challenges. The CLI provides granular visibility that the GUI often obscures:

 Display detailed interface status with IPs and statistics
get system interface

Show interface error counters and physical statistics
diagnose hardware deviceinfo nic <interface_name>

Display low-level interface information including physical links
diagnose netlink interface list

View ARP table (filtered by IP)
get system arp | grep <ip_address>

Show optical transceiver status (fiber interfaces)
get system interface transceiver

Display aggregate interface (LAG) status
diagnose netlink aggregate list

View VLAN interface status
diagnose sys vlan list

Routing validation requires multiple diagnostic perspectives:

 Complete routing table
get router info routing-table all

Underlying routing database
get router info routing-table database

Active routes currently in use by the kernel
diagnose ip route list

Filter route display using prefix lists
config router setting
set show-filter <prefix-list-1ame>
end

Step‑by‑Step: Interface Troubleshooting

  1. Run `get system interface` to verify all interfaces are `up`
    2. If an interface shows errors, use `diagnose hardware deviceinfo nic port1` to examine error counters
  2. For fiber interfaces, check optical levels with `get system interface transceiver`
    4. Verify ARP entries with `get system arp | grep `
    5. Confirm routing with `diagnose ip route list` to see active forwarding decisions

3. Firewall Policies and Security Inspection

Firewall policy verification is critical for security operations. The `iprope` table represents the structured internal format of all configured firewall policies, organized into functional groups that are evaluated sequentially:

 List all firewall policies
show firewall policy

Display complete policy configuration with comments
show full-configuration firewall policy

View static SNAT policies
diagnose firewall iprope list 100002

View VIP (DNAT) policies
diagnose firewall iprope list 100000

View standard Forward policies
diagnose firewall iprope list 100004

View system-generated Local-In policies (management protocols)
diagnose firewall iprope list 10000e

View Traffic Shaping policies
diagnose firewall iprope list 100015

View simple ZTNA policies
diagnose firewall iprope list 100017

For security inspection mode control, FortiGate supports flow-based and proxy-based inspection:

 Configure global inspection mode
config system settings
set inspection-mode {flow | proxy}
set ngfw-mode {profile-based | policy-based}
end

Disable Server Response Inspection (DSRI) per policy
config firewall policy
edit <policy_id>
set dsri {enable | disable}
end

Step‑by‑Step: Policy Validation

  1. Run `diagnose firewall iprope list 100004` to examine forward policies in evaluation order
  2. Note the `action=accept` or `action=drop` flags and zone assignments

3. Verify source/destination address ranges and service/port matches

  1. For NAT issues, check `diagnose firewall iprope list 100002` (SNAT) and `100000` (DNAT/VIP)
  2. Use `diagnose debug flow` to trace packet processing through each policy stage

4. Session Management and Traffic Analysis

Session table analysis is fundamental to understanding traffic flow, identifying anomalies, and detecting potential DoS attacks. The session table contains an entry for each traffic session passing through a security policy:

 View session table statistics
diagnose sys session stat

Display detailed session statistics (ephemeral, NPU-offloaded, etc.)
diagnose sys session full-stat

List all active sessions with filters
diagnose sys session list

Filter sessions by source or destination
diagnose sys session filter src <ip_address>
diagnose sys session filter dst <ip_address>
diagnose sys session list

Clear filtered sessions
diagnose sys session clear

View expectation session statistics (ALG-related)
diagnose sys session exp-stat

Key metrics from `diagnose sys session full-stat` include:

  • ephemeral: Half-open TCP sessions or UDP sessions with only unidirectional traffic—common DoS targets
  • memory_tension_drop: Sessions dropped due to low memory (oldest sessions removed)
  • npu_session_count: Sessions offloaded to NPU processors for hardware acceleration
  • nturbo_session_count: Sessions accelerated by nTurbo technology
  • flush: Sessions deleted by admin action or IPS rules

For packet-level analysis, the packet sniffer provides granular visibility:

 Capture packets on any interface with filter
diagnose sniffer packet any 'host <ip_address>' 4

Capture IPv6 traffic
diagnose sniffer packet any 'host 2001:aa:1::10' 4

Debug packet flow through the firewall
diagnose debug enable
diagnose debug flow show console enable
diagnose debug flow show function enable
diagnose debug flow filter saddr <source_ip>
diagnose debug flow filter daddr <destination_ip>
diagnose debug flow trace start 10
diagnose debug reset

Step‑by‑Step: Session Analysis

  1. Run `diagnose sys session stat` to check total session count against capacity
  2. Execute `diagnose sys session full-stat` to examine ephemeral session counts (potential DoS)
  3. Filter sessions of interest: `diagnose sys session filter src 10.0.0.1` then `diagnose sys session list`
    4. For traffic that isn’t being correctly forwarded, use `diagnose debug flow` to trace packet path
  4. Always run `diagnose debug reset` after debugging to prevent performance degradation

5. VPN Troubleshooting (IPsec & SSL VPN)

VPN issues demand systematic CLI debugging. For IPsec VPNs, the IKE daemon controls tunnel establishment:

 Display IPsec Phase 1 status
diagnose vpn ike gateway list

Display Phase 2 tunnels (shows NPU offload flag)
diagnose vpn tunnel list

Flush a specific Phase 1 gateway
diagnose vpn ike gateway flush name <phase1_name>

Bring up a Phase 2 tunnel manually
diagnose vpn tunnel up <phase2_name>

Debug IKE negotiations with filters
diagnose debug reset
diagnose debug application ike -1
diagnose vpn ike log-filter daddr <peer_ip>
diagnose debug enable

After capturing output, stop debugging
diagnose debug reset

For SSL VPN troubleshooting:

 Check SSL VPN status and connected users
diagnose vpn ssl status

Verify SSL VPN configuration
show vpn ssl settings

Debug SSL VPN authentication
diagnose debug application sslvpn -1
diagnose debug enable

Important Note: Starting from FortiOS 7.6.x, SSL VPN web and tunnel mode features are no longer available from GUI or CLI for FortiGates with 2GB RAM or below—use IPsec dial-up tunnels as an alternative.

Step‑by‑Step: VPN Troubleshooting

  1. Run `diagnose vpn ike gateway list` to verify Phase 1 status
  2. Check `diagnose vpn tunnel list` for Phase 2 status and NPU offload indication
  3. Enable IKE debugging with `diagnose debug application ike -1` and `diagnose debug enable`
    4. Apply filters to limit debug output: `diagnose vpn ike log-filter daddr `
    5. Analyze the debug output for IKE negotiation failures (proposal mismatches, authentication errors)

6. Always run `diagnose debug reset` when complete

6. NAT, VIP, and Policy Validation

NAT and VIP configurations are frequent sources of connectivity issues. Understanding the packet processing order is essential: DNAT occurs before policy lookup. If a VIP applies port translation, ensure the firewall policy includes the destination port in the Services field.

 View VIP (DNAT) policies in iprope format
diagnose firewall iprope list 100000

View static SNAT policies
diagnose firewall iprope list 100002

Show all VIP configurations
show firewall vip

Show all IP pools (for SNAT)
show firewall ippool

Verify Central NAT configuration
show firewall central-1at

Test connectivity through NAT (use packet sniffer)
diagnose sniffer packet any 'host <external_ip>' 4

For Central NAT environments, DNAT and VIP policies are managed centrally:

 Configure a virtual IP in CLI
config firewall vip
edit "web-server-vip"
set extip <external_ip>
set mappedip <internal_ip>
set extintf <interface>
set portforward enable
set protocol tcp
set extport 443
set mappedport 443
end

Step‑by‑Step: NAT/VIP Validation

1. Verify VIP exists: `show firewall vip`

  1. Confirm DNAT policy in iprope: `diagnose firewall iprope list 100000`
    3. Verify the firewall policy referencing the VIP includes correct destination service
  2. Use packet sniffer to confirm traffic reaches the VIP: `diagnose sniffer packet any ‘host ‘ 4`
    5. Check session table for the translated session: `diagnose sys session filter dst ` then `diagnose sys session list`

7. Logging, Monitoring, and Maintenance Operations

Effective logging and maintenance are foundational to operational resilience:

 Display filtered log entries (first 10 messages)
execute log filter
execute log display

Configure syslog server
config log syslogd setting
set status enable
set server <syslog_server_ip>
set format {default | cef}
end

Enable CLI command auditing
config system global
set cli-audit-log enable
end

Enable brief traffic logging format
config log setting
set brief-traffic-format enable
end

Maintenance commands ensure system health and configuration integrity:

 Backup current configuration
execute backup config tftp <filename> <tftp_server>

Restore configuration (reboots device)
execute restore config tftp <filename> <tftp_server>

Factory reset (use keepvmlicense for VM)
execute factoryreset [bash]

Factory reset keeping system settings, interfaces, VDOMs, and static routes
execute factoryreset2 [bash]

Select partition for next reboot
execute setnextreboot ?

Format log disk
execute formatlogdisk

Force AV/IPS database update
execute update-1ow

Check FortiGuard connectivity
diagnose autoupd status
diagnose debug rating

Step‑by‑Step: Maintenance Checklist

  1. Regularly backup config: `execute backup config tftp FGT-backup.conf `

2. Monitor disk health: `diagnose hardware deviceinfo disk`

3. Verify FortiGuard updates: `diagnose autoupd status`

  1. Check for configuration errors after upgrades: `diagnose debug config-error-log read`
    5. Enable CLI audit logging for change tracking: `set cli-audit-log enable`

What Undercode Say:

  • CLI proficiency directly correlates with operational resilience – The ability to diagnose and resolve issues via command line consistently reduces MTTR and minimizes business impact during security incidents.
  • Effective engineers understand when and why to use commands, not just memorize syntax – The most valuable operational skill is contextual understanding: knowing which diagnostic tool to deploy for each scenario and interpreting output meaningfully.
  • Debug commands require discipline – Always set filters before enabling debug, and never forget `diagnose debug reset` after completion. Leaving debug active on a busy FortiGate can seriously degrade performance.
  • The iprope table reveals how policies truly evaluate – Understanding the internal policy groups (100000 for DNAT, 100002 for SNAT, 100004 for forward policies) provides unparalleled insight into traffic processing.
  • Session statistics expose security threats – Monitoring ephemeral session counts and memory_tension_drop metrics can reveal DoS attacks before they impact production.

Prediction:

  • +1 CLI proficiency will become a mandatory competency for SOC analysts as automation and AI-assisted troubleshooting tools increasingly rely on command-line interfaces for integration and data extraction.
  • +1 The shift toward infrastructure-as-code will accelerate FortiGate CLI adoption, with configuration scripts and automated remediation workflows replacing point-and-click management in mature security operations.
  • -1 Organizations that neglect CLI training will face extended outage durations as GUI-only administrators struggle to diagnose complex issues during critical incidents, widening the operational gap between security teams.
  • +1 Fortinet’s continued investment in CLI capabilities—including enhanced debug flows, session analytics, and API-driven automation—will reinforce the command line as the definitive interface for enterprise-grade security operations.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Yasinagirbas Fortinet – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky