Stop all the prior debugs that were enabled and running in the foreground or background.

Start printing debugs in the console.

Stop printing debugs in the console. The debugs are still running in the background; use diagnose debug reset to completely stop them.

Show system information.

Show current system time.

Show CPU and memory utilization.

Execute TAC report used to open a support ticket with Fortinet Support.

Show a list of the first n processes every s seconds for i iterations.

• Shift +C: Sort by highest CPU

• Shift + M: Sort by highest memory

Show system and application crashes.

Show PID of the daemon that is running. The names of currently running daemons can be found using diagnose sys top.

For example: diagnose sys process pidof httpsd

Kill the PID with signal 11.

Show session statistics.

Show expectation session statistics.

Show virtual domain information and system statistics.

Show information about the latest configuration change performed by the daemon.

Immediately reset to factory defaults and reboot.

If keepvmlicense is specified (VM models only), the VM license is retained after reset.

Immediately reset to factory defaults and shutdown.

If keepvmlicense is specified (VM models only), the VM license is retained after reset.

Reset to factory default, except system settings, system interfaces, VDOMs, static routes, and virtual switches.

If keepvmlicense is specified (VM models only), the VM license is retained after reset.

Show errors in the configuration file.

Show fragmentation and reassembly information.

Show essential process related information for a particular process PID.

Show CPU usage every n seconds.

Show system memory information.

Show packet distribution statistics.

Show hardware interrupts statistics.

Execute a hardware diagnostic test, also known as an HQIP test.

Show disk information.

Show flash partitions.

Show available mounted disks.

Format the referenced partition.

Execute a disk check to check if disk is faulty.

• <device>: Device to test

• <block>: Block size of each read/write operation.

• <mb>: Test size limit for each cycle

Format the log disk.

Show CPU information.

Show rating cache and daemon statistics.

Show web filter rating server information.

Start debugging for updated daemon to troubleshoot FortiGuard update issues.

Execute the FortiGuard update manually.

Set session table filters.

Show session filters, if set.

Show session table after filtering.

Clear the session table for the specified filter.

Ping IP address <x.x.x.x> using the specified options.

SSH to IP address <x.x.x.x> using the specified options.

Traceroute IP address <x.x.x.x> using the specified options.

Show ARP entries.

Show the names of all of the switches on the FortiGate.

Show the switching table of the specified switch.

Show a summary of interface details, including IP address information.

Show IP address information.

Show detailed interface information.

Stop all the prior debugs that were enabled and running in the foreground or background.

Clear any IPv4 debug flow filters.

Clear any IPv6 debug flow filters.

Set a filter for running IPv4 traffic debug flows.

Set a filter for running IPv6 traffic debug flows.

Show the function name of the code that the traffic accesses.

Show which internal firewall policy that the traffic is going through.

Start printing timestamps on debugs.

Show n lines of IPv4 debugs.

Show n lines of IPv6 debugs.

Start real-time debugging for web filter traffic.

List the web filter debug outputs.

Show the web filter debug output for the specified option.

Start real-time debugging for DNS proxy. DNS proxy is responsible for DNS filter, DNS translation, DNS resolution etc.

List the DNS proxy debug outputs.

Show the DNS proxy debug output for the specified option.

Start IPS engine debugs for Application Control and IPS Security profile

Start real-time debugging for antivirus profile when antivirus profile is configured in flow mode.

Show IPS engine information

Set the IPS engine enable/disable status.

Restart all IPS engines and monitor.

Start all IPS engines.

Stop all IPS engines.

Show the IPS sessions in each engine's memory space.

Show all WAD processes.

Show total memory usage.

Restart all WAD processes.

Start real-time debugging of the traffic processed by WAD daemon.

Set the filter for the WAD debugs.

Show all the filters that have been set for debugging.

Clear the WAD filter settings.

Set the verbosity level of the debugs.

Set the traffic category.

Show the WAS worker PID in debugs that handle the session request.

Set the CPU core to profile.

Start CPU profiling and wait for one to two minutes to stop.

Stop CPU profiling.

Show the applied kernel modules.

Show the entire command tree.

Show the execute command tree.

Show routing table.

Show IPv4 and IPv6 routing database information.

Show the IPv4 and IPv6 kernel routing table.

Show routing protocol information for IPv4 and IPv6.

Restart the routing daemon

Show OSPF status for IPv4 and IPv6.

Show OSPF neighbors for IPv4 and IPv6.

Show OSPF database in brief.

Show BFD neighbors for IPv4 and IPv6.

Show BFD statistics.

Start real-time BFD debugging .

Show BGP summary for IPv4 and IPv6.

Show BGP peer and the advertised and received routes from the BGP peer.

• Substitute <x.x.x.x> with IPv4 address of the peer.

• Substitute <x:x::x:x/m> with IPv6 address of the peer.

Start real-time BGP debugging.

Execute a hard reset based on the specified parameters:

• all: all BGP peers

• as <ASN>: BGP peers specified by AS number

• ip x.x.x.x: BGP peer specified by IPv4 address (x.x.x.x)

• ipv6 y:y:y:y:y:y:y:y: BGP peer specified by IPv6 address (y:y:y:y:y:y:y:y)

Executea soft reset based on the specified parameter:

• all: all BGP peers

• ip x.x.x.x: BGP peer specified by IPv4 address (x.x.x.x)

• ipv6 y:y:y:y:y:y:y:y: BGP peer specified by IPv6 address (y:y:y:y:y:y:y:y)

• in: received BGP routes only

• out: advertised BGP routes only

  A soft reset will occur in both directions if neither in nor out is specified.

Show OSPF status for IPv4 and IPv6.

Show OSPF running on interface for IPv4 and IPv6.

Show OSFP neighbor information for IPv4 and IPv6.

Show OSPF database in brief for IPv4 and IPv6.

Show IGMP statistics for an interface.

Show multicast groups subscribed to with IGMP.

Show maximum IGMP states.

Start real-time debugging of IGMP daemon.

Clear all IGMP entries from one interface.

Clear all IGMP entries for one or all groups.

Show sparse-mode interface information.

Show sparse-mode neighbor information.

Show RP to group mapping information.

Show sparse-mode routing table.

Show SD-WAN health check statistics.

Show SD-WAN rules in control plane.

Show SD-WAN members.

Show SDWAN rule and policy routes in the data plane.

Show link monitoring statistics.

Start real-time link monitor debugging.

Set the filter used to list entries.

List filtered, authenticated IPv4 users.

List current users authenticated by proxy (wad daemon).

Start real-time debugging for remote and local authentication.

Test authentication directly from the CLI.

Caution: The password is visible in clear text; be careful when capture this command to a log file.

Test user authentication using an LDAP server.

Caution: The password is visible in clear text; be careful when capture this command to a log file.

Test user authentication using a Radius server.

Caution: The password is visible in clear text; be careful when capture this command to a log file.

Show information about the polls from FortiGate to DC.

Show FSSO logged on users when Fortigate polls the DC.

Start real-time debugging when the FortiGate is used for FSSO polling.

Refresh the current logged on FSSO users and refresh the list.

Caution: This command can cause an outage, use it carefully.

Show current status of connection between FortiGate and the collector agent.

Start real-time debugging for the connection between FortiGate and the collector agent.

Resend the logged-on users list to FortiGate from the collector agent.

Start real-time debugging for the connection between FortiGate and the collector agent.

Show IPsec phase 1 information.

Show IPsec phase 2 information.

Show summary and detailed information about IPsec tunnels.

Show information about encryption counters.

Set a filter for IKE daemon debugs.

Start real-time debugging of IKE daemon with the filter set.

Restart the IKE process.

Show any filters that are set for SSL VPN debug.

Clear any filters that are set for SSL VPN daemon debug.

Set a filter for SSL VPN debugs.

Start SSL VPN debugs for traffic that the filter is applied to.

Show the current SSL VPN sessions for both web and tunnel mode.

Show the SSL VPN statistics.

Show all SSL VPN web and tunnel mode connections.

Disconnect the users from tunnel mode SSL VPN connection.

Show managed FortiSwitch MAC address list.

Show managed FortiSwitch port statistics.

Show managed FortiSwitch trunk information.

Show MCLAG related information from FortiSwitch.

Show FortiSwitch connection status.

Show FortiLink connectivity graph.

Show information about the FortiAP devices.

Show information about the wireless clients connected to the FortiAP devices.

Show a list of debug options available for the wireless controller.

Start real-time debugging of a wireless client/station that connects to the FortiAP.

• <aa:bb:cc:dd:ee:ff>: MAC address of endpoint/station

Show virtual access point information, including its MAC address, BSSID, SSID, the interface name, and the IP address of the APs that are broadcasting it.

Show HA status and information.

Log into and manage a specific HA member.

Show checksum information of all cluster members.

Show detailed checksum information for a VDOM.

Recalculate HA checksums.

Recalculate HA external files signatures.

Reset the HA uptime. This is used to test failover.

Start real-time debugging of HA daemons.

Show HA history.

Test FortiGate to FortiClient EMS connectivity.

Verify FortiClient EMS’s certificate.

Show EMS connectivity information.

Start real-time debugging of FortiClient NAC daemon.

Show the endpoint record list. Optionally, filter by the endpoint IP address.

Query endpoints by client UID.

Query endpoints by the client IP-VDOM pair.

Query from WAD diagnose command by UID.

Query from WAD diagnose command by IP address.

Show EMS ZTNA tags and all dynamic IP and MAC addresses.

Show the FortiClient NAC daemon ZTNA and route cache.

Generate logs for testing.

Set log filters.

Show log filters.

Show filtered logs.

Delete filtered logs.

Start real-time debugging of logging process miglogd.

Show configured traffic shapers.

Show SIP status.

Show SIP mapping list.

Show SIP dialogue list.

Show list of active SIP proxy calls.

Show SIP proxy statistics.

Show SIP proxy session list.