FORTIGATE - Useful CLI commands

From PedroWiki

Introduction

This article gathers useful CLI commands for FortiGate firewall configuration and diagnostics.

Useful Resources

Toolbox

Filter

Any command output can be filtered as in a Linux shell, using a pipe and grep:

# <command> | grep <pattern>

Show the current configuration while inside a configuration menu

# config <menu> <submenu>
<submenu># show

To see even default options:

# show full-configuration

(the CLI accepts unambiguous abbreviations, so "show fu" is enough)

List device interfaces

# show system interface

Debug

See this debug cheatsheet.

Or this one from Fortinet Community.

List the details of a given IPsec tunnel:

# diag vpn tunnel list name <name_of_tunnel>

IPsec tunnel establishment diagnostic

Phase1

# diag debug application ike -1
# diag vpn ike log-filter name <name_of_an_IPsec_tunnel>

or

# diag vpn ike log-filter dst-addr4 <remote_IP>
# diag debug app ike 255

and then

# diag debug enable

Identify tunnel and filter list

# get vpn ipsec tunnel summary
# diag vpn ike log-filter list

Debug disable

# diag debug disable

Firewalling

Addresses management

# config firewall address
# edit "<name_of_object>"
# set subnet <ip> <netmask>
# next
# end

Address groups management

# config firewall addrgrp
# edit "<group_name>"
# set member "<address_object_1>" ... "<address_object_n>"
# set comment "<your_comment>"
# next
# end

Custom service management

# config firewall service custom
# edit "<name_of_custom_service>"
# set comment "<your_comment>"
# set tcp-portrange <portStart>[-<portEnd>]
# next
# end

Service group management

# config firewall service group
# edit "<service_group_name>"
# set member "<member1>" ... "<membern>"
# set comment "<your_comment>"
# next
# end

Policy management

# show firewall policy
# config firewall policy
# edit 0
# set srcintf "<name_of_source_itf>"
# set dstintf "<name_of_dest_itf>"
# set srcaddr "all"|"<address_or_group>"
# set dstaddr "<address_or_group>"
# set action accept
# set schedule "always"
# set service "<service_or_servicegroup>"
# set utm-status enable
# set logtraffic all
# set ips-sensor "<ips_configuration_profile>"
# set ssl-ssh-profile "<inspection_configuration_profile>"
# set nat enable|disable
# next
# end

Routing

See all routes (whatever routing protocol is used)

# get router info routing-table all

NB: you can replace "all" with "bgp" or "static" or "ospf" to list only those routes.

See all BGP neighbors

# get router info bgp neighbors

or

# get router info bgp summary

See advertised routes from a neighbor

# get router info bgp neighbors <neighbor_IP> advertised-routes

See received routes from a neighbor

# get router info bgp neighbors <neighbor_IP> received-routes

Enable soft reconfiguration

# config router bgp
# config neighbor
# edit "<neighbor_IP>"
# set soft-reconfiguration enable
# next
# end
# end

Disable network-import-check

See this article for information on the use case.

# config router bgp
# set network-import-check disable
# end

NB: this is not a best practice; the check prevents the device from advertising prefixes it has no route for. Prefer to announce only networks (and network ranges) that match existing routes on the device.
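As an added example (not part of the original wiki page), the following Python keeps network-import-check enabled by checking candidate BGP networks against the routing table before generating the "config network" block. The routing-table text is a constructed sample modelled on "get router info routing-table all" output, and the criterion used (a candidate must be covered by a non-default route) is this example's own assumption, not a statement of how FortiOS implements the check.

```python
import ipaddress
import re

# Constructed sample of "get router info routing-table all" output (not a real device capture).
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area

S*      0.0.0.0/0 [10/0] via 192.0.2.1, port1
C       10.0.0.0/24 is directly connected, port2
C       10.0.1.0/24 is directly connected, port3
B       172.16.0.0/16 [20/0] via 10.0.0.2, port2, 00:10:23
O       192.168.5.0/24 [110/2] via 10.0.1.2, port3, 01:02:03
"""

# A route line starts with a 1-2 letter protocol code, an optional '*', then an IPv4 prefix.
ROUTE_RE = re.compile(r"^(?P<code>[A-Z]{1,2})\*?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$")


def parse_routing_table(text):
    """Return [(protocol_code, ip_network, remainder)] for each route line; legend lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m["code"], ipaddress.ip_network(m["prefix"]), m["rest"].strip()))
    return routes


def find_supporting_route(candidate, routes):
    """Most specific non-default route covering `candidate`, or None (a default route proves nothing)."""
    net = ipaddress.ip_network(candidate)
    best = None
    for _code, route, _rest in routes:
        if route.prefixlen and route.version == net.version and net.subnet_of(route):
            if best is None or route.prefixlen > best.prefixlen:
                best = route
    return best


def bgp_network_config(candidates, routes):
    """Emit 'config router bgp / config network' only for backed candidates; return (text, rejected)."""
    lines, rejected = ["config router bgp", "config network"], []
    for idx, cand in enumerate(candidates, start=1):
        if find_supporting_route(cand, routes) is None:
            rejected.append(cand)  # no route: advertising it would announce an unreachable prefix
            continue
        net = ipaddress.ip_network(cand)
        lines += [f"edit {idx}", f"set prefix {net.network_address} {net.netmask}", "next"]
    lines += ["end", "end"]
    return "\n".join(lines), rejected
```

Paste the real "get router info routing-table all" output in place of the sample; rejected candidates are the ones that would have needed network-import-check disabled.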

Internet Services

Links

Identify an Internet Service ID

# diagnose internet-service id | grep <name_of_service>

List IPs and ports allowed by an Internet Service

# diagnose internet-service id <ID>

Check which Internet Services an IP address or subnet belongs to

# diagnose internet-service match root <ip> <netmask>

Check whether a given protocol, port and destination IP are covered by an Internet Service

# diagnose internet-service info root <proto> <port> <IP>

Proto:

  • 17: UDP
  • 6: TCP

Result if found:

Internet Service: <ID and name of the service>

Result if not found:

Can not find Internet Service ID and name. ret=-1