Fortinet NSE7 6.4 CLI

For my NSE7 6.4 preparation, I made a summary of the CLI commands.
In the meantime, you can take an NSE7 7.0 exam, but the CLI commands won’t change much.

CH. 01: SECURITY FABRIC

diagnose sys csf upstream
diagnose sys csf downstream

config system csf
set configuration-sync local
end

diagnose sys csf neighbor list

diagnose automation test

CH. 02: FORTIOS ARCHITECTURE

diagnose hardware sysinfo memory

diagnose hardware sysinfo slab

diagnose hardware sysinfo shm

SHM = shared memory

diagnose sys top [refresh_time_sec] [number_of_lines]

diagnose sys top-summary -h

diagnose sys top-summary '-s mem -i 60 -n 10'

get system status

get system performance status

diagnose debug application
diagnose debug enable

diagnose debug application ike -1
diagnose debug enable

diagnose debug console timestamp enable

diagnose debug application ike 0
diagnose debug disable

diagnose debug reset

diagnose test application ?

config system global

diagnose debug crashlog read

config ips global

diagnose hardware sysinfo conserve

diagnose sys session stat

config firewall profile-protocol-options

config system fortiguard

config system dns

config system session-ttl

config firewall policy

execute config-transaction start
execute config-transaction abort
execute config-transaction commit

diagnose sys config-transaction status

diagnose sys config-transaction show txn-info

diagnose sys config-transaction show txn-cli-commands

diagnose debug comlog <enable | disable>

diagnose debug comlog read

diagnose debug comlog clear

diagnose debug comlog info

diagnose sys nmi-watchdog enable

diagnose debug crashlog read

diagnose sys kill

CH. 03: TRAFFIC AND SESSION MONITORING

get sys session status

get sys session list

diagnose sys session filter clear

diagnose sys session filter ?

diagnose sys session list

config system settings

config firewall policy

diagnose sniffer packet
diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4
diagnose sniffer packet any 'icmp' 4 3 a

diagnose debug flow show function-name enable
diagnose debug flow filter [filter]
diagnose debug enable
diagnose debug flow trace start
diagnose debug flow trace stop

diagnose sys session list expectation

run helper-ftp(dir=original)
run helper-ftp(dir=reply)

config system session-helper

config system settings

diagnose sys sip-proxy calls list
diagnose sys sip-proxy calls clear

diagnose debug application im 31
diagnose debug application sip
diagnose debug enable

CH. 04: ROUTING

diagnose firewall proute list
diagnose ip rtcache list

config system interface
edit
set preserve-session-route { enable | disable } (disable is default setting)
next
end

config system global
set snat-route-change [disable | enable]
end

get router info routing-table all

get router info routing-table database

get router info kernel

diagnose ip rtcache list

CH. 05: FORTIGUARD

diagnose debug rating

config sys global
set ip-src-port-range 1031-4999
end

diagnose test application dnsproxy 7

diagnose autoupdate status

diagnose autoupdate versions

Enable real-time debug:
diagnose debug application update -1
diagnose debug enable
execute update-now

diagnose fmupdate show-dev-obj

diagnose fmupdate view-linkd-log fds

diagnose fmupdate fgd-wfas-rate

config fmupdate web-spam fgd-setting

set stat-log-interval

diagnose fmupdate view-linkd-log fgd

diagnose fmupdate service-restart fgd

diagnose fmupdate vm-license
diagnose fmupdate get-device [fct|fds|fgd|fgc]
diagnose fmupdate service-restart [fct|fds|fgd|fgc]

diagnose fmupdate fds-get-downstream-device
diagnose fmupdate fds-getobject
diagnose fmupdate fds-update-info

diagnose fmupdate fgd-dbver
diagnose fmupdate fgd-get-downstream-device
diagnose fmupdate fgd-url-rating

CH. 06: HIGH AVAILABILITY

diagnose hardware deviceinfo nic port1

diagnose sniffer packet any "ether proto 0x8890" 4

execute ha manage

execute ha manage ?

diagnose sys ha status

get sys ha status

diagnose sys ha dump-by vcluster

diagnose sys ha reset-uptime

diagnose sys ha checksum show

diagnose sys ha checksum cluster

diagnose sys session list

diagnose sys ha checksum recalculate [ | global]

CH. 07: CENTRAL MANAGEMENT

config system admin setting
set show_tcl_script enable
end

CH. 08: OSPF

OSPF Destination Addresses
Broadcast networks:
• 224.0.0.5 AllSPFRouters
• 224.0.0.6 AllDRouters
Point-to-point networks:
• 224.0.0.5 AllSPFRouters

By enabling route redistribution, the FortiGate becomes an ASBR:
config router ospf
config redistribute bgp
set status enable
end
end

get router info ospf status

get router info ospf interface

get router info ospf neighbor

get router info ospf database brief

get router info ospf database self-originate

get router info ospf database router lsa

Enable real-time debug:
diagnose ip router ospf all enable
diagnose ip router ospf level info
diagnose debug enable

Disable real-time debug:
diagnose ip router ospf all disable
diagnose debug disable

Restart OSPF process:
execute router clear ospf process

OSPF Logging:
config router ospf
set log-neighbour-change enable
end

CH. 09: BORDER GATEWAY PROTOCOL

Protocol Redistribution

config router bgp
config redistribute "static"
set status enable
end
end

get router info bgp summary

get router info bgp neighbors

get router info bgp neighbors 10.125.0.60 advertise

get router info bgp neighbors 10.125.0.60 route

Enable real-time BGP debug:
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable

Disable real-time BGP debug:
diagnose ip router bgp all disable
diagnose ip router bgp level none
diagnose debug disable

execute router clear bgp ?

BGP is patience!

CH. 10: WEB FILTERING

config system fortiguard

config firewall ssl-ssh-profile

get webfilter categories

diagnose webfilter fortiguard statistics list

diagnose test application urlfilter 1

diagnose webfilter fortiguard cache dump

diagnose debug urlfilter src-addr
diagnose debug application urlfilter -1
diagnose debug enable

diagnose debug application urlfilter -1
diagnose debug enable

get system fortiguard

CH. 11: INTRUSION PREVENTION SYSTEM

config ips global

set intelligent-mode {enable | disable}

diagnose sys top

diagnose debug crashlog read

diagnose test application ipsmonitor ?

CH. 12: IPSEC

config vpn ipsec phase1-interface

get router info routing-table all

diagnose vpn tunnel list name

config system ipsec-aggregate

diagnose vpn ike log filter

diagnose vpn ike log filter clear
diagnose vpn ike log filter dst-addr4

diagnose debug application ike
diagnose debug application ike -1
diagnose debug enable

diagnose debug console timestamp enable

diagnose sniffer packet 'host and udp port 500'

diagnose sniffer packet any 'host and (udp port 500 or udp port 4500)'

diagnose vpn tunnel list

diagnose vpn tunnel list name

get vpn ipsec tunnel details

diagnose vpn ike gateway list name

diagnose vpn ike gateway clear

get vpn ipsec stats tunnel

get vpn ipsec tunnel summary

get ipsec tunnel list

CH. 13: AUTODISCOVERY VPN

config vpn ipsec phase1-interface
config vpn ipsec phase2-interface

show sys interface | grep -f

show vpn ipsec phase1-interface

show sys interface

show router bgp

get router info bgp network

get router info routing-table all

IKE Real-Time Debug of ADVPN

diagnose debug console timestamp enable
diagnose vpn ike log filter clear
diagnose vpn ike log filter mdst-addr4
diagnose debug application ike -1
diagnose debug enable

get ipsec tunnel list