config log syslogd setting
 set status enable
 set server <ip>
 end

Notes:

  • For additional syslog servers, replace 'syslogd' with syslogd2 or syslogd3
  • Max of 3 syslog servers

[ # ]

execute ha manage <device-id>

Notes:

  • You can question mark after 'manage' to view available devices and their IDs

Documentation

[ # ]

config system interface
 edit wan1    // Some name
  set ip <ip>/<cidr>
  set allowaccess ping https ssh    !! All protocols needed, usually need ping ssh and https access
  end

!! Aggregate interfaces using LACP 802.3AD (example: assign port8 and port9 to \"aggr1\", aggr1 is a name we can make up, then assign IP like above as normal)
config system interface
 edit aggr1
  set member "port8" "port9"
  end

!! Add VLAN to Aggregate or interface (create int aggr1_30 and assign IP and VLAN 30)
configure system interface
 edit aggr1_30
  set ip <ip>/<cidr>
  set interface "aggr1"
  set vlanid 30
  end

!! Configure a zone (zones are optional, not required unless desired)
config system zone
 edit <some zone name>
  set interface <interface1> <interface2> <etc>
  set intrazone allow     // Only enable if needed as it is insecure (allows 2 ints in the same zone talk to each other without a policy)
  end

[ # ]

Username: admin
Password: <empty>

[ # ]

diag hardware sysinfo shm

Notes:

The following are possible results for 'conservemode'

  • 0 - Not in Conserve Mode
  • 1 - Conserve Mode
  • 2 - Kernel Conserve Mode

Documentation

[ # ]

get system status
get system performance status
diag hardware sysinfo memory
diagnose sys session stat
get system performance top 3 99    !! Let it run for 20-30 secs, then hit ctr + c to stop the command
diag debug crashlog read

[ # ]

config vpn ipsec phase2
  edit "<Phase2-Name>"
    set use-natip <enable|disable>

Notes:

  • If NATing, enabled (default) will use the public IP of FortiGate as the source selector (encryption domain), disable will use what's configured in the phase 2 settings (src-start-ip/src-end-ip or src-subnet)

Documentation

[ # ]

config system global
 set hostname <hostname>
 end

config system dns
 set primary <ip>
 set secondary <ip>
 end

[ # ]

config system ha
    set group-name <cluster_name>
    set mode <a-a|a-p|standalone>        !! Active-Active, Active-Passive, or Standalone
    set password <HA_Password>
    set hbdev <heartbeat-port>            !! This port cannot be an interface with an IP and in use
    set session-pickup <enable|disable>    !! Sync of sessions (not failover multicast or SSLVPN sessions)
    set override <enable|disable>        !! Preempt
    set monitor <int1> <int2> <etc>        
    set priority <#>                    !! Default is 128
end

Notes:

  • To bring a new device into the cluster, ensure the new device has a lower priority than the active device. After connecting to the network and configuring the above settings, the configuration should by pulled from the active unit

Documentation

[ # ]

config system global
 set admin-sport 8443
 set sslvpn-sport 443
 end

[ # ]