FortiOS CLI Cheat Sheet 2026 — Quick CLI Command Reference

FortiOS CLI Cheat Sheet is the complete quick-reference of FortiOS CLI commands grouped by function.

Firewall Policy

Action Command Useful flags
Enter firewall policy configuration mode
config firewall policy
Edit firewall policy by ID
edit <id>
Set source interface for policy
set srcintf <interface>
Set destination interface for policy
set dstintf <interface>
Set source address for policy
set srcaddr <address>
Set destination address for policy
set dstaddr <address>
Set action for policy
set action <action>
Show current firewall policy configuration
show

NAT & VIP

Action Command Useful flags
Configure IP pool for source NAT
config firewall ippool
edit <pool-name>
set type overload
set startip <start-ip>
set endip <end-ip>
end
Configure Virtual IP for destination NAT
config firewall vip
edit <vip-name>
set extip <external-ip>
set mappedip <internal-ip>
end
Configure central SNAT policy with IP pool
config firewall central-snat-map
edit <policy-id>
set nat-ippool <pool-name>
set orig-addr <source-address>
set dst-addr <destination-address>
end
Enable logging for a central SNAT policy
config firewall central-snat-map
edit <policy-id>
set logtraffic all
end

VPN (IPsec, SSL)

Action Command Useful flags
Show IPsec tunnel status
diagnose vpn tunnel list
Show IKE gateway list
diagnose vpn ike gateway list

SD-WAN

Action Command Useful flags
Enter SD-WAN configuration mode
config system sdwan
Edit an SD-WAN member (interface)
config system sdwan
config members
edit <member-id>
Edit an SD-WAN service (traffic rule)
config system sdwan
config service
edit <service-id>
Edit an SD-WAN zone
config system sdwan
config zone
edit <zone-name>

Routing & BGP

Action Command Useful flags
Enter BGP configuration
config router bgp
Show BGP summary
get router info bgp summary
Show BGP routes
get router info bgp network
Show BGP neighbor details
get router info bgp neighbors

HA & Clustering

Action Command Useful flags
Enter HA configuration mode
config system ha

Diagnostics & Sniffers

Action Command Useful flags
Capture packets on interface
diagnose sniffer packet <interface> '<filter>' <level> <count> <tsformat>
Enable debug output
diagnose debug enable
Disable debug output
diagnose debug disable
Show real-time process usage
diagnose sys top
Show session list
diagnose sys session list

System & Upgrades

Action Command Useful flags
Display system status
get system status
Backup config via TFTP
execute backup config tftp <filename> <tftp-server>
Restore config via TFTP
execute restore config tftp <filename> <tftp-server>
Check for firmware updates
execute update-now
Factory reset device
execute factoryreset
Reboot device
execute reboot
Shutdown device
execute shutdown

⚠️ Dangerous / Destructive Commands

These commands are irreversible. Verify your environment (dev/staging vs prod) before running them.

Action Command Warning
⚠️ Factoryreset
execute factoryreset
Irreversible — verify the target before running

FAQ — Frequently Asked Questions

What is the difference between Firewall Policy and NAT & VIP?

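Each group in this FortiOS CLI cheat sheet covers a distinct area. Firewall Policy covers the policy itself: its source and destination interfaces, source and destination addresses, and action. NAT & VIP covers address translation: IP pools for source NAT, virtual IPs for destination NAT, and central SNAT policies. The remaining groups cover VPN, SD-WAN, routing, HA, diagnostics and system tasks.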

How do I check the installed FortiOS CLI version?

Run get system status. The output includes the firmware version running on the device.

Why does FortiOS CLI return ‘permission denied’?

A ‘permission denied’ error in FortiOS CLI usually means the current user lacks sufficient privileges or credentials are not configured. Check: (1) assigned IAM/RBAC roles, (2) an active authentication context via the corresponding login command.

How do I filter FortiOS CLI output by status or name?

Pipe the command's output into the built-in grep:

get system status | grep Version

What is the fastest way to debug a FortiOS CLI error?

Turn on debug output with diagnose debug enable, reproduce the failing operation, then turn it off again with diagnose debug disable.
