diag test app ipsmonitor <#>

• 1: Display IPS engine information
• 2: Toggle IPS engine enable/disable status
• 3: Display restart log
• 4: Clear restart log
• 5: Toggle bypass status
• 97: Start all IPS engines
• 98: Stop all IPS engines
• 99: Restart all IPS engines and monitor

Documentation

[ # ]

config system global
 set admin-sport 8443
 set sslvpn-sport 443
 end

[ # ]

config system ha
    set group-name <cluster_name>
    set mode <a-a|a-p|standalone>        !! Active-Active, Active-Passive, or Standalone
    set password <HA_Password>
    set hbdev <heartbeat-port>            !! This port cannot be an interface with an IP and in use
    set session-pickup <enable|disable>    !! Sync of sessions (not failover multicast or SSLVPN sessions)
    set override <enable|disable>        !! Preempt
    set monitor <int1> <int2> <etc>        
    set priority <#>                    !! Default is 128
end

Notes:

• To bring a new device into the cluster, ensure the new device has a lower priority than the active device. After connecting to the network and configuring the above settings, the configuration should by pulled from the active unit

Documentation

[ # ]

config system global
 set hostname <hostname>
 end

config system dns
 set primary <ip>
 set secondary <ip>
 end

[ # ]

config vpn ipsec phase2
  edit "<Phase2-Name>"
    set use-natip <enable|disable>

Notes:

• If NATing, enabled (default) will use the public IP of FortiGate as the source selector (encryption domain), disable will use what's configured in the phase 2 settings (src-start-ip/src-end-ip or src-subnet)

Documentation

[ # ]

diag debug report

[ # ]

get system status
get system performance status
diag hardware sysinfo memory
diagnose sys session stat
get system performance top 3 99    !! Let it run for 20-30 secs, then hit ctr + c to stop the command
diag debug crashlog read

[ # ]

Username: admin
Password: <empty>

[ # ]

config system interface
 edit wan1    // Some name
  set ip <ip>/<cidr>
  set allowaccess ping https ssh    !! All protocols needed, usually need ping ssh and https access
  end

!! Aggregate interfaces using LACP 802.3AD (example: assign port8 and port9 to \"aggr1\", aggr1 is a name we can make up, then assign IP like above as normal)
config system interface
 edit aggr1
  set member "port8" "port9"
  end

!! Add VLAN to Aggregate or interface (create int aggr1_30 and assign IP and VLAN 30)
configure system interface
 edit aggr1_30
  set ip <ip>/<cidr>
  set interface "aggr1"
  set vlanid 30
  end

!! Configure a zone (zones are optional, not required unless desired)
config system zone
 edit <some zone name>
  set interface <interface1> <interface2> <etc>
  set intrazone allow     // Only enable if needed as it is insecure (allows 2 ints in the same zone talk to each other without a policy)
  end

[ # ]

!! Ensure ssh is allowed on the interface you are attempting to access
config system interface
edit <interface>
set allowaccess ping https ssh  !! SSH added to the other allowed admin options
end

!! Enable SCP
config system global
set admin-scp enable
end

!! To backup the system
scp admin@<ip>:sysconfig <local-file>

Notes:

• SCP is disabled by default and may become disabled after an upgrade

[ # ]