CLI troubleshooting cheat sheet Command Description

If keepvmlicense is specified (VM

This reference lists some important command line interface (CLI) commands models only), the VM license is
that can be used for log gathering, analysis, and troubleshooting. retained after reset.
diagnose debug config-error-log Show errors in the configuration file.
It provides a basic understanding of CLI usage for users with different skill read
levels. Exploring additional commands beyond the ones listed here to gain a
diagnose snmp ip frags Show fragmentation and reassembly
comprehensive understanding of the CLI is recommended.
information.
Enable/Disable debugging diagnose sys process dump <PID> Show essential process related
diagnose sys process pstack <PID> information for a particular process
diagnose sys process trace <PID> PID.
Command Description
diagnose debug reset Stop all the prior debugs that were diagnose sys mpstat {n} Show CPU usage every n seconds.
enabled and running in the foreground diagnose hardware sysinfo memory Show system memory information.
or background. diagnose firewall packet Show packet distribution statistics.
diagnose debug enable Start printing debugs in the console. distribution
diagnose debug disable Stop printing debugs in the console. execute reboot Reboot the device.
The debugs are still running in the
background; use diagnose debug Hardware
reset to completely stop them.
diagnose debug duration 0 Start debugging for infinite duration. By Command Description
default, debug is set for 30 minutes. diagnose hardware sysinfo Show hardware interrupts statistics.
interrupts
System Execute a hardware diagnostic test,
diagnose hardware test suite all
also known as an HQIP test.
Command Description diagnose hardware deviceinfo disk Show disk information.
get system status Show system information. diagnose sys flash list Show flash partitions.
execute time Show current system time. execute disk list Show available mounted disks.
get system performance status Show CPU and memory utilization. execute disk format <partition ref> Format the referenced partition.
execute tac report Execute TAC report used to open a diagnose disktest device <device> Execute a disk check to check if disk is
support ticket with Fortinet Support. diagnose disktest block <block> faulty.
diagnose disktest size <mb> l <device>: Device to test
diagnose sys top {s} {n} {i} Show a list of the first n processes
diagnose disk test run
every s seconds for i iterations. l <block>: Block size of each

l Shift +C: Sort by highest CPU read/write operation.

l Shift + M: Sort by highest memory l <mb>: Test size limit for each

diagnose debug crashlog read Show system and application crashes. cycle
diagnose sys process pidof <daemon> Show PID of the daemon that is execute formatlogdisk Format the log disk.
running. The names of currently diagnose hardware sysinfo cpu Show CPU information.
running daemons can be found using diagnose sys modem detect Detect the modem and start real-time
diagnose sys top. diagnose debug application modemd - debugging of the modem daemon.
For example: diagnose sys 1
diagnose debug enable
process pidof httpsd
diagnose sys kill 11 <pid> Kill the PID with signal 11.
FortiGuard
diagnose sys session stat Show session statistics.
diagnose sys session exp-stat Show expectation session statistics. Command Description
diagnose sys vd list Show virtual domain information and diagnose webfilter fortiguard Show rating cache and daemon
system statistics. statistics statistics.
diagnose sys cmdb info Show information about the latest diagnose debug rating Show web filter rating server
configuration change performed by the information.
daemon.
diagnose debug application update - Start debugging for updated daemon to
execute factoryreset Immediately reset to factory defaults 1 troubleshoot FortiGuard update issues.
[keepvmlicense] and reboot. diagnose debug enable
If keepvmlicense is specified (VM execute update-now Execute the FortiGuard update
models only), the VM license is manually.
retained after reset. diagnose autoupdate status Show license information.
execute factoryreset-shutdown Immediately reset to factory defaults diagnose autoupdate versions
[keepvmlicense] and shutdown.
If keepvmlicense is specified (VM Session table
models only), the VM license is
retained after reset. Command Description
execute factoryreset2 Reset to factory default, except system diagnose sys session filter Set session table filters.
[keepvmlicense] settings, system interfaces, VDOMs, <filter>
static routes, and virtual switches. diagnose sys session filter Show session filters, if set.

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 01-760-1051988-20240725

Command Description Command Description
diagnose sys session list Show session table after filtering. diagnose debug application
urlfilter -1
diagnose sys session clear Clear the session table for the
diagnose debug enable
specified filter.
diagnose debug enable List the web filter debug outputs.
diagnose firewall iprope list Show FortiGate’s internal firewall table. diagnose test application urlfilter
diagnose test application urlfilter Show the web filter debug output for
Network diagnostics <option> the specified option.
diagnose debug application dnsproxy Start real-time debugging for DNS
Command Description -1 proxy. DNS proxy is responsible for
execute ping-options {options} Ping IP address <x.x.x.x> using the diagnose debug enable DNS filter, DNS translation, DNS
execute ping <x.x.x.x> specified options. resolution etc.
execute ssh-options {options} SSH to IP address <x.x.x.x> using the diagnose debug enable List the DNS proxy debug outputs.
execute ssh <x.x.x.x> specified options. diagnose test application dnsproxy
execute traceroute-options Traceroute IP address <x.x.x.x> using diagnose test application dnsproxy Show the DNS proxy debug output for
{options} the specified options. <option> the specified option.
execute traceroute <x.x.x.x>
diagnose ips filter set "host Start IPS engine debugs for
get system arp Show ARP entries. <x.x.x.x> and port <port>" Application Control and IPS Security
diagnose ip arp list diagnose ips debug enable all profile
diagnose netlink brctl list Show the names of all of the switches diagnose debug enable
on the FortiGate. diagnose ips debug enable av Start real-time debugging for antivirus
diagnose netlink brctl name host Show the switching table of the diagnose ips debug status show profile when antivirus profile is
<switch-name> specified switch. diagnose sys scanunit debug all configured in flow mode.
enable
get system interface Show a summary of interface details, diagnose sys scanunit debug level
get sys interface physical including IP address information. verbose
diagnose ip address list Show IP address information. diagnose sys scanunit debug show
diagnose debug enable
diagnose hardware deviceinfo nic Show detailed interface information.
<interface> diagnose wad debug enable category Start real time debugging for antivirus
get hardware nic <interface> scan profile when antivirus profile is
diagnose wad stream-scan av-test configured in proxy mode.
get sys interface transceiver Show connected transceivers.
"debug enable"
diagnose wad stream-scan av-test
Packet sniffer "debug all:debug"
diagnose sys scanunit debug all
Command Description enable
diagnose sys scanunit debug level
diagnose sniffer packet <interface> Execute the inbuilt packet sniffer,
verbose
<'filter'> <verbose> <count> filtered on a particular interface with the diagnose sys scanunit debug show
<a|l> specified filter. For more information, diagnose debug enable
see Performing a sniffer trace or
packet capture.
IPS engine
Debug flow The IPS engine handles traffic related to flow-based processing.

Command Description Real-time debugs are CPU intensive tasks. Running real-time
diagnose debug reset Stop all the prior debugs that were IPS engine debugs with proper filters can result in high CPU
enabled and running in the foreground usage.
or background.
diagnose debug flow filter clear Clear any IPv4 debug flow filters. Command Description
diagnose debug flow filter6 clear Clear any IPv6 debug flow filters. diagnose test application Show IPS engine information
diagnose debug flow filter <filter> Set a filter for running IPv4 traffic ipsmonitor 1
debug flows. diagnose test application Set the IPS engine enable/disable
diagnose debug flow filter6 Set a filter for running IPv6 traffic ipsmonitor 2 status.
<filter> debug flows. diagnose test application Restart all IPS engines and monitor.
diagnose debug flow show function- Show the function name of the code ipsmonitor 99
name enable that the traffic accesses. diagnose test application Start all IPS engines.
ipsmonitor 97
diagnose debug flow show iprope Show which internal firewall policy that
enable the traffic is going through. diagnose test application Stop all IPS engines.
ipsmonitor 98
diagnose debug console timestamp Start printing timestamps on debugs.
enable diagnose ips session list Show the IPS sessions in each
diagnose test application engine's memory space.
diagnose debug flow trace start <n> Show n lines of IPv4 debugs.
ipsmonitor 13
diagnose debug flow trace start6 Show n lines of IPv6 debugs. diagnose ips filter set "host Show IPS engine debugs for the traffic
<n>
<x.x.x.x> and port <port>" specified by the filter.
diagnose debug enable Start printing debugs in the console. diagnose ips debug enable all
diagnose debug enable
UTM

Command Description
diagnose debug urlfilter <filter> Start real-time debugging for web filter
traffic.

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 2

WAD Command Description
The WAD daemon handles proxy related processing. get router info6 ospf status
get router info ospf neighbor Show OSPF neighbors for IPv4 and
get router info6 ospf neighbor IPv6.
Real-time debugs are CPU intensive tasks. Running real-time get router info ospf database brief Show OSPF database in brief.
WAD debugs with proper filters can result in high CPU usage.
get router info bfd neighbor Show BFD neighbors for IPv4 and
get router info6 bfd neighbor IPv6.
Command Description
diagnose test application bfd 1 Show BFD statistics.
diagnose test application bfd 2
diagnose test application wad 1000 Show all WAD processes. diagnose test application bfd 3
diagnose test application wad 2 Show total memory usage. diagnose debug application bfdd Start real-time BFD debugging .
diagnose test application wad 99 Restart all WAD processes. <debug level>
diagnose debug enable
diagnose wad debug display pid Start real-time debugging of the traffic
enable processed by WAD daemon.
get router info bgp summary Show BGP summary for IPv4 and
diagnose wad filter <filter> get router info6 bgp summary IPv6.
diagnose wad filter list get router info bgp neighbors Show BGP peer and the advertised
diagnose wad debug enable level get router info6 bgp neighbors and received routes from the BGP
<level> get router info bgp neighbors peer.
diagnose wad debug enable category <x.x.x.x> advertised-routes l Substitute <x.x.x.x> with IPv4
<category> get router info6 bgp neighbors
diagnose debug enable address of the peer.
<x:x::x:x/m> advertised-routes
l Substitute <x:x::x:x/m> with IPv6
diagnose wad filter <filter> Set the filter for the WAD debugs. get router info bgp neighbors
<x.x.x.x> received-routes address of the peer.
diagnose wad filter list Show all the filters that have been set get router info6 bgp neighbors
for debugging. <x:x::x:x/m> received-routes
diagnose wad filter clear Clear the WAD filter settings. get router info bgp neighbors
diagnose wad debug enable level Set the verbosity level of the debugs. <x.x.x.x> routes
<level> get router info6 bgp neighbors
<x:x::x:x/m> routes
diagnose wad debug enable category Set the traffic category.
<category> diagnose ip router bgp all enable Start real-time BGP debugging.
diagnose ip router bgp level info
diagnose wad debug display pid Show the WAS worker PID in debugs diagnose debug enable
enable that handle the session request.
execute router clear bgp {all | as Execute a hard reset based on the
diagnose debug enable Start printing debugs in the console. <ASN> | ip x.x.x.x | ipv6 specified parameters:
y:y:y:y:y:y:y:y} l all: all BGP peers
CPU profiling as <ASN>: BGP peers specified
l

by AS number
Command Description l ip x.x.x.x: BGP peer
diagnose sys profile cpumask <cpu_ Set the CPU core to profile. specified by IPv4 address
id> (x.x.x.x)
diagnose sys profile start Start CPU profiling and wait for one to l ipv6 y:y:y:y:y:y:y:y: BGP

two minutes to stop. peer specified by IPv6 address

diagnose sys profile stop Stop CPU profiling. (y:y:y:y:y:y:y:y)
diagnose sys profile module Show the applied kernel modules. execute router clear bgp {all | ip Executea soft reset based on the
x.x.x.x | ipv6 y:y:y:y:y:y:y:y} specified parameter:
diagnose sys profile show detail Show the CPU profiling result for the soft {in|out} l all: all BGP peers
diagnose sys profile show order respective core.
l ip x.x.x.x: BGP peer

specified by IPv4 address

Tree
(x.x.x.x)
l ipv6 y:y:y:y:y:y:y:y: BGP
Command Description
peer specified by IPv6 address
tree Show the entire command tree. (y:y:y:y:y:y:y:y)
tree execute Show the execute command tree. l in: received BGP routes only

tree diagnose Show the diagnose command tree. l out: advertised BGP routes only

A soft reset will occur in both

IPv4 and IPv6 routing directions if neither in nor out is
specified.
Command Description get router info ospf status Show OSPF status for IPv4 and IPv6.
get router info6 ospf status
get router info routing-table all Show routing table. get router info ospf interface Show OSPF running on interface for
get router info routing-table Show IPv4 and IPv6 routing database get router info6 ospf interface IPv4 and IPv6.
database information.
get router info6 routing-table
get router info ospf neighbor all Show OSFP neighbor information for
get router info6 ospf neighbor all IPv4 and IPv6.
database
diagnose ip route list Show the IPv4 and IPv6 kernel routing get router info ospf database brief Show OSPF database in brief for IPv4
get router info kernel get router info6 ospf database and IPv6.
table.
diagnose ipv6 route list brief
get router info6 kernel diagnose ip router ospf all enable Start real-time OSPF debugging.
get router info protocols Show routing protocol information for diagnose ip router ospf level info
get router info6 protocols diagnose debug enable
IPv4 and IPv6.
execute router restart Restart the routing daemon
get router info ospf status Show OSPF status for IPv4 and IPv6.

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 3

Multicast routing Command Description
Caution: The password is visible in
Command Description clear text; be careful when capture this
get router info multicast igmp Show IGMP statistics for an interface. command to a log file.
interface diagnose test authserver ldap Test user authentication using an
get router info multicast igmp Show multicast groups subscribed to <server_name> <user> <password> LDAP server.
groups with IGMP. Caution: The password is visible in
diagnose ip multicast get-igmp- Show maximum IGMP states. clear text; be careful when capture this
limit command to a log file.
diagnose ip router igmp decode Start real-time debugging of IGMP diagnose test authserver radius Test user authentication using a
enable daemon. <server_name> <auth_type> <user> Radius server.
diagnose ip router igmp level info <password>
diagnose debug console timestamp Caution: The password is visible in
enable clear text; be careful when capture this
diagnose debug enable command to a log file.
execute mrouter clear igmp- Clear all IGMP entries from one diagnose debug fsso-polling detail Show information about the polls from
interface <interface> interface. diagnose debug fsso-polling summary FortiGate to DC.
execute mrouter clear igmp-group Clear all IGMP entries for one or all diagnose debug fsso-polling user Show FSSO logged on users when
<group-address> groups. diagnose debug authd fsso list Fortigate polls the DC.
get router info multicast pim Show sparse-mode interface diagnose debug application fssod -1 Start real-time debugging when the
sparse-mode <interface>. information. diagnose debug application smbcd -1 FortiGate is used for FSSO polling.
diagnose debug enable
get router info multicast pim Show sparse-mode neighbor
sparse-mode <neighbor> information. diagnose debug fsso-polling Refresh the current logged on FSSO
refresh-user users and refresh the list.
get router info multicast pim Show RP to group mapping execute fsso refresh
sparse-mode rp-mapping information. Caution: This command can cause an
outage, use it carefully.
get router info multicast pim Show sparse-mode routing table.
sparse-mode table diagnose debug authd fsso server- Show current status of connection
status between FortiGate and the collector
diagnose ip router pim-sm events Start real-time debugging of PIM
enable sparse mode. agent.
diagnose ip router pim-sm all diagnose debug application authd Start real-time debugging for the
enable 8256 connection between FortiGate and the
diagnose ip router pim-sm level diagnose debug enable collector agent.
info
diagnose debug authd fsso refresh- Resend the logged-on users list to
diagnose debug enable
logons FortiGate from the collector agent.
SD-WAN diagnose debug application authd Start real-time debugging for the
8256 connection between FortiGate and the
diagnose debug enable collector agent.
Command Description
diagnose debug application samld -1 Start real-time SAML debugging.
diagnose sys sdwan health-check Show SD-WAN health check statistics. diagnose debug enable
status
diagnose sys sdwan service Show SD-WAN rules in control plane. IPsec
diagnose sys sdwan member Show SD-WAN members.
diagnose firewall proute list Show SDWAN rule and policy routes in Command Description
the data plane. diagnose vpn ike gateway list Show IPsec phase 1 information.
diagnose sys link-monitor status Show link monitoring statistics. diagnose vpn tunnel list Show IPsec phase 2 information.
diagnose sys link-monitor interface
<interface> get vpn ipsec tunnel summary Show summary and detailed
get vpn ipsec tunnel details information about IPsec tunnels.
diagnose debug application link- Start real-time link monitor debugging.
monitor -1 diagnose vpn ipsec status Show information about encryption
diagnose debug enable counters.
diagnose test application lnkmtd 1 Show link monitoring statistics. diagnose vpn ike log filter Set a filter for IKE daemon debugs.
diagnose test application lnkmtd 2 <filter>
diagnose test application lnkmtd 3 diagnose debug application ike -1 Start real-time debugging of IKE
diagnose debug enable daemon with the filter set.
Authentication diagnose vpn ike restart Restart the IKE process.
diagnose vpn ike counts Show other information, such as IKE
Command Description diagnose vpn ike routes counts, routes, errors, and statistics.
diagnose firewall auth filter Set the filter used to list entries. diagnose vpn ike errors
<filter> diagnose vpn ike stats
diagnose firewall auth list List filtered, authenticated IPv4 users. diagnose vpn ike status
diagnose vpn ike crypto
diagnose wad user list List current users authenticated by
proxy (wad daemon).
diagnose debug application fnbamd - Start real-time debugging for remote
SSL VPN
1 and local authentication.
diagnose debug application authd -1 Command Description
diagnose debug enable diagnose vpn ssl debug-filter list Show any filters that are set for SSL
diagnose test authserver <auth_ Test authentication directly from the VPN debug.
protocol> <server_name> <user> CLI. diagnose vpn ssl debug-filter clear Clear any filters that are set for SSL
<password>
VPN daemon debug.

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 4

Command Description High availability
diagnose vpn ssl debug-filter Set a filter for SSL VPN debugs.
<filter> Command Description
diagnose debug application sslvpn - Start SSL VPN debugs for traffic that diagnose system ha status Show HA status and information.
1 the filter is applied to. get system ha status
diagnose debug enable execute ha manage <index> Log into and manage a specific HA
diagnose vpn ssl list Show the current SSL VPN sessions <username> member.
get vpn ssl monitor for both web and tunnel mode. diagnose sys ha checksum cluster Show checksum information of all
execute vpn sslvpn list
cluster members.
diagnose vpn ssl statistics Show the SSL VPN statistics.
diagnose vpn ssl mux-stat
diagnose sys ha checksum show Show detailed checksum information
<vdom> for a VDOM.
execute vpn sslvpn list Show all SSL VPN web and tunnel
mode connections. diagnose sys ha checksum Recalculate HA checksums.
recalculate
execute vpn sslvpn del-tunnel Disconnect the users from tunnel mode
diagnose sys ha recalculate- Recalculate HA external files
SSL VPN connection. extfile-signature signatures.
execute vpn sslvpn del-web Disconnect the users from web mode
diagnose sys ha reset-uptime Reset the HA uptime. This is used to
SSL VPN connection.
test failover.
diagnose debug application hatalk - Start real-time debugging of HA
Managed FortiSwitches 1 daemons.
diagnose debug application hasync -
Command Description 1
diagnose switch-controller switch- Show managed FortiSwitch MAC diagnose debug application harelay
info mac-table address list. -1
diagnose debug enable
diagnose switch-controller switch- Show managed FortiSwitch port
info port-stats statistics.
diagnose sys ha history read Show HA history.
diagnose switch-controller switch- Show managed FortiSwitch trunk
execute ha synchronize stop Manually start and stop HA
execute ha synchronize start synchronization.
info trunk status information.
diagnose switch-controller switch- Show MCLAG related information from
info mclag FortiSwitch.
ZTNA
execute switch-controller get-conn- Show FortiSwitch connection status.
status <FortiSwitch-SN> The WAD daemon handles proxy related processing.
execute switch-controller get- Show FortiLink connectivity graph. The FortiClient NAC daemon (fcnacd) handles FortiGate to
physical-conn standard EMS connectivity.
<FortiSwitch-SN>
execute switch-controller diagnose- Show FortiSwitch connection
Command Description
connection <FortiSwitch-SN> diagnostics.
diagnose endpoint fctems test- Verify FortiGate to FortiClient EMS
connectivity <EMS> connectivity.
Managed FortiAPs
execute fctems verify <EMS> Verify the FortiClient EMS’s certificate.
Command Description diagnose test application fcnacd 2 Dump the EMS connectivity

diagnose wireless-controller wlac - Show information about the FortiAP information.

c wtp devices. diagnose debug app fcnacd -1 Run real-time FortiClient NAC daemon
diagnose wireless-controller wlac - diagnose debug enable debugs.
d wtp diagnose endpoint ec-shm list <ip> Show the endpoint record list.
diagnose wireless-controller wlac - Show information about the wireless <mac> <EMS_serial_number> <EMS_ Optionally, add filters.
c sta clients connected to the FortiAP tenant_id>
diagnose wireless-controller wlac - devices. diagnose endpoint lls-comm send Query endpoints by client UID, EMS
d sta ztna find-uid <uid> <EMS_serial_ serial number, and EMS tenant ID.
diagnose wireless-controller wlac Show a list of debug options available number> <EMS_tenant_id>
help for the wireless controller. diagnose endpoint lls-comm send Query endpoints by the client IP-
diagnose wireless-controller wlac Start real-time debugging of a wireless ztna find-ip-vdom <ip> <vdom> VDOM pair.
sta_filter client/station that connects to the diagnose wad dev query-by uid <uid> Query from WAD diagnose command
diagnose wireless-controller wlac FortiAP. <EMS_serial_number> <EMS_tenant_ by UID, EMS serial number, and EMS
sta_filter clear l <aa:bb:cc:dd:ee:ff>: MAC id> tenant ID.
diagnose wireless-controller wlac
address of endpoint/station diagnose wad dev query-by ipv4 <ip> Query from WAD diagnose command
sta_filter <aa:bb:cc:dd:ee:ff>
255 by IP address.
diagnose debug enable diagnose firewall dynamic list List EMS security posture tags and all
diagnose wireless-controller wlac - Show virtual access point information, dynamic IP and MAC addresses.
c vap including its MAC address, BSSID, diagnose test application fcnacd 7 Check the FortiClient NAC daemon
SSID, the interface name, and the diagnose test application fcnacd 8 ZTNA and route cache.
IP address of the APs that are diagnose wad worker policy list Display statistics associated with
broadcasting it.
application gateway rules.
diagnose wireless-controller wlac Show the wireless termination point diagnose wad debug enable category Run real-time WAD debugs.
wtp_filter (WTP), or FortiAP, debugging on the all
diagnose wireless-controller wlac wireless controller if FortiAP is failing to diagnose wad debug enable level
wtp_filter clear connect to FortiGate. verbose
diagnose wireless-controller wlac
l <FAP-SN>: FortiAP serial diagnose debug enable
wtp_filter <FAP-SN> 0-
<x.x.x.x>:5246 255 number diagnose debug reset Reset debugs when completed
l <x.x.x.x>: FortiAP IP address
diagnose debug application cw_acd
0x7ff

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 5

Logging

Command Description
diagnose log test Generate logs for testing.
execute log filter <filter> Set log filters.
execute log filter Show log filters.
exec log display Show filtered logs.
execute log delete Delete filtered logs.
diagnose debug application miglogd Start real-time debugging of logging
-1 process miglogd.
diagnose debug enable
execute log fortianalyzer test- Test connectivity between FortiGate
connectivity and FortiAnalyzer.

Traffic shaping

Command Description
diagnose firewall shaper traffic- Show configured traffic shapers.
shaper list
diagnose firewall shaper traffic- Show traffic shaper statistics.
shaper stats list

SIP session helper

Command Description
diagnose sys sip status Show SIP status.
diagnose sys sip mapping list Show SIP mapping list.
diagnose sys sip dialog list Show SIP dialogue list.
diagnose debug application sip -1 Start real-time SIP debugging.
diagnose debug enable

SIP ALG

Command Description
diagnose sys sip-proxy calls list Show list of active SIP proxy calls.
diagnose sys sip-proxy stats Show SIP proxy statistics.
diagnose sys sip-proxy session list Show SIP proxy session list.
diagnose debug application sip -1 Start real-time SIP debugging.
diagnose debug enable

FortiOS 7.6 Troubleshooting Cheat Sheet Fortinet Inc. 6