For my NSE7 6.4 preparation, I made a summary of the CLI commands.
In the meantime, you can take an NSE7 7.0 exam, but the CLI commands won't change much.
CH. 01: SECURITY FABRIC
diagnose sys csf upstream
diagnose sys csf downstream
config system csf
set configuration-sync local
end
diagnose sys csf neighbor list
diagnose automation test
CH. 02: FORTIOS ARCHITECTURE
diagnose hardware sysinfo memory
diagnose hardware sysinfo slab
diagnose hardware sysinfo shm
SHM = shared memory
diagnose sys top [refresh_time_sec] [number_of_lines]
diagnose sys top-summary -h
diagnose sys top-summary '-s mem -i 60 -n 10'
get system status
get system performance status
diagnose debug application
diagnose debug enable
diagnose debug application ike -1
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application ike 0
diagnose debug disable
diagnose debug reset
diagnose test application ?
config system global
diagnose debug crashlog read
config ips global
diagnose hardware sysinfo conserve
diagnose sys session stat
config firewall profile-protocol-options
config system fortiguard
config system dns
config system session-ttl
config firewall policy
execute config-transaction start
execute config-transaction abort
execute config-transaction commit
diagnose sys config-transaction status
diagnose sys config-transaction show txn-info
diagnose sys config-transaction show txn-cli-commands
diagnose debug comlog {enable | disable}
diagnose debug comlog read
diagnose debug comlog clear
diagnose debug comlog info
diagnose sys nmi-watchdog enable
diagnose debug crashlog read
diagnose sys kill
CH. 03: TRAFFIC AND SESSION MONITORING
get sys session status
get sys session list
diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session list
config system settings
config firewall policy
diagnose sniffer packet
diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4
diagnose sniffer packet any 'icmp' 4 3 a
diagnose debug flow show function-name enable
diagnose debug flow filter [filter]
diagnose debug enable
diagnose debug flow trace start
diagnose debug flow trace stop
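A complete session-filter plus debug-flow run for the ICMP-to-8.8.8.8 traffic used in the sniffer example above, as an added worked sequence that is not part of the original summary. The destination address is the page's own; the filter and debug-flow sub-commands are standard FortiOS 6.4 CLI, and the `10` packet limit is just a chosen value.

```text
# Session table view, narrowed to the flow under investigation
diagnose sys session filter clear
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter proto 1
diagnose sys session list

# Flow trace of the same traffic: shows the route, policy and NAT decisions taken per packet
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 10

# ... generate the ICMP traffic from the client, then tear the debug down
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Two practical points: always set a filter before `diagnose debug flow trace start`, since an unfiltered trace on a busy unit floods the console, and never run `diagnose sys session clear` without first checking the active filter, because with an empty filter it clears every session on the unit.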
diagnose sys session list expectation
run helper-ftp(dir=original)
run helper-ftp(dir=reply)
config system session-helper
config system settings
diagnose sys sip-proxy calls list
diagnose sys sip-proxy calls clear
diagnose debug application im 31
diagnose debug application sip
diagnose debug enable
CH. 04: ROUTING
diagnose firewall proute list
diagnose ip rtcache list
config system interface
edit
set preserve-session-route { enable | disable } (disable is default setting)
next
end
config system global
set snat-route-change {disable | enable}
end
get router info routing-table all
get router info routing-table database
get router info kernel
diagnose ip rtcache list
CH. 05: FORTIGUARD
diagnose debug rating
config sys global
set ip-src-port-range 1031-4999
end
diagnose test application dnsproxy 7
diagnose autoupdate status
diagnose autoupdate versions
Enable real-time debug:
diagnose debug application update -1
diagnose debug enable
execute update-now
diagnose fmupdate show-dev-obj
diagnose fmupdate view-linkd-log fds
diagnose fmupdate fgd-wfas-rate
config fmupdate web-spam fgd-setting
set stat-log-interval
diagnose fmupdate view-linkd-log fgd
diagnose fmupdate service-restart fgd
diagnose fmupdate vm-license
diagnose fmupdate get-device [fct|fds|fgd|fgc]
diagnose fmupdate service-restart [fct|fds|fgd|fgc]
diagnose fmupdate fds-get-downstream-device
diagnose fmupdate fds-getobject
diagnose fmupdate fds-update-info
diagnose fmupdate fgd-dbver
diagnose fmupdate fgd-get-downstream-device
diagnose fmupdate fgd-url-rating
CH. 06: HIGH AVAILABILITY
diagnose hardware deviceinfo nic port1
diagnose sniffer packet any 'ether proto 0x8890' 4
execute ha manage
execute ha manage ?
diagnose sys ha status
get sys ha status
diagnose sys ha dump-by vcluster
diagnose sys ha reset-uptime
diagnose sys ha checksum show
diagnose sys ha checksum cluster
diagnose sys session list
diagnose sys ha checksum recalculate [
CH. 07: CENTRAL MANAGEMENT
config system admin setting
set show_tcl_script enable
end
CH. 08: OSPF
OSPF Destination Addresses
Broadcast networks:
• 224.0.0.5 AllSPFRouters
• 224.0.0.6 AllDRouters
Point-to-point networks:
• 224.0.0.5 AllSPFRouters
By enabling route redistribution, the FortiGate becomes an ASBR:
config router ospf
config redistribute bgp
set status enable
end
end
get router info ospf status
get router info ospf interface
get router info ospf neighbor
get router info ospf database brief
get router info ospf database self-originate
get router info ospf database router lsa
Enable real-time debug
diagnose ip router ospf all enable
diagnose ip router ospf level info
diagnose debug enable
Disable real-time debug
diagnose ip router ospf all disable
diagnose debug disable
Restart OSPF process
execute router clear ospf process
OSPF Logging
config router ospf
set log-neighbour-change enable
…
end
CH. 09: BORDER GATEWAY PROTOCOL
Protocol Redistribution
config router bgp
config redistribute "static"
set status enable
end
end
get router info bgp summary
get router info bgp neighbors
get router info bgp neighbors 10.125.0.60 advertise
get router info bgp neighbors 10.125.0.60 route
Enable real-time BGP debug:
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable
Disable real-time BGP debug:
diagnose ip router bgp all disable
diagnose ip router bgp level none
diagnose debug disable
execute router clear bgp ?
BGP is patience!
CH. 10: WEB FILTERING
config system fortiguard
config firewall ssl-ssh-profile
get webfilter categories
diagnose webfilter fortiguard statistics list
diagnose test application urlfilter 1
diagnose webfilter fortiguard cache dump
diagnose debug urlfilter src-addr
diagnose debug application urlfilter -1
diagnose debug enable
get system fortiguard
CH. 11: INTRUSION PREVENTION SYSTEM
config ips global
set intelligent-mode {enable | disable}
diagnose sys top
diagnose debug crashlog read
diagnose test application ipsmonitor ?
CH. 12: IPSEC
config vpn ipsec phase1-interface
get router info routing-table all
diagnose vpn tunnel list name
config system ipsec-aggregate
diagnose vpn ike log filter
diagnose vpn ike log filter clear
diagnose vpn ike log filter dst-addr4
diagnose debug application ike
diagnose debug application ike -1
diagnose debug enable
diagnose debug console timestamp enable
diagnose sniffer packet
diagnose sniffer packet any ‘host
diagnose vpn tunnel list
diagnose vpn tunnel list name
get vpn ipsec tunnel details
diagnose vpn ike gateway list name
diagnose vpn ike gateway clear
get vpn ipsec stats tunnel
get vpn ipsec tunnel summary
get ipsec tunnel list
CH. 13: AUTODISCOVERY VPN
config vpn ipsec phase1-interface
config vpn ipsec phase2-interface
show sys interface | grep -f
show vpn ipsec phase1-interface
show sys interface
show router bgp
get router info bgp network
get router info routing-table all
IKE Real-Time Debug of ADVPN
diagnose debug console timestamp enable
diagnose vpn ike log filter clear
diagnose vpn ike log filter mdst-addr4
diagnose debug application ike -1
diagnose debug enable
get ipsec tunnel list