Fortigate Command Reference

Each entry below gives the command, its use, sample output where the original table had it, and remarks.

Command: execute ping 1.1.1.1
Use: Ping an IP address (1.1.1.1 in this case).

Command: execute traceroute 1.1.1.1
Use: Trace the route to an IP address.

Command: execute shutdown
Use: Shuts down the device.

Command: execute reboot
Use: Reboots the device.

Command: execute log filter dump
Use: Displays the current log display settings.
Output:
category: traffic
device: disk
start-line: 15
view-lines: 50
max-checklines: 1000

Command: execute log filter start-line 1
Command: execute log filter view-lines 100
Command: execute log filter max-checklines 50000
Use: Change the log display settings.
Remarks: start-line 1 sets the first line to be displayed to line 1; view-lines 100 sets the number of lines displayed to 100; max-checklines 50000 sets the number of lines checked to 50000.

Command: execute log filter category 0
Use: Sets the log display category to "traffic".
Remarks: Replace "0" with the number of the category whose log is required. Available categories:
16: netscan
10: application control
9: dlp
6: content
5: spam
4: ids
3: webfilter
2: virus
1: event
0: traffic

Command: execute log display
Use: Displays the log entries that match the settings configured with "execute log filter".

Command: get firewall address
Use: Lists the configured firewall addresses (names only, not the configuration).

Command: get firewall addrgrp
Use: Lists the configured address groups (names only, not the configuration).

Command: get firewall policy
Use: Lists the configured policies (summary only; use "show firewall policy" for the full configuration).

Command: get router info routing-table all
Use: Displays the entire routing table.

Command: get router info routing-table details 10.1.1.5
Use: Displays the route used to reach the specified IP (10.1.1.5 in this case).

Command: get router info routing-table static
Use: Displays the static routes.

Command: get router info routing-table connected
Use: Displays the directly connected routes.

Command: get router info routing-table {rip | ospf | bgp | isis}
Use: Displays the routes learnt by the chosen routing protocol.

Command: get system arp
Use: Displays the dynamically learnt IP-to-MAC mappings (the ARP cache).

Command: get system arp-table
Use: Displays the statically configured IP-to-MAC mappings.

Command: get system ha status
Use: Displays the high availability status of the Fortigate firewall.
Output:
FORTIGATE-FW-1 # get system ha status
Model: 300
Mode: a-p
Group: 0
Debug: 0
ses_pickup: enable, ses_pickup_delay=disable
Master:150 FORTIGATE-FW-1 AB-5KB3D10700369 1
Slave :200 FORTIGATE-FW-2 AB-5KB3D10800490 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 AB-5KB3D10700369
Slave :1 AB-5KB3D10800490
Remarks: Within a cluster, to determine whether the unit you are logged in to is the primary, first use "get system ha status" to read the serial number shown on the Master line, then use "get system status" (shown below) to read the serial number of the current unit. If the two match, you are on the primary. The "Current HA mode" line of "get system status" also states the unit's role directly and can be used as a cross-check.

Command: get system status
Use: Displays firewall information such as serial number, software version, signature database versions and HA role.
Output:
Version: Fortigate-5001B v4.0,build0458,110627 (MR3 Patch 1)
Virus-DB: 11.00679(2010-04-09 13:44)
Extended DB: 1.00234(2010-04-09 16:38)
Extreme DB: 1.00234(2010-04-09 16:37)
IPS-DB: 3.00000(2011-05-18 15:09)
FortiClient application signature package: 1.421(2011-09-14 20:27)
Serial-Number: AB-5KB3D10700369
BIOS version: 04000004
Log hard disk: Available
Hostname: AB-5KB3D10700369
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, master
Distribution: International
Branch point: 458
Release Version Information: MR3 Patch 1
FortiOS x86-64: Yes
System time: Wed Sep 14 20:53:41 2011

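The primary-detection procedure described in the remarks of "get system ha status" and "get system status", as an added shell example that is not part of the original page. The two outputs are constructed from the sample output shown above; on a real unit they would be captured over SSH (for example with ssh admin@firewall 'get system ha status'). The parser assumes the primary's serial is the field before the last one on the first "Master:" line and that hostnames contain no spaces, which holds for the sample output.

```shell
#!/bin/sh
# Added example: decide whether the unit we are logged in to is the HA primary
# by comparing the serial on the "Master:" line of "get system ha status" with
# the Serial-Number reported by "get system status", then cross-check against
# the "Current HA mode" line. Sample outputs are constructed from this page.

HA_STATUS='Model: 300
Mode: a-p
Group: 0
Debug: 0
ses_pickup: enable, ses_pickup_delay=disable
Master:150 FORTIGATE-FW-1 AB-5KB3D10700369 1
Slave :200 FORTIGATE-FW-2 AB-5KB3D10800490 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 AB-5KB3D10700369
Slave :1 AB-5KB3D10800490'

# "get system status" as seen on each cluster member (only the lines we need)
SYS_STATUS_FW1='Serial-Number: AB-5KB3D10700369
Hostname: AB-5KB3D10700369
Current HA mode: a-p, master'

SYS_STATUS_FW2='Serial-Number: AB-5KB3D10800490
Hostname: AB-5KB3D10800490
Current HA mode: a-p, slave'

# Serial of the cluster primary: on the first "Master:" line the layout is
# "Master:<priority> <hostname> <serial> <index>", so the serial is $(NF-1).
# Assumes the hostname contains no spaces (true for the sample output).
ha_primary_serial() {
    printf '%s\n' "$1" | awk '/^Master:/ { print $(NF - 1); exit }'
}

# Serial of the unit whose "get system status" output is passed in
local_serial() {
    printf '%s\n' "$1" | awk -F': *' '/^Serial-Number:/ { print $2; exit }'
}

# Role the unit reports about itself ("master" or "slave" on this firmware)
reported_role() {
    printf '%s\n' "$1" | awk -F', *' '/^Current HA mode:/ { print $2; exit }'
}

# Prints "primary" or "secondary". Returns 1 if a serial cannot be parsed and
# 2 if the serial comparison disagrees with the unit's own status line, which
# would mean the HA view is stale or the outputs came from different units.
local_ha_role() {
    ha_out=$1
    status_out=$2
    primary=$(ha_primary_serial "$ha_out")
    me=$(local_serial "$status_out")
    if [ -z "$primary" ] || [ -z "$me" ]; then
        echo "could not parse serial numbers" >&2
        return 1
    fi
    if [ "$primary" = "$me" ]; then role=primary; else role=secondary; fi
    case "$(reported_role "$status_out")" in
        master|primary)  reported=primary ;;
        slave|secondary) reported=secondary ;;
        *)               reported=unknown ;;
    esac
    if [ "$reported" != unknown ] && [ "$reported" != "$role" ]; then
        echo "role mismatch: serial says $role, status line says $reported" >&2
        return 2
    fi
    printf '%s\n' "$role"
}

local_ha_role "$HA_STATUS" "$SYS_STATUS_FW1"   # primary
local_ha_role "$HA_STATUS" "$SYS_STATUS_FW2"   # secondary
```

The cross-check matters in practice: a unit that was primary when you captured "get system ha status" may have failed over by the time you act on the result, and the mismatch return code is the signal to re-read both commands before running anything that should only happen on the primary.
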
Command: get vpn ssl settings
Use: Displays the SSL VPN settings.
Output:
sslvpn-enable : enable
sslv3 : enable
dns-server1 : 10.1.1.1
dns-server2 : 10.1.1.2
route-source-interface: disable
reqclientcert : disable
sslv2 : disable
force-two-factor-auth: disable
force-utf8-login : disable
allow-unsafe-legacy-renegotiation: disable
servercert : self-sign
algorithm : default
idle-timeout : 300
auth-timeout : 28800
tunnel-ip-pools:
== [ SSL-VPN-POOL ]
name: SSL-VPN-POOL
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
url-obscuration : disable
http-compression : disable
port : 443
Remarks: "sslv3 : enable" means the portal still accepts SSLv3, which is obsolete (POODLE) and should be disabled alongside sslv2. "servercert : self-sign" means clients cannot validate the server certificate, so users are trained to click through warnings; install a certificate from a CA the clients trust. "allow-unsafe-legacy-renegotiation: disable" is the correct setting and should stay that way.

Command: show firewall ippool
Use: Displays the IP pool configuration.
Output:
config firewall ippool
    edit "nat_pool"
        set endip 192.168.1.10
        set startip 192.168.1.10
    next
end
Remarks: startip equals endip here, so every session source-NATed through this pool uses 192.168.1.10 as its source address.

Command: show firewall policy
Use: Displays all the configured policies.
Output:
config firewall policy
    edit 1024
        set srcintf "port10"
        set dstintf "port11"
        set srcaddr "ip-10.1.1.5" "ip-10.1.1.6"
        set dstaddr "ip-11.11.11.5"
        set action accept
        set schedule always
        set service "HTTP" "HTTPS"
        set status enable
        set logtraffic enable
        set comments "Test Policy"
        set nat enable
        set ippool enable
        set poolname "nat_pool"
    next
end
Remarks: Policy 1024 allows HTTP and HTTPS from the two source addresses on port10 to ip-11.11.11.5 on port11, source-NATs the sessions to the address in nat_pool, and logs the traffic. Policies are evaluated top-down and the first match wins, so the position of a policy matters as much as its contents.

Command: show firewall service custom
Use: Displays all the user-defined services.
Output:
config firewall service custom
    edit "TCP-8443-8445"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 8443-8445
        set comment "Test Service"
    next
end

Command: show firewall service group
Use: Displays the configured service groups.
Output:
config firewall service group
    edit "HTTP-SERVICES"
        set member "HTTP" "HTTPS" "TCP-8443"
        set comment "HTTP Ports"
    next
end

Command: show firewall vip
Use: Displays the virtual IP configuration.
Output:
config firewall vip
    edit "vip_172.16.1.50"
        set extip 200.1.1.10
        set extintf "port10"
        set mappedip 172.16.1.50
    next
end
Remarks: The VIP maps the external address 200.1.1.10 on port10 to the internal host 172.16.1.50 (destination NAT). Traffic is only forwarded once a firewall policy references the VIP as its destination address, so check the policy as well when troubleshooting a published service.

Command: show router static
Use: Shows the static route configuration.
Output:
config router static
    edit 10
        set device "port10"
        set dst 172.16.1.0 255.255.255.0
        set gateway 192.168.3.2
        set distance 1
    next
end

Command: show system arp-table
Use: Shows the static IP-to-MAC configuration.
Output:
config system arp-table
    edit 1
        set interface "port10"
        set ip 172.16.1.12
        set mac 00:09:0f:69:00:7c
    next
end

Command: show system interface
Use: Shows the configured interfaces.
Output:
config system interface
    edit "port10"
        set vdom "root"
        set allowaccess http https ssh telnet
        set type physical
        set status down
        set ip 172.16.1.15 255.255.255.0
        set mtu 1500
        set speed 100full
    next
end
Remarks: allowaccess lists the administrative protocols the interface accepts. http and telnet carry credentials in cleartext and should be removed from any interface reachable by untrusted hosts, leaving https and ssh. "set status down" means the port is administratively disabled.

Command: show system dns
Use: Shows the DNS settings.
Output:
config system dns
    set primary 4.2.2.2
    set secondary 8.8.8.8
end

Command: show system global
Use: Shows the global firewall settings such as the management ports.
Output:
config system global
    set admin-scp enable
    set admin-port 80
    set admin-sport 443
    set dst disable
    set fgd-alert-subscription advisory latest-threat
    set fwpolicy-implicit-log enable
    set hostname "Certvides-FW"
    set timezone 25
end
Remarks: admin-port is the HTTP administrative port and admin-sport the HTTPS one; which interfaces actually accept them is governed by each interface's allowaccess. admin-scp enable allows the configuration to be downloaded over SCP with administrator credentials. fwpolicy-implicit-log enable logs traffic dropped by the implicit deny policy, which is useful when troubleshooting missing policies. dst refers to daylight saving time.

Command: show system sflow
Use: Shows the sFlow settings.
Output:
config system sflow
    set collector-ip 10.1.1.1
    set collector-port 2055
end
Remarks: The IANA-registered sFlow port is 6343; 2055 (commonly used for NetFlow) is what this sample uses, so make sure the collector is listening on whatever port is configured here.

Command: show system snmp community
Use: Shows the SNMP community settings.
Output:
config system snmp community
    edit 1
        set events cpu-high mem-low fm-if-change
        config hosts
            edit 1
                set ip 10.1.1.1 255.255.255.255
            next
        end
        set name "certvideos"
        set trap-v1-status disable
        set trap-v2c-status disable
    next
end
Remarks: The community string is the only credential for SNMPv1/v2c and travels in cleartext, so restricting the permitted hosts (here a single /32) is what limits who can query the device. events lists the conditions that generate traps; with both trap statuses disabled no traps are sent.

Command: show vpn ipsec phase1-interface
Use: Shows the phase 1 interfaces configured for IPsec VPN tunnels.
Output:
config vpn ipsec phase1-interface
    edit "test_vpn"
        set interface "port10"
        set dhgrp 2
        set keylife 3600
        set proposal 3des-sha1 aes128-sha1
        set authmethod psk
        set dpd disable
        set ike-version 1
        set ip-version 4
        set keepalive 10
        set mode main
        set nattraversal enable
        set remote-gw 172.16.1.50
        set psksecret ENC ASDavbdgfadfadf
    next
end
Remarks: 3DES and DH group 2 (1024-bit MODP) are deprecated; prefer AES proposals and DH group 14 or higher on both peers. The ENC marker shows that the pre-shared key is stored in encoded form rather than in clear, but a configuration backup still contains it and must be handled as a secret.

Command: show vpn ipsec phase2-interface
Use: Shows the phase 2 interfaces configured for IPsec VPN tunnels.
Output:
config vpn ipsec phase2-interface
    edit "test_vpn_phase2"
        set phase1name "test_vpn"
        set proposal 3des-sha1 aes128-sha1
        set keepalive enable
        set pfs enable
        set src-addr-type ip
        set dst-addr-type ip
        set keylifeseconds 3600
        set src-start-ip 172.16.1.10
        set dst-start-ip 172.16.1.100
    next
end
Remarks: The phase 2 proposal list is negotiated independently of phase 1, so remove 3des-sha1 here as well; "set pfs enable" is the right choice because it keeps the phase 2 keys independent of the phase 1 exchange.

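The weak settings called out in the remarks of the "show system interface", "get vpn ssl settings", "show vpn ipsec phase1-interface" and "show vpn ipsec phase2-interface" entries can be checked mechanically. The following is an added shell example, not code from the page or from Fortinet. It audits "show"-style configuration text for cleartext management protocols, SSLv3, DES/3DES or MD5 proposals and DH groups below 14. The sample configuration is constructed from the excerpts on this page; the "config vpn ssl settings" block is written to match the "get vpn ssl settings" output, and the hardened counterpart assumes proposal names such as aes256-sha256 that depend on the firmware version.

```shell
#!/bin/sh
# Added example: audit FortiGate "show" output for weak management and VPN
# settings. The config text below is constructed from the samples on this page;
# on a real unit it would come from "show full-configuration" captured over SSH.

SAMPLE_CONFIG='config system interface
    edit "port10"
        set vdom "root"
        set allowaccess http https ssh telnet
        set type physical
        set ip 172.16.1.15 255.255.255.0
    next
end
config vpn ssl settings
    set sslv3 enable
    set servercert "self-sign"
    set port 443
end
config vpn ipsec phase1-interface
    edit "test_vpn"
        set interface "port10"
        set dhgrp 2
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.16.1.50
    next
end
config vpn ipsec phase2-interface
    edit "test_vpn_phase2"
        set phase1name "test_vpn"
        set proposal 3des-sha1 aes128-sha1
        set pfs enable
    next
end'

# The same objects with the weak settings removed, for comparison. The
# proposal names are assumed; check what the installed firmware offers.
HARDENED_CONFIG='config system interface
    edit "port10"
        set allowaccess https ssh
    next
end
config vpn ssl settings
    set sslv3 disable
end
config vpn ipsec phase1-interface
    edit "test_vpn"
        set dhgrp 14
        set proposal aes256-sha256 aes128-sha256
    next
end
config vpn ipsec phase2-interface
    edit "test_vpn_phase2"
        set proposal aes256-sha256 aes128-sha256
    next
end'

# Reads config text on stdin and prints one finding per line (nothing if clean).
# Only top-level "config ..." lines switch the section, so nested blocks such as
# "config hosts" inside an SNMP community do not confuse the parser.
audit_config() {
    awk '
    /^config /  { section = substr($0, 8) }
    /^ *edit /  { name = $2; gsub(/"/, "", name) }
    /^ *set allowaccess / && section == "system interface" {
        for (i = 3; i <= NF; i++)
            if ($i == "http" || $i == "telnet")
                printf "interface %s: cleartext management protocol %s allowed\n", name, $i
    }
    /^ *set sslv3 enable/ && section == "vpn ssl settings" {
        print "ssl vpn: SSLv3 enabled (obsolete, vulnerable to POODLE)"
    }
    /^ *set proposal / && section ~ /^vpn ipsec phase[12]-interface$/ {
        for (i = 3; i <= NF; i++)
            if ($i ~ /^(des|3des)-/ || $i ~ /-md5$/)
                printf "ipsec %s: weak proposal %s\n", name, $i
    }
    /^ *set dhgrp / && section == "vpn ipsec phase1-interface" {
        for (i = 3; i <= NF; i++)
            if ($i + 0 < 14)
                printf "ipsec %s: DH group %s is below 2048-bit strength\n", name, $i
    }'
}

printf '%s\n' "$SAMPLE_CONFIG" | audit_config     # six findings
printf '%s\n' "$HARDENED_CONFIG" | audit_config   # prints nothing
```

Because the checks key on section names from top-level "config" lines, the same function can be pointed at a complete "show full-configuration" dump; adding a rule is a matter of one more awk pattern guarded by the section it belongs to.
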
Command: diagnose vpn tunnel up <phase2-name>
Use: Manually brings up the phase 2 tunnel named in the argument.
Remarks: Example: diagnose vpn tunnel up certvideos-tunnel-phase2

The above Fortigate command reference is only a partial list. For a full list of commands and syntax, please refer to the official Fortigate documentation located at http://docs.fortinet.com/fgt.html
Getting started with Fortigate is a recommended book for learning about Fortigate configuration and commands
If you think I've missed something that should be in here, leave a comment and I'll be glad to include that in the list. All information and/or output available on this page is from publicly available information on the Internet.