FortiOS CLI Cheat Sheet 2026 — Quick CLI Command Reference

This FortiOS CLI cheat sheet is a quick reference of FortiOS CLI commands grouped by function.

Firewall Policy

| Action | Command | Useful flags |
|---|---|---|
| Show all firewall policies | `show firewall policy` | |
| Show specific policy | `show firewall policy 1` | |
| Enter config mode | `config firewall policy` | |
| Edit a policy | `edit <id>` | |
| Set action | `set action accept` | |
| Set source interface | `set srcintf "any"` | |
| Set destination interface | `set dstintf "any"` | |
| Set source address | `set srcaddr "all"` | |
| Set destination address | `set dstaddr "all"` | |
| Set schedule | `set schedule "always"` | |
| Commit and move to next | `next` | |

NAT & VIP

| Action | Command | Useful flags |
|---|---|---|
| Show NAT session statistics | `diagnose sys session stat` | |
| Configure virtual IP | `config firewall vip` | |
| Configure IP pool for source NAT | `config firewall ippool` | |

VPN (IPsec, SSL)

| Action | Command | Useful flags |
|---|---|---|
| Configure IPsec phase1 | `config vpn ipsec phase1-interface` | `edit <name>` |
| Configure IPsec phase2 | `config vpn ipsec phase2-interface` | `edit <name>` |
| List IPsec tunnels (diag) | `diagnose vpn ipsec tunnel list` | |
| List IKE gateways | `diagnose vpn ipsec ike gateway list` | |
| Configure SSL VPN settings | `config vpn ssl settings` | |
| Show SSL VPN statistics | `diagnose vpn ssl stats` | |

SD-WAN

| Action | Command | Useful flags |
|---|---|---|
| Enter SD-WAN config mode | `config system sdwan` | |
| Configure SD-WAN zone | `config system sdwan zone` | |
| Configure SD-WAN member | `config system sdwan member` | |
| Manage SD-WAN service rules | `config system sdwan service` | |
| Configure SD-WAN neighbors | `config system sdwan neighbor` | |
| Configure health-check servers | `config system sdwan health-check` | |
| Configure SLA thresholds | `config system sdwan performance-sla` | |
| Configure SLA log settings | `config system sdwan sla-log` | |

Routing & BGP

| Action | Command | Useful flags |
|---|---|---|
| Show BGP summary | `get router info bgp summary` | |
| Show BGP neighbors | `get router info bgp neighbors` | |
| Show BGP routes | `get router info bgp routes` | |
| Enter BGP config | `config router bgp` | |
| Enter static route config | `config router static` | |
| Configure prefix list | `config router prefix-list` | |
| Configure route map | `config router route-map` | |
| Configure BGP community list | `config router community-list` | |
| Configure AS path list | `config router aspath-list` | |
| Show BGP networks | `get router info bgp network` | |
| Show BGP paths | `get router info bgp paths` | |
| Show BGP community info | `get router info bgp community` | |

HA & Clustering

| Action | Command | Useful flags |
|---|---|---|
| Enter HA configuration | `config system ha` | |

Diagnostics & Sniffers

| Action | Command | Useful flags |
|---|---|---|
| Packet sniffer on any interface | `diagnose sniffer packet any 'host 10.0.0.1' 4` | `<interface> <filter> <verbose_level>` |
| Set debug flow filter | `diagnose debug flow filter addr 10.0.0.1` | `addr <ip>`, `dport <port>` or `proto <num>` |
| Enable flow debug function names | `diagnose debug flow show function-name enable` | `enable` or `disable` |
| Enable debug output | `diagnose debug enable` | |
| Disable all debug | `diagnose debug disable` | |
| Show top resource consumers | `diagnose sys top` | |
| Test DNS proxy resolution | `diagnose test application dnsproxy 2` | `<test_type> <options>` |

System & Upgrades

| Action | Command | Useful flags |
|---|---|---|
| System interface | `show system interface` | |
| Reboot FortiGate | `execute reboot` | `force` |
| Shutdown FortiGate | `execute shutdown` | |
| Factory reset | `execute factoryreset` | `keep-config` |
| Trigger firmware update | `execute update-now` | |
| Backup config to TFTP | `execute backup config tftp <server_ip> <filename>` | |
| Restore config from TFTP | `execute restore config tftp <server_ip> <filename>` | |
| Real-time process list | `diagnose sys top` | `<delay_seconds> <max_lines>` |

⚠️ Dangerous / Destructive Commands

These commands are irreversible. Verify your environment (dev/staging vs prod) before running them.

| Action | Command | Warning |
|---|---|---|
| ⚠️ Factory reset | `execute factoryreset` | Irreversible; verify the target before running |

FAQ — Frequently Asked Questions

What is the difference between Firewall Policy and NAT & VIP?

Each group in this FortiOS CLI cheat sheet covers a distinct area. Firewall Policy focuses on its specific scope, while NAT & VIP and the remaining groups cover networking, storage, security and diagnostics respectively.

How do I check the installed FortiOS CLI version?

Run get system status. The Version line of the output shows the device model and the FortiOS version and build.

Why does FortiOS CLI return ‘permission denied’?

A ‘permission denied’ error in FortiOS CLI usually means the current user lacks sufficient privileges or credentials are not configured. Check: (1) assigned IAM/RBAC roles, (2) an active authentication context via the corresponding login command.

How do I filter FortiOS CLI output by status or name?

Use flags such as --filter, --selector or --query depending on the tool. You can also pipe into grep or jq to process JSON:

get router info bgp neighbors | grep state

What is the fastest way to debug a FortiOS CLI error?

Add the verbose flag (--verbose, -v or --debug) to the failing command. This reveals the underlying HTTP/API calls and the full error response body.
