Tuesday, 20 October 2015


Fortinet Firewall Commands

// Health and Status

show [enter] // Note that the output contains only non-default values.
show full-configuration // Show all configurations on the device.
show system interface wan1 | grep -A2 ip // Show WAN and interface information.
get system info admin status // Show logged in users
get system status // Show system hardware/software update versions
get hardware status // Detailed hardware model information
get system performance status
get system performance top
show system interface // Interface Configuration
diagnose hardware deviceinfo nic // Interface Statistics/Settings
diagnose hardware sysinfo memory
diag debug crashlog read
diag hardware sysinfo shm // The conserve mode value should be 0; if it is >0 the device is in conserve mode
get system global | grep -i timer // Show tcp and udp timers for halfopen and idle
get system session-ttl // System default tcp-idle session timeout
execute ha manage <devid> // Send heartbeat across the management link.
get hardware nic
diagnose ip address list
get system interface physical

// ARP

diagnose ip arp list

// Track and Troubleshoot
get system session status // Connection count for ingress/egress
get system session-info full-stat // Displays session status with breakdown by state
get system session list // Session list, protocol, expire, src nat, dst nat
diag sys session // Basic session output with no filters applied
diag sys session filter <option> <value> // Capture filter based on src, dst, duration, policy id, vd

// Packet capture

diag debug info // Displays active debug
diag debug enable // Enable debug

#diagnose debug flow filter (shows what filters are configured)
#diagnose debug flow filter clear (clear all filter)
#diagnose debug flow filter <options> <value> (configures the filter)
#diagnose debug flow show con enable <show output on console>
#diagnose debug flow show fun enable <show functions>
#diagnose debug flow trace start <number of lines> (to start the trace)
#diagnose debug flow trace stop (to stop the trace)

diagnose debug reset
diagnose debug enable
diagnose debug flow filter clear
diagnose debug flow filter saddr <source-ip>
diagnose debug flow filter dport 80
diagnose debug flow show con enable
diagnose debug flow show fun enable
diagnose debug flow trace start 20

diagnose sniffer packet <interface or ANY> '<arguments>' <level 1-6>

diagnose sniffer packet ANY 'net <subnet> and not host <ip> and port 80 and TCP' 6

Syn packets only:
diag sniffer packet internal 'tcp[13] == 2'
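The SYN-only filter works because tcp[13] is the TCP flags byte and SYN alone is 0x02. The following is an added example, not code from the original post or from Fortinet: it builds such tcpdump-style flag filters and checks them against constructed TCP headers, showing why 'tcp[13] == 2' skips SYN-ACK replies while a masked form ('tcp[13] & 2 == 2') catches both.

```python
import struct

# TCP flag bits in the flags byte at offset 13 of the TCP header (tcp[13]).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def flags_mask(names):
    """Combine flag names into the bit mask tcpdump compares tcp[13] against."""
    mask = 0
    for name in names:
        mask |= TCP_FLAGS[name.upper()]
    return mask


def flag_filter(names, exact=True):
    """Build the sniffer filter string for the given flags.

    exact=True  -> only these flags set: ("SYN",) gives 'tcp[13] == 2',
                   the SYN-only filter above (a SYN-ACK, 0x12, does not match).
    exact=False -> these flags set, any others ignored: 'tcp[13] & 2 == 2'.
    """
    mask = flags_mask(names)
    return f"tcp[13] == {mask}" if exact else f"tcp[13] & {mask} == {mask}"


def tcp_header(flags, src_port=40000, dst_port=80):
    """Constructed minimal 20-byte TCP header carrying the given flags byte."""
    offset_byte = 5 << 4  # data offset 5 (20 bytes), reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       offset_byte, flags, 65535, 0, 0)


def filter_matches(names, exact, header):
    """Apply the test the filter expresses to a raw TCP header (hypothetical helper)."""
    flags_byte = header[13]
    mask = flags_mask(names)
    return flags_byte == mask if exact else (flags_byte & mask) == mask


# Constructed sample headers: one per handshake/teardown stage.
SAMPLE_HEADERS = {"SYN": tcp_header(0x02), "SYN-ACK": tcp_header(0x12),
                  "ACK": tcp_header(0x10), "RST-ACK": tcp_header(0x14)}


def matching_samples(names, exact=True):
    """Names of the constructed samples a given flag filter would capture."""
    return [n for n, h in SAMPLE_HEADERS.items() if filter_matches(names, exact, h)]
```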

to stop:
diagnose debug reset
diagnose debug disable

// Enable packet capture in GUI

System -> Config -> Advanced
Setup packet capture filter, Check box to start, Uncheck to stop.
Download Debug Log

by Jonathan Rennie

get sys status
diagnose hardware sysinfo memory
diagnose hardware sysinfo shm
diagnose ips dissector status
get sys perf status
diag sys session full-stat
diag sys session6 full-stat
dia netlink device list
dia test app http 4
dia test app proxyworker 4
diag firewall statistic show
diag firewall packet distribution
dia stats per-ip-bw
diagnose hardware sysinfo shm
diag sys top