If you administer FortiGate firewalls in production environments, mastering the Command Line Interface (CLI) is one of the fastest ways to improve operational efficiency. While the graphical interface in FortiOS is intuitive for day-to-day management, many advanced administrative tasks, troubleshooting procedures, automation workflows, and disaster recovery operations are considerably faster and more precise through the CLI.
Experienced firewall administrators rarely depend exclusively on the GUI. During high-pressure incidents such as VPN outages, routing failures, High Availability (HA) failovers, CPU spikes, or unexpected traffic drops, the CLI provides immediate visibility into the firewall’s internal state. Commands such as diagnose, get, show, and execute expose information that is either unavailable or difficult to locate in the graphical interface.
This comprehensive guide brings together 75 essential FortiGate CLI commands every firewall administrator should know in 2026. Rather than presenting a simple list, each command includes its purpose, syntax, practical example, expected output, and real-world use case. Whether you are preparing for Fortinet certification, managing enterprise networks, or supporting multi-site environments with SD-WAN, IPSec VPN, SSL VPN, VLANs, OSPF, BGP, and Security Fabric, this guide serves as a practical reference for both daily administration and advanced troubleshooting.
Why Every FortiGate Administrator Should Master CLI
Many engineers begin managing FortiGate appliances through the web interface. However, as deployments grow in complexity, relying solely on the GUI becomes limiting. Enterprise environments often require automation, scripting, rapid diagnostics, and configuration management—areas where the CLI excels.
Some tasks are significantly easier or only possible through the CLI:
- Viewing detailed routing information
- Capturing live packet traces
- Monitoring real-time sessions
- Performing advanced debugging
- Backing up and restoring configurations
- Troubleshooting VPN negotiations
- Diagnosing High Availability synchronization
- Automating repetitive administrative tasks
- Verifying Security Fabric connectivity
- Collecting logs for technical support
From an operational perspective, CLI proficiency reduces Mean Time to Resolution (MTTR), minimizes configuration errors, and supports Infrastructure as Code (IaC) practices commonly adopted by NetDevOps teams.
Key Benefits of Using the FortiGate CLI
| Benefit | Practical Value |
|---|---|
| Faster troubleshooting | Immediate access to diagnostic information |
| Complete visibility | Displays low-level system details unavailable in the GUI |
| Automation friendly | Supports scripting and orchestration |
| Remote administration | Efficient management over SSH |
| Disaster recovery | Enables rapid backup and restoration |
| Enterprise scalability | Essential for large multi-site deployments |
| Certification preparation | Frequently tested in NSE/FCP/FCE exams |
FortiGate CLI Basics
Before working with commands, it’s important to understand how the FortiGate CLI is organized. The interface follows a structured hierarchy that separates operational commands from configuration commands.
Ways to Access the CLI
Administrators typically connect using one of the following methods:
| Access Method | Typical Use Case |
|---|---|
| Console Cable | Initial deployment and recovery |
| SSH | Daily remote administration |
| Web GUI CLI Console | Quick administrative tasks |
| FortiManager | Centralized enterprise management |
| Automation Scripts | Configuration deployment |
SSH is generally recommended because it provides secure remote administration and supports automation tools such as Ansible, Terraform wrappers, and Python scripts.
CLI Modes
FortiGate uses several command contexts.
| Mode | Purpose |
|---|---|
| Operational | Execute monitoring commands |
| Configuration | Modify firewall settings |
| Diagnostic | Troubleshooting |
| Debug | Advanced analysis |
Understanding which mode a command belongs to prevents accidental configuration changes during production maintenance.
Common CLI Navigation Commands
| Command | Purpose |
|---|---|
? | Show available options |
Tab | Auto-complete command |
Up Arrow | Previous command |
Down Arrow | Next command |
Ctrl+C | Cancel current operation |
These shortcuts become invaluable when navigating lengthy configuration hierarchies.
Understanding FortiGate Command Families
FortiGate commands are organized into several primary families. Recognizing the purpose of each family helps administrators locate the right command more quickly.
| Command Family | Purpose |
|---|---|
get | Display current system information |
show | Display configuration |
config | Enter configuration mode |
edit | Modify an object |
set | Assign values |
unset | Remove values |
next | Save current object |
end | Exit configuration mode |
execute | Perform operational actions |
diagnose | Troubleshoot and inspect system state |
get vs show
This distinction often confuses new administrators.
| Command | Displays |
|---|---|
get | Runtime system information |
show | Saved configuration |
For example:
get system status Displays the current operational status.
Whereas:
show system interface Displays the configured interfaces stored in the running configuration.
Command Syntax Explained
Most FortiGate CLI commands follow a predictable structure.
Configuration Workflow
config firewall policy edit 10 set name "Internet Access" set srcintf "LAN" set dstintf "WAN" next end This workflow consists of:
- Entering a configuration section.
- Selecting or creating an object.
- Modifying parameters.
- Saving the object.
- Exiting configuration mode.
Maintaining this sequence helps prevent incomplete or inconsistent configurations.
75 Essential FortiGate CLI Commands
The commands in this guide are grouped by administrative function. This first part focuses on the most frequently used System Administration commands that every FortiGate administrator should know.
System Administration Commands
Command 1 — Display System Status
Purpose
Displays comprehensive information about the appliance, including FortiOS version, serial number, uptime, licensing status, and operational mode.
Syntax
get system status Example
FGT01 # get system status Typical Output
- Hostname
- Version
- Build number
- Serial number
- Current operation mode
- Virtual domains
- System time
- Uptime
Real-World Use Case
This is usually the first command executed when connecting to an unfamiliar firewall. It immediately confirms firmware version, licensing, HA role, and operational status.
Command 2 — Display System Performance
Purpose
Provides an overview of CPU utilization, memory usage, sessions, and system health.
Syntax
get system performance status Example
get system performance status Practical Use
Before investigating network issues, administrators often verify whether high CPU or memory utilization is contributing to degraded performance.
Command 3 — View Current Time
Purpose
Displays the current system date and time.
Syntax
get system status Why It Matters
Incorrect time settings can cause:
- VPN failures
- Authentication problems
- Certificate validation errors
- Log inconsistencies
Always verify time synchronization before troubleshooting security services.
Command 4 — Check Firmware Version
Purpose
Identifies the installed FortiOS version.
Syntax
get system status Example Output
Version: FortiGate-200F v7.4.x Practical Use
Support engineers typically request firmware information before beginning troubleshooting because command behavior can differ between FortiOS releases.
Command 5 — Display Hostname
Syntax
get system status Use Case
Verifies that administrators are connected to the correct production firewall before making configuration changes.
Command 6 — Display Interface Summary
Purpose
Lists interfaces and their operational state.
Syntax
get system interface Practical Example
get system interface Why It Matters
This command quickly identifies:
- Down interfaces
- Incorrect IP addresses
- Administrative shutdowns
- VLAN assignments
Command 7 — Display ARP Table
Purpose
Shows learned MAC-to-IP mappings.
Syntax
get system arp Real-World Use
Useful when diagnosing Layer 2 connectivity problems or verifying neighboring devices.
Command 8 — Display Routing Table
Purpose
Shows all active routes.
Syntax
get router info routing-table all Example
get router info routing-table all Practical Use
One of the most frequently used commands during routing incidents involving static routes, OSPF, or BGP.
Command 9 — Display Default Route
Syntax
get router info routing-table details Use Case
Confirms which gateway is currently forwarding Internet-bound traffic.
Command 10 — Display DNS Settings
Purpose
Shows configured DNS servers.
Syntax
get system dns Practical Importance
DNS misconfiguration often causes software updates, FortiGuard communication failures, and authentication issues.
Command 11 — Test Network Connectivity
Purpose
Tests reachability to another host.
Syntax
execute ping <IP_Address> Example
execute ping 8.8.8.8 Common Scenario
Before investigating routing or VPN issues, verify basic IP connectivity.
Command 12 — Perform a Traceroute
Purpose
Displays the network path to a destination.
Syntax
execute traceroute <Destination> Example
execute traceroute 1.1.1.1 Real-World Use
Helps identify routing loops, ISP issues, or asymmetric paths.
Command 13 — Restart the Firewall
Purpose
Performs a controlled reboot.
Syntax
execute reboot Best Practice
Always save configuration changes and notify stakeholders before rebooting production devices.
Command 14 — Shut Down the Appliance
Syntax
execute shutdown Use Case
Recommended before planned hardware maintenance or physical relocation.
Command 15 — Back Up Configuration
Purpose
Exports the running configuration.
Syntax
execute backup config Why It Matters
Regular backups are a fundamental component of disaster recovery, change management, and compliance frameworks.
Command 16 — Restore Configuration
Purpose
Imports a previously saved configuration.
Syntax
execute restore config Practical Use
Used after hardware replacement, lab migrations, or recovery from configuration corruption.
Command 17 — List Logged-In Administrators
Purpose
Displays active administrative sessions.
Syntax
get system admin list Example
get system admin list Operational Benefit
Before making major changes, verify whether other administrators are simultaneously working on the firewall.
Command 18 — Display Current Configuration
Purpose
Displays the complete running configuration.
Syntax
show Practical Use
Useful for audits, documentation, and configuration reviews.
Command 19 — Display Configuration of a Specific Section
Purpose
Shows configuration for a selected feature.
Syntax
show firewall policy Example
show firewall policy Practical Use
Allows administrators to inspect only the relevant portion of the configuration without scrolling through thousands of lines.
Command 20 — Save Configuration Changes
Purpose
Completes configuration changes and exits configuration mode.
Syntax
end Example
config system interface edit port1 set alias "LAN Interface" next end Best Practice
Always verify the resulting configuration after issuing end, particularly when modifying production firewalls. A quick review helps confirm that intended changes have been committed correctly and reduces the risk of introducing configuration drift.
Key Takeaways
The first 20 commands form the foundation of effective FortiGate administration. They cover system visibility, operational health, connectivity testing, routing verification, configuration management, and safe administrative workflows. Mastering these commands enables administrators to diagnose common issues rapidly, validate system state before implementing changes, and establish a solid operational baseline before moving on to more advanced topics such as interfaces, firewall policies, VPNs, NAT, SD-WAN, High Availability, and deep diagnostic commands, which are covered in the next part of this guide.
Interface Configuration Commands
Network interfaces are the foundation of every FortiGate deployment. Whether you are configuring physical interfaces, VLANs, loopbacks, or aggregate links, understanding the CLI provides greater flexibility than relying solely on the graphical interface.
The following commands cover the most common interface administration tasks performed in production environments.
Command 21 — Display Interface Configuration
Purpose
Displays the saved configuration for all interfaces.
Syntax
show system interface Example
show system interface Real-World Use Case
Before modifying an interface, administrators typically review its current configuration to avoid overwriting existing settings.
Command 22 — Configure an Interface IP Address
Purpose
Assigns an IPv4 address to a physical interface.
Syntax
config system interface edit port1 set ip 192.168.10.1 255.255.255.0 next end Practical Use
Common during initial firewall deployment or when creating new network segments.
Command 23 — Enable Administrative Access
Purpose
Defines which management protocols are permitted on an interface.
Syntax
config system interface edit port1 set allowaccess ping https ssh snmp next end Best Practice
Only enable the management protocols actually required. Avoid exposing Telnet or HTTP in production environments.
Command 24 — Create a VLAN Interface
Purpose
Creates an IEEE 802.1Q VLAN.
Syntax
config system interface edit VLAN100 set interface port1 set vlanid 100 set ip 192.168.100.1 255.255.255.0 next end Real-World Use Case
Used extensively in enterprise campus networks, data centers, branch offices, and SD-WAN deployments.
Command 25 — Display Interface Status
Purpose
Displays operational status, speed, duplex, and link information.
Syntax
diagnose hardware deviceinfo nic port1 Practical Use
Ideal for identifying:
- Link failures
- Duplex mismatches
- Speed negotiation problems
- Interface errors
Routing Commands
Routing issues account for a significant percentage of firewall support cases. The following commands help administrators validate routing behavior and troubleshoot traffic flow.
Command 26 — Display Static Routes
Purpose
Shows configured static routes.
Syntax
show router static Practical Use
Useful after migration projects or Internet circuit changes.
Command 27 — Configure a Static Route
Syntax
config router static edit 1 set dst 0.0.0.0 0.0.0.0 set gateway 192.168.1.1 set device port1 next end Best Practice
Always verify route priority and administrative distance before deploying redundant Internet connections.
Command 28 — Display OSPF Information
Purpose
Displays learned OSPF routes and neighbor information.
Syntax
get router info ospf neighbor Practical Use
Useful during routing convergence troubleshooting.
Command 29 — Display BGP Neighbors
Syntax
get router info bgp summary Typical Use
Verifies:
- Established sessions
- Prefix counts
- Neighbor uptime
- Session resets
Command 30 — Verify the Routing Decision
Purpose
Determines which route FortiGate will use for a destination.
Syntax
diagnose ip route list Practical Use
One of the fastest ways to verify why traffic is leaving through an unexpected interface.
Firewall Policy Commands
Firewall policies control traffic flow through the appliance. These commands are among the most frequently used by security administrators.
Command 31 — Display Firewall Policies
Syntax
show firewall policy Practical Use
Allows administrators to review policy order, interfaces, NAT settings, and security profiles.
Command 32 — Create a Firewall Policy
Syntax
config firewall policy edit 100 set name "Internet Access" set srcintf "LAN" set dstintf "WAN" set srcaddr "all" set dstaddr "all" set action accept set schedule always set service ALL set nat enable next end Best Practice
Always apply the principle of least privilege rather than allowing unrestricted access.
Command 33 — Display Address Objects
Syntax
show firewall address Real-World Use Case
Helpful during firewall audits and migration projects.
Command 34 — Create an Address Object
Syntax
config firewall address edit Server01 set subnet 192.168.50.10 255.255.255.255 next end Practical Use
Using named objects instead of raw IP addresses improves policy readability and simplifies future maintenance.
Command 35 — Display Service Objects
Syntax
show firewall service custom Practical Use
Verifies custom services used by specialized enterprise applications.
NAT Commands
Network Address Translation is fundamental to Internet connectivity, server publishing, and multi-WAN deployments.
Command 36 — Configure Source NAT
Syntax
config firewall policy edit 100 set nat enable next end Practical Use
Allows internal clients to access external networks using translated addresses.
Command 37 — Configure a Virtual IP (VIP)
Purpose
Publishes internal servers to external networks.
Syntax
config firewall vip edit WebServer set extip 203.0.113.10 set mappedip 192.168.10.20 next end Typical Use
Publishing:
- Web servers
- Mail servers
- VPN gateways
- Remote desktop services
Command 38 — Display Virtual IP Configuration
Syntax
show firewall vip Practical Use
Useful during troubleshooting of inbound connectivity issues.
Command 39 — Display Central NAT Configuration
Syntax
show firewall central-snat-map Best Practice
Verify Central NAT rules after firmware upgrades because processing order directly affects traffic behavior.
Command 40 — Verify Active Sessions
Purpose
Displays active firewall sessions.
Syntax
diagnose sys session list Practical Use
One of the most valuable troubleshooting commands available.
Administrators use it to verify:
- NAT translations
- Session states
- Policy IDs
- Source and destination addresses
- Timeout values
VPN Commands
Virtual Private Networks remain one of the primary services hosted on FortiGate appliances. These commands help verify tunnel health and simplify troubleshooting.
Command 41 — Display IPSec Tunnel Status
Syntax
diagnose vpn tunnel list Practical Use
Shows:
- Tunnel state
- Encryption algorithms
- SPI values
- Peer IP addresses
- Packet counters
Command 42 — Restart an IPSec Tunnel
Syntax
diagnose vpn tunnel reset Practical Use
Useful after changing Phase 1 or Phase 2 parameters without rebooting the firewall.
Command 43 — Display SSL VPN Settings
Syntax
show vpn ssl settings Real-World Use Case
Confirms authentication portals, address pools, and portal mappings.
Command 44 — Display VPN Phase 1 Configuration
Syntax
show vpn ipsec phase1-interface Why It Matters
Allows engineers to verify:
- Authentication methods
- Peer addresses
- Encryption proposals
- Dead Peer Detection (DPD)
- Interface bindings
Command 45 — Display VPN Phase 2 Configuration
Syntax
show vpn ipsec phase2-interface Practical Use
Verifies:
- Encryption domains
- Perfect Forward Secrecy (PFS)
- Lifetime values
- Proposal mismatches
Practical Administration Workflow
The commands covered in this section are often executed together during routine administration. The following workflow illustrates a common sequence when deploying a new branch office.
| Step | Task | Primary Command |
|---|---|---|
| 1 | Configure LAN interface | config system interface |
| 2 | Create VLANs | edit VLAN |
| 3 | Configure static route | config router static |
| 4 | Verify routing | get router info routing-table all |
| 5 | Create address objects | config firewall address |
| 6 | Create firewall policies | config firewall policy |
| 7 | Enable NAT | set nat enable |
| 8 | Configure IPSec VPN | config vpn ipsec phase1-interface |
| 9 | Verify tunnel status | diagnose vpn tunnel list |
| 10 | Validate sessions | diagnose sys session list |
Following a structured workflow minimizes configuration errors and ensures that dependencies—such as interfaces, routes, objects, policies, and VPNs—are implemented in the correct order.
Common Mistakes During Interface and Policy Configuration
Even experienced administrators occasionally encounter avoidable issues. The following practices help reduce operational risk.
| Mistake | Potential Impact | Recommended Practice |
|---|---|---|
| Modifying production interfaces without backups | Network outage | Export configuration before changes |
| Allowing unnecessary management protocols | Increased attack surface | Restrict to HTTPS and SSH where possible |
| Using IP addresses directly in policies | Difficult maintenance | Use address objects |
| Creating overly permissive firewall rules | Security exposure | Apply least-privilege access |
| Ignoring policy order | Unexpected traffic blocking | Review rule sequence before deployment |
| Forgetting NAT settings | Loss of Internet connectivity | Verify NAT requirements for each policy |
| Overlapping static routes | Unpredictable forwarding | Validate administrative distance and priority |
| Inconsistent VPN proposals | Tunnel negotiation failures | Standardize encryption and authentication settings |
Key Takeaways
Commands 21 through 45 introduce the operational tasks that firewall administrators perform most frequently: configuring interfaces, validating routing, creating firewall policies, managing NAT, and maintaining VPN connectivity. Together, these commands form the core of day-to-day FortiGate administration and provide the foundation for secure, scalable network deployments.
In the next part of this guide, we will cover commands 46 through 75, focusing on High Availability (HA), SD-WAN, user authentication, security profiles, monitoring, logging, packet diagnostics, debugging, performance analysis, automation, troubleshooting workflows, and advanced operational best practices that distinguish experienced FortiGate administrators from beginners.
High Availability (HA) Commands
High Availability (HA) is a critical capability in enterprise FortiGate deployments. By clustering two or more firewalls, organizations can achieve redundancy, minimize downtime, and ensure business continuity during hardware failures, maintenance windows, or unexpected outages.
When troubleshooting HA environments, administrators frequently use the following commands to verify cluster health, synchronization, heartbeat status, and failover readiness.
Command 46 — Display High Availability Status
Purpose
Displays the current HA cluster status, including the primary and secondary units, synchronization state, cluster uptime, and operating mode.
Syntax
get system ha status Example
FGT-HA # get system ha status Typical Output
The output typically includes:
- HA Mode (Active-Passive or Active-Active)
- Cluster Group ID
- Primary unit
- Secondary members
- Synchronization status
- Cluster uptime
- Heartbeat interfaces
Real-World Use Case
After scheduled maintenance or firmware upgrades, administrators should always verify that every cluster member has successfully rejoined the HA cluster and that configuration synchronization is complete.
Command 47 — Display HA Checksum
Purpose
Compares configuration synchronization between HA members.
Syntax
diagnose sys ha checksum cluster Practical Use
A checksum mismatch often indicates configuration drift between cluster members, which may lead to unexpected failovers or inconsistent policy behavior.
Command 48 — Display HA Heartbeat Status
Purpose
Displays heartbeat interface statistics.
Syntax
diagnose sys ha status Why It Matters
Heartbeat failures are one of the most common causes of unnecessary HA failovers. This command helps verify heartbeat communication and detect interface problems before they impact production traffic.
Command 49 — Force HA Failover
Purpose
Transfers the primary role to another cluster member.
Syntax
execute ha failover set 1 Best Practice
Only perform manual failovers during approved maintenance windows or controlled testing. Always notify stakeholders before initiating the operation.
Command 50 — Verify HA Synchronization
Purpose
Confirms that all cluster members have synchronized configurations.
Syntax
diagnose sys ha status Practical Use
Following policy changes, firmware upgrades, or interface modifications, this command ensures that every node is operating with identical configurations.
SD-WAN Commands
Software-Defined Wide Area Networking (SD-WAN) has become a standard feature in modern FortiGate deployments. The CLI provides detailed visibility into SD-WAN health, performance, and member status.
Command 51 — Display SD-WAN Status
Purpose
Shows the operational status of the SD-WAN configuration.
Syntax
get system sdwan Practical Use
Administrators use this command to verify:
- Active members
- Performance SLA status
- Link priorities
- Traffic steering decisions
Command 52 — Display SD-WAN Health
Purpose
Displays health check results for WAN members.
Syntax
diagnose sys sdwan health-check Typical Output
Health checks generally include:
- Latency
- Packet loss
- Jitter
- Reachability
- SLA compliance
Real-World Use Case
This command quickly identifies degraded ISP circuits before users begin reporting application performance issues.
Command 53 — Display SD-WAN Members
Purpose
Lists all interfaces participating in the SD-WAN zone.
Syntax
show system sdwan Practical Use
Useful when validating newly added Internet circuits or verifying interface priorities after configuration changes.
User Authentication Commands
Enterprise firewalls frequently integrate with authentication platforms such as LDAP, RADIUS, TACACS+, Microsoft Active Directory, and FortiAuthenticator. The following commands assist with user authentication verification.
Command 54 — Display Authentication Settings
Syntax
show user setting Practical Use
Verifies the global authentication configuration before troubleshooting remote access or identity-based firewall policies.
Command 55 — Display Active Authenticated Users
Purpose
Lists users currently authenticated to the firewall.
Syntax
diagnose firewall auth list Typical Information
The output commonly includes:
- Username
- Source IP address
- Authentication method
- Login duration
- Group membership
Real-World Use Case
During remote access support calls, administrators can immediately determine whether a user’s authentication request has successfully reached the firewall.
Security Profile Commands
FortiGate’s Next-Generation Firewall capabilities depend heavily on security profiles such as IPS, Antivirus, Application Control, Web Filtering, DNS Filtering, SSL Inspection, and Data Loss Prevention (DLP).
Command 56 — Display IPS Configuration
Purpose
Displays Intrusion Prevention System settings.
Syntax
show ips sensor Practical Use
Useful for confirming which IPS sensors are assigned to firewall policies.
Command 57 — Display Antivirus Profiles
Syntax
show antivirus profile Why It Matters
Ensures malware inspection profiles are correctly configured before troubleshooting blocked downloads or email scanning.
Command 58 — Display Web Filter Profiles
Syntax
show webfilter profile Practical Use
Allows administrators to verify:
- Category filtering
- URL filters
- Safe Search enforcement
- HTTPS inspection dependencies
Command 59 — Display Application Control Profiles
Syntax
show application list Real-World Use Case
When users report that applications such as Microsoft Teams, Zoom, Dropbox, or BitTorrent are unexpectedly blocked, this command helps identify the responsible Application Control profile.
Monitoring and Performance Commands
Effective firewall administration requires continuous monitoring of resource utilization. Performance-related commands allow administrators to identify bottlenecks before they affect production services.
Command 60 — Display Real-Time System Processes
Purpose
Displays CPU utilization, memory consumption, and active processes in real time.
Syntax
diagnose sys top Example
diagnose sys top Typical Output
Administrators can monitor:
- CPU utilization
- Memory usage
- Running processes
- Process IDs
- CPU-intensive services
- Memory allocation
Real-World Use Case
During periods of high CPU utilization, this command quickly identifies processes responsible for resource consumption. For example, unusually high IPS, antivirus, SSL inspection, or routing processes may indicate excessive traffic loads, configuration issues, or ongoing security events requiring further investigation.
Monitoring Workflow for Production Firewalls
The following operational workflow helps administrators perform a structured health assessment before escalating incidents.
| Step | Verification | Recommended Command |
|---|---|---|
| 1 | Verify system health | get system status |
| 2 | Check CPU and memory | diagnose sys top |
| 3 | Verify interfaces | get system interface |
| 4 | Review routing | get router info routing-table all |
| 5 | Confirm HA synchronization | get system ha status |
| 6 | Validate SD-WAN health | diagnose sys sdwan health-check |
| 7 | Review authenticated users | diagnose firewall auth list |
| 8 | Verify IPSec tunnels | diagnose vpn tunnel list |
| 9 | Review active sessions | diagnose sys session list |
| 10 | Escalate to advanced diagnostics if required | diagnose debug commands |
Following this sequence allows administrators to eliminate common infrastructure issues before moving into deeper packet analysis or debugging.
Expert Best Practices
Experienced FortiGate administrators consistently apply several operational practices to reduce risk and improve troubleshooting efficiency:
- Verify the firmware version before executing version-specific commands.
- Export a configuration backup before making production changes.
- Confirm HA synchronization after modifying firewall policies or interfaces.
- Monitor SD-WAN health proactively rather than waiting for user reports.
- Use descriptive names for interfaces, address objects, services, and policies to simplify troubleshooting.
- Apply the principle of least privilege when creating firewall rules and administrative access policies.
- Validate routing decisions before assuming VPN or firewall policy problems.
- Document significant configuration changes as part of change management procedures.
- Periodically review security profiles to ensure they align with current organizational security policies and compliance requirements.
Key Takeaways
Commands 46 through 60 extend the administrator’s toolkit beyond basic configuration into enterprise operations. High Availability commands help maintain resilient firewall clusters, SD-WAN commands provide visibility into multi-WAN performance, authentication commands simplify identity troubleshooting, security profile commands verify advanced threat protection settings, and monitoring commands expose the firewall’s real-time operational health.
In the final part of this guide, we will cover Commands 61 through 75, including advanced logging, diagnostic and debug commands, packet capture techniques, automation recommendations, CLI best practices, GUI versus CLI comparisons, troubleshooting workflows, frequently asked questions, and publication-ready SEO metadata to complete this comprehensive FortiGate CLI reference.
Logging and Diagnostic Commands
Comprehensive logging and diagnostics are essential for maintaining the security, availability, and performance of a FortiGate firewall. While dashboard widgets provide a high-level overview, the CLI offers significantly deeper visibility into sessions, packet processing, routing decisions, authentication events, VPN negotiations, and system performance.
The following commands are among the most valuable tools used by experienced firewall administrators during production troubleshooting.
Command 61 — Display System Event Logs
Purpose
Displays system-related log entries, including administrator logins, configuration changes, interface events, and system notifications.
Syntax
execute log display Practical Use
This command is often used immediately after an incident to determine:
- Administrative login activity
- Configuration changes
- Interface state transitions
- HA events
- System alerts
Real-World Use Case
Suppose Internet connectivity is interrupted immediately after a maintenance window. Reviewing system logs can quickly reveal whether an administrator modified routing, firewall policies, or interface configurations before the outage occurred.
Command 62 — Display Forward Traffic Logs
Purpose
Displays traffic logs generated by firewall policies.
Syntax
execute log display | grep traffic Practical Use
Forward traffic logs help determine:
- Whether traffic matched a firewall policy
- Which policy processed the session
- Source and destination addresses
- Service information
- Session actions (Accept or Deny)
Best Practice
Always verify that logging is enabled within the firewall policy; otherwise, expected traffic entries will not appear.
Command 63 — Capture Live Packets
Purpose
Captures packets traversing a specified interface in real time.
Syntax
diagnose sniffer packet any "host 192.168.10.10" 4 Example
diagnose sniffer packet port1 "host 8.8.8.8" 4 Explanation
The packet sniffer displays:
- Source IP
- Destination IP
- Protocol
- Port numbers
- Packet direction
- Interface information
Real-World Use Case
Packet captures are invaluable when users report intermittent connectivity problems. Administrators can immediately verify whether packets are arriving at the firewall, leaving the correct interface, or being dropped before reaching their destination.
Command 64 — Display Active Firewall Sessions
Purpose
Displays all active sessions currently tracked by the FortiGate session table.
Syntax
diagnose sys session list Practical Use
Session information includes:
- Source address
- Destination address
- NAT translation
- Policy ID
- Interface information
- Session timers
- Protocol state
Why It Matters
Nearly every advanced troubleshooting scenario eventually involves examining the session table. Whether diagnosing NAT, asymmetric routing, VPN traffic, or policy matching, session information provides invaluable insight.
Command 65 — Filter the Session Table
Purpose
Limits displayed sessions based on a specified IP address.
Syntax
diagnose sys session filter src 192.168.10.25 diagnose sys session list Additional Filters
Administrators may filter by:
- Source IP
- Destination IP
- Interface
- Port
- Policy ID
- Protocol
Practical Use
Filtering dramatically reduces output in large enterprise environments that may contain hundreds of thousands of concurrent sessions.
Advanced Diagnose Commands
The diagnose command family provides low-level operational visibility that extends well beyond the capabilities of the graphical interface. These commands are indispensable during advanced troubleshooting.
Command 66 — Display Routing Lookup Results
Purpose
Shows the route selected for a destination address.
Syntax
diagnose ip route list Practical Use
Administrators use this command to verify:
- Route selection
- Administrative distance
- Next-hop gateway
- Outgoing interface
Real-World Scenario
If traffic exits through the wrong ISP in a multi-WAN deployment, this command helps determine whether the routing table is responsible or whether SD-WAN policy steering is influencing the forwarding decision.
Command 67 — Perform Flow Debugging
Purpose
Displays how FortiGate processes traffic through its packet flow engine.
Syntax
diagnose debug enable diagnose debug flow trace start 10 Example
diagnose debug reset diagnose debug flow filter addr 192.168.10.100 diagnose debug flow trace start 20 diagnose debug enable Typical Information
Flow debugging reveals:
- Route lookup results
- Firewall policy matching
- NAT processing
- Session creation
- Interface selection
- Drop reasons
Expert Insight
Flow debugging is considered one of the most powerful troubleshooting capabilities available in FortiOS. Rather than guessing why traffic is failing, administrators can observe each stage of packet processing and identify the precise point at which the firewall accepts or rejects the connection.
Command 68 — Display Process-Level Resource Usage
Purpose
Provides detailed information about CPU utilization and running system processes.
Syntax
diagnose sys top-summary Typical Output
The command reports:
- Overall CPU utilization
- Memory consumption
- Process counts
- Interrupt activity
- System load
- Resource allocation
Practical Use
Unlike basic performance summaries, this command offers a broader view of system resource utilization and is particularly useful when investigating intermittent performance degradation.
Common Troubleshooting Workflow Using Commands 61–68
Experienced FortiGate administrators rarely rely on a single command when diagnosing issues. Instead, they follow a structured process that narrows the scope of investigation and minimizes unnecessary configuration changes.
| Step | Investigation | Recommended Command |
|---|---|---|
| 1 | Verify system events | execute log display |
| 2 | Review traffic logs | execute log display |
| 3 | Confirm session creation | diagnose sys session list |
| 4 | Filter specific sessions | diagnose sys session filter |
| 5 | Verify routing decision | diagnose ip route list |
| 6 | Capture packets | diagnose sniffer packet |
| 7 | Trace packet flow | diagnose debug flow |
| 8 | Review CPU and process health | diagnose sys top-summary |
Following this workflow allows administrators to determine whether an issue is related to routing, firewall policies, NAT, interface connectivity, VPN processing, or system resource constraints before making production changes.
Best Practices for Logging and Diagnostics
Effective troubleshooting depends not only on knowing the commands but also on applying them methodically. Consider the following recommendations:
- Enable logging for critical firewall policies to ensure sufficient visibility during incident investigations.
- Clear any previous debug filters before starting a new troubleshooting session to avoid misleading results.
- Use packet captures with specific filters rather than capturing all traffic, which can overwhelm the console and consume system resources.
- Review routing information before modifying firewall policies, as many connectivity issues originate from incorrect routing decisions.
- Filter session output whenever possible to reduce analysis time in environments with large numbers of concurrent connections.
- Disable debugging immediately after collecting the required information to prevent unnecessary CPU utilization.
- Document diagnostic findings alongside change records to support future troubleshooting and knowledge sharing.
Key Takeaways
Commands 61 through 68 provide the visibility needed to investigate complex networking and security issues. System and traffic logs reveal historical events, packet captures confirm whether traffic reaches the firewall, session tables expose active connection states, routing diagnostics explain forwarding decisions, and flow debugging uncovers exactly how FortiGate processes packets. Together, these commands form the foundation of effective incident response and advanced operational troubleshooting.
In the final section of this guide, we will cover Commands 69 through 75, advanced debug techniques, automation recommendations, CLI best practices, GUI versus CLI comparisons, a comprehensive troubleshooting checklist, frequently asked questions, publication-ready SEO metadata, and the concluding recommendations that complete this definitive FortiGate CLI reference.
Advanced Debug and Automation Commands
The final group of commands focuses on advanced debugging, configuration automation, backup validation, and operational efficiency. While administrators may not use these commands every day, they become indispensable during major incidents, firmware upgrades, enterprise migrations, and proactive maintenance.
Command 69 — Reset Debug Configuration
Purpose
Clears any previously configured debug filters and settings before starting a new troubleshooting session.
Syntax
diagnose debug reset Practical Use
Always execute this command before enabling a new debug session. Residual filters from earlier troubleshooting can produce misleading output and complicate root cause analysis.
Command 70 — Disable Debugging
Purpose
Stops all active debugging processes.
Syntax
diagnose debug disable Best Practice
Leaving debug enabled unnecessarily can increase CPU utilization and generate excessive console output. Disable debugging immediately after collecting the required information.
Command 71 — Display Configuration Changes
Purpose
Review the current configuration for auditing or change verification.
Syntax
show full-configuration Practical Use
This command is particularly useful after:
- Major firewall migrations
- Firmware upgrades
- Security audits
- Change management reviews
- Disaster recovery testing
Compared to a standard show, the full configuration provides additional default values that may influence system behavior.
Command 72 — Export Configuration via TFTP
Purpose
Creates an external configuration backup.
Syntax
execute backup config tftp FortiGate_Backup.conf 192.168.10.5 Real-World Use Case
Organizations implementing disaster recovery plans typically schedule regular configuration exports to secure backup repositories.
Expert Recommendation
Maintain multiple backup generations and store them separately from the firewall itself. Configuration backups should be encrypted and protected according to organizational security policies.
Command 73 — Verify FortiGuard Connectivity
Purpose
Confirms communication with FortiGuard services.
Syntax
diagnose debug rating Practical Use
When IPS signatures, Antivirus updates, Web Filtering categories, or Application Control databases fail to update, this command assists in determining whether connectivity to FortiGuard services is functioning correctly.
Command 74 — Display Running Configuration for a Specific Feature
Purpose
Displays configuration for an individual feature without reviewing the complete firewall configuration.
Syntax
show firewall policy Other common examples include:
show router static show vpn ipsec phase1-interface show system interface Practical Use
Reviewing only the relevant configuration section improves troubleshooting efficiency and simplifies peer reviews during change management.
Command 75 — Exit the CLI
Purpose
Ends the administrative CLI session.
Syntax
exit Best Practice
Always close administrative sessions after completing maintenance activities, particularly when connected through shared management workstations or jump servers.
GUI vs CLI: Which Should You Use?
Both the FortiGate graphical interface and CLI have important roles in firewall administration. Understanding when to use each improves operational efficiency.
| Task | GUI | CLI |
|---|---|---|
| Initial deployment | Excellent | Excellent |
| Policy creation | Excellent | Good |
| Interface configuration | Excellent | Excellent |
| VPN troubleshooting | Moderate | Excellent |
| Packet capture | Limited | Excellent |
| Session analysis | Limited | Excellent |
| Routing verification | Moderate | Excellent |
| Automation | Limited | Excellent |
| Large-scale configuration | Moderate | Excellent |
| Performance diagnostics | Moderate | Excellent |
| Deep debugging | Limited | Excellent |
Practical Guidance
Use the GUI when:
- Creating new policies
- Reviewing dashboards
- Performing routine administration
- Training junior engineers
Use the CLI when:
- Troubleshooting production issues
- Investigating VPN failures
- Diagnosing routing problems
- Performing packet captures
- Collecting information for vendor support
- Automating repetitive tasks
In mature enterprise environments, experienced administrators routinely combine both interfaces rather than treating them as competing management methods.
FortiGate CLI Best Practices
Adopting consistent operational practices reduces risk and simplifies ongoing administration.
Before Making Changes
- Export a configuration backup.
- Verify the active firewall in HA deployments.
- Review the current configuration before editing.
- Confirm the FortiOS version if using version-specific commands.
- Schedule maintenance windows for production environments.
During Configuration
- Use descriptive names for interfaces, policies, address objects, and services.
- Follow organizational naming standards.
- Apply the principle of least privilege.
- Validate syntax before exiting configuration mode.
- Document significant configuration changes.
After Configuration
- Verify routing and connectivity.
- Test firewall policies.
- Confirm VPN status.
- Check HA synchronization.
- Review system logs for unexpected events.
- Update operational documentation.
Automation Recommendations
Modern enterprise networks increasingly integrate FortiGate firewalls into Infrastructure as Code (IaC) and NetDevOps workflows. Although manual CLI administration remains valuable, automation improves consistency and reduces human error.
Common automation approaches include:
| Tool | Typical Use Case |
|---|---|
| Ansible | Configuration deployment |
| Terraform | Infrastructure provisioning |
| Python | Custom automation scripts |
| REST API | Integration with enterprise platforms |
| FortiManager | Centralized policy management |
| Git | Configuration version control |
| Jenkins | CI/CD pipelines |
| GitHub Actions | Automated deployment workflows |
Recommended Automation Workflow
- Export the current configuration.
- Store configuration files in a version-controlled repository.
- Validate proposed changes in a laboratory environment.
- Deploy using approved automation tools.
- Verify production health using CLI commands.
- Monitor logs after deployment.
- Maintain rollback procedures for every production change.
Common CLI Mistakes
Even experienced administrators occasionally encounter preventable issues.
| Mistake | Consequence | Recommendation |
|---|---|---|
| Editing the wrong firewall | Production outage | Verify hostname and serial number first |
| Forgetting configuration backups | Difficult recovery | Export backups before every maintenance activity |
| Leaving debug enabled | Increased CPU utilization | Disable debugging immediately after use |
| Ignoring HA synchronization | Cluster inconsistency | Verify synchronization after changes |
| Overlooking policy order | Unexpected traffic behavior | Review rule sequence carefully |
| Using “allow all” policies | Security exposure | Implement least-privilege access |
| Neglecting routing validation | Connectivity failures | Check routing before modifying policies |
| Inconsistent object naming | Difficult administration | Adopt standardized naming conventions |
Enterprise Troubleshooting Workflow
The following structured process reflects how experienced firewall engineers investigate production issues.
| Step | Action | Recommended Commands |
|---|---|---|
| 1 | Verify system health | get system status |
| 2 | Review CPU and memory | diagnose sys top |
| 3 | Confirm interface status | get system interface |
| 4 | Validate routing | get router info routing-table all |
| 5 | Review firewall policies | show firewall policy |
| 6 | Verify NAT configuration | show firewall vip |
| 7 | Check VPN tunnels | diagnose vpn tunnel list |
| 8 | Review sessions | diagnose sys session list |
| 9 | Capture packets | diagnose sniffer packet |
| 10 | Perform flow debugging | diagnose debug flow |
| 11 | Review logs | execute log display |
| 12 | Disable debugging | diagnose debug disable |
Following a repeatable methodology reduces troubleshooting time, minimizes unnecessary configuration changes, and improves operational consistency across engineering teams.
Frequently Asked Questions
What are the most important FortiGate CLI commands?
The commands most administrators use daily include:
get system statusdiagnose sys topget router info routing-table allshow firewall policydiagnose vpn tunnel listdiagnose sys session listdiagnose sniffer packetdiagnose debug flowexecute pingexecute traceroute
Is the CLI better than the GUI?
Neither interface is universally better. The GUI simplifies routine administration, while the CLI provides superior visibility, troubleshooting capabilities, automation support, and access to advanced features.
Are CLI commands the same across FortiOS versions?
Most commands remain consistent across FortiOS releases. However, some commands, parameters, and output formats change between major versions. Always consult the documentation for your installed FortiOS release before implementing production changes.
Is CLI knowledge necessary for Fortinet certification?
Yes. Professional-level Fortinet certifications expect candidates to understand CLI navigation, troubleshooting, configuration, and diagnostic procedures in addition to GUI administration.
Can FortiGate CLI be automated?
Absolutely. FortiGate supports automation through REST APIs, Ansible, Python, Terraform, FortiManager, and other orchestration platforms commonly used in enterprise environments.
Conclusion
Mastering the FortiGate Command Line Interface is one of the most valuable investments a firewall administrator can make. While graphical management simplifies many routine tasks, the CLI remains the primary interface for advanced troubleshooting, performance analysis, automation, disaster recovery, and enterprise-scale operations.
The 75 commands presented throughout this guide represent the foundation of effective FortiGate administration. Together, they cover system management, interface configuration, routing, firewall policies, NAT, VPNs, High Availability, SD-WAN, authentication, security profiles, monitoring, logging, packet analysis, debugging, and operational best practices.
Rather than memorizing every command, focus on understanding when and why each command is appropriate. As your operational experience grows, these commands will become part of a structured troubleshooting methodology that reduces downtime, accelerates incident resolution, and improves the overall security and reliability of your network infrastructure.
Whether you are preparing for a Fortinet certification, supporting enterprise data centers, managing branch office deployments, or implementing NetDevOps automation, developing strong CLI proficiency will continue to be a valuable skill throughout your networking and cybersecurity career.

