13 February 2019

vpn

diagnose vpn auto-ipsec client clear-config

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to clear dynamically created IPsec configuration.

Syntax
diagnose vpn auto-ipsec client clear-config < name Clear dynamically created IPsec configuration by name >


diagnose vpn auto-ipsec gateway status

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to show IPsec auto-configuration gateway status.

Syntax
diagnose vpn auto-ipsec gateway status < Enter >


diagnose vpn ike filter mdst-addr4

Firmware – FortiOS: 6.0
When filtering IKE logs, it is sometimes useful to filter on multiple IP addresses. This option sets the IKE log filter to match two or more (up to six) destination IPv4 addresses.

Syntax
diag vpn ike log filter mdst-addr4 [ ]


diagnose vpn ike filter mdst-addr6

Firmware – FortiOS: 6.0
When filtering IKE logs, it is sometimes useful to filter on multiple IP addresses. This option sets the IKE log filter to match two or more (up to six) destination IPv6 addresses.

Syntax
diag vpn ike log filter mdst-addr6 [ ]


diagnose vpn ike filter msrc-addr4

Firmware – FortiOS: 6.0
When filtering IKE logs, it is sometimes useful to filter on multiple IP addresses. This option sets the IKE log filter to match two or more (up to six) source IPv4 addresses.

Syntax
diag vpn ike log filter msrc-addr4 [ ]


diagnose vpn ike crypto software

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to set or display the software crypto settings.

Syntax
diagnose vpn ike crypto software < Enter >


diagnose vpn ike crypto stats

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to display the number of hardware and software crypto objects.

Syntax
diagnose vpn ike crypto stats

Command
diagnose vpn ike crypto stats

Output

software.dh-modp: 0 0
hardware.dh-modp: 0 0
software.dh-ecp: 0 0
hardware.dh-ecp: 0 0


diagnose vpn ike filter autoconf-type

Firmware – FortiOS: 5.0 5.2 5.4 5.6 6.0

Syntax
diagnose vpn ike filter autoconf-type < type Auto-configuration type, 0 matches all >


diagnose vpn ike filter clear

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to erase the current filter.

Syntax
diagnose vpn ike filter clear < Enter >


diagnose vpn ike filter list

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to display the current filter.

Syntax
diagnose vpn ike filter list < Enter >


diagnose vpn ike filter negate autoconf-status

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to negate autoconf-status.

Syntax
diagnose vpn ike filter negate autoconf-status < Enter >


diagnose vpn ike filter negate dst-port

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to negate the destination port.

Syntax
diagnose vpn ike filter negate dst-port < Enter >


diagnose vpn ike filter negate name

Firmware – FortiOS: 5.0 5.2 5.4

Syntax
diagnose vpn ike filter negate name < Enter > — Negate name {5.0}


diagnose vpn ike filter negate src-addr4

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to negate the IPv4 source address.

Syntax
diagnose vpn ike filter negate src-addr4 < Enter >


diagnose vpn ike filter src-addr4

Firmware – FortiOS: 5.0 5.2 5.4 5.6 6.0
This command is used to display the IPv4 source address range to filter by.

Syntax
diagnose vpn ike filter src-addr4 < ipv4-address Source IPv4 address (from) >


diagnose vpn ike filter src-port

Firmware – FortiOS: 5.0 5.2 5.4
Use this command to filter by the source port range.

Syntax
diagnose vpn ike filter src-port < port Source port (from) >


diagnose vpn ike filter vd

Firmware – FortiOS: 5.0 5.2 5.4

Syntax
diagnose vpn ike filter vd < index Index of virtual domain. -1 matches all >


diagnose vpn ike gateway list

Firmware – FortiOS: 5.0 5.2 5.4 5.6 6.0
This command displays VPN IKE gateways.

Changes made in 6.0
Compared with earlier releases, the output contains one additional line showing the sent/received message-id counters of the IKEv2 SA.

Example:
message-id sent/recv: 7/0

Syntax
diagnose vpn ike gateway list < name List gateway by name. > — list

Example
Test_FGT # diag vpn ike gateway list

vd: root/0
name: p1
version: 2
interface: wan1 5
addr: 172.18.25.230:500 -> 172.18.25.243:500
created: 46s ago
IKE SA: created 1/2 established 1/2 time 10/10530/21050 ms
IPsec SA: created 1/2 established 1/2 time 0/10525/21050 ms

id/spi: 4 fe1a13001cd6d901/ff9d0eaaf62700ac
direction: initiator
status: established 46-25s ago = 21050ms
proposal: aes128-sha256
child: no
SK_ei: 6e34275c0bb6c92e-558c2cb04f6a57cd
SK_er: 1106c20162b11eab-af474e39f0924f2f
SK_ai: 3ac92c8b08f4aab4-e7a7be8e055e322d-e8bacc876bfe60d8-d2ab9d98491cd239
SK_ar: ee9d3ca2f8e4e979-3198960ece74846a-62781d77aa0c59c0-d7cae6251f285ae4
PPK: no
message-id sent/recv: 7/0
lifetime/rekey: 121/65
DPD sent/recv: 00000007/00000007
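As an added example (not Fortinet code or output from the page), a small Python parser for the gateway-list text above: it turns each gateway and its IKE SAs into a dict and flags SAs that are not established or that negotiated a weak proposal. The sample is an abridged copy of the output above with the SK_* key lines left out, and the WEAK_ALGS set is an assumed local policy.

```python
# Constructed sample: the FortiOS 6.0 'diag vpn ike gateway list' output shown on this
# page, abridged; the SK_* key lines are omitted since they should never be logged.
SAMPLE = """\
vd: root/0
name: p1
interface: wan1 5
addr: 172.18.25.230:500 -> 172.18.25.243:500
created: 46s ago
IKE SA: created 1/2 established 1/2 time 10/10530/21050 ms
IPsec SA: created 1/2 established 1/2 time 0/10525/21050 ms

id/spi: 4 fe1a13001cd6d901/ff9d0eaaf62700ac
status: established 46-25s ago = 21050ms
proposal: aes128-sha256
message-id sent/recv: 7/0
lifetime/rekey: 121/65
DPD sent/recv: 00000007/00000007
"""
WEAK_ALGS = {"des", "3des", "md5", "sha1"}   # assumed local policy; adjust as needed

def parse_gateway_list(text):
    """Split gateway-list text into gateways, each carrying a list of its IKE SAs."""
    gateways, gw = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue                          # blank line or unexpected text
        key, value = key.strip(), value.strip()
        if key == "vd":                       # a gateway block starts with its vdom line
            gw = {"vd": value, "sas": []}
            gateways.append(gw)
        elif key == "id/spi":                 # an IKE SA block starts with its id/spi line
            gw["sas"].append({"id/spi": value})
        elif gw and gw["sas"]:                # lines after id/spi belong to the last SA
            gw["sas"][-1][key] = value
        elif gw:                              # lines before id/spi belong to the gateway
            gw[key] = value
    return gateways

def check_gateway(gw):
    """Return findings for one gateway: SAs not established or using a weak proposal."""
    findings = []
    for sa in gw["sas"]:
        if not sa.get("status", "").startswith("established"):
            findings.append(f"{gw['name']} spi {sa['id/spi']}: status {sa.get('status')}")
        weak = WEAK_ALGS & set(sa.get("proposal", "").split("-"))
        if weak:
            findings.append(f"{gw['name']} spi {sa['id/spi']}: weak proposal {sorted(weak)}")
    return findings
```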


diagnose vpn ike log filter clear

Firmware – FortiOS: 5.0 5.2 5.4 5.6 6.0
Use this command to erase the current filter.

Syntax
diagnose vpn ike log filter clear < Enter > — Erase the current filter


diagnose vpn ike log filter interface

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to filter by the interface that the IKE connection is negotiated over.

Syntax
diagnose vpn ike log filter interface < index Interface index, 0 matches all >


diagnose vpn ike log filter list

Firmware – FortiOS: 5.0 5.2 5.4
Use this command to display the current filter.

Syntax
diagnose vpn ike log filter list < Enter >

Command
diagnose vpn ike log filter list

Output
vd: any
name: any
interface: any
IPv4 source: any
IPv4 dest: any
IPv6 source: any
IPv6 dest: any
source port: any
dest port: any



diagnose vpn ike log filter negate dst-port

Firmware – FortiOS: 5.0 5.2 5.4

Syntax
diagnose vpn ike log filter negate dst-port < Enter > — Negate destination port {5.0}


diagnose vpn ike log terminal clear

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to clear IKE debug log terminals.

Syntax
diagnose vpn ike log terminal clear < Enter >


diagnose vpn ike routes list

Firmware – FortiOS: 5.0 5.2 5.4
This command displays all routes in memory for IKE VPN tunnels.

Syntax
diagnose vpn ike routes list < Enter >


diagnose vpn ike status detailed

Firmware – FortiOS: 5.0 5.2 5.4
This command displays the status of IKE objects. It lists vdom, name, version, IKE SA, and IPsec SA.

Syntax
diagnose vpn ike status detailed < Enter >


diagnose vpn ipsec cpu

Firmware – FortiOS: 5.0 5.2 5.4 5.6 6.0
Actions for software crypto CPU distributions.

Changes made in 5.6.4
Starting in 5.6.4 this command will only be available on models with the 3.2 (or later) kernel.

Syntax
diagnose vpn ipsec cpu

Options
clear – Clears the stats for the CPU


diagnose vpn ipsec driver

Firmware – FortiOS: 5.0 5.2 5.4 5.6 6.0
Actions for crypto drivers.

Changes made in 5.6.4
Starting in 5.6.4 this command will only be available on models with the 3.2 (or later) kernel.

Syntax
diagnose vpn ipsec driver clear

Options
clear – Clears the stats for the crypto driver


diagnose vpn ssl debug-filter src-addr4

Firmware – FortiOS: 5.0 5.2 5.4 5.6 6.0

Syntax
diagnose vpn ssl debug-filter src-addr4 < ipv4-address source IPv4 address (from) > — IPv4 source address range


diagnose vpn ssl hw-acceleration-status

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to display SSL hardware acceleration status.

Syntax
diagnose vpn ssl hw-acceleration-status < Enter >


diagnose vpn tunnel dialup-list

Firmware – FortiOS: 5.0 5.2 5.4
This command is used to display the dialup tunnel list.

Syntax
diagnose vpn tunnel dialup-list < arg please input args >


diagnose vpn tunnel dumpsa

Firmware – FortiOS: 5.0 5.2 5.4

Syntax
diagnose vpn tunnel dumpsa < Enter > — Dump all sa


diagnose vpn tunnel reset

Firmware – FortiOS: 5.0 5.2 5.4 >=5.6.3
This command is used to flush tunnel SAs and reset the NAT-T and DPD configuration. It is a workaround to reset a tunnel that got stuck in the wrong state.

Changes Made in 5.6.4
This command was removed in the 5.6.4 release of the firmware. The issue it was designed to address was fixed some time ago, so the command is rarely used. Should the issue happen again, the state can always be corrected by flushing the connection.

To clear all SAs (IKE & IPsec) use:

diagnose vpn ike gateway flush name

Syntax
diagnose vpn tunnel reset