FortiGate Firewall CLI Guide

This document provides a cheatsheet of FortiGate firewall CLI commands for common configuration tasks such as interfaces, static routes, firewall policies, administrators, and more. It lists over 50 CLI commands along with the required privilege mode and a brief description of what each command is used for.

Uploaded by Jorge

CLI For FortiGate Firewall | info@networkjourney.com | +91 9739521088

Cheatsheet Guide


Configuration Commands

| Sr.no | CLI Command | Privilege Mode | Description |
|---|---|---|---|
| 1 | config system interface | Global | Enter interface configuration mode |
| 2 | edit <interface_name> | Global | Edit a specific interface |
| 3 | set ip <ip_address> <subnet_mask> | Global | Set IP address and subnet mask for an interface |
| 4 | config router static | Global | Enter static route configuration mode |
| 5 | edit <route_id> | Global | Edit a specific static route |
| 6 | set dst <destination_network> | Global | Set destination network for a static route |
| 7 | set device <interface_name> | Global | Set the outgoing interface for a static route |
| 8 | config system route | Global | Enter default gateway configuration mode |
| 9 | edit 1 | Global | Edit the default gateway |
| 10 | set gateway <gateway_ip> | Global | Set the default gateway IP address |
| 11 | config firewall policy | Global | Enter firewall policy configuration mode |
| 12 | edit <policy_id> | Global | Edit a specific firewall policy |
| 13 | set srcintf <source_interface> | Global | Set source interface for a firewall policy |
| 14 | set dstintf <destination_interface> | Global | Set destination interface for a firewall policy |
| 15 | set srcaddr <source_address> | Global | Set source address for a firewall policy |
| 16 | set dstaddr <destination_address> | Global | Set destination address for a firewall policy |
| 17 | config system global | Global | Enter global configuration mode |
| 18 | set admin-ssh-port <port_number> | Global | Set the SSH port for administrative access |
| 19 | set hostname <hostname> | Global | Set the device hostname |
| 20 | config system admin | Global | Enter administrator configuration mode |
| 21 | edit <admin_profile> | Global | Edit a specific administrator profile |
| 22 | set accprofile-override disable | Global | Disable access profile override for administrator |
| 23 | config firewall address | Global | Enter address object configuration mode |
| 24 | edit <address_name> | Global | Edit a specific address object |
| 25 | set subnet <subnet> | Global | Set the subnet for the address object |
| 26 | set associated-interface <interface> | Global | Set the associated interface for the address object |
| 27 | config system dhcp server | Global | Enter DHCP server configuration mode |
| 28 | edit <dhcp_server_interface> | Global | Edit a specific DHCP server interface |
| 29 | set dns-service custom | Global | Set custom DNS servers for DHCP clients |
| 30 | set default-gateway <gateway_ip> | Global | Set the default gateway for DHCP clients |
| 31 | config system time | Global | Enter time configuration mode |
| 32 | set timezone <timezone> | Global | Set the time zone for the device |
| 33 | set ntpserver <ntp_server_ip> | Global | Set NTP server for time synchronization |
| 34 | config firewall address6 | Global | Enter IPv6 address object configuration mode |
| 35 | edit <address_name> | Global | Edit a specific IPv6 address object |
| 36 | set subnet6 <subnet> | Global | Set the IPv6 subnet for the address object |
| 37 | config system snmp community | Global | Enter SNMP community configuration mode |
| 38 | edit <community_name> | Global | Edit a specific SNMP community |
| 39 | set authorization <read_write> | Global | Set the authorization level for the SNMP community |
| 40 | set source <source_ip> | Global | Set the source IP address for SNMP community access |
| 41 | config system syslog | Global | Enter syslog configuration mode |
| 42 | set status enable | Global | Enable syslog logging |
| 43 | set server <syslog_server> | Global | Set the syslog server IP address |
| 44 | config firewall policy6 | Global | Enter IPv6 firewall policy configuration mode |
| 45 | edit <ipv6_policy_id> | Global | Edit a specific IPv6 firewall policy |
| 46 | set srcaddr6 <source_address> | Global | Set source address for an IPv6 firewall policy |
| 47 | set dstaddr6 <destination_address> | Global | Set destination address for an IPv6 firewall policy |
| 48 | config system interface | Global | Enter interface configuration mode |
| 49 | edit <interface_name> | Global | Edit a specific interface |
| 50 | set role <interface_role> | Global | Set the role for the interface |
| 51 | set mtu <mtu_value> | Global | Set the MTU (Maximum Transmission Unit) for the interface |
| 52 | config system dns-database | Global | Enter DNS database configuration mode |
| 53 | edit <dns_database_name> | Global | Edit a specific DNS database |
| 54 | set domain <domain_name> | Global | Set the domain for the DNS database |
| 55 | set forwarder <dns_forwarder> | Global | Set the DNS forwarder for the DNS database |
| 56 | config system interface | Global | Enter interface configuration mode |
| 57 | edit <interface_name> | Global | Edit a specific interface |
| 58 | set vdom <vdom_name> | Global | Set the virtual domain for the interface |
| 59 | set allowaccess <access_options> | Global | Set allowed access options for the interface |
| 60 | config firewall address | Global | Enter address object configuration mode |
| 61 | edit <address_name> | Global | Edit a specific address object |
| 62 | set type <address_type> | Global | Set the type of the address object |
| 63 | set subnet <subnet> | Global | Set the subnet for the address object |
| 64 | set comment <comment> | Global | Set a comment for the address object |
| 65 | config system admin | Global | Enter administrator configuration mode |
| 66 | edit <admin_profile> | Global | Edit a specific administrator profile |
| 67 | set accprofile-override enable | Global | Enable access profile override for the administrator |
| 68 | set password-expiry <days> | Global | Set the password expiry period for the administrator |
| 69 | set trusthost1 <trusted_host_ip> | Global | Set the first trusted host IP address for admin login |
| 70 | config router ospf | Global | Enter OSPF configuration mode |
| 71 | edit <ospf_instance> | Global | Edit a specific OSPF instance |
| 72 | set router-id <router_id> | Global | Set the OSPF router ID |
| 73 | set network <network> | Global | Set the network range for OSPF |
| 74 | set area <area_id> | Global | Set the OSPF area ID |
| 75 | config system global | Global | Enter global configuration mode |
| 76 | set admintimeout <timeout_minutes> | Global | Set the administrator timeout period |
| 77 | set hostname <hostname> | Global | Set the device hostname |
| 78 | config firewall service custom | Global | Enter custom service configuration mode |
| 79 | edit <service_name> | Global | Edit a specific custom service |
| 80 | set protocol <protocol> | Global | Set the protocol for the custom service |
| 81 | set tcp-portrange <start_port>-<end_port> | Global | Set the TCP port range for the custom service |
| 82 | set udp-portrange <start_port>-<end_port> | Global | Set the UDP port range for the custom service |
| 83 | set iprange <start_ip>-<end_ip> | Global | Set the IP range for the custom service |
| 84 | config system ddns | Global | Enter Dynamic DNS configuration mode |
| 85 | set ddns-server <provider> | Global | Set the Dynamic DNS provider |
| 86 | set ddns-domain <domain> | Global | Set the Dynamic DNS domain |
| 87 | set ddns-username <username> | Global | Set the Dynamic DNS username |
| 88 | set ddns-password <password> | Global | Set the Dynamic DNS password |
| 89 | config system dns | Global | Enter DNS configuration mode |
| 90 | set primary <primary_dns> | Global | Set the primary DNS server |
| 91 | set secondary <secondary_dns> | Global | Set the secondary DNS server |
| 92 | config firewall multicast-policy | Global | Enter multicast policy configuration mode |
| 93 | edit <multicast_policy_id> | Global | Edit a specific multicast policy |
| 94 | set srcaddr <source_address> | Global | Set the source address for the multicast policy |
| 95 | set dstaddr <destination_address> | Global | Set the destination address for the multicast policy |
| 96 | set protocol <protocol> | Global | Set the protocol for the multicast policy |
| 97 | set action <permit/deny> | Global | Set the action for the multicast policy |
| 98 | config system ntp | Global | Enter NTP configuration mode |
| 99 | set server <ntp_server_ip> | Global | Set the NTP server IP address |
| 100 | set mode <ntp_mode> | Global | Set the NTP mode (client/server) |
| 101 | set interface <interface_name> | Global | Set the NTP interface |
| 102 | config system ha | Global | Enter High Availability (HA) configuration mode |
| 103 | set mode <active/passive> | Global | Set the HA mode |
| 104 | set group <group_name> | Global | Set the HA group name |
| 105 | set hbdev <heartbeat_device> | Global | Set the heartbeat device |

IPsec Commands

| Sr.no | CLI Command | Privilege Mode | Description |
|---|---|---|---|
| 1 | config vpn ipsec phase1-interface | Global | Enter Phase 1 configuration mode |
| 2 | edit <phase1_name> | Global | Edit a specific Phase 1 configuration |
| 3 | set interface <interface_name> | Global | Set the interface for Phase 1 |
| 4 | set remote-gw <peer_gateway_ip> | Global | Set the remote gateway IP address for Phase 1 |
| 5 | set proposal <proposal_name> | Global | Set the proposal for Phase 1 |
| 6 | config vpn ipsec phase2-interface | Global | Enter Phase 2 configuration mode |
| 7 | edit <phase2_name> | Global | Edit a specific Phase 2 configuration |
| 8 | set phase1name <phase1_name> | Global | Set the Phase 1 name for Phase 2 |
| 9 | set proposal <proposal_name> | Global | Set the proposal for Phase 2 |
| 10 | set src-addr <source_network> | Global | Set the source address for Phase 2 |
| 11 | set dst-addr <destination_network> | Global | Set the destination address for Phase 2 |
| 12 | show vpn ipsec phase1 | Global | Display information about Phase 1 configurations |
| 13 | show vpn ipsec phase2 | Global | Display information about Phase 2 configurations |
| 14 | config vpn ipsec auto-discovery | Global | Enter auto-discovery configuration mode |
| 15 | edit <auto_discovery_name> | Global | Edit a specific auto-discovery configuration |
| 16 | set interface <interface_name> | Global | Set the interface for auto-discovery |
| 17 | set server <server_ip> | Global | Set the server IP address for auto-discovery |
| 18 | config vpn ipsec manual-key | Global | Enter manual-key configuration mode |
| 19 | edit <manual_key_name> | Global | Edit a specific manual-key configuration |
| 20 | set remote-gw <peer_gateway_ip> | Global | Set the remote gateway IP address for manual-key |
| 21 | set key <pre_shared_key> | Global | Set the pre-shared key for manual-key |
| 22 | config vpn ipsec ta | Global | Enter tunnel-address configuration mode |
| 23 | edit <tunnel_address_name> | Global | Edit a specific tunnel-address configuration |
| 24 | set interface <interface_name> | Global | Set the interface for the tunnel-address |
| 25 | set remote-gw <peer_gateway_ip> | Global | Set the remote gateway IP address for the tunnel-address |
| 26 | config vpn ipsec ta | Global | Enter tunnel-address configuration mode |
| 27 | edit <tunnel_address_name> | Global | Edit a specific tunnel-address configuration |
| 28 | set interface <interface_name> | Global | Set the interface for the tunnel-address |
| 29 | set remote-gw <peer_gateway_ip> | Global | Set the remote gateway IP address for the tunnel-address |
| 30 | config vpn ipsec manual-key | Global | Enter manual-key configuration mode |
| 31 | edit <manual_key_name> | Global | Edit a specific manual-key configuration |
| 32 | set remote-gw <peer_gateway_ip> | Global | Set the remote gateway IP address for manual-key |
| 33 | set key <pre_shared_key> | Global | Set the pre-shared key for manual-key |
| 34 | config vpn ipsec profile | Global | Enter IPsec profile configuration mode |
| 35 | edit <profile_name> | Global | Edit a specific IPsec profile |
| 36 | set phase1up-timeout <timeout_seconds> | Global | Set the Phase 1 negotiation timeout |
| 37 | set phase2up-timeout <timeout_seconds> | Global | Set the Phase 2 negotiation timeout |
| 38 | config vpn ipsec phase2-interface | Global | Enter Phase 2 configuration mode |
| 39 | edit <phase2_name> | Global | Edit a specific Phase 2 configuration |
| 40 | set phase1name <phase1_name> | Global | Set the Phase 1 name for Phase 2 |
| 41 | set proposal <proposal_name> | Global | Set the proposal for Phase 2 |
| 42 | set src-addr <source_network> | Global | Set the source address for Phase 2 |
| 43 | set dst-addr <destination_network> | Global | Set the destination address for Phase 2 |
| 44 | set srcport <source_port> | Global | Set the source port for Phase 2 |
| 45 | config vpn ipsec phase1-interface | Global | Enter Phase 1 configuration mode |
| 46 | edit <phase1_name> | Global | Edit a specific Phase 1 configuration |
| 47 | set proposal <proposal_name> | Global | Set the proposal for Phase 1 |
| 48 | set dhgrp <group_number> | Global | Set the Diffie-Hellman group for Phase 1 |
| 49 | set authmethod <authentication_method> | Global | Set the authentication method for Phase 1 |
| 50 | set remote-gw <peer_gateway_ip> | Global | Set the remote gateway IP address for Phase 1 |
| 51 | config vpn ipsec phase2-interface | Global | Enter Phase 2 configuration mode |
| 52 | edit <phase2_name> | Global | Edit a specific Phase 2 configuration |
| 53 | set proposal <proposal_name> | Global | Set the proposal for Phase 2 |
| 54 | set pfs enable | Global | Enable Perfect Forward Secrecy for Phase 2 |
| 55 | set src-addr <source_network> | Global | Set the source address for Phase 2 |
| 56 | set dst-addr <destination_network> | Global | Set the destination address for Phase 2 |
| 57 | set auto-negotiate enable | Global | Enable auto-negotiation for Phase 2 |
| 58 | config vpn ipsec manual-key | Global | Enter manual-key configuration mode |
| 59 | edit <manual_key_name> | Global | Edit a specific manual-key configuration |
| 60 | set key <pre_shared_key> | Global | Set the pre-shared key for manual-key |
| 61 | set remote-gw <peer_gateway_ip> | Global | Set the remote gateway IP address for manual-key |
| 62 | set interface <interface_name> | Global | Set the interface for manual-key |
| 63 | config vpn ipsec monitor | Global | Enter IPsec tunnel monitor configuration mode |
| 64 | edit <monitor_name> | Global | Edit a specific IPsec tunnel monitor |
| 65 | set gateway <gateway_ip> | Global | Set the gateway IP address for the tunnel monitor |
| 66 | set src-addr <source_address> | Global | Set the source address for the tunnel monitor |
| 67 | set dst-addr <destination_address> | Global | Set the destination address for the tunnel monitor |
| 68 | set schedule <schedule_name> | Global | Set the schedule for the tunnel monitor |
| 69 | config vpn ipsec mpls | Global | Enter MPLS (Multiprotocol Label Switching) configuration mode |
| 70 | edit <mpls_name> | Global | Edit a specific MPLS configuration |
| 71 | set src-addr <source_address> | Global | Set the source address for the MPLS configuration |
| 72 | set dst-addr <destination_address> | Global | Set the destination address for the MPLS configuration |
| 73 | set mpls-ttl <ttl_value> | Global | Set the MPLS TTL (Time-to-Live) value |
| 74 | set mpls-label <label_value> | Global | Set the MPLS label value |
| 75 | set mpls-exp <exp_value> | Global | Set the MPLS EXP (Experimental) value |
| 76 | config vpn ipsec simulate | Global | Enter IPsec VPN simulation configuration mode |
| 77 | edit <simulation_name> | Global | Edit a specific IPsec VPN simulation |
| 78 | set src-addr <source_address> | Global | Set the source address for the VPN simulation |
| 79 | set dst-addr <destination_address> | Global | Set the destination address for the VPN simulation |
| 80 | set duration <duration_minutes> | Global | Set the simulation duration in minutes |

SSL VPN Commands

| Sr.no | CLI Command | Privilege Mode | Description |
|---|---|---|---|
| 1 | config vpn ssl settings | Global | Enter SSL VPN settings configuration mode |
| 2 | set tunnel-ip-pools <pool_name> | Global | Set the tunnel IP pools for SSL VPN |
| 3 | set dns-server1 <dns_server_ip> | Global | Set the primary DNS server for SSL VPN |
| 4 | set interface <interface_name> | Global | Set the SSL VPN interface |
| 5 | config vpn ssl web portal | Global | Enter SSL VPN web portal configuration mode |
| 6 | edit <portal_name> | Global | Edit a specific SSL VPN portal |
| 7 | set tunnel-mode enable | Global | Enable tunnel mode for the SSL VPN portal |
| 8 | set sslvpn-redirect-url <redirect_url> | Global | Set the SSL VPN portal redirect URL |
| 9 | config user local | Global | Enter local user configuration mode |
| 10 | edit <username> | Global | Edit a specific local user |
| 11 | set password <password> | Global | Set the password for a local user |
| 12 | show vpn ssl gateway | Global | Display information about SSL VPN gateways |
| 13 | show vpn ssl session | Global | Display information about SSL VPN sessions |
| 14 | config vpn ssl settings | Global | Enter SSL VPN settings configuration mode |
| 15 | set sslvpn-settings <setting_name> | Global | Set specific SSL VPN settings |
| 16 | config vpn ssl web portal custom | Global | Enter custom SSL VPN web portal configuration mode |
| 17 | edit <custom_portal_name> | Global | Edit a specific custom SSL VPN web portal |
| 18 | set tunnel-mode disable | Global | Disable tunnel mode for the custom portal |
| 19 | set sslvpn-redirect-ip <redirect_ip> | Global | Set the SSL VPN portal redirect IP address |
| 20 | config vpn ssl web portal portal-list | Global | Enter SSL VPN portal list configuration mode |
| 21 | edit <portal_list_name> | Global | Edit a specific SSL VPN portal list |
| 22 | append portals <portal_name> | Global | Append a portal to the SSL VPN portal list |
| 23 | config system dns | Global | Enter DNS configuration mode |
| 24 | set primary <primary_dns> | Global | Set the primary DNS server |
| 25 | set secondary <secondary_dns> | Global | Set the secondary DNS server |
| 26 | config firewall policy6 | Global | Enter IPv6 firewall policy configuration mode |
| 27 | edit <ipv6_policy_id> | Global | Edit a specific IPv6 firewall policy |
| 28 | set srcintf6 <source_interface> | Global | Set source interface for an IPv6 firewall policy |
| 29 | set dstintf6 <destination_interface> | Global | Set destination interface for an IPv6 firewall policy |
| 30 | config vpn ssl web portal | Global | Enter SSL VPN web portal configuration mode |
| 31 | edit <portal_name> | Global | Edit a specific SSL VPN web portal |
| 32 | set sslvpn-redirect-ip <redirect_ip> | Global | Set the SSL VPN portal redirect IP address |
| 33 | set ip-pools <ip_pool> | Global | Set the IP pool for SSL VPN clients |
| 34 | set tunnel-mode enable | Global | Enable tunnel mode for the SSL VPN portal |
| 35 | set sslvpn-redirect-ip <redirect_ip> | Global | Set the SSL VPN portal redirect IP address |
| 36 | config vpn ssl web portal portal-list | Global | Enter SSL VPN portal list configuration mode |
| 37 | edit <portal_list_name> | Global | Edit a specific SSL VPN portal list |
| 38 | append portals <portal_name> | Global | Append a portal to the SSL VPN portal list |
| 39 | config user ldap | Global | Enter LDAP user configuration mode |
| 40 | edit <ldap_server_name> | Global | Edit a specific LDAP server |
| 41 | set server <ldap_server_ip> | Global | Set the LDAP server IP address |
| 42 | set username <ldap_username> | Global | Set the LDAP username for authentication |
| 43 | set password <ldap_password> | Global | Set the LDAP password for authentication |
| 44 | config firewall vip6 | Global | Enter IPv6 VIP (Virtual IP) configuration mode |
| 45 | edit <vip_name> | Global | Edit a specific IPv6 VIP |
| 46 | set extip <external_ip> | Global | Set the external IPv6 address for the VIP |
| 47 | set mappedip <mapped_ip> | Global | Set the mapped IPv6 address for the VIP |
| 48 | config firewall policy64 | Global | Enter IPv6-to-IPv4 policy configuration mode |
| 49 | edit <policy64_id> | Global | Edit a specific IPv6-to-IPv4 policy |
| 50 | set srcintf <source_interface> | Global | Set source interface for an IPv6-to-IPv4 policy |
| 51 | set dstintf <destination_interface> | Global | Set destination interface for an IPv6-to-IPv4 policy |
| 52 | config vpn ssl settings | Global | Enter SSL VPN settings configuration mode |
| 53 | set sslvpn-port <port_number> | Global | Set the SSL VPN port |
| 54 | set sslvpn-redirect enable | Global | Enable SSL VPN web mode redirection |
| 55 | set source-interface <source_interface> | Global | Set the source interface for SSL VPN |
| 56 | config vpn ssl web portal | Global | Enter SSL VPN web portal configuration mode |
| 57 | edit <portal_name> | Global | Edit a specific SSL VPN web portal |
| 58 | set tunnel-mode disable | Global | Disable tunnel mode for the SSL VPN portal |
| 59 | set login-banner <banner_text> | Global | Set the login banner for the SSL VPN portal |
| 60 | set sslvpn-redirect-ip <redirect_ip> | Global | Set the SSL VPN portal redirect IP address |
| 61 | config user group | Global | Enter user group configuration mode |
| 62 | edit <group_name> | Global | Edit a specific user group |
| 63 | set member <username> | Global | Add a user to the user group |
| 64 | set firewall-policy <policy_id> | Global | Set the firewall policy for the user group |
| 65 | set sslvpn-portal enable | Global | Enable SSL VPN portal for the user group |
| 66 | config firewall policy64 | Global | Enter IPv6-to-IPv4 policy configuration mode |
| 67 | edit <policy64_id> | Global | Edit a specific IPv6-to-IPv4 policy |
| 68 | set srcintf <source_interface> | Global | Set source interface for an IPv6-to-IPv4 policy |
| 69 | set dstintf <destination_interface> | Global | Set destination interface for an IPv6-to-IPv4 policy |
| 70 | set srcaddr6 <source_address> | Global | Set source address for an IPv6-to-IPv4 policy |
| 71 | set dstaddr <destination_address> | Global | Set destination address for an IPv6-to-IPv4 policy |
| 72 | config vpn ssl settings | Global | Enter SSL VPN settings configuration mode |
| 73 | set sslvpn-port <port_number> | Global | Set the SSL VPN port |
| 74 | set sslvpn-redirect disable | Global | Disable SSL VPN web mode redirection |
| 75 | set source-interface <source_interface> | Global | Set the source interface for SSL VPN |
| 76 | config vpn ssl web portal | Global | Enter SSL VPN web portal configuration mode |
| 77 | edit <portal_name> | Global | Edit a specific SSL VPN web portal |
| 78 | set tunnel-mode disable | Global | Disable tunnel mode for the SSL VPN portal |
| 79 | set login-banner <banner_text> | Global | Set the login banner for the SSL VPN portal |
| 80 | set sslvpn-redirect-ip <redirect_ip> | Global | Set the SSL VPN portal redirect IP address |
| 81 | config user group | Global | Enter user group configuration mode |
| 82 | edit <group_name> | Global | Edit a specific user group |
| 83 | set member <username> | Global | Add a user to the user group |
| 84 | set sslvpn-portal enable | Global | Enable SSL VPN portal for the user group |
| 85 | set firewall-policy <policy_id> | Global | Set the firewall policy for the user group |
| 86 | config firewall policy64 | Global | Enter IPv6-to-IPv4 policy configuration mode |
| 87 | edit <policy64_id> | Global | Edit a specific IPv6-to-IPv4 policy |
| 88 | set srcintf <source_interface> | Global | Set source interface for an IPv6-to-IPv4 policy |
| 89 | set dstintf <destination_interface> | Global | Set destination interface for an IPv6-to-IPv4 policy |
| 90 | set srcaddr6 <source_address> | Global | Set source address for an IPv6-to-IPv4 policy |
| 91 | set dstaddr <destination_address> | Global | Set destination address for an IPv6-to-IPv4 policy |
