Fortigate command tree

If you want to know all possible commands from the command line of your Fortigate firewall, then log in using SSH and type the following command:


Now you get the complete command tree with all options and all choices.

diag sys top – List processes on a Fortigate

Fortigate got some very good diagnostics on there firewalls. There is a hole branch of the command tree, that starts with

diagnose or short diag

On of the commands often used is

diagnose sys top [refresh] [num of procs]

This command keeps running like the ‘top’ command on Unix like systems. As options you can specify the refresh time in seconds and the number of processes to be displayed.

The output on Fortinet is something like:

Run Time:  1 days, 11 hours and 5 minutes
0U, 2S, 97I; 440T, 124F, 138KF
          newcli    22601      R       1.1     3.2
            sshd    22593      S       1.1     2.5
          ospf6d       42      S       0.1     0.5
       ipsengine      355      S <     0.0    29.8
          httpsd       81      S       0.0     4.3
         cmdbsvr       20      S       0.0     4.3
          httpsd       90      S       0.0     4.2
          httpsd       40      S       0.0     3.6
           fgfmd       78      S       0.0     3.2
       scanunitd      639      S <     0.0     3.2
          newcli    22597      S       0.0     3.2

While the line ‘Run Time’ is quite obvious, the next line is quite cryptic.

The next line, with 0U, 2S, 97I … means

U – Userspace CPU usage in %

S – CPU usage in % of System processes (Kernel)

I – CPU idle in %

The second part of this line informs about memory usage:

440T – you got a total of 440MB memory

124F – there are still 124MB free memory

138KF – the amount of shared memory pages used

The line ‘newcli 22601 R 1.1 3.2‘ tells you:

newcli – the name of the process

22601 – the process ID

R – Running, can also be S like sleeping

1.1 – using 1.1% CPU

3.2 – using 3.2% of the memory

Fortigate Management Interface in HA Mode

If you create a Fortigate HA Cluster, you got an option “Reserve Management Port for Cluster Member” which you can activate. If active you can select an interface for this option.

This is a nice feature.

Like that you can assign an IP address to an interface, which is not synchronized. Every machine got it’s own IP address. This is very helpful, if you got virtual clusters with different masters. It also helps to monitor the CPU and memory of a subordinate device.

Again, there is much more you can do on the command line, then on the guy:

First you activate the feature:

config system ha
     set ha-mgmt-status enable
     set ha-mgmt-interface wan2
     set ha-mgmt-interface-gateway

Then you assign an individual IP address to every node in the cluster:

config system interface
	edit wan2
	set ip
	set allow access https ping ssh snmp
config system interface
	edit wan2
	set ip
	set allow access https ping ssh snmp

That’s it. Now you can easily access every single machine in the cluster.

Hide your version of BIND

To hide your version of bind, enter the following value to your named.conf

version "[NONE]";

in the option section:

options {
directory "/var/lib/bind";
version "[NONE]";

Check the value with this command:

dig @dns.server.tld -c CH -t txt version.bind