FortiOS
Various FortiOS notes I've made for myself over the years.
I've been working with Fortinet firewalls now since v5.0.0. Mostly small deployments (F-60 class) but I have worked with larger devices. My main bread-and-butter firewalls was a cluster of FGT-300D units, which were replaced by a cluster of FGT-600F units. These clusters were run in a multi-customer environment without excessive reliance on vdoms. I've also worked with FGT-200F clusters in intercontinental scenarios and 10G scenarios.
v5.0.x
arp
(2015-04-20) Show the arp table: # get system arp
Backup ISP with some traffic selection
(2013-08-26) Problem: My scenario is that I have a FortiGate 60D with two ISPs: a static DSL, and...
crashlog
(2015-04-22) List the firewall's internal crashlog: # di de crashlog read
DHCP and PPPoE
Problem: Cannot set mode to DHCP or PPPoE when HA is on. It doesn't work. Note: this is ...
DHCP Client Leases
(2015-04-22) List the DHCP leases handed out on $INTERFACE. # exec dhcp lease-list $INTERFACE
DHCP Reservation
(2015-01-29) Warning: this method does not work in 5.2 (and presumably higher). config system dhc...
HA Cluster Member Firmware Revisions
(2014-11-20) Verify the firmware versions of cluster members: fw-ottawa-A # get syste...
Interface Duplex
(2013-12-17) Problem Need to force speed/duplex on a physical interface. Solution There's no GUI ...
Interface Mode
(2014-06-24) To set interface mode: make sure the default Internal interface has no DHCP server ...
Interface Status
(2015-04-01) Interface State Show IP, status, speed/duplex: get system interface physical Show p...
Memory Logging
(2015-03-12) Problem By default, baby firewalls (which seems to mean up to and including F90Ds ) ...
Packet Capture
(2013-07-18) Show information of packets seen on an interface: # diag sniffer packet internal non...
Radius Server Definition
(2014-06-14) On the smaller FortiGates, the GUI doesn't include the ability to define Radius serv...
Reset Admin Password
(2014-07-03) Problem Nobody remembers the password for a given admin account. We have another sup...
Reset to Factory Defaults
(2013-08-28) Reset To Factory Defaults You have two minutes from power reset to perform this task...
Routing Table
(2013-08-26) Display the routing table: # get router info routing-table all
Simple Commands
(2013-11-13) Ping # exec ping $TARGET Routes # get router info routing-table all
Syslog
(2014-08-22) To enable logging to a syslog server: config log syslogd setting set status enab...
Test Authentication Servers
Testing authentication These cli commands can help you test your radius or ldap server: # diag te...
v5.2.x
Configuration Preparation
(2015-08-24) This is the recipe that I use when configuring out-of-box systems for the first time...
DHCP Reservation
(2015-01-29) New way: config system dhcp server edit <instance_int> config reserved-address ...
Dual-WAN Gateways
Rules For Multiple Default Gateways If the two routes have different Administrative Distance set...
EXT3 fs error (device)
(2015-10-02) Problem: Error or errors like EXT3-fs error (device sd(8,1)): ext3_free_blocks: Free...
HA Cluster Status
(2015-09-14) Problem What's the status of my 5.2.x cluster? Solution Verify cluster status: fw-ot...
HA Cluster Synchronization
(2015-10-02) Problem Check synchronization status. Solution FGT_1# di sys ha clustercsum =======...
Management Access
(2015-08-13) Problem Need to enable remote management through the CLI. Solution config system int...
VoIP Clients with Fortigates
(2017-01-11) Problem VoIP Clients with FortiGates Solution Disable the SIP ALG config system sett...
VPN Fragmentation
(2017-04-12) Problem VPN throughput is slow and you suspect fragmentation. Solution You can influ...
VPN Tunnel Details
(2015-10-19) Problem I want details about a VPN tunnel. Solution # diag vpn tunnel list list all ...
v5.4.x
CLI Disk Scan FSCK
(2018-08-22) Problem It is a good idea to run a disk check before doing a firmware upgrade, espec...
CLI Upgrade Firmware
Problem Upgrading firmwares via the web UI is tedious, especially when you have 50 or 60+ of thes...
Connecting Multiple vDOMs to the same VLAN
(2018-02-26) Problem I have more vDOMs to connect to a VLAN than I have physical interfaces. (The...
CPU is pinned
(2018-06-11) Problem CPU on Fortigate is maxed out for a long period of time (hours, days). Solut...
Debug Flow
(2018-01-30) Debugging Flow Example: diag debug enable diag debug flow filter addr 203.160.224.97...
Debug Session
(2018-01-30) Session operations di sys session list Set a filter: di sys session filter di sys s...
Debug Sniffer
(2017-11-23) Problem Want to sniff traffic flow. Solution # diag sniffer packet <interface> <'fil...
Factory Reset
(2018-03-01) Problem The reset to factory settings using the GUI is not available in v5.4. Soluti...
Fixing HA Sync Problems
(2017-11-13) Problem: fgt300d-b (global) # get system ha status HA Health Status: OK Model: Forti...
Forticlient Registering To Fortigate
(2018-02-02) Problem My FortiClient users are getting prompted to "register" their FortiClients a...
List DHCP Client Leases
(2018-08-15) Problem Find the current list of DHCP clients for a Fortigate DHCP server. Solution ...
List SSLVPN Users
(2018-06-11) Problem List connected SSLVPN users. Solution exec vpn sslvpn list
RTC Power Status Failed
(2018-12-03) Problem Firewall doesn't boot. When you hook a console up to it, it says: Error: RTC...
SSLVPN Logs Out After 8 Hours
(2018-01-26) Problem SSLVPN disconnects after 8 hours. Solution config vpn ssl settings set auth-...
System Time
(2018-12-03) Problem Show system time on a FortiGate. Solution # exec time current time is: 19:0...
VPN Flapping Leads To Bogus Routing
(2018-01-30) Problem Two computers, A and B, trying to connect across a site-to-site VPN to compu...
Wifi Clients Connect But Can't Get DHCP Lease
(2019-04-17) Problem Wifi clients connect but can't get DHCP lease from either the Fortigate or f...
v5.6.x
BGP Neighbors
(2020-06-18) BGP Neighbor status? # get router info bgp neighbors … # get router info bgp neighbo...
BGP Sessions
(2020-06-24) Problem Soft-bounce bgp sessions. This should cause peers to hold on to the routes w...
DH Selection for VPNs
(2019-03-13) Problem What are the recommended settings for IPSEC VPNs? Updated 25 April 2023 IKE:...
FortiCloud Debug Commands
(2019-10-30) FortiCloud Debug Commands fgt300d-a (global) # di test app forticldd 1. dump fds set...
FortiOS LLDP
(2019-01-22) Solution So apparently FortiGates can do LLDP, you just have to turn it on. config s...
IPsec Not Passing Packets
(2019-09-12) Problem IPsec tunnel to another device (in this case, a Watchguard). Tunnel shows as...
List DHCP Clients CLI
(2019-02-13) Problem Using the CLI, list current assigned DHCP leases. Solution For interface "in...
Microsoft Office Whitelisting
(2020-03-13) Creating Whitelists For Microsoft Internet Services See: (https://docs.microsoft.com...
Routing Table
(2019-05-28) Problem Routing table? Solution get router info routing-table all get router info ...
SSH Pubkey Login
(2018-12-19) Problem Want SSH Pubkey authentication for my AD-backed administrative user. Specifi...
SSL Security Settings
(2019-03-13) Problem Standard configuration for (more) secure crypto Solution config sys global ...
SSLVPN DNS Suffix
(2019-03-13) Problem SSLVPN users have to use FQDNs instead of short names when connecting to off...
System Version from CLI
(2019-01-10) What firmware am I running? # get system status Version: FortiGate-60D v5.6.2,build1...
Traffic Shaping Policy
(2019-07-08) Problem Traffic shaping wtf? Solution In 5.6, traffic shaping was removed from IPv4 ...
v6.0.x
CLI Restore Configuration
(2020-09-14) CLI Restore Configuration > execute restore config tftp <filename> <ip> > execute re...
Displaying Logs From Console
(2021-07-20) Problem Display logs from a console session. Solution Select log source: # execute l...
iPerf3 on Fortigates
(2021-06-16) Limited iPerf3 on Fortigates # diag traffictest client-intf port1 <----- Defi...
IPSA self test failed, disable IPSA!
(2022-01-17) Problem IPSA self test failed, disable IPSA! Solution FW # conf ips global FW (globa...
LDAP lookup account considerations
(2022-02-08) Problem What do we have to do to permit the LDAP lookup account to be able to change...
List Connected Users
(2021-10-07) Problem Who's logged in from where? Solution # di firewall auth list
Read-Only Admin Profile
(2022-02-15) Problem I want a (or a bunch of) read-only admin(s) with global scope. Solution # co...
SD-WAN Diagnostics
(2022-06-17) Problem SD-WAN no workie. Solution You can probably figure out information from some...
VPN Debug
(2018-08-02) Problem Site to site VPN not coming up. Solution it depends what you would like to t...
VPN Tunnel Interface Address
(2020-01-11) Problem If you try to put an IP address on a VPN tunnel interface, the minimum netma...
Wifi 802.1x with LDAP Groups
(2019-04-10) Problem Wifi WPA/WPA2 access tests that depend on a LDAP (Active Directory) user gro...
v6.2.x
v6.4.x
v7.0.x
CLI Policy Lookup
(2024-02-06) Problem CLI way to duplicate the "policy lookup" tool Solution diagnose firewall ipr...
IPsec MTU Adjustments
MTU can be adjusted via three ways: Adjusting the MTU of the physical interface where the IPsec...
IPsec MTU Varies By Encryption Algorythm
(2024-11-13) Stronger encryption algorithms equals to lower MTU values. For example, the FortiGat...
Link Monitor
(2023-11-15) Example Link Monitor Configuration config system link-monitor edit "VLAN601" set src...
Looking at logs via CLI
(2024-11-28) fw # exec log filter category Category. device Device to ...