Fortinet Layer by Layer Cheat Sheet
Layer 1: Physical and Link Layer Checks
Command/Action | Description | Dangerous |
---|---|---|
get system interface | Check interface status, speed, and duplex settings. | Safe |
Physical check | Verify cable conditions and connections. | Safe |
diag phy info | Display physical layer information, including PHY chips. | Safe |
diag hardware deviceinfo nic | Display NIC information for all interfaces. | Safe |
diag test application port-phy <port> | Run diagnostics on the physical port (use port number). | Dangerous |
get hardware nic <interface> | Get detailed information about a specific network interface. | Safe |
diag switch-controller phy-info | Show physical layer info for switch interfaces. | Safe |
diag sniffer packet <interface> '<filter>' <verbosity> <count> | Capture live traffic on an interface. Always give a filter (e.g. 'host 10.0.0.1') and a finite packet count; an unfiltered capture on a busy link drives CPU up. Verbosity 4 prints headers with the interface name, 6 dumps the full frame. | Dangerous |
diag hardware test interface <iface> | Perform a hardware-based test on specified interface. | Dangerous |
LED check | Check LEDs on device for status indicators. | Safe |
diag cable-diagnostics tdr <port> | Run Time-Domain Reflectometer on port to check cable quality. | Dangerous |
get system performance status | Check system performance and resource usage. | Safe |
diag netlink interface list | List interfaces with detailed state and settings. | Safe |
diag debug enable | Turn on debug output to the console; flow traces and daemon debugs print nothing until this is set. When finished, clear filters and levels with diag debug reset. | Dangerous |
diag debug disable | Disable debugging after diagnostics are complete. | Safe |
diag hardware test all | Perform comprehensive hardware tests (use with caution). | Dangerous |
get hardware status | Check the status of hardware components. | Safe |
diag switch-controller detect-poe | Detect Power over Ethernet status on switch ports. | Safe |
get system ha status | Check the High Availability status and configurations. | Safe |
diag hardware sensor list | List sensors and their current readings. | Safe |
diag sys top | Display the top CPU-consuming processes (Shift+P sorts by CPU, Shift+M by memory, q quits); helpful for load issues. | Safe |
diag debug flow trace start 100 | Start packet flow tracing for the next 100 matching packets. Set a filter first (diag debug flow filter addr <ip>), enable function names (diag debug flow show function-name enable) and then diag debug enable, otherwise the trace is either empty or floods the console. | Dangerous |
diag debug flow trace stop | Stop packet flow tracing. | Safe |
diag switch mac-address list | List MAC addresses learned by switch ports. | Safe |
Re-seat connection | Physically re-seat the connection to ensure good contact. | Safe |
diag test hardware loopback <iface> | Test loopback on a specified interface. | Dangerous |
diag netlink link list | Show link layer information for all interfaces. | Safe |
get router info ospf neighbor | Check OSPF neighbors; a FULL adjacency implies the underlying link is up (indirect link layer check). | Safe |
diag vpn tunnel list | List all active VPN tunnels (indirect link layer check). | Safe |
diag switch-controller switch-info | Get information and status of managed switches. | Safe |
Layer 2: Data Link Layer Checks
Command/Action | Description | Dangerous |
---|---|---|
get system interface | Verify VLAN IDs and tagging settings. | Safe |
diag switch-controller dump-mac | Display MAC address table on managed switches. | Safe |
diag hardware switch-mac | Show MAC addresses learned by switch ports. | Safe |
diag sniffer packet <interface> 'vlan' | Capture VLAN-tagged packets on a specified interface. | Dangerous |
get switch vlan | Display VLAN configuration across switch interfaces. | Safe |
diag netlink brctl list | List software bridges and their member interfaces. | Safe |
diag lldp neighbors list | List LLDP neighbors to verify device connectivity. | Safe |
get system stp | Show Spanning Tree Protocol status and configuration. | Safe |
diag switch vlan dump | Dump VLAN table entries for troubleshooting VLAN issues. | Safe |
get hardware switch port-summary | Summarize switch port status and configurations. | Safe |
diag netlink interface list | List network interfaces and verify their state and settings. | Safe |
diag switch-controller switch-info | Get information about managed switches. | Safe |
get system arp | Display the ARP table (IP-to-MAC resolutions) to confirm directly connected hosts are being resolved at Layer 2. | Safe |
diag debug enable | Enable debug mode before running diagnostic commands. | Dangerous |
diag debug disable | Disable debug mode after completing diagnostics. | Safe |
diag test application switch 1 | Test switch functionality for errors (use with caution). | Dangerous |
get system lacp | Display LACP (Link Aggregation Control Protocol) status. | Safe |
diag switch error-counters | Check for error counters on switch interfaces. | Safe |
diag switch mclag-icap info | Display multi-chassis link aggregation group info. | Safe |
diag switch-controller mac-policy list | List MAC policies applied to switch ports. | Safe |
Layer 3: Network Layer Checks
Command/Action | Description | Dangerous |
---|---|---|
get system interface | Check IP address and subnet mask configuration. | Safe |
get router info routing-table all | Check routes to peers are present with correct next hops. | Safe |
get router info routing-table details | Show detailed routing information. | Safe |
diag ip route list | List all routes and their metrics. | Safe |
get system interface list | Show all interfaces with IP configurations. | Safe |
diag route lookup <ip_address> | Perform a route lookup to determine the route to a specific IP. | Safe |
get router info kernel | Display kernel routing table entries. | Safe |
get router info ospf neighbor | Check OSPF neighbor relationships. | Safe |
get router info ospf database | Display OSPF database entries. | Safe |
diag vpn tunnel list | List all active VPN tunnels. | Safe |
diag firewall proute list | Display policy-based routes. | Safe |
diag sys sdwan service | Display SD-WAN rules (services) and the member currently selected for each. | Safe |
diag sys sdwan health-check | Show SD-WAN health-check (SLA) results per member; releases before 6.4 use diag sys virtual-wan-link health-check. | Safe |
diag debug flow trace start 100 | Trace the next 100 packets matching the flow filter to see which route, policy and NAT a packet hits. Set the filter with diag debug flow filter first and stop with diag debug flow trace stop. | Dangerous |
diag sniffer packet any 'host <ip_address>' 4 0 a | Sniff packets to or from an IP on all interfaces: verbosity 4 prints headers with the interface name, count 0 runs until Ctrl-C, and a prints absolute timestamps. Prefer a finite count on a busy unit. | Dangerous |
get router info bgp network | Check BGP advertised networks. | Safe |
get router info bgp paths | Examine BGP path information. | Safe |
get system session list | List current sessions in summary form. For NAT and policy detail on one flow, narrow with diag sys session filter and then diag sys session list. | Safe |
diag sys session clear | Clear sessions. With no diag sys session filter set, this drops every session on the unit and interrupts all traffic. | Dangerous |
get firewall policy | Review firewall policies affecting traffic flow. | Safe |
get firewall addrgrp | Display configured address groups for firewall policies. | Safe |
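The flow trace in the table above is only useful if you can read its output quickly. The following is an added example, not code from Fortinet or from this cheat sheet: a small Python parser that groups diag debug flow lines by trace_id and extracts the ingress interface, route decision and policy verdict for each packet, then maps each verdict to the next check from the Layer 3 table. The sample trace is constructed to match the line layout FortiOS prints (id=... trace_id=... func=... msg="..."); the addresses, session and policy numbers are invented.

```python
import re
from collections import OrderedDict

# Constructed sample in the line format "diag debug flow trace" prints.
# Addresses, session ids and policy numbers are invented for illustration.
SAMPLE_TRACE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.1.10:51234->203.0.113.5:443) from port1. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.0.2.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=17, 10.1.1.20:53412->198.51.100.9:161) from port1. flag [.], seq 0, ack 0, win 0"
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-00001235"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.0.2.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=771 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 172.16.5.5:40000->10.1.1.10:22) from wan1. flag [S], seq 5, ack 0, win 64240"
id=20085 trace_id=3 func=ip_route_input_slow line=1756 msg="reverse path check fail, drop"
'''

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+),\s*(\S+)->(\S+)\)\s*from\s+(\S+)\.')
ROUTE_RE = re.compile(r'find a route: flag=\w+ gw-(\S+) via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def parse_flow_trace(text):
    """Group trace lines by trace_id and return one summary dict per packet."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, _func, msg = m.groups()
        t = traces.setdefault(tid, {
            "trace_id": int(tid), "verdict": "unknown", "policy": None,
            "ingress": None, "egress": None, "gateway": None,
            "src": None, "dst": None, "proto": None,
        })
        pm = PKT_RE.search(msg)          # first line: 5-tuple and ingress interface
        if pm:
            t["proto"] = int(pm.group(1))
            t["src"], t["dst"], t["ingress"] = pm.group(2), pm.group(3), pm.group(4)
        rm = ROUTE_RE.search(msg)        # routing decision: gateway and egress interface
        if rm:
            t["gateway"], t["egress"] = rm.groups()
        am = ALLOW_RE.search(msg)        # policy verdicts
        if am:
            t["verdict"], t["policy"] = "allowed", int(am.group(1))
        dm = DENY_RE.search(msg)
        if dm:
            t["verdict"], t["policy"] = "denied", int(dm.group(1))
        if "reverse path check fail" in msg:
            t["verdict"] = "rpf-fail"
    return list(traces.values())


def triage(traces):
    """Map each trace to the next check from the Layer 3 table."""
    advice = []
    for t in traces:
        flow = "%s -> %s in %s" % (t["src"], t["dst"], t["ingress"])
        if t["verdict"] == "allowed":
            advice.append((t["trace_id"], "ok: %s allowed by policy %d, egress %s via %s"
                           % (flow, t["policy"], t["egress"], t["gateway"])))
        elif t["verdict"] == "denied" and t["policy"] == 0:
            # policy 0 is the implicit deny: nothing matched
            advice.append((t["trace_id"], "no matching policy for %s: review get firewall policy" % flow))
        elif t["verdict"] == "denied":
            advice.append((t["trace_id"], "%s explicitly denied by policy %d" % (flow, t["policy"])))
        elif t["verdict"] == "rpf-fail":
            advice.append((t["trace_id"], "reverse path check failed for %s: no route back to %s via %s, "
                           "check get router info routing-table all" % (flow, t["src"], t["ingress"])))
        else:
            advice.append((t["trace_id"], "incomplete trace for %s" % flow))
    return advice


if __name__ == "__main__":
    for tid, msg in triage(parse_flow_trace(SAMPLE_TRACE)):
        print("trace %d: %s" % (tid, msg))
```

Paste a real capture into SAMPLE_TRACE (or read it from a file) and the verdict column tells you whether the next stop is the routing table, the policy set or the NAT configuration. A reverse path failure is a Layer 3 problem even though the policy never fired: the unit has no route back to the source via the interface the packet arrived on.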
Layer 4: BGP Session Checks
Command/Action | Description | Dangerous |
---|---|---|
diag ip router list | Confirm BGP session state. | Safe |
get router info bgp summary | Check BGP sessions and configurations. | Safe |
get router info bgp neighbors | Verify BGP neighbor configurations. | Safe |
get router info bgp neighbors <neighbor IP> received-routes | Show routes received from a neighbor before inbound policy. Requires soft-reconfiguration inbound on that neighbor; otherwise use get router info bgp neighbors <neighbor IP> routes for the post-policy view. | Safe |
get router info bgp neighbors <neighbor IP> advertised-routes | Show routes advertised to a neighbor after outbound policy; an empty list usually means a route-map or prefix-list is filtering. | Safe |
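On a unit with many peers the summary table is the fastest way to spot a broken session, and the two failure modes that matter are a peer that is not Established and a peer that is Established but has sent no prefixes. The following is an added example, not Fortinet code: a Python parser for the get router info bgp summary table that returns each peer's state and prefix count and points to the next command from the table above. The sample output is constructed to match the layout of the summary table (a Cisco/Quagga-style table with State/PfxRcd in the last column); router ID, AS numbers, peers and counters are invented.

```python
import re

# Constructed sample modelled on the table layout of "get router info bgp summary".
# Router ID, AS numbers, peers and counters are invented for illustration.
SAMPLE_BGP_SUMMARY = """\
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 12
3 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.2        4      65002     845     841       12    0    0 02:13:55        3
10.0.0.6        4      65003       0       0        0    0    0 never    Active
10.0.0.10       4      65004     120     118       12    0    0 00:10:02        0

Total number of neighbors 3
"""

LOCAL_AS_RE = re.compile(r'local AS number (\d+)')


def parse_bgp_summary(text):
    """Return (local_as, [neighbor dicts]) from bgp summary output."""
    local_as = None
    neighbors = []
    in_table = False
    for line in text.splitlines():
        m = LOCAL_AS_RE.search(line)
        if m:
            local_as = int(m.group(1))
        if line.startswith("Neighbor"):
            in_table = True
            continue
        if not in_table:
            continue
        cols = line.split()
        if len(cols) < 10:        # blank line or the trailing totals line ends the table
            in_table = False
            continue
        # Last column is either the received-prefix count (session Established)
        # or the FSM state name; join in case the state carries a suffix like "(Admin)".
        state_or_pfx = " ".join(cols[9:])
        established = state_or_pfx.isdigit()
        neighbors.append({
            "peer": cols[0],
            "remote_as": int(cols[2]),
            "up_down": cols[8],
            "state": "Established" if established else state_or_pfx,
            "prefixes": int(state_or_pfx) if established else 0,
        })
    return local_as, neighbors


def bgp_findings(local_as, neighbors):
    """Flag peers that need attention, with the next command from the table above."""
    out = []
    for n in neighbors:
        kind = "iBGP" if n["remote_as"] == local_as else "eBGP"
        if n["state"] != "Established":
            out.append("%s AS%d peer %s in state %s (up/down %s): check reachability with "
                       "diag route lookup %s and the session log in get router info bgp neighbors %s"
                       % (kind, n["remote_as"], n["peer"], n["state"], n["up_down"],
                          n["peer"], n["peer"]))
        elif n["prefixes"] == 0:
            out.append("%s AS%d peer %s is Established but sent 0 prefixes: check its advertisements "
                       "and your inbound filters with get router info bgp neighbors %s received-routes"
                       % (kind, n["remote_as"], n["peer"], n["peer"]))
    return out


if __name__ == "__main__":
    local_as, nbrs = parse_bgp_summary(SAMPLE_BGP_SUMMARY)
    for finding in bgp_findings(local_as, nbrs):
        print(finding)
```

A peer stuck in Active or Connect is a reachability or TCP/179 problem (route lookup, policy, MD5 mismatch), which is why the first suggestion is diag route lookup; a peer that is Established with zero prefixes is a policy problem on one side or the other, which is why the second suggestion is the received-routes view.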
Layer 7: Application Checks
Command/Action | Description | Dangerous |
---|---|---|
Review BGP configuration | Check for route-maps, prefix-lists, or filter-lists. | Safe |
diag log report \| grep BGP | Search logs for BGP related error messages. | Safe |