
Cheatsheet FortiGate CLI

Cheatsheet for the FortiGate Command Line Interface (CLI).

This article contains some useful FortiGate commands. Please note that not all commands work on all FortiGate versions. Not all commands are supported and some do change.

General Tips

External support (Fortinet)



Open Network Connections



LDAP / Radius Authentication

diagnose debug enable
diagnose debug application fnbamd -1 

High Availability

Object Management


Layer 1 (Physical Layer)

Network Interface Card

Layer 2 (Data Link Layer)

Address Resolution Protocol (ARP)

Layer 3 (Network Layer)

Internet Protocol


Poor man’s traceroute

If you would like to test a traceroute for a different source IP than the one assigned to your outbound interface you can use poor-mans-traceroute.

Use this procedure:

  1. Open a second SSH session and filter on the outbound interface for ICMP.
  2. Set the execute ping-options timeout to 1.
  3. Set the execute ping-options source to your source IP.
  4. Ping the target host.
  5. Observe the ICMP time to live exceeded message you get from the first router.
  6. Increase the timeout to 2 and repeat from step 4.


Use Fortinet’s recommended procedure to debug OSPF:


Look for:

Geo IP Information

Layer 4 (Transport Layer)


Session List Filters

It is possible to set filters for the session list.

Traffic Flow through FortiGate

        diagnose debug enable
        diagnose debug flow show console enable
        diagnose debug flow show function enable
        diagnose debug flow filter add <ip-address>
        diagnose debug flow trace start 100


Packets with TCP RST flag set:

diagnose sniffer packet internal 'tcp[13] & 4 != 0'

Packets with TCP SYN flag set:

diagnose sniffer packet internal 'tcp[13] & 2 != 0'

Packets with TCP SYN ACK flag set:

diagnose sniffer packet internal 'tcp[13]=18'

Packets with TCP SYN and TCP ACK:

diagnose sniffer packet internal 'tcp[13] = 18'
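
All of the flag filters above test byte 13 of the TCP header. The following Python sketch is an added example, not part of the original cheatsheet: it builds constructed TCP headers and evaluates the page's filters against them, showing that `tcp[13] = 18` matches only an exact SYN+ACK and misses a SYN+ACK that also carries ECE. The function names and sample ports are assumptions made for illustration.

```python
import struct

# TCP flag bits as they sit in byte 13 of the TCP header (tcp[13] in filter syntax).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# The sniffer filters from this page, expressed as predicates on tcp[13].
PAGE_FILTERS = {
    "tcp[13] & 4 != 0": lambda b: (b & 4) != 0,  # RST bit set, other bits ignored
    "tcp[13] & 2 != 0": lambda b: (b & 2) != 0,  # SYN bit set, other bits ignored
    "tcp[13] = 18":     lambda b: b == 18,       # exactly SYN+ACK, nothing else
}


def build_tcp_header(*flag_names, sport=40000, dport=443):
    """Build a constructed 20-byte TCP header with the given flags set."""
    flags = 0
    for name in flag_names:
        flags |= FLAGS[name]
    offset_reserved = 5 << 4  # data offset = 5 words, no TCP options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                       offset_reserved, flags, 65535, 0, 0)


def decode_flags(tcp_header):
    """Return the names of the flags set in tcp[13]."""
    return [name for name, bit in FLAGS.items() if tcp_header[13] & bit]


def matching_filters(tcp_header):
    """Return the page's filter expressions that would capture this header."""
    flag_byte = tcp_header[13]
    return [expr for expr, pred in PAGE_FILTERS.items() if pred(flag_byte)]


if __name__ == "__main__":
    # Constructed sample segments, identified only by their flag combination.
    samples = [("SYN",), ("SYN", "ACK"), ("SYN", "ACK", "ECE"),
               ("RST", "ACK"), ("ACK", "PSH")]
    for combo in samples:
        hdr = build_tcp_header(*combo)
        print(f"{'+'.join(combo):<12} tcp[13]={hdr[13]:>3}  ->  {matching_filters(hdr)}")
```
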

Layer 5 (Session Layer)


Fortinet Single Sign-On (FSSO)

diag debug enable
diag debug authd fsso list
diag debug authd fsso server-status
diag debug authd fsso-summary

Layer 7 (Application Layer)


        execute log filter dump
        execute log filter category 0
        execute log filter field hostname
        execute log display