Fortinet’s FortiGate firewalls are known for their robust security features and high performance. While the graphical user interface (GUI) is user-friendly, the command-line interface (CLI) offers deeper control, greater flexibility, and faster troubleshooting.

In this comprehensive guide, you’ll learn how to monitor and troubleshoot your FortiGate firewall using CLI commands. Whether you’re a network administrator, security engineer, or IT professional, mastering the FortiGate CLI will enhance your ability to diagnose and resolve network issues efficiently.

Trending

FortiGate vs. Cisco ASA: Which Firewall is Best for Your Business?

Why Use the FortiGate CLI for Monitoring and Troubleshooting?

Using the CLI for firewall management has several advantages:

• More Detailed Information: CLI commands provide deeper insights than the GUI.
• Faster Troubleshooting: Commands execute instantly without GUI lag.
• Automation Potential: Scripts can be used for repetitive tasks.
• Access to Hidden Features: Some settings and logs are only available via CLI.

Now, let’s dive into how you can leverage CLI for real-time monitoring and troubleshooting.

1. Essential FortiGate CLI Monitoring Commands

Monitoring your firewall in real time is critical for maintaining security and performance. Here are some fundamental CLI commands for system diagnostics:

1.1 Checking System Status

To get an overview of your FortiGate device:

get system status

This command displays:

• Firmware version
• Serial number
• System uptime
• Configuration mode
• System time and date
• VPN and license information

1.2 Checking Network Interfaces

To check the status of all network interfaces:

get system interface

To check a specific interface:

get system interface <interface-name>

To check link status and errors:

diag netlink interface list

This helps identify dropped packets, collisions, or interface errors.

1.3 Monitoring CPU and Memory Usage

To check CPU usage:

diag sys top

To check memory utilization:

get system performance status

For historical performance statistics:

diag hardware sysinfo memory

1.4 Checking Sessions and Active Connections

To monitor active sessions:

diagnose sys session list

To view session statistics:

diag sys session stat

To clear all sessions:

diag sys session clear

1.5 Viewing Real-Time Traffic Logs

To see real-time traffic logs:

diag debug enable
diag debug console timestamp enable
diag debug application sslvpn -1

To disable debugging:

diag debug disable

For web filtering logs:

diag debug application urlfilter -1

2. FortiGate CLI Troubleshooting Techniques

When issues arise, CLI commands help diagnose and resolve them quickly. Here are some common troubleshooting scenarios and their solutions.

2.1 Troubleshooting Interface Issues

If an interface is down or not functioning correctly, use:

get system interface physical

To check if the interface is administratively down:

config system interface
edit <interface-name>
set status up
end

To restart an interface:

diag hardware device reset <interface-name>

2.2 Diagnosing Connectivity Issues

Use the ping command to test connectivity:

execute ping <destination-IP>

For deeper analysis, use traceroute:

execute traceroute <destination-IP>

To check if the firewall is blocking traffic:

diag debug flow filter addr <destination-IP>
diag debug flow trace start 100

2.3 Checking Firewall Policies

To check firewall policies in detail:

show firewall policy

To verify which policies are applied to traffic:

diag firewall policy list

To find a specific policy based on source or destination:

diag firewall policy lookup <source-IP> <destination-IP>

2.4 Debugging VPN Issues

To check IPSec VPN status:

diagnose vpn tunnel list

To debug VPN logs:

diag debug enable
diag debug application ike -1

To verify VPN encryption settings:

get vpn ipsec tunnel details

2.5 Resolving High CPU Utilization

To identify high CPU processes:

diag sys top 5

To restart a problematic process:

execute reboot

If high CPU is due to a DDoS attack, block suspicious IPs:

config firewall address
edit "Blocked-IP"
set subnet <attacker-IP> 255.255.255.255
end
config firewall policy
edit <policy-ID>
set action deny
set srcaddr "Blocked-IP"
end

3. Advanced CLI Monitoring and Automation

For power users, FortiGate CLI allows advanced monitoring and automation techniques.

3.1 Automated Log Monitoring

To continuously monitor logs:

tail -f /var/log/system.log

To export logs for external analysis:

execute log export ftp <server-IP> <filename>

To configure syslog:

config log syslogd setting
set status enable
set server <syslog-server-IP>
end

3.2 Configuring SNMP via CLI

To enable SNMP monitoring:

config system snmp sysinfo
set description "FortiGate Firewall"
set location "Data Center"
set contact "[email protected]"
end

To enable SNMP traps:

config system snmp community
edit 1
set name "public"
set trap enable
end

3.3 Scheduling Automated Backups

To schedule automatic backups:

config system global
set cfg-save automatic
end

To manually back up the configuration:

execute backup config ftp <server-IP> <filename>

Conclusion

Mastering FortiGate CLI for monitoring and troubleshooting is essential for network engineers and security professionals. With the right commands, you can quickly diagnose issues, optimize performance, and enhance security.

By leveraging CLI commands for real-time monitoring, connectivity checks, firewall policy verification, and VPN troubleshooting, you can ensure your FortiGate firewall operates efficiently and securely.

Bookmark this guide for quick reference and take your FortiGate expertise to the next level!