Commands (FortiGate)
Commands (FortiGate)
Enable/Disable Debugging
| Command | Description |
|---|---|
diagnose debug reset |
Stop all the prior debugs that were enabled and running in the foreground or background. |
diagnose debug enable |
Start printing debugs in the console. |
diagnose debug disable |
Stop printing debugs in the console. The debugs are still running in the background; use diagnose debug reset to completely stop them. |
diagnose debug duration 0 |
Start debugging for infinite duration. By default, debug is set for 30 minutes. |
System
System
| Command | Description |
|---|---|
get system status |
Show system information. |
execute time |
Show current system time. |
get system performance status |
Show CPU and memory utilization. |
execute tac report |
Execute TAC report used to open a support ticket with Fortinet Support. |
diagnose sys top {s} {n} {i} |
Show a list of the first n processes every s seconds for i iterations. |
Shift +C |
Sort by highest CPU |
Shift + M |
Sort by highest memory |
diagnose debug crashlog read |
Show system and application crashes. |
diagnose sys process pidof <daemon> |
Show PID of the daemon that is running. The names of currently running daemons can be found using diagnose sys top. |
diagnose sys kill 11 <pid> |
Kill the PID with signal 11. |
diagnose sys session stat |
Show session statistics. |
diagnose sys session exp-stat |
Show expectation session statistics. |
diagnose sys vd list |
Show virtual domain information and system statistics. |
diagnose sys cmdb info |
Show information about the latest configuration change performed by the daemon. |
execute factoryreset [keepvmlicense] |
Immediately reset to factory defaults and reboot. If keepvmlicense is specified (VM models only), the VM license is retained after reset. |
execute factoryreset-shutdown [keepvmlicense] |
Immediately reset to factory defaults and shutdown. If keepvmlicense is specified (VM models only), the VM license is retained after reset. |
execute factoryreset2 [keepvmlicense] |
Reset to factory default, except system settings, system interfaces, VDOMs, static routes, and virtual switches. If keepvmlicense is specified (VM models only), the VM license is retained after reset. |
diagnose debug config-error-log read |
Show errors in the configuration file. |
diagnose snmp ip frags |
Show fragmentation and reassembly information. |
diagnose sys process dump <PID> |
Show essential process related information for a particular process PID. |
diagnose sys process pstack <PID> |
Show essential process related information for a particular process PID. |
diagnose sys process trace <PID> |
Show essential process related information for a particular process PID. |
diagnose sys mpstat {n} |
Show CPU usage every n seconds. |
diagnose hardware sysinfo memory |
Show system memory information. |
diagnose firewall packet distribution |
Show packet distribution statistics. |
execute reboot |
Reboot the device. |
Hardware
| Command | Description |
|---|---|
diagnose hardware sysinfo interrupts |
Show hardware interrupts statistics. |
diagnose hardware test suite all |
Execute a hardware diagnostic test, also known as an HQIP test. |
diagnose hardware deviceinfo disk |
Show disk information. |
diagnose sys flash list |
Show flash partitions. |
execute disk list |
Show available mounted disks. |
execute disk format <partition ref> |
Format the referenced partition. |
diagnose disktest device <device> |
Execute a disk check to check if disk is faulty. |
diagnose disktest block <block> |
Execute a disk check to check if disk is faulty. |
diagnose disktest size <mb> |
Execute a disk check to check if disk is faulty. |
diagnose disk test run |
Execute a disk check to check if disk is faulty. |
execute formatlogdisk |
Format the log disk. |
diagnose hardware sysinfo cpu |
Show CPU information. |
diagnose sys modem detect |
Detect the modem and start real-time debugging of the modem daemon. |
diagnose debug application modemd -1 |
Start real-time debugging of the modem daemon. |
diagnose debug enable |
Start real-time debugging of the modem daemon. |
FortiGuard
| Command | Description |
|---|---|
diagnose webfilter fortiguard statistics |
Show rating cache and daemon statistics. |
diagnose debug rating |
Show web filter rating server information. |
diagnose debug application update -1 |
Start debugging for updated daemon to troubleshoot FortiGuard update issues. |
diagnose debug enable |
Start debugging for updated daemon to troubleshoot FortiGuard update issues. |
execute update-now |
Execute the FortiGuard update manually. |
diagnose autoupdate status |
Show license information. |
diagnose autoupdate versions |
Show license information. |
Session table
| Command | Description |
|---|---|
diagnose sys session filter <filter> |
Set session table filters. |
diagnose sys session filter |
Show session filters, if set. |
diagnose sys session list |
Show session table after filtering. |
diagnose sys session clear |
Clear the session table for the specified filter. |
diagnose firewall iprope list |
Show FortiGate’s internal firewall table. |
Network Diagnostics
| Command | Description |
|---|---|
execute ping-options {options} |
Ping IP address |
execute ping <x.x.x.x> |
Ping IP address |
execute ssh-options {options} |
SSH to IP address |
execute ssh <x.x.x.x> |
SSH to IP address |
execute traceroute-options {options} |
Traceroute IP address |
execute traceroute <x.x.x.x> |
Traceroute IP address |
get system arp |
Show ARP entries. |
diagnose ip arp list |
Show ARP entries. |
diagnose netlink brctl list |
Show the names of all of the switches on the FortiGate. |
diagnose netlink brctl name host <switch-name> |
Show the switching table of the specified switch. |
get system interface |
Show a summary of interface details, including IP address information. |
get sys interface physical |
Show a summary of interface details, including IP address information. |
diagnose ip address list |
Show IP address information. |
diagnose hardware deviceinfo nic <interface> |
Show detailed interface information. |
get hardware nic <interface> |
Show detailed interface information. |
get sys interface transceiver |
Show connected transceivers. |
Packet Sniffer
| Command | Description |
|---|---|
diagnose sniffer packet <interface> <'filter'> <verbose> <count> <a\|l> |
Execute the inbuilt packet sniffer, filtered on a particular interface with the specified filter. For more information, see Performing a sniffer trace or packet capture. |
Debug Flow
| Command | Description |
|---|---|
diagnose debug reset |
Stop all the prior debugs that were enabled and running in the foreground or background. |
diagnose debug flow filter clear |
Clear any IPv4 debug flow filters. |
diagnose debug flow filter6 clear |
Clear any IPv6 debug flow filters. |
diagnose debug flow filter <filter> |
Set a filter for running IPv4 traffic debug flows. |
diagnose debug flow filter6 <filter> |
Set a filter for running IPv6 traffic debug flows. |
diagnose debug flow show function-name enable |
Show the function name of the code that the traffic accesses. |
diagnose debug flow show iprope enable |
Show which internal firewall policy that the traffic is going through. |
diagnose debug console timestamp enable |
Start printing timestamps on debugs. |
diagnose debug flow trace start <n> |
Show n lines of IPv4 debugs. |
diagnose debug flow trace start6 <n> |
Show n lines of IPv6 debugs. |
diagnose debug enable |
Start printing debugs in the console. |
UTM
| Command | Description |
|---|---|
diagnose debug urlfilter <filter> |
|
diagnose debug application urlfilter -1 |
|
diagnose debug enable |
Start real-time debugging for web filter traffic. |
diagnose debug enable |
|
diagnose test application urlfilter |
List the web filter debug outputs. |
diagnose test application urlfilter <option> |
Show the web filter debug output for the specified option. |
diagnose debug application dnsproxy -1 |
|
diagnose debug enable |
Start real-time debugging for DNS proxy. DNS proxy is responsible for DNS filter, DNS translation, DNS resolution etc. |
diagnose debug enable |
|
diagnose test application dnsproxy |
List the DNS proxy debug outputs. |
diagnose test application dnsproxy <option> |
Show the DNS proxy debug output for the specified option. |
diagnose ips filter set "host <x.x.x.x> and port <port>" |
|
diagnose ips debug enable all |
|
diagnose debug enable |
Start IPS engine debugs for Application Control and IPS Security profile |
diagnose ips debug enable av |
|
diagnose ips debug status show |
|
diagnose sys scanunit debug all enable |
|
diagnose sys scanunit debug level verbose |
|
diagnose sys scanunit debug show |
|
diagnose debug enable |
Start real-time debugging for antivirus profile when antivirus profile is configured in flow mode. |
diagnose wad debug enable category scan |
|
diagnose wad stream-scan av-test "debug enable" |
|
diagnose wad stream-scan av-test "debug all:debug" |
|
diagnose sys scanunit debug all enable |
|
diagnose sys scanunit debug level verbose |
|
diagnose sys scanunit debug show |
|
diagnose debug enable |
IPS Engine
| Command | Description |
|---|---|
diagnose test application ipsmonitor 1 |
Show IPS engine information |
diagnose test application ipsmonitor 2 |
Set the IPS engine enable/disable status. |
diagnose test application ipsmonitor 99 |
Restart all IPS engines and monitor. |
diagnose test application ipsmonitor 97 |
Start all IPS engines. |
diagnose test application ipsmonitor 98 |
Stop all IPS engines. |
diagnose ips session list |
Show the IPS sessions in each engine’s memory space. |
diagnose test application ipsmonitor 13 |
|
diagnose ips filter set "host <x.x.x.x> and port <port>" |
Show IPS engine debugs for the traffic specified by the filter. |
diagnose ips debug enable all |
|
diagnose debug enable |
WAD
| Command | Description |
|---|---|
diagnose test application wad 1000 |
Show all WAD processes. |
diagnose test application wad 2 |
Show total memory usage. |
diagnose test application wad 99 |
Restart all WAD processes. |
diagnose wad debug display pid enable |
Start real-time debugging of the traffic processed by WAD daemon. |
diagnose wad filter <filter> |
|
diagnose wad filter list |
|
diagnose wad debug enable level <level> |
|
diagnose wad debug enable category <category> |
|
diagnose debug enable |
|
diagnose wad filter <filter> |
Set the filter for the WAD debugs. |
diagnose wad filter list |
Show all the filters that have been set for debugging. |
diagnose wad filter clear |
Clear the WAD filter settings. |
diagnose wad debug enable level <level> |
Set the verbosity level of the debugs. |
diagnose wad debug enable category <category> |
Set the traffic category. |
diagnose wad debug display pid enable |
Show the WAS worker PID in debugs that handle the session request. |
diagnose debug enable |
Start printing debugs in the console. |
CPU Profiling
| Command | Description |
|---|---|
diagnose sys profile cpumask <cpu_id> |
Set the CPU core to profile. |
diagnose sys profile start |
Start CPU profiling and wait for one to two minutes to stop. |
diagnose sys profile stop |
Stop CPU profiling. |
diagnose sys profile module |
Show the applied kernel modules. |
diagnose sys profile show detail |
Show the CPU profiling result for the respective core. |
diagnose sys profile show order |
Tree
| Command | Description |
|---|---|
tree |
Show the entire command tree. |
tree execute |
Show the execute command tree. |
tree diagnose |
Show the diagnose command tree. |
Routing
IPv4 and IPv6 Routing
| Command | Description |
|---|---|
get router info routing-table all |
Show routing table. |
get router info routing-table database |
Show IPv4 and IPv6 routing database information. |
get router info6 routing-table database |
|
diagnose ip route list |
Show the IPv4 and IPv6 kernel routing table. |
get router info kernel |
|
diagnose ipv6 route list |
|
get router info6 kernel |
|
get router info protocols |
Show routing protocol information for IPv4 and IPv6. |
get router info6 protocols |
|
execute router restart |
Restart the routing daemon |
get router info ospf status |
Show OSPF status for IPv4 and IPv6. |
get router info6 ospf status |
|
get router info ospf neighbor |
Show OSPF neighbors for IPv4 and IPv6. |
get router info6 ospf neighbor |
|
get router info ospf database brief |
Show OSPF database in brief. |
get router info bfd neighbor |
Show BFD neighbors for IPv4 and IPv6. |
get router info6 bfd neighbor |
|
diagnose test application bfd 1 |
Show BFD statistics. |
diagnose test application bfd 2 |
|
diagnose test application bfd 3 |
|
diagnose debug application bfdd <debug level> |
Start real-time BFD debugging. |
diagnose debug enable |
|
get router info bgp summary |
Show BGP summary for IPv4 and IPv6. |
get router info6 bgp summary |
|
get router info bgp neighbors |
Show BGP peer and the advertised and received routes from the BGP peer. |
get router info6 bgp neighbors |
|
get router info bgp neighbors <x.x.x.x> advertised-routes |
- Substitute |
get router info6 bgp neighbors <x:x::x:x/m> advertised-routes |
- Substitute <x:x::x:x/m> with IPv6 address of the peer. |
get router info bgp neighbors <x.x.x.x> received-routes |
|
get router info6 bgp neighbors <x:x::x:x/m> received-routes |
|
get router info bgp neighbors <x.x.x.x> routes |
|
get router info6 bgp neighbors <x:x::x:x/m> routes |
|
diagnose ip router bgp all enable |
Start real-time BGP debugging. |
diagnose ip router bgp level info |
|
diagnose debug enable |
|
execute router clear bgp {all \| as <ASN> \| ip x.x.x.x \| ipv6 y:y:y:y:y:y:y:y} |
Execute a hard reset based on the specified parameters: |
| - all: all BGP peers | |
| - as |
|
| - ip x.x.x.x: BGP peer specified by IPv4 address (x.x.x.x) | |
| - ipv6 y:y:y:y:y:y:y:y: BGP peer specified by IPv6 address (y:y:y:y:y:y:y:y) | |
execute router clear bgp {all \| ip x.x.x.x \| ipv6 y:y:y:y:y:y:y:y} soft {in\|out} |
Executes soft reset based on the specified parameter: |
| - all: all BGP peers | |
| - ip x.x.x.x: BGP peer specified by IPv4 address (x.x.x.x) | |
| - ipv6 y:y:y:y:y:y:y:y: BGP peer specified by IPv6 address (y:y:y:y:y:y:y:y) | |
| - in: received BGP routes only | |
| - out: advertised BGP routes only | |
| - A soft reset will occur in both directions if neither in nor out is specified. | |
get router info ospf status |
Show OSPF status for IPv4 and IPv6. |
get router info6 ospf status |
|
get router info ospf interface |
Show OSPF running on interface for IPv4 and IPv6. |
get router info6 ospf interface |
|
get router info ospf neighbor all |
Show OSFP neighbor information for IPv4 and IPv6. |
get router info6 ospf neighbor all |
|
get router info ospf database brief |
Show OSPF database in brief for IPv4 and IPv6. |
get router info6 ospf database brief |
|
diagnose ip router ospf all enable |
Start real-time OSPF debugging. |
diagnose ip router ospf level info |
|
diagnose debug enable |
Multicast Routing
| Command | Description |
|---|---|
get router info multicast igmp interface |
Show IGMP statistics for an interface. |
get router info multicast igmp groups |
Show multicast groups subscribed to with IGMP. |
diagnose ip multicast get-igmp-limit |
Show maximum IGMP states. |
diagnose ip router igmp decode enable |
Start real-time debugging of IGMP daemon. |
diagnose ip router igmp level info |
|
diagnose debug console timestamp enable |
|
diagnose debug enable |
|
execute mrouter clear igmp-interface <interface> |
Clear all IGMP entries from one interface. |
execute mrouter clear igmp-group <group-address> |
Clear all IGMP entries for one or all groups. |
get router info multicast pim sparse-mode <interface> |
Show sparse-mode interface information. |
get router info multicast pim sparse-mode <neighbor> |
Show sparse-mode neighbor information. |
get router info multicast pim sparse-mode rp-mapping |
Show RP to group mapping information. |
get router info multicast pim sparse-mode table |
Show sparse-mode routing table. |
diagnose ip router pim-sm events enable |
Start real-time debugging of PIM sparse mode. |
diagnose ip router pim-sm all enable |
|
diagnose ip router pim-sm level info |
|
diagnose debug enable |
SD-WAN
| Command | Description |
|---|---|
diagnose sys sdwan health-check status |
Show SD-WAN health check statistics. |
diagnose sys sdwan service |
Show SD-WAN rules in control plane. |
diagnose sys sdwan member |
Show SD-WAN members. |
diagnose firewall proute list |
Show SDWAN rule and policy routes in the data plane. |
diagnose sys link-monitor status |
Show link monitoring statistics. |
diagnose sys link-monitor interface <interface> |
|
diagnose debug application link-monitor -1 |
Start real-time link monitor debugging. |
diagnose debug enable |
|
diagnose test application lnkmtd 1 |
Show link monitoring statistics. |
diagnose test application lnkmtd 2 |
|
diagnose test application lnkmtd 3 |
Authentication
| Command | Description |
|---|---|
diagnose firewall auth filter <filter> |
Set the filter used to list entries. |
diagnose firewall auth list |
List filtered, authenticated IPv4 users. |
diagnose wad user list |
List current users authenticated by proxy (wad daemon). |
diagnose debug application fnbamd -1 |
Start real-time debugging for remote and local authentication. |
diagnose debug application authd -1 |
|
diagnose debug enable |
|
diagnose test authserver <auth_protocol> <server_name> <user> <password> |
Test authentication directly from the CLI. Caution: The password is visible in clear text; be careful when capture this command to a log file. |
diagnose test authserver ldap <server_name> <user> <password> |
Test user authentication using an LDAP server. Caution: The password is visible in clear text; be careful when capture this command to a log file. |
diagnose test authserver radius <server_name> <auth_type> <user> <password> |
Test user authentication using a Radius server. Caution: The password is visible in clear text; be careful when capture this command to a log file. |
diagnose debug fsso-polling detail |
Show information about the polls from FortiGate to DC. |
diagnose debug fsso-polling summary |
|
diagnose debug fsso-polling user |
Show FSSO logged on users when Fortigate polls the DC. |
diagnose debug authd fsso list |
|
diagnose debug application fssod -1 |
Start real-time debugging when the FortiGate is used for FSSO polling. |
diagnose debug application smbcd -1 |
|
diagnose debug enable |
|
diagnose debug fsso-polling refresh-user |
Refresh the current logged on FSSO users and refresh the list. Caution: This command can cause an outage, use it carefully. |
execute fsso refresh |
|
diagnose debug authd fsso server-status |
Show current status of connection between FortiGate and the collector agent. |
diagnose debug application authd 8256 |
Start real-time debugging for the connection between FortiGate and the collector agent. |
diagnose debug enable |
|
diagnose debug authd fsso refresh-logons |
Resend the logged-on users list to FortiGate from the collector agent. |
diagnose debug application authd 8256 |
Start real-time debugging for the connection between FortiGate and the collector agent. |
diagnose debug enable |
|
diagnose debug application samld -1 |
Start real-time SAML debugging. |
diagnose debug enable |
VPN
IPsec
| Command | Description |
|---|---|
diagnose vpn ike gateway list |
Show IPsec phase 1 information. |
diagnose vpn tunnel list |
Show IPsec phase 2 information. |
get vpn ipsec tunnel summary |
Show summary and detailed information about IPsec tunnels. |
get vpn ipsec tunnel details |
|
diagnose vpn ipsec status |
Show information about encryption counters. |
diagnose vpn ike log filter <filter> |
Set a filter for IKE daemon debugs. |
diagnose debug application ike -1 |
Start real-time debugging of IKE daemon with the filter set. |
diagnose debug enable |
|
diagnose vpn ike restart |
Restart the IKE process. |
diagnose vpn ike counts |
Show other information, such as IKE counts, routes, errors, and statistics. |
diagnose vpn ike routes |
|
diagnose vpn ike errors |
|
diagnose vpn ike stats |
|
diagnose vpn ike status |
|
diagnose vpn ike crypto |
SSL VPN
| Command | Description |
|---|---|
diagnose vpn ssl debug-filter list |
Show any filters that are set for SSL VPN debug. |
diagnose vpn ssl debug-filter clear |
Clear any filters that are set for SSL VPN daemon debug. |
diagnose vpn ssl debug-filter <filter> |
Set a filter for SSL VPN debugs. |
diagnose debug application sslvpn -1 |
Start SSL VPN debugs for traffic that the filter is applied to. |
diagnose debug enable |
|
diagnose vpn ssl list |
Show the current SSL VPN sessions for both web and tunnel mode. |
get vpn ssl monitor |
|
execute vpn sslvpn list |
|
diagnose vpn ssl statistics |
Show the SSL VPN statistics. |
diagnose vpn ssl mux-stat |
|
execute vpn sslvpn list |
Show all SSL VPN web and tunnel mode connections. |
execute vpn sslvpn del-tunnel |
Disconnect the users from tunnel mode SSL VPN connection. |
execute vpn sslvpn del-web |
Disconnect the users from web mode SSL VPN connection. |
Managed Devices
Managed FortiSwitches
| Command | Description |
|---|---|
diagnose switch-controller switch-info mac-table |
Show managed FortiSwitch MAC address list. |
diagnose switch-controller switch-info port-stats |
Show managed FortiSwitch port statistics. |
diagnose switch-controller switch-info trunk status |
Show managed FortiSwitch trunk information. |
diagnose switch-controller switch-info mclag |
Show MCLAG related information from FortiSwitch. |
diagnose switch-controller switch-info poe |
Show POE-related information. |
diagnose switch-controller switch-info lldp |
Show LLDP-related information. |
diagnose switch-controller switch-info port-properties |
Show managed FortiSwitch port properties. |
diagnose switch-controller switch-info acl-counters |
Show managed FortiSwitch port ACL counters information. |
diagnose switch-controller switch-info pdu-counters-list |
Show managed FortiSwitch pdu-counters information. |
diagnose switch-controller switch-info flapguard |
Show managed FortiSwitch flapguard information. |
diagnose switch-controller switch-info qos-stats |
Show managed FortiSwitch QoS statistics. |
diagnose switch-controller switch-info modules |
Show modules related information from FortiSwitch. |
diagnose switch-controller switch-info stp |
Show managed FortiSwitch STP instance status. |
diagnose switch-controller switch-info bpdu-guard-status |
Show managed FortiSwitch STP BPDU guard status. |
diagnose switch-controller switch-info igmp-snooping |
Show managed FortiSwitch IGMP snooping information. |
diagnose switch-controller switch-info loop-guard |
Show managed FortiSwitch loop-guard status. |
diagnose switch-controller switch-info dhcp-snooping |
Show managed FortiSwitch DHCP snooping interface list. |
diagnose switch-controller switch-info arp-inspection |
Show managed FortiSwitch ARP inspection interface list. |
diagnose switch-controller switch-info option82-mapping |
Show managed FortiSwitch DHCP option 82 mapping information. |
diagnose switch-controller switch-info 802.1X |
Show managed FortiSwitch port 802.1X status. |
diagnose switch-controller switch-info 802.1X-dacl |
Show managed FortiSwitch port 802.1X dynamic ACL status. |
diagnose switch-controller switch-info mac-limit-violations |
Show managed FortiSwitch violated MACs information. |
diagnose switch-controller switch-info flow-tracking |
Show managed FortiSwitch flow information. |
diagnose switch-controller switch-info mirror |
Show managed FortiSwitch mirror information. |
diagnose switch-controller switch-info ip-source-guard |
Show managed FortiSwitch source guard information in hardware. |
diagnose switch-controller switch-info rpvst |
Show managed FortiSwitch STP port information when inter-operating with rapid PVST network. |
execute switch-controller get-conn-status <FortiSwitch-SN> |
Show FortiSwitch connection status. |
execute switch-controller get-physical-conn standard <FortiSwitch-SN> |
Show FortiLink connectivity graph. |
execute switch-controller diagnose-connection <FortiSwitch-SN> |
Show FortiSwitch connection diagnostics. |
Managed FortiAPs
| Command | Description |
|---|---|
diagnose wireless-controller wlac -c wtp |
Show information about the FortiAP devices. |
diagnose wireless-controller wlac -d wtp |
|
diagnose wireless-controller wlac -c sta |
Show information about the wireless clients connected to the FortiAP devices. |
diagnose wireless-controller wlac -d sta |
|
diagnose wireless-controller wlac help |
Show a list of debug options available for the wireless controller. |
diagnose wireless-controller wlac sta_filter |
Start real-time debugging of a wireless client/station that connects to the FortiAP. |
diagnose wireless-controller wlac sta_filter clear |
|
diagnose wireless-controller wlac sta_filter <aa:bb:cc:dd:ee:ff> 255 |
|
diagnose debug enable |
|
diagnose wireless-controller wlac -c vap |
Show virtual access point information, including its MAC address, BSSID, SSID, the interface name, and the IP address of the APs that are broadcasting it. |
diagnose wireless-controller wlac wtp_filter |
Show the wireless termination point (WTP), or FortiAP, debugging on the wireless controller if FortiAP is failing to connect to FortiGate. |
diagnose wireless-controller wlac wtp_filter clear |
|
diagnose wireless-controller wlac wtp_filter <FAP-SN> 0-<x.x.x.x>:5246 255 |
|
diagnose debug application cw_acd 0x7ff |
Other Services
High Availability
| Command | Description |
|---|---|
diagnose system ha status |
Show HA status and information. |
get system ha status |
|
execute ha manage <index> <username> |
Log into and manage a specific HA member. |
diagnose sys ha checksum cluster |
Show checksum information of all cluster members. |
diagnose sys ha checksum show <vdom> |
Show detailed checksum information for a VDOM. |
diagnose sys ha checksum recalculate |
Recalculate HA checksums. |
diagnose sys ha recalculate-extfile-signature |
Recalculate HA external files signatures. |
diagnose sys ha reset-uptime |
Reset the HA uptime. This is used to test failover. |
diagnose debug application hatalk -1 |
Start real-time debugging of HA daemons. |
diagnose debug application hasync -1 |
|
diagnose debug application harelay -1 |
|
diagnose debug enable |
|
diagnose sys ha history read |
Show HA history. |
execute ha synchronize stop |
Manually start and stop HA synchronization. |
execute ha synchronize start |
ZTNA
| Command | Description |
|---|---|
diagnose endpoint fctems test-connectivity <EMS> |
Test FortiGate to FortiClient EMS connectivity. |
execute fctems verify <EMS> |
Verify FortiClient EMS’s certificate. |
diagnose test application fcnacd 2 |
Show EMS connectivity information. |
diagnose debug application fcnacd -1 |
Start real-time debugging of FortiClient NAC daemon. |
diagnose debug enable |
|
diagnose endpoint record list <ip> |
Show the endpoint record list. Optionally, filter by the endpoint IP address. |
diagnose endpoint wad-comm find-by uid <uid> |
Query endpoints by client UID. |
diagnose endpoint wad-comm find-by ip-vdom <ip> <vdom> |
Query endpoints by the client IP-VDOM pair. |
diagnose wad dev query-by uid <uid> |
Query from WAD diagnose command by UID. |
diagnose wad dev query-by ipv4 <ip> |
Query from WAD diagnose command by IP address. |
diagnose firewall dynamic list |
Show EMS ZTNA tags and all dynamic IP and MAC addresses. |
diagnose test application fcnacd 7 |
Show the FortiClient NAC daemon ZTNA and route cache. |
diagnose test application fcnacd 8 |
|
diagnose wad debug display pid enable |
Start real-time debugging of the traffic processed by WAD daemon. |
diagnose wad filter <filter> |
|
diagnose wad filter list |
|
diagnose wad debug enable level <level> |
|
diagnose wad debug enable category <category> |
|
diagnose debug enable |
Logging
| Command | Description |
|---|---|
diagnose log test |
Generate logs for testing. |
execute log filter <filter> |
Set log filters. |
execute log filter |
Show log filters. |
exec log display |
Show filtered logs. |
execute log delete |
Delete filtered logs. |
diagnose debug application miglogd -1 |
Start real-time debugging of logging process miglogd. |
diagnose debug enable |
|
execute log fortianalyzer test-connectivity |
Test connectivity between FortiGate and FortiAnalyzer. |
Traffic Shaping
| Command | Description |
|---|---|
diagnose firewall shaper traffic-shaper list |
Show configured traffic shapers. |
diagnose firewall shaper traffic-shaper stats list |
Show traffic shaper statistics. |
SIP Session Helper
| Command | Description |
|---|---|
diagnose sys sip status |
Show SIP status. |
diagnose sys sip mapping list |
Show SIP mapping list. |
diagnose sys sip dialog list |
Show SIP dialogue list. |
diagnose debug application sip -1 |
Start real-time SIP debugging. |
diagnose debug enable |
SIP ALG
| Command | Description |
|---|---|
diagnose sys sip-proxy calls list |
Show list of active SIP proxy calls. |
diagnose sys sip-proxy stats |
Show SIP proxy statistics. |
diagnose sys sip-proxy session list |
Show SIP proxy session list. |
diagnose debug application sip -1 |
Start real-time SIP debugging. |
diagnose debug enable |
Source
This post is licensed under
CC BY 4.0
by the author.