Tagged: Fortigate

Fortigate CLI Shortcuts

Fortigate offers some helpful features on the command line to position the cursor.

up arrow, CTRL-PPrevious command
 down arrow, CTRL+N Next command
CTRL-A Beginning of line
 CTRL-E End of line
 CTRL-B Back one word
 CTRL-F Forward one word
 CTRL-D Delete current Character
 CTRL-C Abort Command and exit Branch(be careful: CTRL-C is context sensitive. It moves you up to the previous command branch level. If you are already at the top, it logs you out
CTRL-L Clear screen
TABCompletes the current word or iterates through the folioing words
?Possible commands

Fortigate Session Timeout

This article describes how to change the session TTL for a specific port. In this example it is telnet.

config system session-ttl
 set default 1800
 config port
 edit 23
  set protocol 6
  set timeout 3600
  set start-port 23
  set end-port 23

The session timeout is in seconds.

Protocol 6 is TCP.

Protocol 17 is UDP.

If you leave the protocol on 0, it is valid for all protocols.

Alternatively you can change the TTL per policy. Again, this is only possible on the command line.

config firewall policy
  edit 1
    set session-ttl 1800

It is also possible to change the TTL per Policy or per application on the CLI.

IPv6 connection with Fortigate and xDSL

The IPv6 support of Fortigate is very advanced. Unfortunately Fortigate does not support PPPoe with IPv6, because this is a legacy protocol. If you have a DSL connection it does work with IPv4, but not with IPv6. The workaround is: Connect yourself with IPv4 and PPPoe and request from a tunnel provider like www.sixxs.net a tunnel and later a IPv6 subnet.

The configuration on the Fortigate for the sit-tunnel looks like this:

config system sit-tunnel
edit "sixxs-tun"
    set destination
    set interface wan1
    set ip6 2001:dead:babe:c5::2/64
    set source
config system interface
edit "sixxs-tun"
    config ipv6
        set ip6-allowaccess ping
config router static6
edit 1
    set device "sixxs-tun"

The IP address is the remote tunnel address of your POP.

The IP address is the IP address of your external IPv4 interface.

The IP address 2001:dead:babe:c5::2/64 is the IPv6 address, you got from your tunnel provider.

Now you can use the interface sixxs-tun as your IPv6 connection and gateway.

Fortigate command tree

If you want to know all possible commands from the command line of your Fortigate firewall, then log in using SSH and type the following command:


Now you get the complete command tree with all options and all choices.

diag sys top – List processes on a Fortigate

Fortigate got some very good diagnostics on there firewalls. There is a hole branch of the command tree, that starts with

diagnose or short diag

On of the commands often used is

diagnose sys top [refresh] [num of procs]

This command keeps running like the ‘top’ command on Unix like systems. As options you can specify the refresh time in seconds and the number of processes to be displayed.

The output on Fortinet is something like:

Run Time:  1 days, 11 hours and 5 minutes
0U, 2S, 97I; 440T, 124F, 138KF
          newcli    22601      R       1.1     3.2
            sshd    22593      S       1.1     2.5
          ospf6d       42      S       0.1     0.5
       ipsengine      355      S <     0.0    29.8
          httpsd       81      S       0.0     4.3
         cmdbsvr       20      S       0.0     4.3
          httpsd       90      S       0.0     4.2
          httpsd       40      S       0.0     3.6
           fgfmd       78      S       0.0     3.2
       scanunitd      639      S <     0.0     3.2
          newcli    22597      S       0.0     3.2

While the line ‘Run Time’ is quite obvious, the next line is quite cryptic.

The next line, with 0U, 2S, 97I … means

U – Userspace CPU usage in %

S – CPU usage in % of System processes (Kernel)

I – CPU idle in %

The second part of this line informs about memory usage:

440T – you got a total of 440MB memory

124F – there are still 124MB free memory

138KF – the amount of shared memory pages used

The line ‘newcli 22601 R 1.1 3.2‘ tells you:

newcli – the name of the process

22601 – the process ID

R – Running, can also be S like sleeping

1.1 – using 1.1% CPU

3.2 – using 3.2% of the memory