fnsysctl.net — FortiGate CLI Reference

Default Device Information

Item	Default Value	Notes
Management IP	`192.168.1.99`	port1 (Software Switch LAN1–LANX) or dedicated MGMT port
Admin username	`admin`	—
Admin password	none (blank)	Set a password immediately after first login
HTTPS GUI	`https://192.168.1.99`	—

Serial Console / PuTTY Settings

Device	Baud Rate	Data Bits	Parity	Stop Bits	Flow Control
FortiGate (FGT)	`9600`	8	N (None)	1	Disabled (no RTS/CTS)
FortiSwitch (FSW)	`115200`	8	N (None)	1	Disabled (no RTS/CTS)

Baud rate — transmission speed in bits per second
Data bits: 8 — each packet contains 8 bits of data
Parity: N — no parity bit used for error checking
Stop bits: 1 — one stop bit signals the end of each data packet
Flow control: Disabled — no RTS/CTS hardware handshaking

CLI Command Trees & Abbreviations

FortiOS accepts shortened command prefixes — type just enough letters to be unambiguous:

Full Command	Short Form	Purpose	Example
`get`	`ge`	Read running/compiled state	`ge sys status`
`show`	`sh`	Display saved config (NVRAM)	`sh sys interface`
`diagnose`	`diag` / `di`	Diagnostics, debug, real-time views	`di sys top`
`execute`	`exec` / `ex`	One-shot actions & maintenance	`ex ping 8.8.8.8`
`config`	`con` / `co`	Enter a config context to change settings	`co sys interface`

Configuration Verbs

Verb	Meaning
`set`	Assigns a value to a config parameter. Overwrites any existing value.
`unset`	Reverts a config parameter to its factory default value.
`append`	Adds to a multi-value parameter without overwriting existing entries (e.g., adding a DNS server).
`unselect`	Deselects a specific item from a multi-select list without clearing the whole set.

CLI Navigation & Keyboard Shortcuts

Shortcut	Action
`?` after a command	List available sub-commands or arguments at the current level
`Tab`	Auto-complete the current command or argument
`Ctrl` + `A`	Jump to the start of the line
`Ctrl` + `E`	Jump to the end of the line
`Ctrl` + `R`	Reverse search through command history
`Ctrl` + `C`	Abort current command or stop debug output

# Output filtering (pipe to grep)
show full-configuration | grep <pattern>
get system interface | grep -f port1      ← -f includes surrounding context lines

# See GUI wizard steps as CLI commands in real time
diagnose debug cli 7
diagnose debug enable

VDOM Context

# List and switch VDOMs
config vdom
    edit <vdom-name>   ← switch CLI context into VDOM
    next
end

# Access global or specific VDOM directly via sudo (7.2+)
sudo global
sudo <vdom-name>

# Check current VDOM context
get system status | grep VDOM

System status & performance

```
get system status
```
firmware version, serial number, hostname, HA mode, uptime
```
get system performance status
```
CPU load, memory %, active sessions, network throughput — one-shot snapshot
```
diagnose sys top 3 30
```
live process monitor — refresh every 3 s, show 30 rows; P=sort CPU M=sort memory q=quit
```
diagnose sys top-mem
```
one-shot process list sorted by memory consumption

Support report

```
execute tac report
```
generate a compressed support report and upload it to FortiCloud / send to TAC

Process management

```
diagnose sys process sock-mem
```
per-process socket memory usage — useful for detecting memory-leaking daemons
```
diagnose sys process pstack <pid>
```
dump userspace call stack of a running process (for Fortinet TAC)
```
diagnose sys kill <signal> <pid>
```
send signal to process — 11=SIGSEGV (restart), 9=SIGKILL (force kill)

Killing critical daemons (iked, scanunitd, sslvpnd) will disrupt traffic.

Crash & config error logs

```
diagnose debug crashlog read
```
view crash log — daemon name, PID, signal received, timestamp
```
diagnose debug config-error-log read
```
view config parse errors — useful after firmware upgrades with deprecated syntax

Firmware upgrade

execute restore image tftp <filename> <tftp-ip>

upload and apply firmware image via TFTP

execute restore image ftp <filename> <ftp-ip>[:<port>] [<user> <pass>]

upload and apply firmware image via FTP

Device reboots immediately after image validation. Verify model compatibility first.

Backup & restore config

execute backup config tftp <filename> <tftp-ip>

backup running config to TFTP server

execute backup config ftp <filename> <ftp-ip> [<user> <pass>]

backup running config to FTP server

```
execute restore config tftp <filename> <tftp-ip>
```
restore config from TFTP server (device reboots after load)

Factory reset

```
execute factoryreset
```
wipe entire configuration
```
execute factoryreset2
```
wipe config but retain admin account, interfaces & static routes
```
execute factoryreset-shutdown
```
factory reset then power off
```
execute factoryreset keepvmlicense
```
wipe config but keep VM licence (VM platforms only)

All configuration is lost. Requires console access to reconfigure.

Conserve mode (low memory)

```
diagnose hardware sysinfo conserve
```
show current memory state, free %, and conserve-mode thresholds
```
diagnose sys scanunit restart
```
restart AV/IPS scan daemon to free memory when stuck in conserve mode

# memory conserve mode:             off
# total RAM:                        2043 MB
# memory used:                       666 MB    32% of total RAM
# memory freeable:                   317 MB    15% of total RAM
# memory used + freeable threshold extreme:  1940 MB  95%  ← sessions dropped
# memory used threshold red:        1797 MB   88%          ← conserve mode ON
# memory used threshold green:      1675 MB   82%          ← conserve mode OFF

Thresholds: Green (82%) = exits conserve mode. Red (88%) = enters conserve mode (new UTM scanning skipped). Extreme (95%) = new sessions are dropped. All percentages configurable 70–97%.

Debug output control

```
diagnose debug enable
```
start streaming debug output to the current CLI session
```
diagnose debug disable
```
stop debug output (debug levels are preserved)
```
diagnose debug reset
```
reset ALL debug levels to 0
```
diagnose debug console timestamp enable
```
prepend a timestamp to every debug line
```
diagnose debug cli 7
```
echo GUI / WebUI config changes as CLI commands in real time (run with debug enable)

Reboot / shutdown

```
execute reboot
```
gracefully reboot the device
```
execute shutdown
```
power off the device

Interface & IP lists

```
get system interface physical
```
all physical interfaces with IP/status
```
diagnose ip address list
```
all IPs assigned to FGT interfaces
```
diagnose firewall iplist list
```
IPs used in VIPs (Virtual IPs)
```
diagnose firewall ippool list
```
IPs used in IP pools (SNAT pools)
```
diagnose netlink interface list
```
kernel-level list: includes MTU & device ID

Physical NIC detail & transceivers

```
get hardware nic <interface>
```
driver info, speed, duplex, error counters
```
diagnose hardware deviceinfo nic <intf>
```
detailed NIC stats from OS perspective
```
get system interface physical
```
includes transceiver signal info for SFP/SFP+

ARP table

```
diagnose ip arp list
```
show ARP cache entries
```
get system arp
```
alternative ARP table view
```
execute clear system arp table
```
flush entire ARP cache

Ping

```
execute ping x.x.x.x
```
basic ICMP ping to target IP
```
execute ping-options source <src-ip>
```
set source IP for ping (must set BEFORE execute ping)
```
execute ping-options repeat-count 10
```
set number of ping packets to send
```
execute ping-options data-size 1400
```
set ping payload size in bytes
```
execute ping-options df-bit yes
```
set DF bit to test path MTU
```
execute ping-options timeout 5
```
set ping timeout in seconds

Traceroute

```
execute traceroute x.x.x.x
```
trace route to destination IP

execute traceroute-options source <src-ip>

set source IP for traceroute

execute traceroute-options use-sdwan enable

traceroute follows SD-WAN policy path

Telnet (connectivity test)

```
execute telnet x.x.x.x <port>
```
test TCP connectivity to host and port
```
execute telnet-options source <src-ip>
```
set source IP for telnet test

Integrated iPerf utility 7.4+

```
diagnose traffictest server-intf <intf>
```
set iPerf server interface
```
diagnose traffictest client-intf <intf>
```
set iPerf client interface
```
diagnose traffictest port <port>
```
set iPerf port (default 5001)

diagnose traffictest run -c <iperf-server-ip>

run iPerf client test against server IP

```
execute iperf3 server start
```
start iPerf3 server (7.4+ syntax)

execute iperf3 client <server-ip> bw 1G duration 30

run iPerf3 client test at 1 Gbps for 30 seconds

```
execute speed-test start
```
start built-in Internet speed test (7.4+)
```
execute speed-test status
```
show speed test result

DNS resolution

```
execute nslookup name <hostname>
```
resolve hostname using configured DNS servers

execute nslookup name <hostname> server <dns-ip>

resolve hostname using a specific DNS server

```
diagnose test application dnsproxy 6
```
dump DNS proxy cache

Interface RX/TX counters

```
diagnose netlink interface stats <intf>
```
rx_packets, rx_bytes, rx_dropped, tx_packets, tx_bytes, tx_dropped, collisions

LLDP / CDP

```
diagnose netlink lldp list
```
list LLDP neighbors
```
diagnose netlink lldp summary
```
summary of LLDP neighbor information

Fabric topology & neighbors

```
diagnose system csf upstream
```
list upstream Fabric devices
```
diagnose system csf downstream
```
list downstream Fabric devices
```
diagnose system csf neighbor list
```
MAC/IP list of connected FortiGate devices

Security Fabric daemon debug

```
diagnose test appl csfd 1
```
display Security Fabric statistics
```
diagnose debug appl csfd -1
```
real-time csf daemon debugger
```
diagnose debug enable
```
start streaming debug output to current CLI session

Automation stitches

```
diagnose automation test <stitch_name>
```
manually trigger an automation stitch for testing

Endpoint records

```
diagnose endpoint record list
```
all endpoint records on this FortiGate
```
diagnose endpoint record list <ip>
```
filter endpoint records by IP

Security rating

diagnose report-runner trigger security-rating-reports

manually trigger security rating check

Modem detection

```
diagnose system modem detect
```
detect attached USB modem
```
diagnose debug appl modemd 3
```
modem daemon debugger

Phase 1 status

```
diagnose vpn ike gateway list
```
list all P1 gateways
```
diagnose vpn ike gateway list name <p1>
```
show specific P1 gateway details
```
get vpn ike gateway
```
detailed gateway config + runtime info

Phase 2 / SA status

```
diagnose vpn tunnel list
```
list all P2 tunnels
```
diagnose vpn tunnel list name <p2>
```
show specific P2 tunnel details
```
get vpn ipsec tunnel summary
```
IPsec tunnel summary with SA counts
```
get vpn ipsec tunnel details
```
includes SPI, bytes, lifetime
```
get vpn ipsec stats tunnel
```
detailed tunnel statistics
```
diagnose vpn ipsec status
```
IPsec crypto status overview

Sample: `diagnose vpn ike gateway list` output

vd: root/0
name: to_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500    ← local:remote IP:port
created: 5s ago
IKE SA:    created 1/1  established 1/1  time 0/0/0 ms
IPsec SA:  created 2/2  established 2/2  time 0/0/0 ms
id/spi: 12  6e8d0532e7fe8d84 / 3694ac323138a024
direction: responder                           ← this unit answered the IKE request
status: established 5-5s ago = 0ms
proposal: aes128-sha256
lifetime/rekey: 86400 / 86124                  ← total SA lifetime / seconds until rekey
DPD sent/recv: 00000000 / 00000000

Field	Meaning
IKE SA created/established	Number of IKE SAs created vs successfully established (want equal)
IPsec SA created/established	Number of child (data-plane) SAs. Typically 2 (one each direction)
direction: responder	Remote peer initiated the IKE exchange; this unit responded
lifetime/rekey	SA valid for 86400 s (24 h); rekeying starts at 86124 s remaining
DPD sent/recv	Dead Peer Detection counters — 0/0 = healthy, no DPD failures

Sample: `diagnose vpn tunnel list` output

name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0 tun_id=172.16.202.1
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0
natt: mode=none
SA: ref=3 options=18227 type=00 mtu=1438 expire=42927/0B replaywin=2048
life: type=01 bytes=0/0 timeout=42930/43200
dec: spi=ef9ca700 esp=aes key=16 ...
enc: spi=791e898e esp=aes key=16 ...

Field	Meaning
mtu=1438	Effective MTU inside tunnel (after ESP/IP overhead)
replaywin=2048	Anti-replay window size in packets
natt: mode=none	NAT-Traversal not active (no NAT between peers)
dpd: mode=on-demand	DPD only sent when traffic needs to flow but peer appears silent
dec: spi / enc: spi	Security Parameter Index for inbound (decrypt) / outbound (encrypt) SA

IKE Debug (full workflow)

diagnose vpn ike log-filter dst-addr4 <remote-ip>

scope IKE debug to one peer (prevents log flood)

```
diagnose debug appl ike 63
```
enable IKE debug verbosity (63 = all IKE events)
```
diagnose debug enable
```
start streaming debug output to current CLI session

diagnose vpn ike gateway flush name <p1-name>

flush SA to force re-negotiation

```
diagnose debug disable
```
stop debug output
```
diagnose debug reset
```
reset all debug levels to 0
```
diagnose vpn ike log-filter clear
```
clear IKE log filter

On a busy device with many tunnels use log-filter to scope to one peer. Level -1 or 63 is very verbose.

Flush / reset tunnels

diagnose vpn ike gateway flush name <p1-name>

delete Phase 1 SA

diagnose vpn tunnel flush name <p2-name>

delete Phase 2 SA

```
execute vpn ike restart
```
restart iked daemon (ALL tunnels drop)

SSL-VPN status & debug

```
diagnose vpn ssl list
```
list active SSL-VPN sessions
```
diagnose vpn ssl statistics
```
SSL-VPN connection statistics
```
get vpn ssl monitor
```
SSL-VPN monitor with user and tunnel details
```
diagnose debug application sslvpn -1
```
enable SSL-VPN debug (all events)
```
diagnose debug enable
```
start streaming debug output to current CLI session

Common IPsec Error Codes

Error / Message	Likely Cause	Fix
`NO_PROPOSAL_CHOSEN`	Phase 1/2 proposal mismatch	Align encryption/hash/DH group on both peers
`INVALID_ID_INFORMATION`	Local/remote ID mismatch	Check `localid` / peer-id settings
`AUTHENTICATION_FAILED`	PSK mismatch or cert issue	Re-verify PSK; check cert serial & CA chain
`TS_UNACCEPTABLE`	Traffic selector (Phase 2 subnet) mismatch	Verify Phase 2 subnets match exactly on both sides
`INVALID_PAYLOAD_TYPE`	IKE version mismatch (v1 vs v2)	Set both ends to the same IKE version
`DPD timeout`	Peer unreachable or MTU issue	Check routing; try reducing MTU to 1400
`delete_ike_sa: error`	iked restarted mid-negotiation	Flush SA and retry; check daemon stability

Routing table

```
get router info routing-table all
```
full routing table (active routes only)
```
get router info routing-table connected
```
show connected routes only
```
get router info routing-table static
```
show static routes only

get router info routing-table details <x.x.x.x>

routing decision for a specific IP

```
get router info routing-table database
```
includes inactive (not-best) routes
```
get router info kernel
```
kernel FIB — what is actually used for forwarding
```
get router info protocols
```
overview of dynamic routing protocol config

Routing table route type codes

Code	Meaning
K	Kernel route (directly connected, OS-generated)
C	Connected network (interface has IP in this subnet)
S	Static route (manually configured)
R	RIP — Routing Information Protocol
B	BGP — Border Gateway Protocol
O	OSPF — Open Shortest Path First
IA	OSPF inter-area route
E1 / E2	OSPF external type 1 / type 2
N1 / N2	OSPF NSSA external type 1 / type 2
i / L1 / L2 / ia	IS-IS / level-1 / level-2 / inter-area
V	BGP VPNv4 route
*	Candidate default route

Route cache & policy routing

```
diagnose ip rtcache list
```
route cache entries (fast-path lookups)
```
diagnose firewall proute list
```
policy-based route (PBR) entries with priority/gateway/intf
```
execute router restart
```
restart the routing process (brief interruption)

Link monitor

```
diagnose system link-monitor status
```
overall link-monitor state
```
diagnose system link-monitor interface
```
per-interface link-monitor detail
```
diagnose system link-monitor launch
```
trigger WAN LLB (link load balance)

BGP

```
get router info bgp summary
```
BGP neighbor summary with state and prefixes
```
get router info bgp neighbors
```
detailed BGP neighbor information

get router info bgp neighbors <peer-ip> advertised-routes

routes advertised to a specific BGP peer

get router info bgp neighbors <peer-ip> received-routes

routes received from a specific BGP peer

```
get router info bgp network
```
BGP network table
```
diagnose ip router bgp all enable
```
enable real-time BGP debug output
```
diagnose ip router bgp level info
```
set BGP debug verbosity to info level
```
diagnose debug enable
```
start streaming debug output to current CLI session
```
execute router clear bgp all
```
reset all BGP sessions

execute router clear bgp neighbor <peer-ip>

reset BGP session with a specific peer

OSPF

```
get router info ospf status
```
OSPF process status and router ID
```
get router info ospf neighbor
```
OSPF neighbor adjacency state
```
get router info ospf interface
```
OSPF per-interface details
```
get router info ospf database brief
```
LSDB summary

get router info ospf database router lsa

detailed LSA entries

get router info ospf database self-originate

LSAs originated by this unit

```
diagnose ip router ospf all enable
```
enable real-time OSPF debug output
```
diagnose ip router ospf level info
```
set OSPF debug verbosity to info level
```
diagnose debug enable
```
start streaming debug output to current CLI session
```
execute router clear ospf process
```
restart OSPF (brief neighbor drop)

SD-WAN

```
diagnose sys sdwan health-check status
```
SLA states for all health checks

diagnose sys sdwan health-check status filter <name>

SLA state for a specific health-check

```
diagnose sys sdwan member
```
interface details (bandwidth, latency, jitter)
```
diagnose sys sdwan service <rule-id>
```
SD-WAN rule state for specific rule

diagnose sys sdwan intf-sla-log <intf-name>

link traffic history per interface

diagnose sys sdwan sla-log <sla> <link_id>

SLA log on a specific interface/link

```
get system sdwan
```
show SD-WAN configuration
```
diagnose test appl lnkmtd 0
```
link-monitor stats (0=reset, 1=print, 2=debug)
```
diagnose debug appl link-mon -1
```
real-time link-monitor debugger
```
diagnose debug enable
```
start streaming debug output to current CLI session
```
diagnose sys sdwan passive-health-check <member>
```
show passive health-check state for a member (7.4+)

ECMP vs SD-WAN Load-Balancing Algorithms

ECMP Mode	SD-WAN Equivalent	Behavior
Source IP-based	Source IP	All sessions from the same source IP use the same path (default)
Weight-based	Sessions	Workload distributed proportionally by configured weight / session count
Usage-based	Spillover	Path used until bandwidth threshold exceeded; traffic spills to next path
Source-Destination IP	Source-Destination IP	Hash on src+dst IP pair; same src+dst always use the same path

ECMP requires all routes to have the same distance and priority. If one route has a lower distance, it wins exclusively — ECMP does not apply.

Policy lookup (which policy matches traffic)

diagnose firewall iprope lookup <src-ip> <dst-ip> <proto> <src-port> <dst-port> <in-intf>

find which policy matches given traffic parameters

diagnose firewall iprope lookup 10.1.1.10 8.8.8.8 6 12345 80 port1

example: HTTP from 10.1.1.10 to 8.8.8.8 via port1

Policy hit counts & counter reset

```
diagnose firewall iprope show 100004
```
show all policies with hit counters (table 100004)
```
diagnose firewall iprope clear 100004
```
reset all policy hit counters

diagnose firewall iprope clear 100004 <id>

reset counters for a specific policy ID

IPS debug

```
diagnose test application ipsmonitor 1
```
show IPS engine status
```
diagnose ips filter src-ip <ip>
```
scope IPS debug filter to source IP
```
diagnose ips filter enable
```
enable IPS debug filter
```
diagnose debug application ipsengine 7
```
enable IPS engine debug at level 7
```
diagnose debug enable
```
start streaming debug output to current CLI session

AV / scanning

```
diagnose antivirus version
```
show AV engine and signature database version
```
diagnose test application scanunitd 1
```
scanunit status
```
diagnose test application scanunitd 3
```
scanunit stats & memory usage
```
diagnose debug application scanunitd 7
```
enable scanunit debug at level 7
```
diagnose debug enable
```
start streaming debug output to current CLI session

Web filter & application control

```
diagnose debug application urlfilter -1
```
enable URL filter debug (all events)
```
diagnose debug enable
```
start streaming debug output to current CLI session

diagnose test application urlfilter 2 <url>

FortiGuard category lookup for a URL

NAT / IP pool

```
diagnose firewall ippool-all list
```
list all IP pool entries across all VDOMs

diagnose firewall ippool list <pool-name>

list IP pool entries for a specific pool

diagnose sys session filter natsrcip <nat-ip>

filter sessions by NAT source IP

```
diagnose sys session list
```
list sessions matching current filter

DPI / SSL inspection

```
diagnose debug application ssl -1
```
enable SSL inspection debug (all events)
```
diagnose debug enable
```
start streaming debug output to current CLI session
```
diagnose test application sslworker 1
```
show SSL worker daemon status

HA status overview

```
get system ha status
```
mode, group, heartbeat intf, master/slave priority
```
diagnose system ha history read
```
details about past HA events (failovers, etc.)
```
diagnose system ha dump-by vcluster
```
show cluster member uptime per vcluster

HA sync checksums

```
diagnose sys ha checksum cluster
```
compare checksums across all members
```
diagnose sys ha checksum show [vdom]
```
detailed checksum for local unit or specific VDOM
```
diagnose sys ha checksum recalculate
```
force recalculation when master/slave are out of sync

When checksums differ, the output identifies the specific config table that is out of sync (e.g., firewall.policy).

Failover & member management

```
diagnose system ha reset-uptime
```
lower local uptime to trigger re-election
```
execute ha failover status
```
view current failover status
```
execute ha failover set <cluster_id>
```
force specific device into failover state (becomes standby)

execute ha ignore-hardware-revision status

view HW revision ignore setting

```
execute ha ignore-hardware-revision enable
```
allow HA between different HW revisions (labs/RMA)

execute ha ignore-hardware-revision disable

re-enable HW revision check for HA

```
execute ha manage <member-id> <username>
```
connect to secondary via HA management tunnel
```
diagnose sys ha dump-by-vcluster
```
list member IDs

Triggering failover causes a brief traffic interruption during master re-election.

HA sync debug

```
diagnose debug appl hasync -1
```
enable HA sync daemon debug (all events)
```
diagnose debug appl hatalk -1
```
enable HA talk daemon debug (all events)
```
diagnose debug enable
```
start streaming debug output to current CLI session
```
diagnose debug disable
```
stop debug output
```
diagnose debug reset
```
reset all debug levels to 0

Manual HA re-sync (last resort)

```
execute ha synchronize stop
```
stop HA configuration synchronisation
```
execute ha synchronize start
```
start HA configuration synchronisation

HA Status Fields

Field	Meaning
`is_root_master`	This unit is the active (master) member
`override`	Master override enabled — highest-priority device always wins elections
`ses_pickup`	Session pickup enabled — standby syncs active sessions for graceful failover
`load_balance_all`	FGCP A-A load balancing mode active
`vcluster_state`	Per-VDOM cluster state (used in A-A VDOM mode)

Log config overview

```
show log setting
```
show logging configuration
```
show log fortianalyzer setting
```
show FortiAnalyzer log forwarding settings
```
show log syslogd setting
```
show syslog forwarding settings

View disk logs

```
execute log filter category 1
```
set log category filter (1=traffic, 2=event, 3=virus, etc.)
```
execute log filter start-line 1
```
set start line for log display
```
execute log filter max-checklines 50
```
set maximum number of log lines to display
```
execute log display
```
display logs matching current filter

FortiAnalyzer & test log

```
diagnose test application miglogd 6
```
FAZ connection status
```
diagnose log test
```
send a test log entry to all configured targets
```
diagnose debug application miglogd 255
```
enable log forwarding daemon debug (all events)
```
diagnose debug enable
```
start streaming debug output to current CLI session

Log disk usage

```
diagnose sys logdisk usage
```
show log disk usage percentage
```
diagnose sys logdisk stat
```
detailed log disk statistics

Log Category IDs

ID	Category	Description
0000	traffic	Forward, local, sniffer traffic logs
0001	event	System, VPN, user, router, WAD events
0002	virus	AV detections
0003	webfilter	URL category blocks/monitors
0004	ips	IPS detections & anomalies
0005	emailfilter	Spam detections
0006	anomaly	DoS policy anomalies
0008	voip	VoIP session tracking
0009	dlp	Data loss prevention hits
0011	app-ctrl	Application control hits
0012	waf	Web application firewall events
0059	ssh	SSH inspection events
0061	ssl	SSL inspection events

Log Severity Levels

Level	Value	Meaning
emergency	0	System unusable
alert	1	Immediate action needed
critical	2	Critical conditions
error	3	Error conditions
warning	4	Warning conditions
notice	5	Normal significant events
information	6	Informational
debug	7	Debug-level messages

Packet Sniffer Syntax

diagnose sniffer packet <interface> '<bpf-filter>' <verbose> <count> <timestamp>

# <interface>  : interface name or  any
# <bpf-filter> : BPF expression in single quotes; '' = no filter (all traffic)
# <verbose>    : 1–6 (see table below)
# <count>      : number of packets then stop; 0 = infinite (Ctrl+C to stop)
# <timestamp>  : a = absolute UTC  |  l = local time  |  (blank) = relative from start

Verbose levels

Level	Output
1	One-line summary (protocol, src/dst, length)
2	IP header detail
3	IP header + Ethernet header + hex dump
4	One-line summary + interface name
5	IP header + interface name
6	IP + Ethernet + hex + interface name (convertible to .pcap via Perl script)

BPF filter options

Filter	Description
host x.x.x.x	Match packets where src OR dst = x.x.x.x
src x.x.x.x	Match packets where source IP = x.x.x.x
dst x.x.x.x	Match packets where destination IP = x.x.x.x
net x.x.x.x/24	Match any address within the subnet
port xx	Match TCP or UDP packets on port xx
src port xx	Match packets originating from source port xx
dst port xx	Match packets destined to port xx
tcp	TCP packets only
udp	UDP packets only
icmp	ICMP packets only
arp	ARP packets only
ip proto <n>	Match by IP protocol number
ether proto <n>	Match by Ethernet protocol type
less <n>	Packets smaller than n bytes
greater <n>	Packets larger than n bytes

Combine with: and, or, not — e.g., 'src x.x.x.x and tcp port 443'

Examples

```
diagnose sniffer packet any 'host 1.2.3.4' 1 0 a
```
all traffic to/from 1.2.3.4 on any interface, 1-line, forever

diagnose sniffer packet port1 'tcp port 443' 4 100 l

100 packets for HTTPS on port1, with local timestamp

diagnose sniffer packet any 'host 10.0.1.1 and host 10.0.2.1' 1 0 a

traffic between two specific hosts

diagnose sniffer packet any 'not icmp' 1 0 a

all traffic except ICMP

diagnose sniffer packet any 'src 10.1.1.5 and tcp port 80' 1 0 a

source IP 10.1.1.5 to TCP port 80

diagnose sniffer packet any 'net 192.168.10.0/24' 2 50 a

full subnet capture, 50 packets, with IP header detail

Debug Flow (full sequence)

```
diagnose debug flow filter addr <src-or-dst-ip>
```
scope debug flow to an IP (mandatory — prevents output flood)

diagnose debug flow filter saddr <src-ip>

filter debug flow by source IP

diagnose debug flow filter daddr <dst-ip>

filter debug flow by destination IP

diagnose debug flow filter net <x.x.x.x/mask>

filter debug flow by subnet

```
diagnose debug flow filter port <port>
```
filter debug flow by port number

diagnose debug flow filter proto tcp|udp|icmp

filter debug flow by protocol

```
diagnose debug flow show iprop enable
```
enable IP routing display in debug flow output

diagnose debug flow show function-name enable

show function names in debug flow output

```
diagnose debug flow trace start 100
```
start debug flow trace, limit to 100 packets
```
diagnose debug enable
```
start streaming debug output to current CLI session
```
diagnose debug flow trace stop
```
stop debug flow trace
```
diagnose debug disable
```
stop debug output
```
diagnose debug flow filter clear
```
clear debug flow filter

Debug flow adds per-packet CPU overhead. Always set a tight filter and stop promptly on production devices.

Key Debug Flow Messages

Message	Meaning
`allocate a new session`	New session created in session table
`find a route: gw-> <ip> via <intf>`	Routing lookup result — packet will exit this interface
`Denied by forward policy check`	No matching allow policy found (implicit deny)
`iprope_in_check() check failed`	Packet blocked at policy check (implicit deny)
`SNAT <src> to <nat-ip>`	Source NAT applied
`DNAT <dst> to <real-ip>`	Destination NAT (VIP) applied
`reverse path check fail`	RPF check failed — asymmetric routing
`drop by ips`	IPS engine blocked the packet
`offload to npu`	Session handed to hardware NP processor
`nturbo route`	NTurbo (SW fast-path) is handling this session

Session filter & list

```
diagnose sys session filter src <ip>
```
filter sessions by source IP
```
diagnose sys session filter dst <ip>
```
filter sessions by destination IP

diagnose sys session filter dport <port>

filter sessions by destination port

diagnose sys session filter sport <port>

filter sessions by source port

diagnose sys session filter proto <6|17|1>

filter sessions by protocol (TCP/UDP/ICMP)

```
diagnose sys session filter policy <id>
```
filter sessions matching a specific policy ID

diagnose sys session filter natsrcip <ip>

filter sessions with this NAT source IP

```
diagnose sys session list
```
list sessions matching current filter
```
diagnose sys session stat
```
show session statistics and memory usage
```
diagnose sys session full-stat
```
session counts per VDOM
```
diagnose sys session filter clear
```
clear all session filters
```
diagnose system session filter src <ip>
```
alternative syntax: filter sessions by source IP
```
diagnose system session list
```
alternative syntax: list matching sessions

Clear sessions

```
diagnose sys session clear
```
clears ALL sessions (NEVER on production without filter first)
```
diagnose sys session filter src 10.1.1.100
```
set source IP filter before clearing (safe approach)

Clearing all sessions drops every active connection, including your management session.

Policy counter reset

```
diagnose firewall iprope clear 100004
```
reset hit counters for all policies

diagnose firewall iprope clear 100004 <id>

reset counter for one specific policy

Session Flag Bitmask

Flag	Hex	Meaning
`may_dirty`	0x01	Session may need policy re-evaluation
`dirty`	0x02	Session flagged for re-check on next packet
`npu`	0x08	Session offloaded to NP hardware
`nturbo`	0x10	NTurbo (CPU fast-path) offload active
`synced`	0x20	Session synced to HA peer
`log`	0x40	Session logging enabled for this flow
`auth`	0x100	Session authenticated — user identity known
`redir`	0x400	Session redirected (WAD/proxy)

proto_state (TCP)

proto_state	TCP State	Notes
0/0	NONE	SYN not yet seen
1/0	SYN_SENT	SYN seen, SYN-ACK not yet received
1/1	SYN_RCVD	SYN + SYN-ACK seen
2/2	ESTABLISHED	Full 3-way handshake complete
3/x	FIN_WAIT	FIN sent by client
5/5	CLOSE_WAIT	Both FINs seen
6/6	TIME_WAIT	Awaiting timer expiry

Test auth servers

diagnose test authserver ldap <server-name> <username> <password>

test LDAP authentication with specific credentials

diagnose test authserver radius <server-name> <auth-type> <username> <password>

test RADIUS auth (auth-type: pap | chap | mschapv2)

Active users & server config

```
diagnose firewall auth list
```
authenticated firewall users with group membership
```
get user radius
```
show RADIUS server configuration
```
get user ldap
```
show LDAP server configuration
```
get user local
```
show local user accounts

FSSO

```
diagnose debug authd fsso list
```
FSSO sessions (who is logged in)
```
diagnose debug authd fsso server-status
```
connectivity to FSSO Collector Agent

diagnose debug authd fsso refresh-logons

force re-poll of logon events

fnbamd (auth daemon) debug

```
diagnose debug application fnbamd -1
```
enable auth daemon debug (all events)
```
diagnose debug enable
```
start streaming debug output to current CLI session
```
diagnose debug disable
```
stop debug output
```
diagnose debug reset
```
reset all debug levels to 0

EMS connectivity

diagnose endpoint fctems test connectivity <EMS-name>

verify FGT to EMS reachability

```
diagnose test app fcnacd 2
```
dump EMS connectivity info
```
execute fctems verify <EMS-name>
```
verify EMS certificate

FortiClient NAC daemon debug

```
diagnose debug application fcnacd -1
```
enable FortiClient NAC daemon debug (all events)
```
diagnose debug enable
```
start streaming debug output to current CLI session
```
diagnose debug disable
```
stop debug output

Endpoint records & ZTNA tags

```
diagnose endpoint record list <ip>
```
endpoint record for a specific IP
```
diagnose wad dev query-by ipv4 <ip>
```
WAD device info for an IP address
```
diagnose firewall dynamic list
```
EMS ZTNA tags + dynamic IP and MAC addresses

System hardware info

```
diagnose hardware sysinfo cpu
```
CPU type, core count, utilisation
```
diagnose hardware sysinfo memory
```
total/used/free RAM
```
diagnose hardware sysinfo shm
```
shared memory usage (inter-process)
```
diagnose hardware sysinfo conserve
```
conserve mode thresholds & current state
```
diagnose hardware test suite all
```
full hardware self-test (newer models)
```
get hardware status
```
ASIC & NP processor info

SSL-VPN hardware acceleration

get vpn status ssl hw-acceleration-status

shows whether SSL crypto is NP-offloaded

NP6 offload stats

```
diagnose npu np6 port-list
```
list NP6 ports and their assignments
```
diagnose npu np6 session-stats
```
NP6 offloaded session statistics
```
diagnose npu np6 stats <np-id>
```
detailed stats for a specific NP6 processor
```
diagnose npu np6 dce <np-id>
```
drop/error counters for a specific NP6 processor

NP7 offload stats 7.4+

```
diagnose npu np7 port-list
```
list NP7 ports and their assignments
```
diagnose npu np7 session-stats
```
NP7 offloaded session statistics
```
diagnose npu np7 stats <np-id>
```
detailed stats for a specific NP7 processor
```
diagnose npu np7 sse-stats <np-id>
```
Session Scheduling Engine stats

Disable NP offload (troubleshooting)

config firewall policy
    edit <policy-id>
        set auto-asic-offload disable
    next
end

disable NP offload per-policy (preferred — no global CPU impact)

config vpn ipsec phase1-interface
    edit <p1-name>
        set npu-offload disable
    next
end

disable NP offload for a specific IPsec VPN Phase 1

```
config system settings
    set np-offload-threshold 0
end
```
disable NP offload globally (AVOID on high-throughput devices)

Disabling NP offload globally can max out CPU. Always scope to a specific policy or VPN for debugging.

Disk Management

Disk info & maintenance

```
diagnose sys logdisk usage
```
show log disk usage percentage
```
diagnose sys logdisk stat
```
detailed log disk statistics
```
diagnose hardware deviceinfo disk
```
list all disks and partitions
```
execute disk list
```
disk and partition summary
```
execute disk scan [ref_int]
```
scan and repair disk errors
```
execute disk format [ref_int]
```
format a specific disk/partition (data loss!) then reboot
```
execute formatlogdisk
```
format log disk and reboot (clears all logs)

Format operations erase all data on the target disk/partition. Backup logs before proceeding.

FortiSwitch

Switch status & connections

```
get switch-controller managed-switch
```
list all managed FortiSwitch devices

diagnose switch-controller switch-info <sw-serial>

detailed info for a specific managed switch

diagnose switch-controller switch-info all

detailed info for all managed switches

```
execute switch-controller get-conn-status
```
connection status for all managed switches

execute switch-controller diagnose-connection <switch>

connectivity diagnostics for a specific switch

Switch port stats & table

diagnose switch-controller switch-info mac-table

MAC address table for all managed switches

diagnose switch-controller switch-info port-stats

per-port RX/TX/error statistics

diagnose switch-controller switch-info trunk

trunk (LAG) information

diagnose switch-controller switch-info mclag

MC-LAG information

diagnose switch-controller switch-info poe <sw-serial>

PoE status per port

FortiAP (via Wireless Controller)

AP & client status

```
get wireless-controller wtp
```
managed AP list

diagnose wireless-controller wlac -c ap-list

AP details

diagnose wireless-controller wlac -c sta-list

associated client list

diagnose wireless-controller wlac -c ap-rogue

rogue AP list

Wireless controller operations

```
execute wireless-controller restart-acd
```
restart wireless controller daemon
```
execute wireless-controller reset-wtp
```
restart all managed FortiAPs

Spectrum analysis

execute wireless-controller spectral-scan <wtp-id> <radio-id> on <duration> <channel> <interval>

start RF spectrum scan on a specific AP and radio

diagnose wireless-controller wlac -c rf-sa <wtp-id> <radio-id> <channel>

show spectrum analysis results for an AP radio

get wireless-controller spectral-info <wtp-id> <radio-id>

show spectral info for a specific AP radio

AP wireless debug

diagnose wireless-controller wlac -d capwap <ap-name>

CAPWAP debug for a specific AP

```
diagnose debug application cw_acd -1
```
enable CAPWAP AC daemon debug (all events)
```
diagnose debug enable
```
start streaming debug output to current CLI session

FortiAP CLI (direct commands on the AP itself)

FortiAP CLI commands

```
cfg -a ADDR_MODE=DHCP
```
set IP mode to DHCP
```
cfg -a ADDR_MODE=STATIC
```
set IP mode to static
```
cfg -a AP_IPADDR="x.x.x.x"
```
set static IP address
```
cfg -a AP_NETMASK="255.255.255.0"
```
set subnet mask
```
cfg -a IPGW="y.y.y.y"
```
set gateway address
```
cfg -a AC_IPADDR_1="z.z.z.z"
```
set Wireless Controller IP
```
cfg -s
```
list current AP configuration
```
cfg -c
```
commit (save) configuration
```
cfg -x
```
reset AP to factory default

FortiExtender

FortiExtender status & operations

diagnose extender-controller extender list

list all managed FortiExtender devices

diagnose extender-controller extender detail <serial>

detailed info for a specific FortiExtender

diagnose extender-controller extender modem-status <serial>

modem status for a specific FortiExtender

```
get extender sys-info <ext-sn>
```
FortiExtender system info
```
get extender modem-status <ext-sn>
```
detailed modem status
```
execute extender reset-fortiextender
```
restart managed FortiExtender

execute extender restart-fortiextender-daemon

restart FortiExtender daemon

```
diagnose debug appl extenderd -1
```
FortiExtender debugging (~5 min capture)

LTE modem commands

```
diagnose system lte-modem signal-info
```
signal strength (RSSI, RSRQ, RSRP, SNR)

diagnose system lte-modem traffic-status

TX/RX packet and byte counts

```
diagnose system lte-modem modem-details
```
hardware/firmware detail
```
diagnose system lte-modem sim-info
```
SIM card information

diagnose system lte-modem data-session-info

active data session details

```
diagnose system lte-modem gps-info
```
GPS coordinates (if supported)
```
diagnose system lte-modem data-usage
```
cumulative data usage
```
diagnose system modem detect
```
detect USB modem attached to FGT

Configure APN

```
config system lte-modem
    set status enable
    set apn "internet"
end
```
enable LTE modem and set carrier APN (replace "internet" with your carrier's APN)

Signal info output explained

# diagnose system lte-modem signal-info
WCDMA:
    RSSI: -57      ← Received Signal Strength; higher (less negative) = stronger
    ECIO: 12       ← Energy-to-Interference ratio; higher = cleaner signal

LTE:
    RSSI: -67      ← LTE received signal strength (dBm)
    RSRQ: -13      ← Reference Signal Received Quality (dB); above -10 = good
    RSRP: -98      ← Reference Signal Received Power (dBm); above -100 = acceptable
    SNR:   44      ← Signal-to-Noise Ratio (dB); higher = better

Metric	Good	Acceptable	Poor
LTE RSRP (dBm)	> -80	-80 to -100	< -100
LTE RSRQ (dB)	> -10	-10 to -15	< -15
LTE SNR (dB)	> 20	0 to 20	< 0

Traffic status output explained

# diagnose system lte-modem traffic-status
TX packets OK:        8513     ← successfully transmitted packets
RX packets OK:       10842     ← successfully received packets
TX packets error:        0     ← transmission errors (non-zero = investigate)
RX packets error:        0     ← receive errors
TX/RX overflows:         0     ← buffer overflows (non-zero = congestion)
TX bytes OK:        748973     ← bytes transmitted successfully
RX bytes OK:       8770104     ← bytes received successfully
TX/RX packets dropped:   0     ← dropped packets (non-zero = congestion or policy)

VDOM Commands

VDOM context switching

```
config vdom
    edit <vdom-name>
end
```
enter a VDOM context
```
sudo <vdom-name> diagnose sys top
```
run diagnose command in a specific VDOM from global scope
```
sudo <vdom-name> execute ping 8.8.8.8
```
run execute command in a specific VDOM from global scope
```
sudo global show system interface
```
run command in global context

Transparent Mode

Bridge MAC table

diagnose netlink brctl name host <bridge-name>

show MAC table for a transparent-mode bridge

Workspace Mode (GUI Multi-Admin)

Workspace operations

```
execute config-transaction start
```
start a workspace session (lock config for editing)
```
execute config-transaction commit
```
commit workspace changes and release lock
```
execute config-transaction abort
```
abort workspace session and discard all uncommitted changes
```
diagnose system config-transaction status
```
show workspace mode enabled/disabled state

diagnose system config-transaction show txn-info

show all active workspace locks

diagnose system config-transaction show txn-cli-commands

show pending CLI commands in workspace

Workspace Mode locks config objects so multiple admins cannot overwrite each other. The abort command discards all uncommitted changes.

Syntax

```
diagnose debug application <app_name> <level>
```
enable debug for a specific application daemon
```
diagnose debug enable
```
start streaming debug output to current CLI session
```
diagnose debug disable
```
stop debug output
```
diagnose debug reset
```
reset all debug levels to 0
```
diagnose debug appl <app_name> <level>
```
alternative (older) syntax for enabling application debug
```
diagnose test appl <app_name> <test_level>
```
query daemon status (non-debug); does not require debug enable

Debug Levels

Level	Output Verbosity
`-1`	Most verbose — all available debug info. Use for deep troubleshooting; generates a lot of output quickly.
`0`	Disable debug for this application.
`1`	Basic — high-level operations and errors. Good for initial diagnosis.
`2`	Medium verbosity — more detail without overwhelming output.
`3–7`	Increasingly detailed. Exact granularity depends on the daemon.
`63`	IKE-specific: all IKE negotiation events (equivalent to `-1` for ike).

Common Debuggable Applications

App Name	Daemon / Function	Typical Use
`ike`	IKE daemon (iked)	IPsec VPN tunnel negotiation failures
`sslvpn`	SSL-VPN proxy daemon	SSL-VPN connection / access control issues
`fnbamd`	Auth daemon	RADIUS, LDAP, FSSO auth failures
`radiusd`	RADIUS daemon	RADIUS server communication issues
`dnsproxy`	DNS proxy	DNS resolution and split-DNS issues
`dhcp`	DHCP server/relay/client	DHCP lease assignment failures
`httpsd`	HTTPS management daemon	Web GUI access issues
`sshd`	SSH daemon	SSH management access issues
`hasync`	HA sync daemon	HA configuration synchronisation
`hatalk`	HA talk daemon	HA heartbeat / election issues
`csfd`	Security Fabric daemon	Fabric topology and communication
`fcnacd`	FortiClient NAC daemon	EMS / ZTNA connectivity
`miglogd`	Log forwarding daemon	FAZ / syslog forwarding issues
`scanunitd`	UTM scanning daemon	AV/IPS/proxy scanning performance
`ipsengine`	IPS engine	IPS signature matching and drops
`urlfilter`	URL filter daemon	FortiGuard web category lookup
`ntpd`	NTP daemon	Time sync issues (affects cert validation, logs)
`link-mon`	Link monitor	SD-WAN health-check and WAN failover
`cw_acd`	CAPWAP AC daemon	FortiAP management tunnel issues
`extenderd`	FortiExtender daemon	FortiExtender management issues
`modemd`	Modem daemon	USB modem / LTE connectivity
`forticldd`	FortiCloud daemon	FortiCloud / licence connectivity
`wad`	WAD proxy daemon	Explicit proxy, WCCP, SSL deep inspection

Examples

```
diagnose debug application ike -1
```
enable IKE debug for IPsec/IKE negotiation issues
```
diagnose debug application sslvpn -1
```
enable SSL-VPN debug for login issues
```
diagnose debug application fnbamd -1
```
enable auth daemon debug for LDAP/RADIUS failures
```
diagnose debug application dnsproxy -1
```
enable DNS proxy debug for resolution issues
```
diagnose debug application dhcp -1
```
enable DHCP debug for lease problems
```
diagnose debug enable
```
start streaming debug output to current CLI session
```
diagnose debug disable
```
stop debug output
```
diagnose debug reset
```
reset all debug levels to 0

Requirements & Restrictions:

Must be logged in with a super_admin profile account.
On FortiGate VMs: requires a paid licence — free evaluation VMs return Unknown action 0.
CLI-only — no GUI equivalent.
Executes locally on the unit where the session is initiated. To run on a passive HA member, log in directly to that unit.
Tab completion does not work with this command.
Can be used in automation stitches via set action-type cli-script.
Not available when FIPS-CC mode is enabled — verify with get system status.

fnsysctl ifconfig — physical interface detail

```
fnsysctl ifconfig
```
all interfaces with detailed IP, MAC, MTU, RX/TX, errors, drops
```
fnsysctl ifconfig port1
```
specific interface detail (more detailed than get system interface physical)

port1   Link encap:Ethernet  HWaddr 0A:7C:2A:D2:17:6F
        inet addr:10.100.100.227  Bcast:10.100.100.255  Mask:255.255.255.0
        link-local6: fe80::87c:2aff:fed2:176f prefixlen 64
        UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
        RX packets:3537 errors:0 dropped:0 overruns:0 frame:0
        TX packets:5436 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:1340257 (1.3 MB)  TX bytes:4360502 (4.2 MB)

fnsysctl ls — filesystem listing

```
fnsysctl ls /tmp
```
list directory contents
```
fnsysctl ls -al /tmp
```
all files, long format (timestamps, sizes, permissions)
```
fnsysctl ls -a /tmp
```
all files including dot-files (useful for IOC forensics)

fnsysctl ls -al /tmp

drwxr-xr-x    2 0   0   Wed Oct 23 01:53:42 2024    40 $$auto-script$$
drwxrwxrwt   60 0   0   Wed Oct 23 02:03:46 2024  4780 .
drwxr-xr-x   18 0   0   Wed Oct 23 01:53:40 2024     0 ..
srwxr-xr-x    1 0   0   Wed Oct 23 01:53:42 2024     0 .auto_script_server
-rw-r--r--    1 0   0   Wed Oct 23 01:53:42 2024     0 .aws_addrs
srwxr-xr-x    1 0   0   Wed Oct 23 01:53:42 2024     0 .cloudapi_fconv.sock
srwxr-xr-x    1 0   0   Wed Oct 23 01:53:42 2024     0 .dhcpd.msg
srwxr-xr-x    1 0   0   Wed Oct 23 01:53:42 2024     0 .dns_local_server

fnsysctl cat — read file contents

```
fnsysctl cat /proc/net/tcp
```
open TCP connections (output in hex; alternative: diagnose sys tcpsock)
```
fnsysctl cat /proc/cpuinfo
```
CPU model, core count, and capabilities
```
fnsysctl cat /proc/interrupts
```
per-CPU interrupt counters (useful for RSS/IRQ balancing)
```
fnsysctl cat /proc/meminfo
```
detailed memory information
```
fnsysctl cat /proc/nturbo/0/drv
```
NTurbo acceleration stats for queue 0

Not all files are accessible. Protected files return: cat: /tmp/cw_ac_key_bak.pem: Not allowed

Sample: `/proc/interrupts`

       CPU0      CPU1      CPU2      CPU3
142: 3506701         0         0         0   PCI-MSI-edge np6_0-tx-rx0
143:       1    742138         0         0   PCI-MSI-edge np6_0-tx-rx1
144:       1         0   3850634         0   PCI-MSI-edge np6_0-tx-rx2
145:       1         0         0   3319842   PCI-MSI-edge np6_0-tx-rx3
# Each row: interrupt ID, per-CPU count, type, source
# Useful for verifying NP/NIC interrupts are spread across CPUs

Sample: `/proc/nturbo/0/drv` — NTurbo queue stats

Turbo interface ID: 0
Driver RX/TX:      760818543 / 759413272
Free/Used buffers: 109675 / 2965    Alloc fail: 0

RXQ_0(0,20806): IN 64201109  OUT 64201142  DROP 0  NRDY 0  Fullness 0  Peak 282
TXQ_0(0,20806): IN 64083848  OUT 64083848  DROP 0  SHAPER_DROP 0  USR_DROP 117056  BUFERR 0

RXQ_1(1,20808): IN 62241175  OUT 62241191  DROP 0  NRDY 0  Fullness 0  Peak 444
TXQ_1(1,20808): IN 62092654  OUT 62092654  DROP 0  SHAPER_DROP 0  USR_DROP 148288  BUFERR 0
# USR_DROP = packets dropped by the upper-layer user-space process (normal at high rates)
# SHAPER_DROP = dropped by traffic shaper (indicates congestion)

fnsysctl date — Linux system date

```
fnsysctl date
```
show kernel date/time in Linux format (e.g. Wed Oct 23 02:11:03 PDT 2024)

fnsysctl df — filesystem disk usage

```
fnsysctl df -h
```
filesystem usage with human-readable sizes (monitor /var/log fill)

Filesystem              Size    Used  Available  Use%  Mounted on
none                    1.3G   81.6M      1.2G     6%  /tmp
none                    1.3G    4.7M      1.3G     0%  /dev/shm
/dev/nvme0n1p1        231.9M  129.2M     89.9M    59%  /data
/dev/nvme0n1p2          1.6G  141.7M      1.4G     9%  /data2
/dev/nvme1n1p1         29.4G   54.8M     27.8G     0%  /var/log

fnsysctl du — directory size usage

```
fnsysctl du -s
```
summary: total size of current directory tree
```
fnsysctl du -d 1 -a
```
1 level deep, include files (find biggest top-level directories)
```
fnsysctl du -L
```
follow symlinks when calculating directory sizes

71960   ./new_root
20488   ./migadmin
5344    ./node-scripts
113596  ./bin
131464  ./data
142520  ./data2
147440  ./tmp
715324  .               ← total

fnsysctl pwd — current working directory

```
fnsysctl pwd
```
show working directory (always / — cd is not available)

fnsysctl ps — process list

```
fnsysctl ps
```
full process list with PID, UID, GID, state, and command

Lists all running processes with PID, UID, GID, state, and command. Most FortiGate daemons are managed by a watchdog — killing them causes an immediate automatic restart.

PID    UID   GID  STATE  CMD
1      0     0    S      /bin/init
2026   0     0    S      /bin/dnsproxy
2045   0     0    S      /bin/wad 4
2053   0     0    S      /bin/miglogd 1
2095   0     0    S      /bin/ipsengine
2119   0     0    S      /bin/urlfilter 0
2124   0     0    R      /bin/sshd
2125   0     0    S      /bin/newcli
2325   0     0    S      /bin/httpsd     ← S=sleeping R=running I=idle kernel thread

Process state codes

State	Meaning
R	Running (actively using CPU)
S	Sleeping (waiting for event)
I	Idle kernel thread
Z	Zombie (exited but not reaped)

fnsysctl kill / killall — terminate processes

```
fnsysctl kill 2325
```
send SIGTERM (default) to PID 2325
```
fnsysctl kill -s 9 2325
```
send specific signal to PID (9=SIGKILL)
```
fnsysctl killall httpsd
```
restart the HTTPS management daemon
```
fnsysctl killall dnsproxy
```
restart DNS proxy daemon
```
fnsysctl killall miglogd
```
restart log forwarding daemon

killall is NOT recorded in the crash log (diagnose debug crashlog read). Not all processes can be killed this way (e.g., hasync is protected). Most daemons are watched — they restart automatically within seconds.

fnsysctl mv — move/rename files

fnsysctl mv /tmp/ipsshm.urldb-whitelist /tmp/ipsshm.urldb-whitelist.orig

move/rename a file in /tmp (most directories are read-only)

fnsysctl ls -al /tmp/ipsshm.urldb-whitelist.orig

verify file was moved successfully

Warning: Moving or deleting critical system files can cause FortiGate to stop functioning and may require a factory reset. This command is also a known vector for attackers to hide traces of compromise after gaining access.

fnsysctl grep — search file contents

```
fnsysctl grep <pattern> <file>
```
search file contents for a pattern

fnsysctl grep -i "error" /var/log/messages

case-insensitive search

```
fnsysctl grep -n "sshd" /proc/net/tcp
```
search with line numbers shown
```
fnsysctl grep -v "DROP" /tmp/somefile
```
invert match — show lines that do NOT contain pattern
```
fnsysctl grep -c "ACCEPT" /tmp/somefile
```
count matching lines only

fnsysctl grep -A 3 "crash" /var/log/messages

show 3 lines of trailing context after match

fnsysctl grep -B 3 "crash" /var/log/messages

show 3 lines of leading context before match

```
fnsysctl grep -C 3 "crash" /var/log/messages
```
show 3 lines of context on both sides of match

Flag	Description
-i	Ignore case distinctions
-l	List only filenames of files containing a match
-H	Prefix each output line with the filename
-h	Suppress filename prefix
-n	Print line number alongside each match
-q	Quiet — exit 0 if match found, no output
-v	Invert — show lines that do NOT match
-s	Suppress file open/read error messages
-c	Print only a count of matching lines
-A N	Print N lines of trailing context after match
-B N	Print N lines of leading context before match
-C N	Print N lines of context on both sides of match

fnsysctl printenv — environment variables

```
fnsysctl printenv
```
show environment variables (very limited — only TERM=vt220 typically visible)

Quick Reference — All fnsysctl Sub-commands

Sub-command	Use Case	Key Flags
`ifconfig [intf]`	Interface stats: errors, drops, MTU, RX/TX	interface name (optional)
`ls [flags] [path]`	Filesystem listing; forensic IOC hunting	`-a` `-l` `-A`
`cat <file>`	Read /proc files: cpuinfo, meminfo, interrupts, tcp, nturbo	—
`date`	Show kernel date/time in Linux format	—
`df [-h]`	Filesystem usage (disk partitions, /var/log fill)	`-h`
`du [flags] [path]`	Directory size breakdown	`-d` `-a` `-s` `-L`
`pwd`	Show working directory (always `/`)	—
`ps`	Full process list with PID, state, command	—
`kill [-s N] <pid>`	Send signal to process by PID	`-s <signal>`
`killall <name>`	Kill all instances of a daemon by name (watchdog restarts)	process name
`mv <src> <dst>`	Move/rename files in writable dirs (e.g., /tmp)	—
`grep [flags] <pat> <file>`	Search file contents	`-i -n -v -c -A -B -C`
`printenv`	Show environment variables (limited)	—

Scenario 1 — IPsec Tunnel Not Coming Up

Verify Phase 1 state:

diagnose vpn ike gateway list name <p1-name>

Enable IKE debug scoped to peer:

diagnose vpn ike log-filter dst-addr4 <remote-ip>

diagnose debug application ike 63

diagnose debug enable

Flush SA to force re-negotiation:

diagnose vpn ike gateway flush name <p1-name>

Interpret output: NO_PROPOSAL_CHOSEN → align proposals. AUTHENTICATION_FAILED → verify PSK. TS_UNACCEPTABLE → check Phase 2 subnets.

Clean up:

diagnose debug disable

diagnose vpn ike log-filter clear

Scenario 2 — Traffic Blocked, No Log

Run debug flow:

diagnose debug flow filter addr <client-ip>

diagnose debug flow show function-name enable

diagnose debug flow trace start 50

diagnose debug enable

Send test traffic. Look for: Denied by forward policy check (no policy), reverse path check fail (RPF/asymmetric routing), iprope_in_check() check failed (implicit deny).

Verify which policy matches:

diagnose firewall iprope lookup <src> <dst> 6 12345 80 <in-intf>

Stop debug:

diagnose debug flow trace stop

diagnose debug disable

Scenario 3 — HA Sync Issue

Check HA status:

get system ha status

diagnose system ha history read

Compare checksums — look for mismatched table (e.g., firewall.policy):
```
diagnose sys ha checksum cluster
```

Enable sync debug:

diagnose debug appl hasync -1

diagnose debug appl hatalk -1

diagnose debug enable

Force checksum recalculation:
```
diagnose sys ha checksum recalculate
```
If secondary is fully out of sync, re-sync from secondary:
```
execute ha synchronize stop
```
```
execute ha synchronize start
```

Scenario 4 — High Memory / Conserve Mode

Check state and thresholds:

diagnose hardware sysinfo conserve

get system performance status

Find top consumers:
```
diagnose sys top-mem
```
Check scan unit stats:
```
diagnose test application scanunitd 3
```

Reduce session TTL to flush stale entries:

config system session-ttl
    set default 300
end

Restart scan unit to release memory (UTM resumes automatically):
```
diagnose sys scanunit restart
```

Scenario 5 — Slow Throughput

Check CPU:

diagnose sys top 1 20

get system performance status

Verify sessions have npu flag (NP-offloaded):

diagnose sys session filter dport 443

diagnose sys session list | grep flags

Check NP drop counters:
```
diagnose npu np7 stats 0
```
Check interface errors:
```
diagnose netlink interface stats <intf>
```
Look for non-zero rx_dropped, rx_errors, tx_dropped.

Run iPerf baseline:

diagnose traffictest run -c <iperf-server-ip>

Scenario 6 — User Auth Failure

Test credentials directly:

diagnose test authserver ldap <server> <user> <pass>

Enable fnbamd debug:

diagnose debug application fnbamd -1

diagnose debug enable

Have user attempt authentication. Watch for LDAP bind errors, group membership failures, or RADIUS timeout messages.

Check FSSO if using SSO:

diagnose debug authd fsso list

diagnose debug authd fsso server-status

Clean up:
```
diagnose debug disable
```

Use before sharing configs publicly or with support. The script below replaces sensitive values with anonymised placeholders.

Regex Patterns

Pattern	Matches	Replacement
`set password ENC .*`	Encrypted passwords	`set password ENC <REDACTED>`
`set psksecret .*`	IPsec PSK	`set psksecret <REDACTED>`
`\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b`	IPv4 addresses	`<IP>`
`set sn .*`	Serial numbers	`set sn <SERIAL>`
`([0-9a-fA-F]{2}:){5}…`	MAC addresses	`<MAC>`

Python Sanitizer Script

#!/usr/bin/env python3
"""Sanitize FortiGate config for safe sharing."""
import re, sys, argparse

RULES = [
    (r'(set (?:password|passwd)\s+ENC\s+)\S+',    r'\1<REDACTED>'),
    (r'(set psksecret\s+)\S+',                     r'\1<REDACTED>'),
    (r'(set (?:secret|key|authkey)\s+)\S+',        r'\1<REDACTED>'),
    (r'(set sn\s+)\S+',                            r'\1<SERIAL>'),
    (r'(set (?:hostname|alias)\s+)"?([^"\n]+)"?',  r'\1"<HOSTNAME>"'),
    (r'\b(\d{1,3}\.){3}\d{1,3}\b',                '<IP>'),
    (r'\b([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}\b',  '<MAC>'),
]

def sanitize(text):
    for pattern, repl in RULES:
        text = re.sub(pattern, repl, text)
    return text

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument('infile', nargs='?', default='-')
    ap.add_argument('-o', '--out', default='-')
    args = ap.parse_args()
    src = open(args.infile) if args.infile != '-' else sys.stdin
    dst = open(args.out, 'w') if args.out != '-' else sys.stdout
    dst.write(sanitize(src.read()))

if __name__ == '__main__':
    main()

Usage: python3 sanitize.py config.conf -o safe_config.conf

REST API — Authentication

# 1. Create REST API admin: System → Administrators → REST API Admin
# 2. Copy the API key (shown only once)
# 3. Use Bearer token in every request:
curl -sk -H "Authorization: Bearer <api-key>" \
     https://<fgt-ip>/api/v2/cmdb/system/status | python3 -m json.tool

Key REST API Endpoints

Endpoint	Method	Description
`/api/v2/cmdb/system/status`	GET	Firmware version, serial, HA status
`/api/v2/cmdb/firewall/policy`	GET/POST/PUT/DELETE	CRUD on firewall policies
`/api/v2/cmdb/system/interface`	GET/PUT	Interface configuration
`/api/v2/monitor/firewall/session`	GET	Active session table
`/api/v2/monitor/vpn/ipsec`	GET	IPsec tunnel status
`/api/v2/monitor/system/ha-checksums`	GET	HA sync checksum state
`/api/v2/monitor/router/ipv4`	GET	IPv4 routing table
`/api/v2/cmdb/router/static`	GET/POST	Static routes
`/api/v2/cmdb/log/setting`	GET/PUT	Log settings

Python API Helper

#!/usr/bin/env python3
import requests, urllib3, json
urllib3.disable_warnings()

class FortiGate:
    def __init__(self, host, token, verify=False):
        self.base = f"https://{host}/api/v2"
        self.s = requests.Session()
        self.s.headers['Authorization'] = f"Bearer {token}"
        self.s.verify = verify

    def get(self, path, **params):
        r = self.s.get(f"{self.base}{path}", params=params)
        r.raise_for_status(); return r.json()

    def put(self, path, data):
        r = self.s.put(f"{self.base}{path}", json=data)
        r.raise_for_status(); return r.json()

if __name__ == '__main__':
    fgt = FortiGate('192.168.1.1', 'YOUR_API_TOKEN')
    print(json.dumps(fgt.get('/cmdb/system/status'), indent=2))

Paramiko SSH

#!/usr/bin/env python3
import paramiko, time

def run_commands(host, user, password, commands, port=22):
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    client.connect(host, port=port, username=user, password=password,
                   look_for_keys=False, allow_agent=False)
    shell = client.invoke_shell(width=220, height=50)
    time.sleep(1); shell.recv(4096)
    results = {}
    for cmd in commands:
        shell.send(cmd + '\n'); time.sleep(0.8)
        out = b''
        while shell.recv_ready(): out += shell.recv(65535)
        results[cmd] = out.decode('utf-8', errors='replace')
    client.close(); return results

if __name__ == '__main__':
    cmds = ['get system status', 'diagnose sys top 1 3']
    for cmd, out in run_commands('192.168.1.1', 'admin', '', cmds).items():
        print(f"\n=== {cmd} ===\n{out}")

FortiOS CLI Auto-Script

# Upload: execute restore script tftp <filename> <tftp-ip>
# Or paste via GUI: System → Scripts

config system interface
    edit port1
        set alias "WAN1"
    next
end

Ansible — fortinet.fortios Collection

---
- name: Configure FortiGate static route
  hosts: fortigates
  collections: [fortinet.fortios]
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Add static route
      fortios_router_static:
        vdom: "{{ vdom }}"
        state: present
        router_static:
          seq_num: 1
          dst: "10.10.0.0/16"
          gateway: "192.168.1.254"
          device: "port1"

Default FortiGate Service Ports

Port	Protocol	Service	Direction
22	TCP	SSH management	Inbound to FGT
23	TCP	Telnet (disabled by default)	Inbound to FGT
80	TCP	HTTP management / captive portal	Inbound to FGT
443	TCP	HTTPS management / SSL-VPN	Inbound to FGT
500	UDP	IKE (IPsec)	Both
514	UDP/TCP	Syslog / FortiAnalyzer log	Outbound from FGT
541	TCP	FortiManager policy push	Inbound to FGT
703	UDP	HA heartbeat	Between FGT members
1812	UDP	RADIUS auth	Outbound from FGT
1813	UDP	RADIUS accounting	Outbound from FGT
4500	UDP	IKE NAT-T (IPsec)	Both
5246	UDP	CAPWAP control (FortiAP)	AP → FGT
5247	UDP	CAPWAP data (FortiAP)	AP → FGT
8008/8009	TCP	FortiGuard updates / licensing	Outbound from FGT
8890	TCP	FortiCloud / FortiGate Cloud	Outbound from FGT
10443	TCP	SSL-VPN (alternate port)	Inbound to FGT

ICMP Type / Code Reference

Type	Code	Meaning
0	0	Echo Reply (ping reply)
3	0	Destination Unreachable — Net Unreachable
3	1	Destination Unreachable — Host Unreachable
3	3	Destination Unreachable — Port Unreachable
3	4	Fragmentation Needed (MTU discovery)
3	13	Administratively Prohibited (firewall block)
5	1	Redirect — Redirect for Host
8	0	Echo Request (ping)
11	0	TTL Exceeded in Transit (traceroute hop)
11	1	Fragment Reassembly Time Exceeded

Debug Flow Action Codes

Action	Debug Flow String	Meaning
ACCEPT	`iprope_in_check: check passed`	Policy matched and allowed
DENY	`Denied by forward policy check`	Explicit deny or no matching allow policy
DROP	`drop`	Silent drop (no ICMP unreachable sent)
SNAT	`SNAT … to …`	Source NAT applied
DNAT	`DNAT … to …`	Destination NAT (VIP) applied
OFFLOAD	`offload to npu`	Session handed to hardware NP processor
RPF	`reverse path check fail`	RPF check failed — asymmetric routing
IPS	`drop by ips`	IPS engine blocked the packet

IPsec Error Code Quick Reference

Error	Cause	Fix
`NO_PROPOSAL_CHOSEN`	Encryption/hash/DH group mismatch	Align proposals on both peers
`INVALID_ID_INFORMATION`	Local/remote ID mismatch	Check `localid` / peer-id
`AUTHENTICATION_FAILED`	Wrong PSK or bad certificate	Re-verify PSK; check CA chain
`TS_UNACCEPTABLE`	Phase 2 subnet mismatch	Match Phase 2 selectors exactly
`INVALID_PAYLOAD_TYPE`	IKE v1 vs v2 mismatch	Set same IKE version both ends
`DPD timeout`	Peer unreachable or MTU issue	Check routing; try MTU 1400

FortiGate CLI Reference

General Info & Architecture 0

Default Device Information

Serial Console / PuTTY Settings

CLI Command Trees & Abbreviations

Configuration Verbs

CLI Navigation & Keyboard Shortcuts

VDOM Context

System & Maintenance 0

Network Interfaces & Diagnostics 0

Security Fabric 0

VPN & IPsec 0

Sample: diagnose vpn ike gateway list output

Sample: diagnose vpn tunnel list output

Common IPsec Error Codes

Routing & Networking 0