Fortigate Firewall General Troubleshooting

For the CLI use SSH or the console port whenever possible. The CLI widget in the browser has limitations with scrolling, cut and paste, and special characters.


Default User, IP, Console Settings

admin / no password                          Default user
192.168.1.99/24                              Default IP on port1, internal, lan or mgmt port
9600/8-N-1, hardware flow control disabled   Default serial console settings

Set an admin password immediately; the default account has none.

Keyboard Shortcuts

Fortinet offers some shortcuts to position the cursor and navigate the CLI

up arrow, CTRL-P     Previous command
down arrow, CTRL-N   Next command
CTRL-A               Beginning of line
CTRL-E               End of line
CTRL-B               Back one word
CTRL-F               Forward one word
CTRL-D               Delete current character
CTRL-C               Abort command and exit branch (be careful: CTRL-C is context sensitive. It moves you up to the previous command branch level. If you are already at the top, it logs you out)
CTRL-L               Clear screen
TAB key              Completes the current word or iterates through the possible completions
?                    Lists the possible commands

Official documentation and information on the Internet

docs.fortinet.com             Documentation
kb.fortinet.com               Knowledge base
cookbook.fortinet.com         Cookbooks
support.fortinet.com          Support site (login required)
forum.fortinet.com            User forum
wiki.diagnose.fortinet.com    Diagnose wiki (outdated)

Show the configuration

show displays only what differs from the defaults. show full-configuration (show full for short) shows all parameters, defaults included.

show

show full-configuration

By default the CLI pages long output and stops at “-More-“. To suppress the pause (for example when capturing show output with the terminal's session log):

config system console
   set output standard
end

Revert the setting to more when you no longer need it.

Config save manually (revert) or automatically

In revert mode a change takes effect immediately but is rolled back after cfg-revert-timeout seconds (600 = 10 minutes) unless it is confirmed with exec cfg save. This guards against locking yourself out with a bad firewall policy or interface change.

config system global
   set cfg-save revert
   set cfg-revert-timeout 600
end

Confirm the pending changes before the timeout expires:

exec cfg save

Save every change automatically (the default)

config system global
   set cfg-save automatic
end

Find a specific expression with grep

grep finds all the lines containing the expression you are looking for. grep -f only works with show; it displays the whole config block in which the expression is found, not just the matching line.

diag sys session list | grep 10.1.2.3

show full | grep -f ip

Config save with SCP

It is possible to pull the configuration from a remote device using scp. Use a dedicated admin account restricted by trusted hosts and SSH key authentication for this, since the backup file contains the complete configuration.

config system global
   set admin-scp enable
end
scp admin@<firewall-ip-address>:sys_config fortigate-config-<date>.txt
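The scp command above is the building block of a scheduled backup. The following script is an added example for this page, not Fortinet code: it pulls sys_config into a date-stamped file and diffs it against the previous backup, so that an unexpected configuration change (a new admin account, an opened policy) is flagged on the next run. It assumes admin-scp is enabled as shown above, that the backup host authenticates with an SSH key registered on a trusted-host-restricted admin account, and that the firewall's host key is already in known_hosts; BACKUP_DIR and the file names are assumptions chosen for the example.

```sh
#!/bin/sh
# Added example, not from the page or from Fortinet: pull the configuration
# over SCP into a date-stamped file, then diff it against the previous backup
# so that an unexpected change shows up in the next backup run.
# Assumptions: admin-scp is enabled on the firewall, the backup host holds an
# SSH key registered on a dedicated admin account limited by trusted hosts,
# and the firewall's host key is already in known_hosts (BatchMode never
# prompts, and a forged firewall host key is rejected rather than accepted).

BACKUP_DIR="${BACKUP_DIR:-./fortigate-backups}"   # assumed location

# Copy sys_config from the firewall $1 to the local path $2.
# Fails if scp fails or the file is empty, so a broken pull never replaces
# the "latest" copy used for comparison.
fetch_config() {
    scp -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "admin@$1:sys_config" "$2" || return 1
    [ -s "$2" ] || return 1
}

# Return 0 (true) and print a unified diff when the two config files differ,
# 1 when they are the same. Lines starting with "#" are ignored: FortiOS
# writes header comments there that change with every save even if nothing
# else did.
config_differs() {
    t1=$(mktemp)
    t2=$(mktemp)
    grep -v '^#' "$1" > "$t1"
    grep -v '^#' "$2" > "$t2"
    if diff -u "$t1" "$t2"; then rc=1; else rc=0; fi
    rm -f "$t1" "$t2"
    return "$rc"
}

# One backup run for firewall $1: fetch, compare with the previous copy,
# then promote the new file to "latest".
backup_once() {
    fw="$1"
    new="$BACKUP_DIR/fortigate-config-$(date +%Y-%m-%d).txt"
    latest="$BACKUP_DIR/latest.txt"
    mkdir -p "$BACKUP_DIR"
    if ! fetch_config "$fw" "$new"; then
        echo "backup of $fw failed, keeping previous copy" >&2
        return 1
    fi
    if [ -f "$latest" ] && config_differs "$latest" "$new"; then
        echo "WARNING: configuration of $fw changed since the last backup (diff above)" >&2
    fi
    cp "$new" "$latest"
}

if [ $# -ge 1 ]; then
    # usage: BACKUP_DIR=/var/backups/fgt sh fgt-backup.sh <firewall-ip-address>
    backup_once "$1"
fi
```

Run it from cron once a day and send the WARNING lines to whoever reviews firewall changes; a diff that nobody requested is the cheapest possible detection of a compromised or misused admin account.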

Using VDOMs

Enable VDOMs (this is the older syntax; FortiOS 6.2 and later use the vdom-mode setting under config system global instead)

config system global
   set vdom-admin enable
end

Enter the global part or a VDOM

config global

config vdom
   edit <vdom>

Execute commands in a different VDOM

sudo {global|vdom-name} {diag|exec|show|get}

Factory Reset

A complete reset. Both reset commands ask for confirmation and reboot the unit; take a backup first

exec factoryreset

Admin user, interface settings and static routing remain unchanged (the unit still reboots)

exec factoryreset2

Show Config Errors after a firmware upgrade

Lines of the old configuration that could not be applied after a firmware upgrade. Review this after every upgrade, because a dropped line can silently remove a policy or an interface setting

diag debug config-error-log read

System Status

General system information (firmware version, serial number, operation mode, HA mode)

get system status

Complete report for a Fortinet support case. The output is long and contains configuration details, so enable session logging in your terminal before running it and handle the result like a configuration backup

exec tac report