FortiGate CLI Commands: 75 Essential Commands Every Firewall Administrator Should Know (2026 Guide)

FortiGate firewall administrator using essential CLI commands for FortiOS management, VPN troubleshooting, routing, SD-WAN, High Availability, and enterprise network security.

If you administer FortiGate firewalls in production environments, mastering the Command Line Interface (CLI) is one of the fastest ways to improve operational efficiency. While the graphical interface in FortiOS is intuitive for day-to-day management, many advanced administrative tasks, troubleshooting procedures, automation workflows, and disaster recovery operations are considerably faster and more precise through the CLI.

Experienced firewall administrators rarely depend exclusively on the GUI. During high-pressure incidents such as VPN outages, routing failures, High Availability (HA) failovers, CPU spikes, or unexpected traffic drops, the CLI provides immediate visibility into the firewall’s internal state. Commands such as diagnose, get, show, and execute expose information that is either unavailable or difficult to locate in the graphical interface.

This comprehensive guide brings together 75 essential FortiGate CLI commands every firewall administrator should know in 2026. Rather than presenting a simple list, each command includes its purpose, syntax, practical example, expected output, and real-world use case. Whether you are preparing for Fortinet certification, managing enterprise networks, or supporting multi-site environments with SD-WAN, IPSec VPN, SSL VPN, VLANs, OSPF, BGP, and Security Fabric, this guide serves as a practical reference for both daily administration and advanced troubleshooting.

Why Every FortiGate Administrator Should Master CLI

Many engineers begin managing FortiGate appliances through the web interface. However, as deployments grow in complexity, relying solely on the GUI becomes limiting. Enterprise environments often require automation, scripting, rapid diagnostics, and configuration management—areas where the CLI excels.

Some tasks are significantly easier or only possible through the CLI:

  • Viewing detailed routing information
  • Capturing live packet traces
  • Monitoring real-time sessions
  • Performing advanced debugging
  • Backing up and restoring configurations
  • Troubleshooting VPN negotiations
  • Diagnosing High Availability synchronization
  • Automating repetitive administrative tasks
  • Verifying Security Fabric connectivity
  • Collecting logs for technical support

From an operational perspective, CLI proficiency reduces Mean Time to Resolution (MTTR), minimizes configuration errors, and supports Infrastructure as Code (IaC) practices commonly adopted by NetDevOps teams.

Key Benefits of Using the FortiGate CLI

BenefitPractical Value
Faster troubleshootingImmediate access to diagnostic information
Complete visibilityDisplays low-level system details unavailable in the GUI
Automation friendlySupports scripting and orchestration
Remote administrationEfficient management over SSH
Disaster recoveryEnables rapid backup and restoration
Enterprise scalabilityEssential for large multi-site deployments
Certification preparationFrequently tested in NSE/FCP/FCE exams

FortiGate CLI Basics

Before working with commands, it’s important to understand how the FortiGate CLI is organized. The interface follows a structured hierarchy that separates operational commands from configuration commands.

Ways to Access the CLI

Administrators typically connect using one of the following methods:

Access MethodTypical Use Case
Console CableInitial deployment and recovery
SSHDaily remote administration
Web GUI CLI ConsoleQuick administrative tasks
FortiManagerCentralized enterprise management
Automation ScriptsConfiguration deployment

SSH is generally recommended because it provides secure remote administration and supports automation tools such as Ansible, Terraform wrappers, and Python scripts.

CLI Modes

FortiGate uses several command contexts.

ModePurpose
OperationalExecute monitoring commands
ConfigurationModify firewall settings
DiagnosticTroubleshooting
DebugAdvanced analysis

Understanding which mode a command belongs to prevents accidental configuration changes during production maintenance.

Common CLI Navigation Commands

CommandPurpose
?Show available options
TabAuto-complete command
Up ArrowPrevious command
Down ArrowNext command
Ctrl+CCancel current operation

These shortcuts become invaluable when navigating lengthy configuration hierarchies.

Understanding FortiGate Command Families

FortiGate commands are organized into several primary families. Recognizing the purpose of each family helps administrators locate the right command more quickly.

Command FamilyPurpose
getDisplay current system information
showDisplay configuration
configEnter configuration mode
editModify an object
setAssign values
unsetRemove values
nextSave current object
endExit configuration mode
executePerform operational actions
diagnoseTroubleshoot and inspect system state

get vs show

This distinction often confuses new administrators.

CommandDisplays
getRuntime system information
showSaved configuration

For example:

get system status

Displays the current operational status.

Whereas:

show system interface

Displays the configured interfaces stored in the running configuration.

Command Syntax Explained

Most FortiGate CLI commands follow a predictable structure.

Configuration Workflow

config firewall policy edit 10 set name "Internet Access" set srcintf "LAN" set dstintf "WAN" next end

This workflow consists of:

  1. Entering a configuration section.
  2. Selecting or creating an object.
  3. Modifying parameters.
  4. Saving the object.
  5. Exiting configuration mode.

Maintaining this sequence helps prevent incomplete or inconsistent configurations.

75 Essential FortiGate CLI Commands

The commands in this guide are grouped by administrative function. This first part focuses on the most frequently used System Administration commands that every FortiGate administrator should know.

System Administration Commands

Command 1 — Display System Status

Purpose

Displays comprehensive information about the appliance, including FortiOS version, serial number, uptime, licensing status, and operational mode.

Syntax

get system status

Example

FGT01 # get system status

Typical Output

  • Hostname
  • Version
  • Build number
  • Serial number
  • Current operation mode
  • Virtual domains
  • System time
  • Uptime

Real-World Use Case

This is usually the first command executed when connecting to an unfamiliar firewall. It immediately confirms firmware version, licensing, HA role, and operational status.

Command 2 — Display System Performance

Purpose

Provides an overview of CPU utilization, memory usage, sessions, and system health.

Syntax

get system performance status

Example

get system performance status

Practical Use

Before investigating network issues, administrators often verify whether high CPU or memory utilization is contributing to degraded performance.

Command 3 — View Current Time

Purpose

Displays the current system date and time.

Syntax

get system status

Why It Matters

Incorrect time settings can cause:

  • VPN failures
  • Authentication problems
  • Certificate validation errors
  • Log inconsistencies

Always verify time synchronization before troubleshooting security services.

Command 4 — Check Firmware Version

Purpose

Identifies the installed FortiOS version.

Syntax

get system status

Example Output

Version: FortiGate-200F v7.4.x

Practical Use

Support engineers typically request firmware information before beginning troubleshooting because command behavior can differ between FortiOS releases.

Command 5 — Display Hostname

Syntax

get system status

Use Case

Verifies that administrators are connected to the correct production firewall before making configuration changes.

Command 6 — Display Interface Summary

Purpose

Lists interfaces and their operational state.

Syntax

get system interface

Practical Example

get system interface

Why It Matters

This command quickly identifies:

  • Down interfaces
  • Incorrect IP addresses
  • Administrative shutdowns
  • VLAN assignments

Command 7 — Display ARP Table

Purpose

Shows learned MAC-to-IP mappings.

Syntax

get system arp

Real-World Use

Useful when diagnosing Layer 2 connectivity problems or verifying neighboring devices.

Command 8 — Display Routing Table

Purpose

Shows all active routes.

Syntax

get router info routing-table all

Example

get router info routing-table all

Practical Use

One of the most frequently used commands during routing incidents involving static routes, OSPF, or BGP.

Command 9 — Display Default Route

Syntax

get router info routing-table details

Use Case

Confirms which gateway is currently forwarding Internet-bound traffic.

Command 10 — Display DNS Settings

Purpose

Shows configured DNS servers.

Syntax

get system dns

Practical Importance

DNS misconfiguration often causes software updates, FortiGuard communication failures, and authentication issues.

Command 11 — Test Network Connectivity

Purpose

Tests reachability to another host.

Syntax

execute ping <IP_Address>

Example

execute ping 8.8.8.8

Common Scenario

Before investigating routing or VPN issues, verify basic IP connectivity.

Command 12 — Perform a Traceroute

Purpose

Displays the network path to a destination.

Syntax

execute traceroute <Destination>

Example

execute traceroute 1.1.1.1

Real-World Use

Helps identify routing loops, ISP issues, or asymmetric paths.

Command 13 — Restart the Firewall

Purpose

Performs a controlled reboot.

Syntax

execute reboot

Best Practice

Always save configuration changes and notify stakeholders before rebooting production devices.

Command 14 — Shut Down the Appliance

Syntax

execute shutdown

Use Case

Recommended before planned hardware maintenance or physical relocation.

Command 15 — Back Up Configuration

Purpose

Exports the running configuration.

Syntax

execute backup config

Why It Matters

Regular backups are a fundamental component of disaster recovery, change management, and compliance frameworks.

Command 16 — Restore Configuration

Purpose

Imports a previously saved configuration.

Syntax

execute restore config

Practical Use

Used after hardware replacement, lab migrations, or recovery from configuration corruption.

Command 17 — List Logged-In Administrators

Purpose

Displays active administrative sessions.

Syntax

get system admin list

Example

get system admin list

Operational Benefit

Before making major changes, verify whether other administrators are simultaneously working on the firewall.

Command 18 — Display Current Configuration

Purpose

Displays the complete running configuration.

Syntax

show

Practical Use

Useful for audits, documentation, and configuration reviews.

Command 19 — Display Configuration of a Specific Section

Purpose

Shows configuration for a selected feature.

Syntax

show firewall policy

Example

show firewall policy

Practical Use

Allows administrators to inspect only the relevant portion of the configuration without scrolling through thousands of lines.

Command 20 — Save Configuration Changes

Purpose

Completes configuration changes and exits configuration mode.

Syntax

end

Example

config system interface edit port1 set alias "LAN Interface" next end

Best Practice

Always verify the resulting configuration after issuing end, particularly when modifying production firewalls. A quick review helps confirm that intended changes have been committed correctly and reduces the risk of introducing configuration drift.

Key Takeaways

The first 20 commands form the foundation of effective FortiGate administration. They cover system visibility, operational health, connectivity testing, routing verification, configuration management, and safe administrative workflows. Mastering these commands enables administrators to diagnose common issues rapidly, validate system state before implementing changes, and establish a solid operational baseline before moving on to more advanced topics such as interfaces, firewall policies, VPNs, NAT, SD-WAN, High Availability, and deep diagnostic commands, which are covered in the next part of this guide.

Interface Configuration Commands

Network interfaces are the foundation of every FortiGate deployment. Whether you are configuring physical interfaces, VLANs, loopbacks, or aggregate links, understanding the CLI provides greater flexibility than relying solely on the graphical interface.

The following commands cover the most common interface administration tasks performed in production environments.

Command 21 — Display Interface Configuration

Purpose

Displays the saved configuration for all interfaces.

Syntax

show system interface

Example

show system interface

Real-World Use Case

Before modifying an interface, administrators typically review its current configuration to avoid overwriting existing settings.

Command 22 — Configure an Interface IP Address

Purpose

Assigns an IPv4 address to a physical interface.

Syntax

config system interface edit port1 set ip 192.168.10.1 255.255.255.0 next end

Practical Use

Common during initial firewall deployment or when creating new network segments.

Command 23 — Enable Administrative Access

Purpose

Defines which management protocols are permitted on an interface.

Syntax

config system interface edit port1 set allowaccess ping https ssh snmp next end

Best Practice

Only enable the management protocols actually required. Avoid exposing Telnet or HTTP in production environments.

Command 24 — Create a VLAN Interface

Purpose

Creates an IEEE 802.1Q VLAN.

Syntax

config system interface edit VLAN100 set interface port1 set vlanid 100 set ip 192.168.100.1 255.255.255.0 next end

Real-World Use Case

Used extensively in enterprise campus networks, data centers, branch offices, and SD-WAN deployments.

Command 25 — Display Interface Status

Purpose

Displays operational status, speed, duplex, and link information.

Syntax

diagnose hardware deviceinfo nic port1

Practical Use

Ideal for identifying:

  • Link failures
  • Duplex mismatches
  • Speed negotiation problems
  • Interface errors

Routing Commands

Routing issues account for a significant percentage of firewall support cases. The following commands help administrators validate routing behavior and troubleshoot traffic flow.

Command 26 — Display Static Routes

Purpose

Shows configured static routes.

Syntax

show router static

Practical Use

Useful after migration projects or Internet circuit changes.

Command 27 — Configure a Static Route

Syntax

config router static edit 1 set dst 0.0.0.0 0.0.0.0 set gateway 192.168.1.1 set device port1 next end

Best Practice

Always verify route priority and administrative distance before deploying redundant Internet connections.

Command 28 — Display OSPF Information

Purpose

Displays learned OSPF routes and neighbor information.

Syntax

get router info ospf neighbor

Practical Use

Useful during routing convergence troubleshooting.

Command 29 — Display BGP Neighbors

Syntax

get router info bgp summary

Typical Use

Verifies:

  • Established sessions
  • Prefix counts
  • Neighbor uptime
  • Session resets

Command 30 — Verify the Routing Decision

Purpose

Determines which route FortiGate will use for a destination.

Syntax

diagnose ip route list

Practical Use

One of the fastest ways to verify why traffic is leaving through an unexpected interface.

Firewall Policy Commands

Firewall policies control traffic flow through the appliance. These commands are among the most frequently used by security administrators.

Command 31 — Display Firewall Policies

Syntax

show firewall policy

Practical Use

Allows administrators to review policy order, interfaces, NAT settings, and security profiles.

Command 32 — Create a Firewall Policy

Syntax

config firewall policy edit 100 set name "Internet Access" set srcintf "LAN" set dstintf "WAN" set srcaddr "all" set dstaddr "all" set action accept set schedule always set service ALL set nat enable next end

Best Practice

Always apply the principle of least privilege rather than allowing unrestricted access.

Command 33 — Display Address Objects

Syntax

show firewall address

Real-World Use Case

Helpful during firewall audits and migration projects.

Command 34 — Create an Address Object

Syntax

config firewall address edit Server01 set subnet 192.168.50.10 255.255.255.255 next end

Practical Use

Using named objects instead of raw IP addresses improves policy readability and simplifies future maintenance.

Command 35 — Display Service Objects

Syntax

show firewall service custom

Practical Use

Verifies custom services used by specialized enterprise applications.

NAT Commands

Network Address Translation is fundamental to Internet connectivity, server publishing, and multi-WAN deployments.

Command 36 — Configure Source NAT

Syntax

config firewall policy edit 100 set nat enable next end

Practical Use

Allows internal clients to access external networks using translated addresses.

Command 37 — Configure a Virtual IP (VIP)

Purpose

Publishes internal servers to external networks.

Syntax

config firewall vip edit WebServer set extip 203.0.113.10 set mappedip 192.168.10.20 next end

Typical Use

Publishing:

  • Web servers
  • Mail servers
  • VPN gateways
  • Remote desktop services

Command 38 — Display Virtual IP Configuration

Syntax

show firewall vip

Practical Use

Useful during troubleshooting of inbound connectivity issues.

Command 39 — Display Central NAT Configuration

Syntax

show firewall central-snat-map

Best Practice

Verify Central NAT rules after firmware upgrades because processing order directly affects traffic behavior.

Command 40 — Verify Active Sessions

Purpose

Displays active firewall sessions.

Syntax

diagnose sys session list

Practical Use

One of the most valuable troubleshooting commands available.

Administrators use it to verify:

  • NAT translations
  • Session states
  • Policy IDs
  • Source and destination addresses
  • Timeout values

VPN Commands

Virtual Private Networks remain one of the primary services hosted on FortiGate appliances. These commands help verify tunnel health and simplify troubleshooting.

Command 41 — Display IPSec Tunnel Status

Syntax

diagnose vpn tunnel list

Practical Use

Shows:

  • Tunnel state
  • Encryption algorithms
  • SPI values
  • Peer IP addresses
  • Packet counters

Command 42 — Restart an IPSec Tunnel

Syntax

diagnose vpn tunnel reset

Practical Use

Useful after changing Phase 1 or Phase 2 parameters without rebooting the firewall.

Command 43 — Display SSL VPN Settings

Syntax

show vpn ssl settings

Real-World Use Case

Confirms authentication portals, address pools, and portal mappings.

Command 44 — Display VPN Phase 1 Configuration

Syntax

show vpn ipsec phase1-interface

Why It Matters

Allows engineers to verify:

  • Authentication methods
  • Peer addresses
  • Encryption proposals
  • Dead Peer Detection (DPD)
  • Interface bindings

Command 45 — Display VPN Phase 2 Configuration

Syntax

show vpn ipsec phase2-interface

Practical Use

Verifies:

  • Encryption domains
  • Perfect Forward Secrecy (PFS)
  • Lifetime values
  • Proposal mismatches

Practical Administration Workflow

The commands covered in this section are often executed together during routine administration. The following workflow illustrates a common sequence when deploying a new branch office.

StepTaskPrimary Command
1Configure LAN interfaceconfig system interface
2Create VLANsedit VLAN
3Configure static routeconfig router static
4Verify routingget router info routing-table all
5Create address objectsconfig firewall address
6Create firewall policiesconfig firewall policy
7Enable NATset nat enable
8Configure IPSec VPNconfig vpn ipsec phase1-interface
9Verify tunnel statusdiagnose vpn tunnel list
10Validate sessionsdiagnose sys session list

Following a structured workflow minimizes configuration errors and ensures that dependencies—such as interfaces, routes, objects, policies, and VPNs—are implemented in the correct order.

Common Mistakes During Interface and Policy Configuration

Even experienced administrators occasionally encounter avoidable issues. The following practices help reduce operational risk.

MistakePotential ImpactRecommended Practice
Modifying production interfaces without backupsNetwork outageExport configuration before changes
Allowing unnecessary management protocolsIncreased attack surfaceRestrict to HTTPS and SSH where possible
Using IP addresses directly in policiesDifficult maintenanceUse address objects
Creating overly permissive firewall rulesSecurity exposureApply least-privilege access
Ignoring policy orderUnexpected traffic blockingReview rule sequence before deployment
Forgetting NAT settingsLoss of Internet connectivityVerify NAT requirements for each policy
Overlapping static routesUnpredictable forwardingValidate administrative distance and priority
Inconsistent VPN proposalsTunnel negotiation failuresStandardize encryption and authentication settings

Key Takeaways

Commands 21 through 45 introduce the operational tasks that firewall administrators perform most frequently: configuring interfaces, validating routing, creating firewall policies, managing NAT, and maintaining VPN connectivity. Together, these commands form the core of day-to-day FortiGate administration and provide the foundation for secure, scalable network deployments.

In the next part of this guide, we will cover commands 46 through 75, focusing on High Availability (HA), SD-WAN, user authentication, security profiles, monitoring, logging, packet diagnostics, debugging, performance analysis, automation, troubleshooting workflows, and advanced operational best practices that distinguish experienced FortiGate administrators from beginners.

High Availability (HA) Commands

High Availability (HA) is a critical capability in enterprise FortiGate deployments. By clustering two or more firewalls, organizations can achieve redundancy, minimize downtime, and ensure business continuity during hardware failures, maintenance windows, or unexpected outages.

When troubleshooting HA environments, administrators frequently use the following commands to verify cluster health, synchronization, heartbeat status, and failover readiness.

Command 46 — Display High Availability Status

Purpose

Displays the current HA cluster status, including the primary and secondary units, synchronization state, cluster uptime, and operating mode.

Syntax

get system ha status

Example

FGT-HA # get system ha status

Typical Output

The output typically includes:

  • HA Mode (Active-Passive or Active-Active)
  • Cluster Group ID
  • Primary unit
  • Secondary members
  • Synchronization status
  • Cluster uptime
  • Heartbeat interfaces

Real-World Use Case

After scheduled maintenance or firmware upgrades, administrators should always verify that every cluster member has successfully rejoined the HA cluster and that configuration synchronization is complete.

Command 47 — Display HA Checksum

Purpose

Compares configuration synchronization between HA members.

Syntax

diagnose sys ha checksum cluster

Practical Use

A checksum mismatch often indicates configuration drift between cluster members, which may lead to unexpected failovers or inconsistent policy behavior.

Command 48 — Display HA Heartbeat Status

Purpose

Displays heartbeat interface statistics.

Syntax

diagnose sys ha status

Why It Matters

Heartbeat failures are one of the most common causes of unnecessary HA failovers. This command helps verify heartbeat communication and detect interface problems before they impact production traffic.

Command 49 — Force HA Failover

Purpose

Transfers the primary role to another cluster member.

Syntax

execute ha failover set 1

Best Practice

Only perform manual failovers during approved maintenance windows or controlled testing. Always notify stakeholders before initiating the operation.

Command 50 — Verify HA Synchronization

Purpose

Confirms that all cluster members have synchronized configurations.

Syntax

diagnose sys ha status

Practical Use

Following policy changes, firmware upgrades, or interface modifications, this command ensures that every node is operating with identical configurations.

SD-WAN Commands

Software-Defined Wide Area Networking (SD-WAN) has become a standard feature in modern FortiGate deployments. The CLI provides detailed visibility into SD-WAN health, performance, and member status.

Command 51 — Display SD-WAN Status

Purpose

Shows the operational status of the SD-WAN configuration.

Syntax

get system sdwan

Practical Use

Administrators use this command to verify:

  • Active members
  • Performance SLA status
  • Link priorities
  • Traffic steering decisions

Command 52 — Display SD-WAN Health

Purpose

Displays health check results for WAN members.

Syntax

diagnose sys sdwan health-check

Typical Output

Health checks generally include:

  • Latency
  • Packet loss
  • Jitter
  • Reachability
  • SLA compliance

Real-World Use Case

This command quickly identifies degraded ISP circuits before users begin reporting application performance issues.

Command 53 — Display SD-WAN Members

Purpose

Lists all interfaces participating in the SD-WAN zone.

Syntax

show system sdwan

Practical Use

Useful when validating newly added Internet circuits or verifying interface priorities after configuration changes.

User Authentication Commands

Enterprise firewalls frequently integrate with authentication platforms such as LDAP, RADIUS, TACACS+, Microsoft Active Directory, and FortiAuthenticator. The following commands assist with user authentication verification.

Command 54 — Display Authentication Settings

Syntax

show user setting

Practical Use

Verifies the global authentication configuration before troubleshooting remote access or identity-based firewall policies.

Command 55 — Display Active Authenticated Users

Purpose

Lists users currently authenticated to the firewall.

Syntax

diagnose firewall auth list

Typical Information

The output commonly includes:

  • Username
  • Source IP address
  • Authentication method
  • Login duration
  • Group membership

Real-World Use Case

During remote access support calls, administrators can immediately determine whether a user’s authentication request has successfully reached the firewall.

Security Profile Commands

FortiGate’s Next-Generation Firewall capabilities depend heavily on security profiles such as IPS, Antivirus, Application Control, Web Filtering, DNS Filtering, SSL Inspection, and Data Loss Prevention (DLP).

Command 56 — Display IPS Configuration

Purpose

Displays Intrusion Prevention System settings.

Syntax

show ips sensor

Practical Use

Useful for confirming which IPS sensors are assigned to firewall policies.

Command 57 — Display Antivirus Profiles

Syntax

show antivirus profile

Why It Matters

Ensures malware inspection profiles are correctly configured before troubleshooting blocked downloads or email scanning.

Command 58 — Display Web Filter Profiles

Syntax

show webfilter profile

Practical Use

Allows administrators to verify:

  • Category filtering
  • URL filters
  • Safe Search enforcement
  • HTTPS inspection dependencies

Command 59 — Display Application Control Profiles

Syntax

show application list

Real-World Use Case

When users report that applications such as Microsoft Teams, Zoom, Dropbox, or BitTorrent are unexpectedly blocked, this command helps identify the responsible Application Control profile.

Monitoring and Performance Commands

Effective firewall administration requires continuous monitoring of resource utilization. Performance-related commands allow administrators to identify bottlenecks before they affect production services.

Command 60 — Display Real-Time System Processes

Purpose

Displays CPU utilization, memory consumption, and active processes in real time.

Syntax

diagnose sys top

Example

diagnose sys top

Typical Output

Administrators can monitor:

  • CPU utilization
  • Memory usage
  • Running processes
  • Process IDs
  • CPU-intensive services
  • Memory allocation

Real-World Use Case

During periods of high CPU utilization, this command quickly identifies processes responsible for resource consumption. For example, unusually high IPS, antivirus, SSL inspection, or routing processes may indicate excessive traffic loads, configuration issues, or ongoing security events requiring further investigation.

Monitoring Workflow for Production Firewalls

The following operational workflow helps administrators perform a structured health assessment before escalating incidents.

StepVerificationRecommended Command
1Verify system healthget system status
2Check CPU and memorydiagnose sys top
3Verify interfacesget system interface
4Review routingget router info routing-table all
5Confirm HA synchronizationget system ha status
6Validate SD-WAN healthdiagnose sys sdwan health-check
7Review authenticated usersdiagnose firewall auth list
8Verify IPSec tunnelsdiagnose vpn tunnel list
9Review active sessionsdiagnose sys session list
10Escalate to advanced diagnostics if requireddiagnose debug commands

Following this sequence allows administrators to eliminate common infrastructure issues before moving into deeper packet analysis or debugging.

Expert Best Practices

Experienced FortiGate administrators consistently apply several operational practices to reduce risk and improve troubleshooting efficiency:

  • Verify the firmware version before executing version-specific commands.
  • Export a configuration backup before making production changes.
  • Confirm HA synchronization after modifying firewall policies or interfaces.
  • Monitor SD-WAN health proactively rather than waiting for user reports.
  • Use descriptive names for interfaces, address objects, services, and policies to simplify troubleshooting.
  • Apply the principle of least privilege when creating firewall rules and administrative access policies.
  • Validate routing decisions before assuming VPN or firewall policy problems.
  • Document significant configuration changes as part of change management procedures.
  • Periodically review security profiles to ensure they align with current organizational security policies and compliance requirements.

Key Takeaways

Commands 46 through 60 extend the administrator’s toolkit beyond basic configuration into enterprise operations. High Availability commands help maintain resilient firewall clusters, SD-WAN commands provide visibility into multi-WAN performance, authentication commands simplify identity troubleshooting, security profile commands verify advanced threat protection settings, and monitoring commands expose the firewall’s real-time operational health.

In the final part of this guide, we will cover Commands 61 through 75, including advanced logging, diagnostic and debug commands, packet capture techniques, automation recommendations, CLI best practices, GUI versus CLI comparisons, troubleshooting workflows, frequently asked questions, and publication-ready SEO metadata to complete this comprehensive FortiGate CLI reference.

Logging and Diagnostic Commands

Comprehensive logging and diagnostics are essential for maintaining the security, availability, and performance of a FortiGate firewall. While dashboard widgets provide a high-level overview, the CLI offers significantly deeper visibility into sessions, packet processing, routing decisions, authentication events, VPN negotiations, and system performance.

The following commands are among the most valuable tools used by experienced firewall administrators during production troubleshooting.

Command 61 — Display System Event Logs

Purpose

Displays system-related log entries, including administrator logins, configuration changes, interface events, and system notifications.

Syntax

execute log display

Practical Use

This command is often used immediately after an incident to determine:

  • Administrative login activity
  • Configuration changes
  • Interface state transitions
  • HA events
  • System alerts

Real-World Use Case

Suppose Internet connectivity is interrupted immediately after a maintenance window. Reviewing system logs can quickly reveal whether an administrator modified routing, firewall policies, or interface configurations before the outage occurred.

Command 62 — Display Forward Traffic Logs

Purpose

Displays traffic logs generated by firewall policies.

Syntax

execute log display | grep traffic

Practical Use

Forward traffic logs help determine:

  • Whether traffic matched a firewall policy
  • Which policy processed the session
  • Source and destination addresses
  • Service information
  • Session actions (Accept or Deny)

Best Practice

Always verify that logging is enabled within the firewall policy; otherwise, expected traffic entries will not appear.

Command 63 — Capture Live Packets

Purpose

Captures packets traversing a specified interface in real time.

Syntax

diagnose sniffer packet any "host 192.168.10.10" 4

Example

diagnose sniffer packet port1 "host 8.8.8.8" 4

Explanation

The packet sniffer displays:

  • Source IP
  • Destination IP
  • Protocol
  • Port numbers
  • Packet direction
  • Interface information

Real-World Use Case

Packet captures are invaluable when users report intermittent connectivity problems. Administrators can immediately verify whether packets are arriving at the firewall, leaving the correct interface, or being dropped before reaching their destination.

Command 64 — Display Active Firewall Sessions

Purpose

Displays all active sessions currently tracked by the FortiGate session table.

Syntax

diagnose sys session list

Practical Use

Session information includes:

  • Source address
  • Destination address
  • NAT translation
  • Policy ID
  • Interface information
  • Session timers
  • Protocol state

Why It Matters

Nearly every advanced troubleshooting scenario eventually involves examining the session table. Whether diagnosing NAT, asymmetric routing, VPN traffic, or policy matching, session information provides invaluable insight.

Command 65 — Filter the Session Table

Purpose

Limits displayed sessions based on a specified IP address.

Syntax

diagnose sys session filter src 192.168.10.25 diagnose sys session list

Additional Filters

Administrators may filter by:

  • Source IP
  • Destination IP
  • Interface
  • Port
  • Policy ID
  • Protocol

Practical Use

Filtering dramatically reduces output in large enterprise environments that may contain hundreds of thousands of concurrent sessions.

Advanced Diagnose Commands

The diagnose command family provides low-level operational visibility that extends well beyond the capabilities of the graphical interface. These commands are indispensable during advanced troubleshooting.

Command 66 — Display Routing Lookup Results

Purpose

Shows the route selected for a destination address.

Syntax

diagnose ip route list

Practical Use

Administrators use this command to verify:

  • Route selection
  • Administrative distance
  • Next-hop gateway
  • Outgoing interface

Real-World Scenario

If traffic exits through the wrong ISP in a multi-WAN deployment, this command helps determine whether the routing table is responsible or whether SD-WAN policy steering is influencing the forwarding decision.

Command 67 — Perform Flow Debugging

Purpose

Displays how FortiGate processes traffic through its packet flow engine.

Syntax

diagnose debug enable diagnose debug flow trace start 10

Example

diagnose debug reset diagnose debug flow filter addr 192.168.10.100 diagnose debug flow trace start 20 diagnose debug enable

Typical Information

Flow debugging reveals:

  • Route lookup results
  • Firewall policy matching
  • NAT processing
  • Session creation
  • Interface selection
  • Drop reasons

Expert Insight

Flow debugging is considered one of the most powerful troubleshooting capabilities available in FortiOS. Rather than guessing why traffic is failing, administrators can observe each stage of packet processing and identify the precise point at which the firewall accepts or rejects the connection.

Command 68 — Display Process-Level Resource Usage

Purpose

Provides detailed information about CPU utilization and running system processes.

Syntax

diagnose sys top-summary

Typical Output

The command reports:

  • Overall CPU utilization
  • Memory consumption
  • Process counts
  • Interrupt activity
  • System load
  • Resource allocation

Practical Use

Unlike basic performance summaries, this command offers a broader view of system resource utilization and is particularly useful when investigating intermittent performance degradation.

Common Troubleshooting Workflow Using Commands 61–68

Experienced FortiGate administrators rarely rely on a single command when diagnosing issues. Instead, they follow a structured process that narrows the scope of investigation and minimizes unnecessary configuration changes.

StepInvestigationRecommended Command
1Verify system eventsexecute log display
2Review traffic logsexecute log display
3Confirm session creationdiagnose sys session list
4Filter specific sessionsdiagnose sys session filter
5Verify routing decisiondiagnose ip route list
6Capture packetsdiagnose sniffer packet
7Trace packet flowdiagnose debug flow
8Review CPU and process healthdiagnose sys top-summary

Following this workflow allows administrators to determine whether an issue is related to routing, firewall policies, NAT, interface connectivity, VPN processing, or system resource constraints before making production changes.

Best Practices for Logging and Diagnostics

Effective troubleshooting depends not only on knowing the commands but also on applying them methodically. Consider the following recommendations:

  • Enable logging for critical firewall policies to ensure sufficient visibility during incident investigations.
  • Clear any previous debug filters before starting a new troubleshooting session to avoid misleading results.
  • Use packet captures with specific filters rather than capturing all traffic, which can overwhelm the console and consume system resources.
  • Review routing information before modifying firewall policies, as many connectivity issues originate from incorrect routing decisions.
  • Filter session output whenever possible to reduce analysis time in environments with large numbers of concurrent connections.
  • Disable debugging immediately after collecting the required information to prevent unnecessary CPU utilization.
  • Document diagnostic findings alongside change records to support future troubleshooting and knowledge sharing.

Key Takeaways

Commands 61 through 68 provide the visibility needed to investigate complex networking and security issues. System and traffic logs reveal historical events, packet captures confirm whether traffic reaches the firewall, session tables expose active connection states, routing diagnostics explain forwarding decisions, and flow debugging uncovers exactly how FortiGate processes packets. Together, these commands form the foundation of effective incident response and advanced operational troubleshooting.

In the final section of this guide, we will cover Commands 69 through 75, advanced debug techniques, automation recommendations, CLI best practices, GUI versus CLI comparisons, a comprehensive troubleshooting checklist, frequently asked questions, publication-ready SEO metadata, and the concluding recommendations that complete this definitive FortiGate CLI reference.

Advanced Debug and Automation Commands

The final group of commands focuses on advanced debugging, configuration automation, backup validation, and operational efficiency. While administrators may not use these commands every day, they become indispensable during major incidents, firmware upgrades, enterprise migrations, and proactive maintenance.

Command 69 — Reset Debug Configuration

Purpose

Clears any previously configured debug filters and settings before starting a new troubleshooting session.

Syntax

diagnose debug reset

Practical Use

Always execute this command before enabling a new debug session. Residual filters from earlier troubleshooting can produce misleading output and complicate root cause analysis.

Command 70 — Disable Debugging

Purpose

Stops all active debugging processes.

Syntax

diagnose debug disable

Best Practice

Leaving debug enabled unnecessarily can increase CPU utilization and generate excessive console output. Disable debugging immediately after collecting the required information.

Command 71 — Display Configuration Changes

Purpose

Review the current configuration for auditing or change verification.

Syntax

show full-configuration

Practical Use

This command is particularly useful after:

  • Major firewall migrations
  • Firmware upgrades
  • Security audits
  • Change management reviews
  • Disaster recovery testing

Compared to a standard show, the full configuration provides additional default values that may influence system behavior.

Command 72 — Export Configuration via TFTP

Purpose

Creates an external configuration backup.

Syntax

execute backup config tftp FortiGate_Backup.conf 192.168.10.5

Real-World Use Case

Organizations implementing disaster recovery plans typically schedule regular configuration exports to secure backup repositories.

Expert Recommendation

Maintain multiple backup generations and store them separately from the firewall itself. Configuration backups should be encrypted and protected according to organizational security policies.

Command 73 — Verify FortiGuard Connectivity

Purpose

Confirms communication with FortiGuard services.

Syntax

diagnose debug rating

Practical Use

When IPS signatures, Antivirus updates, Web Filtering categories, or Application Control databases fail to update, this command assists in determining whether connectivity to FortiGuard services is functioning correctly.

Command 74 — Display Running Configuration for a Specific Feature

Purpose

Displays configuration for an individual feature without reviewing the complete firewall configuration.

Syntax

show firewall policy

Other common examples include:

show router static show vpn ipsec phase1-interface show system interface

Practical Use

Reviewing only the relevant configuration section improves troubleshooting efficiency and simplifies peer reviews during change management.

Command 75 — Exit the CLI

Purpose

Ends the administrative CLI session.

Syntax

exit

Best Practice

Always close administrative sessions after completing maintenance activities, particularly when connected through shared management workstations or jump servers.

GUI vs CLI: Which Should You Use?

Both the FortiGate graphical interface and CLI have important roles in firewall administration. Understanding when to use each improves operational efficiency.

TaskGUICLI
Initial deploymentExcellentExcellent
Policy creationExcellentGood
Interface configurationExcellentExcellent
VPN troubleshootingModerateExcellent
Packet captureLimitedExcellent
Session analysisLimitedExcellent
Routing verificationModerateExcellent
AutomationLimitedExcellent
Large-scale configurationModerateExcellent
Performance diagnosticsModerateExcellent
Deep debuggingLimitedExcellent

Practical Guidance

Use the GUI when:

  • Creating new policies
  • Reviewing dashboards
  • Performing routine administration
  • Training junior engineers

Use the CLI when:

  • Troubleshooting production issues
  • Investigating VPN failures
  • Diagnosing routing problems
  • Performing packet captures
  • Collecting information for vendor support
  • Automating repetitive tasks

In mature enterprise environments, experienced administrators routinely combine both interfaces rather than treating them as competing management methods.

FortiGate CLI Best Practices

Adopting consistent operational practices reduces risk and simplifies ongoing administration.

Before Making Changes

  • Export a configuration backup.
  • Verify the active firewall in HA deployments.
  • Review the current configuration before editing.
  • Confirm the FortiOS version if using version-specific commands.
  • Schedule maintenance windows for production environments.

During Configuration

  • Use descriptive names for interfaces, policies, address objects, and services.
  • Follow organizational naming standards.
  • Apply the principle of least privilege.
  • Validate syntax before exiting configuration mode.
  • Document significant configuration changes.

After Configuration

  • Verify routing and connectivity.
  • Test firewall policies.
  • Confirm VPN status.
  • Check HA synchronization.
  • Review system logs for unexpected events.
  • Update operational documentation.

Automation Recommendations

Modern enterprise networks increasingly integrate FortiGate firewalls into Infrastructure as Code (IaC) and NetDevOps workflows. Although manual CLI administration remains valuable, automation improves consistency and reduces human error.

Common automation approaches include:

ToolTypical Use Case
AnsibleConfiguration deployment
TerraformInfrastructure provisioning
PythonCustom automation scripts
REST APIIntegration with enterprise platforms
FortiManagerCentralized policy management
GitConfiguration version control
JenkinsCI/CD pipelines
GitHub ActionsAutomated deployment workflows

Recommended Automation Workflow

  1. Export the current configuration.
  2. Store configuration files in a version-controlled repository.
  3. Validate proposed changes in a laboratory environment.
  4. Deploy using approved automation tools.
  5. Verify production health using CLI commands.
  6. Monitor logs after deployment.
  7. Maintain rollback procedures for every production change.

Common CLI Mistakes

Even experienced administrators occasionally encounter preventable issues.

MistakeConsequenceRecommendation
Editing the wrong firewallProduction outageVerify hostname and serial number first
Forgetting configuration backupsDifficult recoveryExport backups before every maintenance activity
Leaving debug enabledIncreased CPU utilizationDisable debugging immediately after use
Ignoring HA synchronizationCluster inconsistencyVerify synchronization after changes
Overlooking policy orderUnexpected traffic behaviorReview rule sequence carefully
Using “allow all” policiesSecurity exposureImplement least-privilege access
Neglecting routing validationConnectivity failuresCheck routing before modifying policies
Inconsistent object namingDifficult administrationAdopt standardized naming conventions

Enterprise Troubleshooting Workflow

The following structured process reflects how experienced firewall engineers investigate production issues.

StepActionRecommended Commands
1Verify system healthget system status
2Review CPU and memorydiagnose sys top
3Confirm interface statusget system interface
4Validate routingget router info routing-table all
5Review firewall policiesshow firewall policy
6Verify NAT configurationshow firewall vip
7Check VPN tunnelsdiagnose vpn tunnel list
8Review sessionsdiagnose sys session list
9Capture packetsdiagnose sniffer packet
10Perform flow debuggingdiagnose debug flow
11Review logsexecute log display
12Disable debuggingdiagnose debug disable

Following a repeatable methodology reduces troubleshooting time, minimizes unnecessary configuration changes, and improves operational consistency across engineering teams.

Frequently Asked Questions

What are the most important FortiGate CLI commands?

The commands most administrators use daily include:

  • get system status
  • diagnose sys top
  • get router info routing-table all
  • show firewall policy
  • diagnose vpn tunnel list
  • diagnose sys session list
  • diagnose sniffer packet
  • diagnose debug flow
  • execute ping
  • execute traceroute

Is the CLI better than the GUI?

Neither interface is universally better. The GUI simplifies routine administration, while the CLI provides superior visibility, troubleshooting capabilities, automation support, and access to advanced features.

Are CLI commands the same across FortiOS versions?

Most commands remain consistent across FortiOS releases. However, some commands, parameters, and output formats change between major versions. Always consult the documentation for your installed FortiOS release before implementing production changes.

Is CLI knowledge necessary for Fortinet certification?

Yes. Professional-level Fortinet certifications expect candidates to understand CLI navigation, troubleshooting, configuration, and diagnostic procedures in addition to GUI administration.

Can FortiGate CLI be automated?

Absolutely. FortiGate supports automation through REST APIs, Ansible, Python, Terraform, FortiManager, and other orchestration platforms commonly used in enterprise environments.

Conclusion

Mastering the FortiGate Command Line Interface is one of the most valuable investments a firewall administrator can make. While graphical management simplifies many routine tasks, the CLI remains the primary interface for advanced troubleshooting, performance analysis, automation, disaster recovery, and enterprise-scale operations.

The 75 commands presented throughout this guide represent the foundation of effective FortiGate administration. Together, they cover system management, interface configuration, routing, firewall policies, NAT, VPNs, High Availability, SD-WAN, authentication, security profiles, monitoring, logging, packet analysis, debugging, and operational best practices.

Rather than memorizing every command, focus on understanding when and why each command is appropriate. As your operational experience grows, these commands will become part of a structured troubleshooting methodology that reduces downtime, accelerates incident resolution, and improves the overall security and reliability of your network infrastructure.

Whether you are preparing for a Fortinet certification, supporting enterprise data centers, managing branch office deployments, or implementing NetDevOps automation, developing strong CLI proficiency will continue to be a valuable skill throughout your networking and cybersecurity career.

Picture of Martin Kelly
Martin Kelly

We hired CWNx to revamp our company website and run a few ad campaigns. The new design is sleek and professional, and the campaigns brought in a noticeable uptick in qualified leads. Communication was smooth throughout the project. I'm docking one star only because the initial timeline slipped by a few days, but the final output was absolutely worth the wait.

Leave a Reply

Your email address will not be published. Required fields are marked *