FortiGate firewalls are known for their powerful capabilities. While much of the configuration can be handled through the GUI, there are times when accessing the CLI is necessary to gather more detailed information. In this article, I’ll outline some very useful commands for troubleshooting and optimizing your FortiGate firewall.
Troubleshoot Traffic Flow
Show the Routing Table: To view the routing table, use the following command:
get router info routing-table all
Use Sniffer to View Traffic Flows: Sniffer commands can help you monitor traffic flows. Here are some examples:
diagnose sniffer packet any 'host 10.0.100.20 && icmp' 4
diagnose sniffer packet any 'host 10.0.100.20 && port 443' 4
diagnose sniffer packet any 'net 10.0.100.0/24' 4
Debugging Packet Flow
For more detailed information on traffic flow through the firewall, such as which policy is being applied or NAT details, use the following debug commands:
Enable debugging:
diag debug enable
Set protocol filter (1 = ICMP, 6 = TCP, 17 = UDP):
diag debug flow filter proto xx
Set address filter:
diag debug flow filter addr 10.0.100.20
Set port filter:
diag debug flow filter port 443
Start the trace (the number is how many packets to trace before it stops):
diag debug flow trace start 50
All the commands again:
diag debug enable
diag debug flow filter proto xx
diag debug flow filter addr 10.0.100.20
diag debug flow filter port 443
diag debug flow trace start 50
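The trace these commands produce is a stream of key=value lines, one per processing step, and the interesting facts (which policy matched, whether SNAT was applied, which route was chosen) are scattered across them. Here is an added Python example, not code from the original article, that groups the lines by trace_id and pulls those facts out; the sample lines are constructed, with their layout modelled on FortiGate's func=/msg="..." format, so the regular expressions are an assumption about that layout.

```python
import re
from collections import defaultdict

# Constructed sample of "diag debug flow trace" output (layout modelled on the
# FortiGate key=value lines with a quoted msg; not captured from a real device).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 10.0.100.20:51514->198.51.100.7:443) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5657 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=780 msg="Allowed by Policy-12: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3304 msg="SNAT 10.0.100.20->203.0.113.10:51514"
id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 10.0.100.20:51520->192.0.2.9:443) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5657 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=fw_forward_handler line=787 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) .*?msg="(?P<msg>[^"]*)"')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\) from (?P<iface>\S+)\.')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<pid>\d+)\)')
SNAT_RE = re.compile(r'SNAT \S+->(?P<nat>[\d.]+:\d+)')
ROUTE_RE = re.compile(r'find a route: .*gw-(?P<gw>[\d.]+) via (?P<oif>\S+)')

def parse_flow_trace(text):
    """Group debug-flow lines by trace_id; record packet, verdict, policy id, SNAT and route."""
    flows = defaultdict(lambda: {"verdict": None, "policy": None, "snat": None, "route": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a trace line (prompt echo, blank, etc.)
        f, msg = flows[int(m["tid"])], m["msg"]
        if p := PKT_RE.search(msg):
            f.update(proto=int(p["proto"]), src=p["src"], dst=p["dst"], in_iface=p["iface"])
        elif a := ALLOW_RE.search(msg):
            f.update(verdict="allow", policy=int(a["pid"]))
        elif d := DENY_RE.search(msg):
            f.update(verdict="deny", policy=int(d["pid"]))  # policy 0 = implicit deny
        elif s := SNAT_RE.search(msg):
            f["snat"] = s["nat"]  # translated source as seen on the egress side
        elif r := ROUTE_RE.search(msg):
            f["route"] = (r["gw"], r["oif"])
    return dict(flows)

def denied_flows(flows):
    """(src, dst) pairs that hit a deny: the first thing to check when traffic 'does not work'."""
    return [(f["src"], f["dst"]) for f in flows.values() if f["verdict"] == "deny"]

if __name__ == "__main__":
    for tid, f in parse_flow_trace(SAMPLE_TRACE).items():
        print(tid, f)
```

Once you have what you need, stop the trace and clear the filters with diag debug flow trace stop, diag debug flow filter clear and diag debug disable, since a trace left running on a busy unit floods the console.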
By using these commands, you can effectively troubleshoot and optimize your FortiGate firewall.