Fortigate Commands

I configure/support Fortigate firewalls on a daily basis: the baby 60DSLs, the 200As, but mostly the big 3016Bs.

Although I do use the Fortimanager front-end extensively for revision history, I still prefer, and often do, work from the command line, so I thought I'd share the commands I use often.

Monitoring commands:

show

  • Show global or vdom config

sh system interface

  • Equivalent to show run interface

diagnose hardware deviceinfo nic

  • Equivalent to show interface

get system status

  • Show version information

sh firewall policy 6

  • Show firewall rule number 6

sh router policy

  • Show Policy Routing rules

diagnose system session list

  • Show the existing translations

diagnose system session clear

  • Clears all xlate/translations

diagnose ip arp list

  • Shows the ARP table of connected hosts

get router info routing-table all

  • Equivalent to ‘show ip route’

diagnose system top

  • Show System Processes running with PIDs

diagnose system kill 9 <id>

  • Kill the specific PID

diag test auth ldap <server_name> <username> <password>

  • LDAP test query from the Fortigate to the AD server


8 thoughts on “Fortigate Commands”

  1. Hi,

    I am migrating the configuration from a Fortigate-100A to a new Fortigate-100D. Is there a way to copy the full configuration from one box to another via cli?

    I have got the ” show full-configuration” command output from the 100A. Is it possible to dump this full configuration on to the new 100D? Of course, there are a lot of things that will need to be tweaked, but I assume that the bulk of the rules and routing will be able to be migrated on to the new hardware.

    Are there any migration documents for Fortigates? I have very limited experience on this and every/any help will be appreciated.

    Thanks

    1. Migrating between boxes is fairly straightforward, providing your software versions match. The 100D and 100A both can run up to 4.0MR3p12 (build0656), so match the firmware between them and then export the config from the 100A. You can actually get away with being in the same MR, but to be safe matching is best. Sometimes they change things in the same MR that break old configs.

      The trick here is to open the config and adjust the port names to match the new device. The Fortigate 100A has DMZ1 and 2 but the 100D only has a single DMZ port. If you were actively using DMZ2 too, you’d need to rename any instances in the config to that of another port.

      Once the ports are correct, you have to change the first line in the config to match the correct model. If the model doesn’t match, it will reject the config every time.

      #config-version=FG100A-4.00-FW-build113-091202:opmode=0:vdom=0:user=admin
      …or something similar would be changed to…
      #config-version=FG100D-4.00-FW-build113-091202:opmode=0:vdom=0:user=admin

      If you’re not sure of the model number prefix on a Fortigate, just export the config from the destination device and look at that first line.

      Save the modified config and you should be able to import it to the new device via the GUI, or via the CLI using the “exec restore config …” command.

      There could possibly be a few errors once the firewall reboots, so be sure to check via the CLI with “diagnose debug config-error-log read”. A lot of times the errors are irrelevant (something the old device had that the new one doesn’t) but pay attention for anything that could be important.

      The next time you reboot the device, those errors should be gone as they were parameters or values that couldn’t be applied to the new device.

      At this point the new device should be functioning like the old one–but much faster.

      I’ve used this technique to go from FGT60 (max 3.0 MR7p10) to 60B (which can go back to 3.0 MR5p2) to 60C (which can only do 4.0MR2p2+) and between many different devices (60B to 80C, 200D to 300C, etc).
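The header rewrite and port renaming described in the reply above, as an added Python example that is not part of the original post or of Fortinet's own tooling. Only the `#config-version=` header format comes from the reply; the config excerpt, the port mapping (dmz2 folded into a hypothetical dmz) and the target model are constructed for illustration.

```python
import re
# Constructed sample shaped like a FortiGate 4.0 export: the header format is the one
# quoted in the comment above; the interface and policy lines are hypothetical.
SAMPLE_100A = """\
#config-version=FG100A-4.00-FW-build113-091202:opmode=0:vdom=0:user=admin
config system interface
    edit "dmz2"
        set ip 10.2.2.1 255.255.255.0
    next
end
config firewall policy
    edit 6
        set srcintf "dmz2"
        set dstintf "wan1"
    next
end
"""
HEADER_RE = re.compile(r"^#config-version=([A-Z0-9]+)-(.*)$", re.M)
EDIT_RE = re.compile(r'^\s*edit "([^"]+)"')

def retarget_header(config, new_model):
    """Swap the model prefix in the #config-version line (FG100A -> FG100D)."""
    if not HEADER_RE.search(config):
        raise ValueError("no #config-version header: not a FortiGate config export")
    return HEADER_RE.sub(lambda m: f"#config-version={new_model}-{m.group(2)}", config, count=1)

def rename_interfaces(config, mapping):
    """Rename quoted references to each old port and drop the old port's own 'edit' block
    under 'config system interface'. Returns (new_text, {old_name: references_touched})."""
    out, counts, in_intf, skipping = [], dict.fromkeys(mapping, 0), False, False
    for line in config.splitlines():
        s = line.strip()
        if s == "config system interface": in_intf = True
        elif s == "end": in_intf = False
        if skipping:                                # still inside the dropped block
            skipping = s != "next"
            continue
        if in_intf and (e := EDIT_RE.match(line)) and e.group(1) in mapping:
            counts[e.group(1)] += 1                 # the old port's own definition
            skipping = True
            continue
        if s.startswith(("edit ", "set ")):         # only these lines carry port names
            for old, new in mapping.items():
                if f'"{old}"' in line:
                    counts[old] += 1
                    line = line.replace(f'"{old}"', f'"{new}"')
        out.append(line)
    return "\n".join(out) + "\n", counts
```

The returned counts tell you how many references were rewritten, so a zero for a port you expected to be in use is worth a second look before the `exec restore config` step.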

  2. Hi, good info. By the way, in the dashboard CLI, what’s the command line to show which host IP uses lots of bandwidth? Thanks in advance
