CLI Love

Full Configuration

show full-configuration

q to quit out

Just like Linux, you can grep through the configuration:

show full-configuration | grep interface

show full-configuration | grep ssl

Ingress and Egress same logical interface.


This article describes the default FortiGate behaviour for packets that ingress and egress the same logical interface.


By design and by default, if the routing decision determines that a packet which ingressed on port1 should also egress on port1 (with no VLAN tag change, no DNAT and no IPsec encapsulation/decapsulation), the packet is sent back out port1 and is not checked against the firewall policy.

This simplifies configuration by avoiding an otherwise unnecessary policy from source interface port1 to destination interface port1.

This behaviour is enabled by default, but it can be changed under the system global settings:

# config system global

set allow-traffic-redirect [enable | disable] # enable is the default value
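A quick way to check what the setting above means for a given box is to run it against a saved copy of "show full-configuration". The Python below is an added example (not from the original page or from Fortinet): it reads a constructed config excerpt, pulls out allow-traffic-redirect (treating an absent line as the default, enable), collects the interfaces referenced in firewall policies, and reports which interfaces pass hairpinned traffic without policy inspection, or which would need an explicit same-interface policy once redirect is disabled. The parser is deliberately minimal (no nested sub-tables inside a policy entry, no special handling of "any").

```python
import re

# Constructed excerpt of "show full-configuration" output (not captured from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "MNK_FW"
    set allow-traffic-redirect enable
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""


def redirect_setting(config_text):
    """Return the allow-traffic-redirect value; an absent line means the default, enable."""
    m = re.search(r"^\s*set allow-traffic-redirect (enable|disable)\s*$", config_text, re.M)
    return m.group(1) if m else "enable"


def firewall_policies(config_text):
    """Minimal parser for the 'config firewall policy' table: id, srcintf, dstintf.
    Assumes no nested 'config' sub-tables inside an entry and no spaces in interface names."""
    policies, current, in_table = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_table = True
        elif in_table and line == "end":
            in_table = False
        elif in_table and line.startswith("edit "):
            current = {"id": int(line.split()[1]), "srcintf": [], "dstintf": []}
        elif in_table and line == "next":
            policies.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            _, key, *values = line.split()
            if key in ("srcintf", "dstintf"):
                current[key] = [v.strip('"') for v in values]
    return policies


def hairpin_report(config_text):
    """Which interfaces pass plain hairpinned traffic (same ingress and egress interface,
    no VLAN change, DNAT or IPsec) without policy inspection, and which would need an
    explicit intra-interface policy if allow-traffic-redirect is disabled."""
    setting = redirect_setting(config_text)
    policies = firewall_policies(config_text)
    interfaces = sorted({i for p in policies for i in p["srcintf"] + p["dstintf"]})
    # interfaces that already have a policy whose srcintf and dstintf overlap
    covered = {i for p in policies for i in p["srcintf"] if i in p["dstintf"]}
    if setting == "enable":
        return {"allow_traffic_redirect": setting,
                "hairpin_bypasses_policy": interfaces,
                "interfaces_needing_intra_policy": []}
    return {"allow_traffic_redirect": setting,
            "hairpin_bypasses_policy": [],
            "interfaces_needing_intra_policy": [i for i in interfaces if i not in covered]}


if __name__ == "__main__":
    print(hairpin_report(SAMPLE_CONFIG))
    hardened = SAMPLE_CONFIG.replace("allow-traffic-redirect enable", "allow-traffic-redirect disable")
    print(hairpin_report(hardened))
```

With the sample as written the report lists port1 and port2 as interfaces whose hairpin traffic skips policy; flipping the setting to disable turns the same two interfaces into ones that need a port1-to-port1 (or port2-to-port2) policy before hairpinned flows will pass.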



get router info bgp summary

MNK_FW # get router info bgp summary

BGP router identifier, local AS number 64551

BGP table version is 1

0 BGP AS-PATH entries

0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
4 65101 0 0 0 0 0 never Active
4 64561 7 6 0 0 0 00:03:30 0
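When checking many firewalls, it helps to turn the summary table into something you can alert on. The Python below is an added example (not from the original page or from Fortinet) that parses a constructed "get router info bgp summary" capture: a numeric State/PfxRcd column means the session is Established and the number is the prefix count, while a word (Idle, Active, Connect, OpenSent and so on) is the FSM state of a session that is not up. Neighbor addresses in the sample are documentation-range values chosen for the example.

```python
import re

# Constructed sample of "get router info bgp summary" output (documentation-range
# addresses; not captured from a real device). Column layout follows the FortiOS output.
SAMPLE_BGP_SUMMARY = """\
BGP router identifier 10.0.0.1, local AS number 64551
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V   AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.1       4 65101       0       0        0    0    0 never    Active
192.0.2.2       4 64561       7       6        0    0    0 00:03:30        0

Total number of neighbors 2
"""

# One neighbor row: address, BGP version, AS, counters, uptime, then state or prefix count.
NEIGHBOR = re.compile(
    r"^(?P<neighbor>\S+)\s+(?P<ver>\d)\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+(?P<sent>\d+)"
    r"\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>\S+)$"
)


def local_as(text):
    m = re.search(r"local AS number (\d+)", text)
    return int(m.group(1)) if m else None


def parse_bgp_summary(text):
    peers = []
    for line in text.splitlines():
        m = NEIGHBOR.match(line.strip())
        if not m:
            continue  # header, banner and "Total number" lines do not fit the row pattern
        d = m.groupdict()
        # Numeric State/PfxRcd means Established; otherwise it is the FSM state name.
        established = d["state"].isdigit()
        peers.append({
            "neighbor": d["neighbor"],
            "as": int(d["asn"]),
            "msg_rcvd": int(d["rcvd"]),
            "msg_sent": int(d["sent"]),
            "up_down": d["updown"],
            "established": established,
            "state": "Established" if established else d["state"],
            "prefixes_received": int(d["state"]) if established else 0,
        })
    return peers


def peers_down(text):
    """Neighbors whose session is not Established: (address, AS, state)."""
    return [(p["neighbor"], p["as"], p["state"])
            for p in parse_bgp_summary(text) if not p["established"]]


if __name__ == "__main__":
    print("local AS:", local_as(SAMPLE_BGP_SUMMARY))
    for peer in parse_bgp_summary(SAMPLE_BGP_SUMMARY):
        print(peer)
    print("down:", peers_down(SAMPLE_BGP_SUMMARY))
```

On the sample, the first neighbor (AS 65101) comes back as Active with zero messages exchanged, the classic sign of a peer that is configured but never reached, while the second (AS 64561) is Established with no prefixes received yet.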

get router info bgp neighbors <neighbor IP> advertised-routes

get router info bgp neighbors <neighbor IP> received-routes

get router info bgp neighbors <neighbor IP> routes


config neighbor


set soft-reconfiguration enable


configure BGP route-maps and neighbors

System Status

get system status

get system ha status

Tshoot IPS

diag autoupdate versions | grep "IPS Attack" -A 6 # check IPS version

diag ips pme debug enable

diag de en # enable

diag de dis # disable

diagnose test application ipsmonitor 99 # restart IPS


Firewall Policy

show firewall policy

config firewall policy

edit 0 # edit 0 uses the next available rule number

get # show all setting you can set on a policy, more than you see in the GUI


get router info routing-table details


get router info routing-table all


VPN Tshoot

List VPN

diagnose vpn tunnel list

diagnose vpn tunnel list name vpn1

show vpn ipsec phase2-interface dc-vpn

Shut VPN down

execute vpn ipsec tunnel down <phase2> <phase1> <serial> # shut down the specified IPsec tunnel

{phase2} Phase2 name.

{phase1} Phase1 name.

{serial} Phase2 serial number.

Phase 1

diagnose debug enable

diagnose vpn ike log filter name FP_VPN

diagnose vpn ike log-filter dst-addr4 (vpn end point IP)

diagnose debug app ike 255

diagnose debug disable

If Phase 1 is in the established state, then focus on Phase 2. To do so, issue the command:

#diagnose vpn tunnel list name <tunnel-name>

list all ipsec tunnel in vd 0

name=to10.189.0.182 ver=1 serial=2>

bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu

proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=534

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=to10.189.0.182 proto=0 sa=0 ref=1 serial=4

src: 0:

dst: 0:

The important field in this output is 'sa'. It can have three values:

a) sa=0 indicates a mismatch between the selectors, or that no traffic has been initiated yet

b) sa=1 indicates the IPsec SA is up and matching, and there is traffic between the selectors

c) sa=2 is only visible during an IPsec SA rekey
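The same classification can be scripted for boxes with many tunnels. The Python below is an added example (not from the original page or from Fortinet): it walks a constructed "diagnose vpn tunnel list" capture in the layout shown above, records each phase1 entry's rx/tx counters and every proxyid line with its sa value, attaches the src/dst selectors that follow, and maps sa to the three meanings listed above. Tunnel names and addresses in the sample are made up for the example.

```python
import re

# Constructed sample of "diagnose vpn tunnel list" output (documentation-range addresses,
# made-up tunnel names; not captured from a real device). Layout follows the FortiOS output.
SAMPLE_TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to-branch-a ver=1 serial=2 203.0.113.10:0->198.51.100.7:0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=534
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-branch-a proto=0 sa=0 ref=1 serial=4
  src: 0:10.1.0.0/255.255.255.0:0
  dst: 0:10.2.0.0/255.255.255.0:0
------------------------------------------------------
name=to-branch-b ver=1 serial=3 203.0.113.10:0->198.51.100.9:0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=12 ilast=1 olast=1 ad=/0
stat: rxp=1520 txp=1498 rxb=203412 txb=190117
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=12
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-branch-b proto=0 sa=1 ref=2 serial=5
  src: 0:10.1.0.0/255.255.255.0:0
  dst: 0:10.3.0.0/255.255.255.0:0
"""

# The three sa values described above.
SA_MEANING = {
    0: "no IPsec SA: selector mismatch, or no traffic initiated yet",
    1: "IPsec SA up and selectors match",
    2: "IPsec SA rekey in progress",
}

KV = re.compile(r"(\S+?)=(\S+)")  # key=value tokens on a line


def parse_tunnel_list(text):
    """Return one dict per phase1 ('name=' block) with its counters and proxyid entries."""
    tunnels = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = dict(KV.findall(line))
        if line.startswith("name="):
            tunnels.append({"name": fields["name"], "proxyids": [], "rxp": 0, "txp": 0})
        elif not tunnels:
            continue  # banner and separator lines before the first tunnel
        elif line.startswith("stat:"):
            tunnels[-1]["rxp"] = int(fields["rxp"])
            tunnels[-1]["txp"] = int(fields["txp"])
        elif line.startswith("proxyid="):
            tunnels[-1]["proxyids"].append(
                {"proxyid": fields["proxyid"], "sa": int(fields["sa"]), "src": None, "dst": None})
        elif line.startswith(("src:", "dst:")) and tunnels[-1]["proxyids"]:
            key, _, value = line.partition(":")
            tunnels[-1]["proxyids"][-1][key] = value.strip()  # selector belongs to last proxyid
    return tunnels


def tunnel_health(text):
    """One row per phase2 selector: (tunnel, proxyid, sa, meaning, rxp, txp)."""
    rows = []
    for t in parse_tunnel_list(text):
        for p in t["proxyids"]:
            rows.append((t["name"], p["proxyid"], p["sa"],
                         SA_MEANING.get(p["sa"], "unknown sa value"), t["rxp"], t["txp"]))
    return rows


def tunnels_without_sa(text):
    """Names of tunnels where at least one phase2 shows sa=0."""
    return sorted({name for name, _, sa, *_ in tunnel_health(text) if sa == 0})


if __name__ == "__main__":
    for row in tunnel_health(SAMPLE_TUNNEL_LIST):
        print(row)
    print("sa=0:", tunnels_without_sa(SAMPLE_TUNNEL_LIST))
```

On the sample, to-branch-a reports sa=0 with zero packets either way, so it goes to the top of the list for a selector check, while to-branch-b has sa=1 and live counters.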

# diagnose vpn ike gateway list (or diagnose vpn ike gateway list name <tunnel-name>)

# diagnose debug console timestamp enable

# diagnose debug application ike -1

# diagnose debug enable

TCPdump / Sniffer

diag sniffer packet <interface> <'filter'> <verbose> <count> a

<interface> can be an interface name or "any" for all interfaces

<'filter'> is a very powerful filter functionality which will be described in more detail

<verbose> means the level of verbosity as described already

<count> the number of packets the sniffer reads before stopping.

a – timestamps the packets with the absolute UTC time

l - (small letter L) timestamps the packets with LOCAL time on the unit

(blank/no letter) – relative to the beginning of the capture

Note: for parallel captures on multiple interfaces/SSH sessions on a FortiGate, use "a" or "l"; do not leave it blank.


diag sniffer packet wan1 'src host and dst host' 1 3

Flush phase 1

diagnose vpn tunnel flush my-phase1-name

TCPdump examples

diagnose sniffer packet <interface> "<filter>"


diagnose sniffer packet any

diagnose sniffer packet any "src" 4 0 a (just source, so only one direction)

diagnose sniffer packet any "host" 4 0 a (both directions)

diagnose sniffer packet any "port 53" 4 0 a (port e.g. DNS)

diagnose sniffer packet any "host and port 80" 6 0 a

diagnose sniffer packet any "host and not port 80" 6 0 a