CLI Love

Full Configuration

show full-configuration

q to quit out

Just like Linux, you can grep through the configuration:

show full-configuration | grep interface

show full-configuration | grep ssl

Ingress and Egress same logical interface.


This article describes the default behavior of FortiGate when a packet must ingress and egress the same logical interface.


By design and by default, if the routing decision determines that a packet which ingressed on port1 should also egress on port1 (with no VLAN tag change, no DNAT and no IPsec encapsulation/decapsulation), the packet is sent back out port1 and is not checked against the firewall policy.

This simplifies configuration by avoiding an otherwise unnecessary policy from source interface port1 to destination interface port1.

This behavior is enabled by default, but it can be changed under the system global settings. With it disabled, such hairpinned traffic must be explicitly permitted by a port1-to-port1 policy.

# config system global

set allow-traffic-redirect enable|disable    (default: enable)



get router info bgp summary

MNK_FW # get router info bgp summary

BGP router identifier, local AS number 64551

BGP table version is 1

0 BGP AS-PATH entries

0 BGP community entries

Neighbor   V   AS      MsgRcvd   MsgSent   TblVer   InQ   OutQ   Up/Down    State/PfxRcd
           4   65101   0         0         0        0     0      never      Active
           4   64561   7         6         0        0     0      00:03:30   0

get router info bgp neighbors <neighbor IP> advertised-routes

get router info bgp neighbors <neighbor IP> received-routes

get router info bgp neighbors <neighbor IP> routes


Inbound soft reconfiguration must be enabled on a neighbor before received-routes will show anything:

config router bgp
    config neighbor
        edit <neighbor IP>
            set soft-reconfiguration enable
        next
    end
end


configure BGP route-maps and neighbors

System Status

get system status

get system ha status

Firewall Policy

show firewall policy

config firewall policy

edit 0 # edit 0 uses the next available rule number

get # shows all settings you can set on a policy, more than you see in the GUI


get router info routing-table details

get router info routing-table all


VPN Tshoot

Phase 1

diagnose debug enable

diagnose vpn ike log filter name FP_VPN

diagnose vpn ike log-filter dst-addr4 <vpn endpoint IP>    (the filter keyword is log-filter on older FortiOS releases and log filter on newer ones)

diagnose debug app ike 255

diagnose debug disable

If the status of Phase 1 is established, then focus on Phase 2. To do so, issue the command:

#diagnose vpn tunnel list name <tunnel-name>

list all ipsec tunnel in vd 0

name=to10.189.0.182 ver=1 serial=2>

bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu

proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=534

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=to10.189.0.182 proto=0 sa=0 ref=1 serial=4

src: 0:

dst: 0:

The important field in this output is 'sa'. It can have three values:

a) sa=0 indicates a mismatch between selectors, or that no traffic has been initiated yet

b) sa=1 indicates IPsec SA is matching and there is traffic between the selectors

c) sa=2 is only visible during IPsec SA rekey
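Added example (not from these notes or from Fortinet): a small Python parser that reads saved "diagnose vpn tunnel list" output, pulls the sa value for every phase 2 proxyid, and maps it to the meaning listed above. The first tunnel in the sample is the output shown above; the second (to_branch) is constructed.

```python
import re

# Meaning of the "sa" field, as listed in the notes above.
SA_MEANING = {
    0: "no IPsec SA: selector mismatch or no traffic initiated yet",
    1: "IPsec SA up: selectors match and traffic is flowing",
    2: "IPsec SA rekey in progress",
}

# Constructed sample: first tunnel copied from the notes, second one invented.
SAMPLE = """\
list all ipsec tunnel in vd 0
name=to10.189.0.182 ver=1 serial=2
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=534
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to10.189.0.182 proto=0 sa=0 ref=1 serial=4
name=to_branch ver=2 serial=3
stat: rxp=120 txp=98 rxb=14400 txb=11760
proxyid=to_branch proto=0 sa=1 ref=2 serial=5
"""

def parse_tunnel_list(output):
    """Return one dict per tunnel: name, IKE version, packet counters, proxyids with sa."""
    tunnels, current = [], None
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"name=(\S+) ver=(\d+) serial=(\d+)", line)
        if m:  # a new tunnel block starts here
            current = {"name": m.group(1), "ikev": int(m.group(2)),
                       "rxp": 0, "txp": 0, "proxyids": []}
            tunnels.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"stat: rxp=(\d+) txp=(\d+)", line)
        if m:
            current["rxp"], current["txp"] = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"proxyid=(\S+) proto=\d+ sa=(\d+)", line)
        if m:  # one phase 2 selector pair; sa tells whether an SA exists
            current["proxyids"].append({"proxyid": m.group(1), "sa": int(m.group(2))})
    return tunnels

def phase2_report(output):
    """Return (tunnel, proxyid, sa, meaning) for every phase 2 found in the output."""
    return [(t["name"], p["proxyid"], p["sa"], SA_MEANING.get(p["sa"], "unknown sa value"))
            for t in parse_tunnel_list(output) for p in t["proxyids"]]

if __name__ == "__main__":
    for tunnel, proxyid, sa, meaning in phase2_report(SAMPLE):
        print(f"{tunnel:20} {proxyid:20} sa={sa}  {meaning}")
```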