FortiOS™ Handbook - CLI Reference VERSION 5.6.7

FortiOS™ Handbook - CLI Reference · 2019-03-18


FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO GUIDE: https://video.fortinet.com
FORTINET KNOWLEDGE BASE: http://kb.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET COOKBOOK: http://cookbook.fortinet.com
FORTINET NSE INSTITUTE (TRAINING): https://training.fortinet.com/
FORTIGUARD CENTER: https://fortiguard.com
FORTICAST: http://forticast.fortinet.com
END USER LICENSE AGREEMENT AND PRIVACY POLICY: https://www.fortinet.com/doc/legal/EULA.pdf and https://www.fortinet.com/corporate/about-us/privacy.html
FEEDBACK: Email: [email protected]

March 15, 2019
FortiOS™ Handbook - CLI Reference
01-567-498240-20190315

TABLE OF CONTENTS

Change log 21
Introduction 23
How this guide is organized 23
Availability of commands and options 23
Disclaimer: CLI syntax parameter format 24
Managing firmware with the FortiGate BIOS 25
Accessing the BIOS 25
Navigating the menu 25
Loading firmware 25
Configuring TFTP parameters 26
Initiating TFTP firmware transfer 26
Booting the backup firmware 27
Using the CLI 28
Connecting to the CLI 28
Connecting to the CLI using a local console 28
Enabling access to the CLI through the network (SSH or Telnet) 29
Connecting to the CLI using SSH 30
Connecting to the CLI using Telnet 31
Command syntax 32
Terminology 32
Indentation 33
Notation 33
Sub-commands 35
Example of table commands 37
Permissions 39
Increasing the security of administrator accounts 39
Tips 39
config 47
alertemail 48
alertemail setting 48
antivirus 50
antivirus heuristic 50
antivirus profile 50
antivirus quarantine 58
antivirus settings 62
application 63
application custom 63
application list 64
application name 69
application rule-settings 70
authentication 72
authentication rule 72
authentication scheme 74
authentication setting 75
aws 77
aws setting 77
certificate 78
certificate ca 78
certificate crl 80
certificate local 82
dlp 86
dlp filepattern 86
dlp fp-doc-source 88
dlp fp-sensitivity 91
dlp sensor 91
dlp settings 96
dnsfilter 98
dnsfilter domain-filter 98
dnsfilter profile 99
config domain-filter 101
config ftgd-dns 101
config filters 101
endpoint-control 102
endpoint-control client 102
endpoint-control forticlient-registration-sync 103
endpoint-control profile 103
config forticlient-winmac-settings 108
config forticlient-operating-system 111
config forticlient-running-app 111
config forticlient-registry-entry 111
config forticlient-own-file 111
config forticlient-android-settings 111
config forticlient-vpn-settings 112
config forticlient-ios-settings 113
config client-vpn-settings 113
endpoint-control registered-forticlient 114
endpoint-control settings 114
extender-controller 117
extender-controller extender 117
firewall 121
firewall {acl | acl6} 122
firewall {address | address6} 125
firewall {addrgrp | addgrp6} 136
firewall auth-portal 141
firewall central-snat-map 141
firewall dnstranslation 142
firewall {DoS-policy | DoS-policy6} 143
firewall identity-based-route 146
firewall {interface-policy | interface-policy6} 146
firewall internet-service 150
firewall internet-service-custom 150
firewall ipmacbinding setting 152
firewall ipmacbinding table 153
firewall {ippool | ippool6} 153
firewall ip-translation 155
firewall ipv6-eh-filter 156
firewall ldb-monitor 156
firewall {local-in-policy | local-in-policy6} 157
firewall mms-profile 159
firewall {multicast-address | multicast-address6} 164
firewall {multicast-policy | multicast-policy6} 165
firewall {policy | policy6} 167
firewall {policy46 | policy64} 205
firewall profile-group 207
firewall profile-protocol-options 208
firewall proxy-address 212
firewall proxy-addrgrp 213
firewall proxy-policy 214
firewall schedule group 218
firewall schedule onetime 220
firewall schedule recurring 223
firewall service category 223
firewall service custom 225
firewall service group 234
firewall shaper per-ip-shaper 235
firewall shaper traffic-shaper 236
firewall shaping-policy 237
firewall sniffer 238
firewall ssl setting 240
firewall ssl-server 241
firewall ssl-ssh-profile 244
firewall ttl-policy 249
firewall {vip | vip6} 250
firewall {vip46 | vip64} 285
firewall {vipgrp | vipgrp6} 287
firewall {vipgrp46 | vipgrp64} 288
ftp-proxy 290
ftp-proxy explicit 290
icap 292
icap profile 292
icap server 294
ips 296
ips custom 296
ips decoder 298
ips global 298
ips rule 302
ips rule-settings 304
ips sensor 304
ips settings 309
load-balance 311
load-balance flow-rule 311
load-balance setting 314
log 318
log {azure-security-center | azure-security-center2} filter 318
log {azure-security-center | azure-security-center2} setting 320
log custom-field 321
log disk filter 321
log disk setting 322
log eventfilter 324
log fortianalyzer override-filter 325
log fortianalyzer override-setting 326
log {fortianalyzer | fortianalyzer2 | fortianalyzer3} filter 327
log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting 327
log fortiguard filter 328
log fortiguard override-filter 329
log fortiguard override-setting 330
log fortiguard setting 330
log gui-display 331
log memory filter 332
log memory global-setting 333
log memory setting 333
log null-device filter 333
log null-device setting 334
log setting 334
log syslogd override-filter 335
log syslogd override-setting 335
log {syslogd | syslogd2 | syslogd3 | syslogd4} filter 337
log {syslogd | syslogd2 | syslogd3 | syslogd4} setting 337
log threat-weight 338
log webtrends filter 343
log webtrends setting 343
report 344
report chart 344
report dataset 347
report layout 348
report setting 351
report style 351
report theme 352
router 354
router {access-list | access-list6} 354
router aspath-list 356
router auth-path 357
router bfd 357
router bgp 358
config admin-distance 370
config aggregate-address, config aggregate-address6 370
config neighbor 370
config neighbor-group 376
config neighbor-range 381
config network, config network6 381
config redistribute, config redistribute6 {connected | isis | static | rip | ospf} 381
router community-list 382
router isis 383
config isis-interface 388
config redistribute {bgp | connected | ospf | rip | static} 389
config summary-address 389
router key-chain 390
router multicast 391
config interface 394
config pim-sm-global 397
router multicast6 399
config interface 400
router multicast-flow 400
router {ospf | ospf6} 401
config router ospf 410
config area 410
config distribute-list 416
config neighbor 417
config network 418
config ospf-interface 418
config redistribute 422
config summary-address 423
router {policy | policy6} 424
router {prefix-list | prefix-list6} 426
router rip 428
config distance 432
config distribute-list 433
config interface 434
config neighbor 436
config network 436
config offset-list 437
config redistribute 438
router ripng 438
config aggregate-address 442
config distance 442
config distribute-list 442
config interface 443
config neighbor 443
config offset-list 444
config redistribute 444
router route-map 445
config rule variables 448
Using route maps with BGP 450
config rule variables 450
router setting 453
router {static | static6} 454
spamfilter 457
spamfilter bwl 457
For SMTP 457
For POP3 and IMAP 457
For SMTP, POP3, and IMAP using the email address 457
For SMTP, POP3, and IMAP using the IP address 458
spamfilter bword 460
For SMTP 460
For POP3 and IMAP 460
For SMTP, POP3, and IMAP 460
spamfilter dnsbl 462
For SMTP 462
For POP3 and IMAP 463
For SMTP, POP3, and IMAP 463
spamfilter fortishield 464
For SMTP 464
For POP3 and IMAP 464
For SMTP, POP3, and IMAP 464
spamfilter iptrust 465
spamfilter mheader 466
For SMTP 466
For POP3 and IMAP 467
For SMTP, POP3, and IMAP 467
spamfilter options 468
spamfilter profile 469
config {imap | imaps | mapi | pop3 | pop3s | smtp | smtps} 471
switch-controller 473
switch-controller 802-1X-settings 473
switch-controller custom-command 474
switch-controller global 474
switch-controller igmp-snooping 474
switch-controller lldp-profile 475
switch-controller lldp-settings 476
switch-controller mac-sync-settings 476
switch-controller managed-switch 477
switch-controller qos dot1p-map 482
switch-controller qos ip-dscp-map 484
switch-controller qos qos-policy 485
switch-controller qos queue-policy 486
switch-controller quarantine 486
switch-controller security-policy 802-1X 487
switch-controller security-policy captive-portal 489
switch-controller storm-control 489
switch-controller stp-settings 489
switch-controller switch-group 490
switch-controller switch-log 490
switch-controller switch-profile 491
switch-controller vlan 492
system 493
system 3g-modem custom 495
system accprofile 496
Access Level 499
system admin 503
system affinity-interrupt 511
system affinity-packet-redistribution 511
system alarm 512
system alias 512
system api-user 513
system arp-table 513
system auto-install 514
system auto-script 514
system autoupdate push-update 515
system autoupdate schedule 515
system autoupdate tunneling 516
system bypass 516
system central-management 516
system cluster-sync 519
system console 522
system csf 523
system custom-language 524
system ddns 524
system dedicated-mgmt 526
system {dhcp server | dhcp6 server} 526
system dnp3-proxy 535
system dns 536
system dns-database 537
system dns-server 538
system dscp-based-priority 538
system email-server 539
system fips-cc 539
system fm 539
system fortiguard 540
system fortimanager 544
system fortisandbox 545
system fsso-polling 545
system ftm-push 545
system geoip-override 545
system global 547
system gre-tunnel 571
system ha 572
config secondary-vcluster 588
system ha-monitor 588
system interface 589
Aggregate and redundant interface options 615
system ipip-tunnel 616
system ips-urlfilter-dns 617
system ipv6-neighbor-cache 617
system ipv6-tunnel 617
system link-monitor 618
system lte-modem 620
system mac-address-table 621
system management-tunnel 621
system mobile-tunnel 623
system modem 623
system nat64 625
system netflow 626
system network-visibility 626
system np6 627
Optimizing FortiGate-3960E and 3980E IPsec VPN performance 634
system npu 635
sw-np-bandwidth {0G | 2G | 4G | 5G | 6G} 637
system ntp 638
system object-tag 639
system password-policy 639
system password-policy-guest-admin 641
system physical-switch 641
system pppoe-interface 642
system probe-response 643
system proxy-arp 643
system replacemsg admin 644
system replacemsg alertmail 645
alertmail message types 646
system replacemsg auth 647
auth message types 649
Requirements for login page 651
system replacemsg device-detection-portal 651
system replacemsg ec 652
system replacemsg fortiguard-wf 653
fortiguard-wf message types 654
system replacemsg ftp 654
ftp message types 655
system replacemsg http 656
http message types 657
system replacemsg mail 659
mail message types 660
system replacemsg nac-quar 662
nac-quar message types 662
system replacemsg nntp 663
nntp message types 664
system replacemsg spam 665
spam message types 665
system replacemsg sslvpn 667
system replacemsg traffic-quota 668
system replacemsg utm 668
utm message types 669
system replacemsg webproxy 670
system replacemsg-group 671
config {auth | ec | fortiguard-wf | ftp | http | mail | mm1 | mm3 | mm4 | mm7 | nntp | spam} 677
system replacemsg-image 677
system resource-limits 678
system sdn-connector 681
system session-helper 683
system session-ttl 685
system settings 686
system sflow 696
system sit-tunnel 697
system sms-server 698
system snmp community 698
system snmp sysinfo 701
system snmp user 701
system storage 703
system stp 703
system switch-interface 704
system tos-based-priority 706
system vdom 706
system vdom-dns 707
system vdom-link 708
system vdom-netflow 708
system vdom-property 708
system vdom-radius-server 709
system vdom-sflow 709
system virtual-switch 710
system virtual-wan-link 710
Status checking or health checking 714
config service 715
system virtual-wire-pair 715
system vxlan 716
system wccp 717
WCCP router mode 718
WCCP client mode 719
system wireless ap-status 720
system wireless settings 721
system zone 722
user 723
Configuring users for authentication 723
user adgrp 724
user device 725
user device-access-list 727
user device-category 728
user device-group 728
user fortitoken 729
user fsso 730
user fsso-polling 731
user group 733
user krb-keytab 737
user ldap 738
user local 742
user password-policy 745
user peer 746
user peergrp 748
user pop3 749
user radius 749
user security-exempt-list 757
user setting 759
user tacacs+ 762
voip 765
voip profile 765
vpn 780
vpn certificate ca 780
vpn certificate crl 782
vpn certificate local 784
vpn certificate ocsp-server 787
vpn certificate remote 788
vpn certificate setting 789
vpn ipsec concentrator 791
vpn ipsec forticlient 792
vpn ipsec {manualkey-interface | manualkey} 792
vpn ipsec {phase1-interface | phase1} 798
vpn ipsec {phase2-interface | phase2} 827
vpn l2tp 838
vpn pptp 838
vpn ssl settings 839
vpn ssl web host-check-software 847
vpn ssl web portal 849
vpn ssl web realm 859
vpn ssl web user-bookmark 859
vpn ssl web user-group-bookmark 861
waf 866
waf main-class 866
waf profile 866
waf signature 873
waf sub-class 873
wanopt 874
wanopt auth-group 874
wanopt forticache-service 875
wanopt peer 876
wanopt profile 877
wanopt settings 882
wanopt storage 883
wanopt webcache 884
webfilter 888
webfilter content 888
webfilter content-header 889
webfilter cookie-ovrd 889
webfilter fortiguard 890
webfilter ftgd-local-cat 890
webfilter ftgd-local-rating 890
webfilter ips-urlfilter-cache-setting 891
webfilter ips-urlfilter-setting 891
webfilter override 891
webfilter profile 892
webfilter search-engine 896
webfilter urlfilter 897
web-proxy 898
web-proxy debug-url 898
web-proxy explicit 899
web-proxy forward-server 903
web-proxy forward-server-group 905
web-proxy global 906
web-proxy profile 909
web-proxy url-match 911
web-proxy wisp 912
wireless-controller 914
wireless-controller ap-status 914
wireless-controller ble-profile 915
wireless-controller global 916
wireless-controller hotspot20 anqp-3gpp-cellular 918
wireless-controller hotspot20 anqp-ip-address-type 919
wireless-controller hotspot20 anqp-nai-realm 919
wireless-controller hotspot20 anqp-network-auth-type 921
wireless-controller hotspot20 anqp-roaming-consortium 921
wireless-controller hotspot20 anqp-venue-name 921
wireless-controller hotspot20 h2qp-conn-capability 922
wireless-controller hotspot20 h2qp-operator-name 923
wireless-controller hotspot20 h2qp-osu-provider 923
wireless-controller hotspot20 h2qp-wan-metric 924
wireless-controller hotspot20 hs-profile 925
wireless-controller hotspot20 icon 927
wireless-controller hotspot20 qos-map 928
wireless-controller setting 929
wireless-controller timers 932
wireless-controller vap 934
wireless-controller vap-group 947
wireless-controller wids-profile 948
wireless-controller wtp 954
wireless-controller wtp-group 964
wireless-controller wtp-profile 965
execute 987
api-user 987
auto-script 990
backup 990
batch 995
bypass-mode 996
carrier-license 996
central-mgmt 996
cfg reload 997
cfg save 998
clear system arp table 998
cli check-template-status 999
cli status-msg-only 999
date 999
dhcp lease-clear 1000
dhcp lease-list 1000
dhcp6 lease-clear 1000
dhcp6 lease-list 1001
disk 1001
disk raid 1002
disconnect-admin-session 1003
dsscc 1003
enter 1004
erase-disk 1004
extender 1004
factoryreset 1005
factoryreset2 1006
formatlogdisk 1006
forticarrier-license 1006
forticlient 1006
fortiguard-log 1007
fortitoken 1009
fortitoken-mobile 1010
fsso refresh 1011
ha disconnect 1011
ha ignore-hardware-revision 1012
ha manage 1012
ha set-priority 1013
ha synchronize 1014
interface dhcp6client-renew 1014
interface dhcpclient-renew 1014
interface pppoe-reconnect 1015
load-balance 1015
log backup 1016
log delete 1016
log delete-all 1017
log detail 1017
log display 1017
log filter 1018
log filter confsync-member 1019
log flush-cache 1019
log flush-cache-all 1019
log fortianalyzer test-connectivity 1019
log fortiguard test-connectivity 1020
log list 1020
log roll 1021
log upload 1021
log upload-progress 1021
lte-modem 1021
modem dial 1024
modem hangup 1025
modem trigger 1025
mrouter clear 1025
nsx 1026
pbx 1026
ping 1028
ping6 1029
ping-options, ping6-options 1029
policy-packet-capture delete-all 1032
reboot 1033
replace device 1033
report 1033
reset-vd-license 1034
restore 1034
revision 1039
router clear bfd session 1040
router clear bgp 1040
router clear ospf process 1041
router restart 1041
send-fds-statistics 1042
sensor detail 1042
sensor list 1043
set system session filter 1044
set-next-reboot 1046
shutdown 1046
ssh 1047
switch-controller 1047
sync-session 1051
system console-server 1051
system custom-language import 1052
system fortisandbox test-connectivity 1052
tac report 1052
telnet 1052
time 1053
traceroute 1053
tracert6 1053
update-av 1054
update-geo-ip 1054
update-ips 1055
update-list 1055
update-now 1055
update-src-vis 1055
upd-vd-license 1056
upload 1056
usb-device 1058
usb-disk 1058
vpn certificate ca 1059
vpn certificate crl 1060
vpn certificate local export 1060
vpn certificate local generate 1060
vpn certificate local import 1063
vpn certificate remote 1064
vpn ipsec tunnel down 1064
vpn ipsec tunnel up 1065
vpn sslvpn del-all 1065
vpn sslvpn del-tunnel 1065
vpn sslvpn del-web 1065
vpn sslvpn list 1066
webfilter quota-reset 1066
wireless-controller delete-wtp-image 1066
wireless-controller hs20-icon 1066
wireless-controller restart-stad 1067
wireless-controller reset-wtp 1067
wireless-controller restart-acd 1068
wireless-controller restart-wtpd 1068
wireless-controller upload-wtp-image 1068
get 1070
application internet-service status 1070
application internet-service-summary 1070
certificate 1070
extender modem-status 1071
extender sys-info 1072
firewall dnstranslation 1072
firewall iprope appctrl 1072
firewall iprope list 1072
firewall proute, proute6 1073
firewall service custom 1073
firewall shaper 1074
grep 1075
gui console status 1075
hardware cpu 1076
hardware memory 1077
hardware nic 1077
hardware npu 1078
hardware status 1081
ips decoder status 1081
ips rule status 1082
ips session 1082
ips view-map 1083
ipsec tunnel 1083
mgmt-data status 1084
router info bfd neighbor 1084
router info bgp 1084
router info isis 1087
router info kernel 1087
router info multicast 1087
router info ospf 1089
router info protocols 1091
router info rip 1092
router info routing-table 1092
router info vrrp 1093
router info6 bgp 1093
router info6 interface 1094
router info6 kernel 1095
router info6 ospf 1095
router info6 protocols 1095
router info6 rip 1095
router info6 routing-table 1096
switch-controller poe 1096
system admin list 1096
system admin status 1097
system arp 1098
system auto-update 1098
system central-management 1098
system checksum 1099
system cmdb status 1099
system fortianalyzer-connectivity 1100
system fortiguard-log-service status 1100
system fortiguard-service status 1101
system ha-nonsync-csum 1101
system ha status 1101
system info admin status 1105
system info admin ssh 1105
system interface physical 1106
system ip-conflict status 1106
system mgmt-csum 1107
system performance firewall 1107
system performance status 1108
system performance top 1109
system session list 1109
system session status 1110
system session-helper-info list 1111
system session-info 1112
system source-ip 1113
system startup-error-log 1113
system stp list 1113
system status 1113
test 1115
user adgrp 1116
vpn certificate 1117
vpn ike gateway 1117
vpn ipsec tunnel details 1117
vpn ipsec tunnel name 1117
vpn ipsec tunnel summary 1118
vpn ipsec stats crypto 1118
vpn ipsec stats tunnel 1119
vpn ssl monitor 1119
vpn status l2tp 1119
vpn status pptp 1119
vpn status ssl 1120
webfilter categories 1120
webfilter ftgd-statistics 1121
webfilter status 1122
wireless-controller client-info 1122
wireless-controller rf-analysis 1123
wireless-controller scan 1124
wireless-controller spectral-info 1124
wireless-controller status 1124
wireless-controller vap-status 1124
wireless-controller wlchanlistlic 1125
wireless-controller wtp-status 1127
tree 1129

Change log

Date - Change description

March 15, 2019 - Minor updates.

January 30, 2019 - FortiOS 5.6.7 document release. Minor updates.

November 19, 2018 - Added more information about using SCP to admin-scp {enable | disable} on page 557.

October 26, 2018 - Added FortiGate-6000 commands: config load-balance on page 311, execute load-balance on page 1015, execute system console-server on page 1051, execute reset-vd-license on page 1034, and execute log filter confsync-member on page 1019.

September 17, 2018 - FortiOS 5.6.6 document release. Minor updates.

September 5, 2018 - Minor update.

August 22, 2018 - Minor update.

July 10, 2018 - Minor update.

June 21, 2018 - FortiOS 5.6.5 document release. Minor updates.

April 26, 2018 - FortiOS 5.6.4 document release. Minor updates.

February 28, 2018 - Updated config system interface to include LACP options.

January 31, 2018 - Added new feature to What's New section regarding the default FortiGuard services port change from 53 to 8888.

January 25, 2018 - Updated config firewall vip to include SSL options.

January 24, 2018 - FortiOS 5.6.3 document release. Minor updates.

January 16, 2018 - Added a disclaimer to the Introduction regarding the CLI syntax parameter format.

January 3, 2018 - Updated the example output section in get hardware nic.

December 20, 2017 - Added Azure logging commands.

December 15, 2017 - Updated CLI Reference for FortiOS 5.6.3.

November 9, 2017 - Added note under execute upd-vd-license to clarify that, since the release of FortiOS 5.2, upgrading VDOM licenses no longer requires a system reboot.

November 2, 2017 - Added note under config user radius to clarify the difference between the default radius-port value and the global value.

September 21, 2017 - Beta release.

FortiOS™ Handbook - CLI Reference, Fortinet Technologies Inc.

Introduction

This document describes FortiOS 5.6 CLI commands used to configure and manage a FortiGate unit from the command line interface (CLI).

This document is no longer a Beta release, but is still very much a work in progress. Before now, our focus was on documenting the most commonly used CLI commands, or those commands that required more explanation. Therefore, each command now has Supplemental Information sections below the CLI syntax that dive into a little extra detail.

The CLI syntax is created by processing a schema of a particular build of FortiOS 5.6, and reformatting the resulting CLI output into content that resembles the output found in the CLI console.

In addition, we will continue to improve the supplemental information, and have an HTML version up soon accessible from http://cli.fortinet.com.

If you have comments on this content, its format, or requests for commands that are not included, contact us at [email protected].

    How this guide is organized

    This document contains the following sections:

Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate unit boot-up.

    Using the CLI describes how to connect to the CLI and some basics of how it works.

    config describes the commands for each configuration branch of the FortiOS CLI.

    execute describes execute commands.

    get describes get commands.

    tree describes the tree command.

    Availability of commands and options

Some FortiOS™ CLI commands and options are not available on all FortiGate units. The CLI displays an error message if you attempt to enter a command or option that is not available. You can use the question mark ‘?’ to verify the commands and options that are available.

    Commands and options may not be available for the following reasons:

    FortiGate model

Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support the aggregate interface type option of the config system interface command.


    Hardware configuration

For example, some AMC module commands are only available when an AMC module is installed.

    FortiOS Carrier, FortiGate Voice, FortiWiFi, etc

Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.

    Disclaimer: CLI syntax parameter format

For the time being, all CLI commands in this guide display their syntax parameters with braces, or { }. This is a departure from previous versions of the CLI Reference, which used the following criteria:

    < > - Used for variables

    { } - Used for multiple settings

    [ ] - Used for settings that are optional

    See below for an example:

    Current syntax format:

config alertemail setting
    set username {string}
    ...

    Traditional syntax format:

config alertemail setting
    set username ...

For future releases, we will attempt to reintroduce the traditional formatting for all CLI commands and their syntaxes.


Managing firmware with the FortiGate BIOS

FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-based manager or by using the CLI execute restore command. From the console, you can also interrupt the FortiGate unit’s boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.

    Using the BIOS, you can:

- view system information
- format the boot device
- load firmware and reboot
- reboot the FortiGate unit from the backup firmware, which then becomes the default firmware

    Accessing the BIOS

The BIOS menu is available only through direct connection to the FortiGate unit’s Console port. During boot-up, “Press any key” appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS menu appears. If you are too late, the boot-up process continues as usual.

Navigating the menu

The main BIOS menu looks like this:

[C]: Configure TFTP parameters
[R]: Review TFTP paramters
[T]: Initiate TFTP firmware transfer
[F]: Format boot device
[Q]: Quit menu and continue to boot
[I]: System Information
[B]: Boot with backup firmare and set as default
[Q]: Quit menu and continue to boot
[H]: Display this list of options

    Enter C,R,T,F,I,B,Q,or H:

Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An option value in square brackets at the end of the “Enter” line is the default value, which you can enter simply by pressing Return. For example,

    Enter image download port number [WAN1]:

    In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.

    Loading firmware

The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface. You need to know the IP address of the server and the name of the firmware file to download.

The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the downloaded firmware without saving it.

Configuring TFTP parameters

Starting from the main BIOS menu

    [C]: Configure TFTP parameters.

    Selecting the VLAN (if VLANs are used)

    [V]: Set local VLAN ID.

    Choose port and whether to use DHCP

    [P]: Set firmware download port.

The options listed depend on the FortiGate model. Choose the network interface through which the TFTP server can be reached. For example:

[0]: Any of port 1 - 7
[1]: WAN1
[2]: WAN2
Enter image download port number [WAN1]:

[D]: Set DHCP mode.
Please select DHCP setting
[1]: Enable DHCP
[2]: Disable DHCP

    If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].

    Non-DHCP steps

[I]: Set local IP address.
Enter local IP address [192.168.1.188]:

This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same subnet to which the network interface connects.

[S]: Set local subnet mask.
Enter local subnet mask [255.255.252.0]:

    [G]: Set local gateway.

The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the FortiGate unit is connected.

    TFTP and filename

[T]: Set remote TFTP server IP address.
Enter remote TFTP server IP address [192.168.1.145]:

[F]: Set firmware file name.
Enter firmware file name [image.out]:

    Enter [Q] to return to the main menu.
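The subnet rules in the steps above (a temporary address on the interface's own subnet, and a gateway only when the TFTP server is off that subnet) are easy to get wrong at a console prompt with no network stack behind it. The following is an added example, not part of the handbook and not Fortinet code: it checks a candidate set of TFTP parameters with Python's standard ipaddress module before you type them in. The sample values are the defaults the handbook's prompts show; the off-subnet server and gateway addresses in the usage block are constructed.

```python
import ipaddress

# Added example (not from the FortiOS handbook): sanity-check BIOS TFTP
# parameters before starting a transfer. Rules implemented:
#   - the temporary local IP must be a usable host address on its subnet,
#   - it must not collide with the TFTP server,
#   - a gateway is required only when the TFTP server is off-subnet,
#   - a supplied gateway must itself be on the local subnet.

def tftp_plan(local_ip, subnet_mask, tftp_server, gateway=None):
    """Return the derived local network, whether a gateway is required,
    and a list of problems (empty when the parameters are consistent)."""
    problems = []
    iface = ipaddress.ip_interface(f"{local_ip}/{subnet_mask}")
    network = iface.network
    server = ipaddress.ip_address(tftp_server)

    if iface.ip in (network.network_address, network.broadcast_address):
        problems.append("local IP is the network or broadcast address")
    if iface.ip == server:
        problems.append("local IP collides with the TFTP server address")

    gateway_required = server not in network
    if gateway_required:
        if gateway is None:
            problems.append("TFTP server is outside the local subnet but no gateway was given")
        else:
            gw = ipaddress.ip_address(gateway)
            if gw not in network:
                problems.append("gateway is not on the local subnet")
            elif gw == iface.ip:
                problems.append("gateway must not equal the local IP")

    return {
        "network": str(network),
        "gateway_required": gateway_required,
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Handbook defaults: server on the same /22, so no gateway is needed.
    print(tftp_plan("192.168.1.188", "255.255.252.0", "192.168.1.145"))
    # Constructed off-subnet server: a gateway becomes mandatory.
    print(tftp_plan("192.168.1.188", "255.255.252.0", "10.20.30.40"))
    print(tftp_plan("192.168.1.188", "255.255.252.0", "10.20.30.40", "192.168.0.1"))
```

The mask is accepted in dotted form because that is how the BIOS prompt asks for it; ipaddress converts it to prefix length internally. Nothing here can verify that the temporary address is actually unused on the wire, which is the one rule from the procedure that needs a live network to check.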

Initiating TFTP firmware transfer

Starting from the main BIOS menu

    [T]: Initiate TFTP firmware transfer.


    Please connect TFTP server to Ethernet port 'WAN1'.

    MAC: 00:09:0f:b5:55:28

    Connect to tftp server 192.168.1.145 ...

##########################################################
Image Received.
Checking image... OK
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the firmware is copied:

    Programming the boot device now.................................................................................................................................

    Booting the backup firmware

    You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.

Starting from the main BIOS menu

    [B]: Boot with backup firmware and set as default.

    If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:

Failed to mount filesystem. . .
Mount back up partition failed.
Back up image open failed.
Press ‘Y’ or ‘y’ to boot default image.

Using the CLI

The command line interface (CLI) is an alternative configuration tool to the GUI or web-based manager. While the configuration of the GUI uses a point-and-click method, the CLI requires typing commands or uploading batches of commands from a text file, like a configuration script.

This section explains common CLI tasks that an administrator does on a regular basis and includes the topics:

- Connecting to the CLI
- Command syntax
- Sub-commands
- Permissions
- Tips

    Connecting to the CLI

    You can access the CLI in three ways:

- Locally with a console cable — Connect your computer directly to the FortiGate unit’s console port. Local access is required in some cases:
  - If you are installing your FortiGate unit for the first time and it is not yet configured to connect to your network, you may only be able to connect to the CLI using a local serial console connection, unless you reconfigure your computer’s network settings for a peer connection.
  - Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, making local CLI access the only viable option.
- Through the network — Connect your computer through any network attached to one of the FortiGate unit’s network ports. The network interface must have enabled Telnet or SSH administrative access if you connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you connect by accessing the CLI Console in the GUI. The CLI console can be accessed from the upper-right hand corner of the screen and appears as a slide-out window.
- Locally with FortiExplorer for iOS — Use the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate.

    Connecting to the CLI using a local console

    Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:

    • A computer with an available serial communications (COM) port.
    • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package.
    • Terminal emulation software such as HyperTerminal for Microsoft Windows.

    The following procedure describes the connection using Microsoft HyperTerminal software; steps may vary with other terminal emulators.


    To connect to the CLI using a local serial console connection

    1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.

    2. On your management computer, start HyperTerminal.
    3. For the Connection Description, enter a Name for the connection, and select OK.
    4. On the Connect using drop-down, select the communications (COM) port on your management computer you are using to connect to the FortiGate unit.
    5. Select OK.
    6. Select the following Port settings and select OK.

    Bits per second 9600

    Data bits 8

    Parity None

    Stop bits 1

    Flow control None

    7. Press Enter or Return on your keyboard to connect to the CLI.
    8. Type a valid administrator account name (such as admin) and press Enter.
    9. Type the password for that administrator account and press Enter. (In its default state, there is no password for the admin account.)

    The CLI displays the following text:

    Welcome!
    Type ? to list available commands.

    You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.

    Enabling access to the CLI through the network (SSH or Telnet)

    SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its RJ-45 network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.

    If you do not want to use an SSH/Telnet client and you have access to the web-based manager, you can alternatively access the CLI through the network using the CLI Console widget in the web-based manager.

    You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer is not connected directly or through a switch, you must also configure the FortiGate unit with a static route to a router that can forward packets from the FortiGate unit to your computer. You can do this using either a local console connection or the web-based manager.

    Requirements

    • A computer with an available serial communications (COM) port and RJ-45 port
    • Terminal emulation software such as HyperTerminal for Microsoft Windows


    • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package
    • A network cable
    • Prior configuration of the operating mode, network interface, and static route.

    To enable SSH or Telnet access to the CLI using a local console connection

    1. Using the network cable, connect the FortiGate unit’s network port either directly to your computer’s network port, or to a network through which your computer can reach the FortiGate unit.

    2. Note the number of the physical network port.
    3. Using a local console connection, connect and log into the CLI.
    4. Enter the following command:

    config system interface
        edit
            set allowaccess
        end

    where:

    • is the name of the network interface associated with the physical network port and containing its number, such as port1.

    • is the complete, space-delimited list of permitted administrative access protocols, such as https ssh telnet.

    For example, to exclude HTTP, HTTPS, SNMP, and PING, and allow only SSH and Telnet administrative access on port1, enter the following:

    config system interface
        edit port1
            set allowaccess ssh telnet
        end

    5. To confirm the configuration, enter the command to display the network interface’s settings.

    show system interface

    The CLI displays the settings, including the allowed administrative access protocols, for the network interfaces.
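The confirmation step above leaves you with `show system interface` output to read by eye. The following is an added example, not part of the FortiOS handbook or any Fortinet tool: a small Python audit that parses that output, reports every interface whose allowaccess list includes a cleartext management protocol (telnet or http), and builds the CLI lines that re-set the list without them. The `show` text is constructed for the example; the interface names and addresses in it are made up, and the parser assumes the four-space indented `edit "<name>" ... next` layout shown in this section.

```python
import re
from typing import Dict, List

# Constructed sample of `show system interface` output; not captured from a real unit.
SAMPLE_SHOW = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.5 255.255.255.0
        set allowaccess ping
    next
end
"""

# Cleartext management protocols: credentials and sessions cross the wire unencrypted.
INSECURE = {"telnet", "http"}


def parse_allowaccess(show_output: str) -> Dict[str, List[str]]:
    """Map each interface name to its allowaccess list.
    An interface without a `set allowaccess` line permits no administrative access."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        header = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if header:
            current = header.group(1)
            interfaces[current] = []
        elif current and line.startswith("set allowaccess "):
            interfaces[current] = line.split()[2:]
        elif line == "next":
            current = None
    return interfaces


def find_insecure(show_output: str) -> Dict[str, List[str]]:
    """Return only the interfaces that allow a protocol from INSECURE, with the offenders."""
    return {
        name: sorted(set(protos) & INSECURE)
        for name, protos in parse_allowaccess(show_output).items()
        if set(protos) & INSECURE
    }


def remediation(name: str, protos: List[str]) -> str:
    """CLI lines that drop the insecure protocols from one interface.
    `set` replaces the whole list, so every protocol to keep is spelled out again."""
    keep = [p for p in protos if p not in INSECURE]
    body = f"set allowaccess {' '.join(keep)}" if keep else "unset allowaccess"
    return f'config system interface\n    edit "{name}"\n        {body}\n    next\nend'


if __name__ == "__main__":
    for name, bad in find_insecure(SAMPLE_SHOW).items():
        print(f"{name}: allows {', '.join(bad)}")
        print(remediation(name, parse_allowaccess(SAMPLE_SHOW)[name]))
```

Run against a real `show system interface` capture, the script flags any interface still reachable over Telnet or HTTP; the generated block repeats the protocols to keep because, as the handbook notes later under "Adding and removing options from lists", `set` overwrites the previous list rather than appending to it.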

    Connecting to the CLI using SSH

    Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

    Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate units support 3DES and Blowfish encryption algorithms for SSH.

    Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSH connections. The following procedure uses PuTTY. Steps may vary with other SSH clients.

    To connect to the CLI using SSH

    1. On your management computer, start an SSH client.
    2. In Host Name (or IP address), enter the IP address of a network interface on which you have enabled SSH administrative access.
    3. Set a Port of 22.


    4. For the Connection type, select SSH.
    5. Select Open.

    The SSH client connects to the FortiGate unit.

    The SSH client may display a warning if this is the first time you are connecting to the FortiGate unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiGate unit but used a different IP address or SSH key. This is normal if your management computer is directly connected to the FortiGate unit with no network hosts between them.

    6. Click Yes to verify the fingerprint and accept the FortiGate unit’s SSH key. You will not be able to log in until you have accepted the key.

    7. The CLI displays a login prompt.
    8. Type a valid administrator account name (such as admin) and press Enter.
    9. Type the password for this administrator account and press Enter.

    The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

    If three incorrect login or password attempts occur in a row, you will be disconnected. If this occurs, wait one minute, then reconnect to attempt the login again.

    Connecting to the CLI using Telnet

    Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

    Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

    Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnet connections.

    To connect to the CLI using Telnet

    1. On your management computer, start a Telnet client.
    2. Connect to a FortiGate network interface on which you have enabled Telnet.
    3. Type a valid administrator account name (such as admin) and press Enter.
    4. Type the password for this administrator account and press Enter.

    The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

    If three incorrect login or password attempts occur in a row, you will be disconnected. If this occurs, wait one minute, then reconnect to attempt the login again.


    Command syntax

    When entering a command, the CLI console requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.

    Fortinet documentation uses the conventions below to describe valid command syntax.

    Terminology

    Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects.

    To describe the function of each word in the command line, especially if that nature has changed between firmware versions, Fortinet uses terms with the following definitions.

    Command syntax terminology

    • Command — A word that begins the command line and indicates an action that the FortiGate unit should perform on a part of the configuration or host on the network, such as config or execute. Together with other words, such as fields or values, that end when you press the Enter key, it forms a command line. Exceptions include multi-line command lines, which can be entered using an escape sequence. Valid command lines must be unambiguous if abbreviated. Optional words or other command line permutations are indicated by syntax notation.

    • Sub-command — A kind of command that is available only when nested within the scope of another command. After entering a command, its applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command. Indentation is used to indicate levels of nested commands. Not all top-level commands have sub-commands. Available sub-commands vary by their containing scope.

    • Object — A part of the configuration that contains tables and/or fields. Valid command lines must be specific enough to indicate an individual object.

    • Table — A set of fields that is one of possibly multiple similar sets which each have a name or number, such as an administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by other parts of the configuration that use them.


    • Field — The name of a setting, such as ip or hostname. Fields in some tables must be configured with values. Failure to configure a required field will result in an invalid object configuration error message, and the FortiGate unit will discard the invalid table.

    • Value — A number, letter, IP address, or other type of input that is usually your configuration setting held by a field. Some commands, however, require multiple input values which may not be named but are simply entered in sequential order in the same command line. Valid input types are indicated by constraint notation.

    • Option — A kind of value that must be one or more words from a fixed set of options.

    Indentation

    Indentation indicates levels of nested commands, which indicate what other sub-commands are available from within the scope. For example, the edit sub-command is available only within a command that affects tables, and the next sub-command is available only from within the edit sub-command:

    config system interface
        edit port1
            set status up
        next
    end

    Notation

    Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as, indicate which data types or string patterns are acceptable value input.

    Command syntax notation

    Convention Description

    Square brackets [ ] — An optional word or series of words. For example:

    [verbose {1 | 2 | 3}]

    indicates that you may either omit or type both the verbose word and its accompanying option, such as verbose 3.

    Curly braces { } — A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

    Options delimited by vertical bars | — Mutually exclusive options. For example:

    {enable | disable}

    indicates that you must enter either enable or disable, but must not enter both.


    Angle brackets — A word constrained by data type. The angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example, , indicates that you should enter a number of retries as an integer.

    Data types include:

    • : A name referring to another part of the configuration, such as policy_A.
    • : An index number referring to another part of the configuration, such as 0 for the first static route.
    • : A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
    • : A fully qualified domain name (FQDN), such as mail.example.com.
    • : An email address, such as [email protected]
    • : An IPv4 address, such as 192.168.1.99.
    • : A dotted decimal IPv4 netmask, such as 255.255.255.0.
    • : A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
    • : A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.1/24
    • : A hyphen ( - )-delimited inclusive range of IPv4 addresses, such as 192.168.1.1-192.168.1.255.
    • : A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
    • : An IPv6 netmask, such as /96.
    • : A dotted decimal IPv6 address and netmask separated by a space.
    • : A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
    • : An integer number that is not another data type, such as 15 for the number of minutes.

    Options delimited by spaces — Non-mutually exclusive options. For example:

    {http https ping snmp ssh telnet}

    indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:

    ping https ssh


    Sub-commands

    Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects:

    get system admin

    Sub-commands are available from within the scope of some commands. When you enter a sub-command level, the command prompt changes to indicate the name of the current command scope. For example, after entering:

    config system admin

    the command prompt becomes:

    (admin)#

    Applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command.

    For example, the edit sub-command is available only within a command that affects tables; the next sub-command is available only from within the edit sub-command:

    config system interface
        edit port1
            set status up
        next
    end

    Sub-command scope is indicated by indentation.

    Available sub-commands vary by command. From a command prompt within config, two types of sub-commands might become available:

    • commands affecting fields
    • commands affecting tables

    Commands for tables

    clone Clone (or make a copy of) a table from the current object.

    For example, in config firewall policy, you could enter the following command to clone security policy 27 to create security policy 30:

    clone 27 to 30

    In config antivirus profile, you could enter the following command to clone an antivirus profile named av_pro_1 to create a new antivirus profile named av_pro_2:

    clone av_pro_1 to av_pro_2

    clone may not be available for all tables.


    delete Remove a table from the current object.

    For example, in config system admin, you could delete an administrator account named newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its fields, such as newadmin’s first-name and email-address.

    delete is only available within objects containing tables.

    edit Create or edit a table in the current object.

    For example, in config system admin:

    •   edit the settings for the default admin administrator account by typing edit admin.
    •   add a new administrator account with the name newadmin and edit newadmin‘s settings by typing edit newadmin.

    edit is an interactive sub-command: further sub-commands are available from within edit.

    edit changes the prompt to reflect the table you are currently editing.

    edit is only available within objects containing tables.

    In objects such as security policies, is a sequence number. To create a new entry without the risk of overwriting an existing one, enter edit 0. The CLI initially confirms the creation of entry 0, but assigns the next unused number after you finish editing and enter end.

    end Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.

    get List the configuration of the current object or table.

    •   In objects, get lists the table names (if present), or fields and their values.
    •   In a table, get lists the fields and their values.


    purge

    Remove all tables in the current object.

    For example, in config user local, you could type get to see the list of user names, then type purge and then y to confirm that you want to delete all users.

    purge is only available for objects containing tables.

    Caution: Back up the FortiGate before performing a purge. purge cannot be undone. To restore purged tables, the configuration must be restored from a backup.

    Caution: Do not purge system interface or system admin tables. purge does not provide default tables. This can result in being unable to connect or log in, requiring the FortiGate unit to be formatted and restored.

    rename to Rename a table.

    For example, in config system admin, you could rename admin3 to fwadmin by typing rename admin3 to fwadmin.

    rename is only available within objects containing tables.

    show Display changes to the default configuration. Changes are listed in the form of configuration commands.

    Example of table commands

    From within the system admin object, you might enter:

    edit admin_1

    The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1 table:

    new entry 'admin_1' added
    (admin_1)#

    Commands for fields

    abort Exit both the edit and/or config commands without saving the fields.

    append Add an option to an existing list.

    end Save the changes made to the current table or object fields, and exit the config command (to exit without saving, use abort instead).


    get

    List the configuration of the current object or table.

    •   In objects, get lists the table names (if present), or fields and their values.
    •   In a table, get lists the fields and their values.

    move Move an object within a list, when list order is important. For example, rearranging security policies within the policy list.

    next

    Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt (to save and exit completely to the root prompt, use end instead).

    next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time.

    next is only available from a table prompt; it is not available from an object prompt.

    select Clear all options except for those specified.

    For example, if a group contains members A, B, C, and D and you remove all users except for B, use the command select member B.

    set

    Set a field’s value.

    For example, in config system admin, after typing edit admin, you could type set password newpass to change the password of the admin administrator to newpass.

    Note: When using set to change a field containing a space-delimited list, type the whole new list. For example, set will replace the list with the rather than appending to the list.

    show Display changes to the default configuration. Changes are listed in the form of configuration commands.

    unselect Remove an option from an existing list.

    unset Reset the table or object’s fields to default values.

    For example, in config system admin, after typing edit admin, typing unset password resets the password of the admin administrator account to the default (in this case, no password).

    Example of field commands

    From within the admin_1 table, you might enter:

    set password my1stExamplePassword

    to assign the value my1stExamplePassword to the password field. You might then enter the next command to save the changes and edit the next administrator’s table.


    Permissions

    Access profiles control which CLI commands an administrator account can access. Access profiles assign either read, write, or no access to each area of FortiOS. To view configurations, you must have read access. To make changes, you must have write access. So, depending on the account used to log in to the FortiGate, you may not have complete access to all CLI commands. For complete access to all commands, you must log in with an administrator account that has the super_admin access profile. By default the admin administrator account has the super_admin access profile.

    Administrator accounts with the super_admin access profile are similar to a root administrator account that always has full permission to view and change all FortiGate configuration options, including viewing and changing all other administrator accounts and including changing other administrator account passwords.

    Increasing the security of administrator accounts

    Set strong passwords for all administrator accounts (including the admin account) and change passwords regularly.

    For more information about increasing the security of administrator accounts, see:

    • Hardening your FortiGate (https://docs.fortinet.com/document/fortigate/5.6.0/hardening-your-fortigate)

    Tips

    Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

    Help

    To display brief help during command entry, press the question mark (?) key.

    • Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.

    • Type a word or part of a word, then press the question mark (?) key to display a list of valid word completions or subsequent words, and to display a description of each.

    Shortcuts and key commands

    Keys Action

    ? List valid word completions or subsequent words.

    If multiple words could complete your entry, display all possible completions with helpful descriptions of each.


    Tab Complete the word with the next available match.

    Press the Tab key multiple times to cycle through available matches.

    Up arrow, or Ctrl + P

    Recall the previous command.

    Command memory is limited to the current session.

    Down arrow, or Ctrl + N

    Recall the next command.

    Left or Right arrow

    Move the cursor left or right within the command line.

    Ctrl + A Move the cursor to the beginning of the command line.

    Ctrl + E Move the cursor to the end of the command line.

    Ctrl + B Move the cursor backwards one word.

    Ctrl + F Move the cursor forwards one word.

    Ctrl + D Delete the current character.

    Ctrl + C Abort current interactive commands, such as when entering multiple lines.

    If you are not currently within an interactive command such as config or edit, this closes the CLI connection.

    \ then Enter Continue typing a command on the next line for a multi-line command.

    For each line that you want to continue, terminate it with a backslash ( \ ). To complete the command line, terminate it by pressing the spacebar and then the Enter key, without an immediately preceding backslash.

    Command abbreviation

    You can abbreviate words in the command line to their smallest number of non-ambiguous characters.

    For example, the command get system status could be abbreviated to g sy stat.
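The rule behind this shortcut is prefix matching at each level of the command tree, and the "non-ambiguous" condition is what makes it safe to use in scripts. The following added example (not part of the handbook, and not how FortiOS implements it internally) models that rule in Python: it expands each word against a constructed fragment of the command tree, accepts an exact word even when a longer word shares its prefix, refuses an abbreviation that could mean two things, and lists what `?` would offer at a given point. The tree below is an assumption for illustration and covers only a handful of real command words.

```python
from typing import Dict, List

# Constructed fragment of the command tree; the real FortiOS tree is far larger.
# Leaves are empty dicts.
COMMAND_TREE: Dict = {
    "get": {"system": {"status": {}, "session": {}, "admin": {}}, "hardware": {"nic": {}}},
    "config": {"system": {"interface": {}, "admin": {}, "global": {}}, "firewall": {"policy": {}}},
    "show": {"system": {"interface": {}, "replacemsg": {}}},
    "execute": {"ping": {}, "reboot": {}},
    "diagnose": {"debug": {}},
}


class AmbiguousAbbreviation(ValueError):
    """Raised when an abbreviation has more than one possible completion."""


def expand_word(abbrev: str, candidates) -> str:
    """Expand one word: an exact match wins; otherwise exactly one prefix match is required."""
    if abbrev in candidates:
        return abbrev
    matches = sorted(c for c in candidates if c.startswith(abbrev))
    if not matches:
        raise KeyError(f"no command word starts with {abbrev!r}")
    if len(matches) > 1:
        raise AmbiguousAbbreviation(f"{abbrev!r} could be any of {matches}")
    return matches[0]


def expand_command(line: str, tree: Dict = COMMAND_TREE) -> List[str]:
    """Expand every word of an abbreviated command line against the tree, level by level."""
    node = tree
    expanded: List[str] = []
    for word in line.split():
        full = expand_word(word, node.keys())
        expanded.append(full)
        node = node[full]
    return expanded


def is_ambiguous(line: str, tree: Dict = COMMAND_TREE) -> bool:
    """True when some word of the line has more than one completion."""
    try:
        expand_command(line, tree)
    except AmbiguousAbbreviation:
        return True
    return False


def completions(line: str, tree: Dict = COMMAND_TREE) -> List[str]:
    """What `?` would list after the given (possibly abbreviated) words."""
    node = tree
    for word in line.split():
        node = node[expand_word(word, node.keys())]
    return sorted(node.keys())


if __name__ == "__main__":
    print(" ".join(expand_command("g sy stat")))   # get system status
    print(completions("g sy"))                      # words that may follow `get system`
    print(is_ambiguous("g sy s"))                   # True: status or session
```

The point for scripting is that an abbreviation which is unique today can become ambiguous when a firmware upgrade adds a sibling command word; spelling commands out in stored scripts avoids that.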

    Adding and removing options from lists

    When adding options to a list, such as a user group, using the set command will remove the previous configuration. For example, if you wish to add user D to a user group that already contains members A, B, and C, the command would need to be set member A B C D. If only set member D was used, then all former members would be removed from the group.

    However, there are additional commands which can be used instead of set for changing options in a list.


    Additional commands for lists

    append Add an option to an existing list.

    For example, append member would add user D to a user group while all previous group members are retained.

    select Clear all options except for those specified.

    For example, if a group contains members A, B, C, and D and you remove all users except for B, use the command select member B.

    unselect Remove an option from an existing list.

    For example, unselect member A would remove member A from a group while all previous group members are retained.

    Environment variables

    The CLI supports the following environment variables. Variable names are case-sensitive.

    Environment variables

    $USERFROM The management access type (ssh, telnet, jsconsole for the CLI Console widget in the web-based manager, and so on) and the IP address of the administrator that configured the item.

    $USERNAME The account name of the administrator that configured the item.

    $SerialNum The serial number of the FortiGate unit.

    For example, the FortiGate unit’s host name can be set to its serial number:

    config system global
        set hostname $SerialNum
    end

    Special characters

    The following special characters, also known as reserved characters, are not permitted in most CLI fields:

    < > ( ) # ' "

    You may be able to enter special characters as part of a string’s value by using a special command, enclosing it in quotes, or preceding it with an escape sequence — in this case, a backslash ( \ ) character.

    In other cases, different keystrokes are required to input a special character. If you need to enter ? as part of config, you first need to input CTRL-V. If you enter ? without first using CTRL-V, the question mark has a different meaning in the CLI; it will show available command options in that section.

    For example, if you enter ? without CTRL-V:


    edit "*.xe
    token line: Unmatched double quote.

    If you enter ? with CTRL-V:

    edit "*.xe?"
    new entry '*.xe?' added

    Entering special characters

    Character Keys

    ? Ctrl + V then ?

    Tab Ctrl + V then Tab

    Space (to be interpreted as part of a string value, not to end the string)

    Enclose the string in quotation marks: "Security Administrator".

    Enclose the string in single quotes: 'Security Administrator'.

    Precede the space with a backslash: Security\ Administrator.

    ' (to be interpreted as part of a string value, not to end the string) \'

    " (to be interpreted as part of a string value, not to end the string) \"

    \ \\
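The escape rules in the table matter most when CLI scripts are generated from data that an administrator did not type by hand (a user directory export, a ticket field, an inventory system): an unescaped double quote in such a value ends the string early and whatever follows is parsed as CLI. The following added example, which is not from the handbook or any Fortinet tool, applies the table's quoting and backslash rules in Python when rendering `set` lines, and refuses values containing the reserved characters for which the table gives no escape (`<`, `>`, `(`, `)`, `#`). The interactive Ctrl+V cases for `?` and Tab are keystrokes, not text, and are not handled here; the field and table names used in the demonstration are chosen for illustration.

```python
from typing import Dict

# Reserved in most fields and with no escape sequence in the table above; a value
# containing one is refused rather than emitted into a script.
UNESCAPABLE = set("<>()#")


def quote_value(value: str) -> str:
    """Wrap value in double quotes, escaping backslash and double quote with
    the \\\\ and \\" sequences from the table above (backslash is escaped first,
    so an escape we add is never re-escaped)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def has_unescapable(value: str) -> bool:
    """True when the value contains a reserved character this function cannot escape."""
    return bool(UNESCAPABLE & set(value))


def set_line(field: str, value: str) -> str:
    """Render one `set <field> <value>` line for a generated script.
    Quoting keeps spaces and quotes inside the value, so text taken from an
    external source cannot terminate the string early and inject a second command."""
    if has_unescapable(value):
        raise ValueError(f"value for {field} contains reserved character(s) "
                         f"{sorted(UNESCAPABLE & set(value))}")
    return f"set {field} {quote_value(value)}"


def script(table: str, entry: str, fields: Dict[str, str]) -> str:
    """Assemble a config / edit / set / next / end block from a dict of field values."""
    lines = [f"config {table}", f"    edit {quote_value(entry)}"]
    lines += [f"        {set_line(f, v)}" for f, v in fields.items()]
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values: a comment with embedded quotes and a space, as might come
    # from an external system.
    print(script("system admin", "admin_1", {"comments": 'Security "Admin" team'}))
```

If a value with an unescapable character is legitimately needed, the handbook's advice above applies: enter it interactively with the keystrokes the table lists rather than through a generated script.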

    Using grep to filter get and show command output

    In many cases, the get and show (and diagnose) commands may produce a large amount of output. If you are looking for specific information in a large get or show command output, you can use the grep command to filter the output to only display what you are looking for. The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.

    Use the following command to display the MAC address of the FortiGate unit internal interface:

    get hardware nic internal | grep Current_HWaddr
    Current_HWaddr 00:09:0f:cb:c2:75

    Use the following command to display all TCP sessions in the session list and include the session list line number in the output:

    get system session list | grep -n tcp


    Use the following command to display all lines in HTTP replacement message commands that contain URL (upper or lower case):

    show system replacemsg http | grep -i url

    There are three additional options that can be applied to grep:

    -A After
    -B Before
    -C Context

    The option -f is also available to support contextual output, in order to show the complete configuration. The following example shows the difference in output when the -f option is used versus when it is not.

    Using -f:

    show | grep -f ldap-group1
    config user group
        edit "ldap-group1"
            set member "pc40-LDAP"
        next
    end
    config firewall policy
        edit 2
            set srcintf "port31"
            set dstintf "port32"
            set srcaddr "all"
            set action accept
            set identity-based enable
            set nat enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                    set groups "ldap-group1"
                    set dstaddr "all"
                    set service "ALL"
                next
            end
        next
    end

    Without using -f:

    show | grep ldap-group1
        edit "ldap-group1"
                set groups "ldap-group1"

    Language support and regular expressions

    Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the item being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but some items with arbitrary names or values may be input using your language of choice. To use other languages in those cases, you must use the correct encoding.


    Input is stored using Unicode UTF-8 encoding but is not normalized from other encodings into UTF-8 before it is stored. If your input method encodes some characters differently than in UTF-8, your configured items may not display or operate as expected.

    Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may not be what you expect.

    For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ ) and vice versa. A regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not work if the symbol is entered using the wrong encoding.

    For best results, you should:

    • use UTF-8 encoding, or
    • use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings, or
    • for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.

HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the client's operating system or input language. If you cannot predict the client's encoding, you may only be able to match any parts of the request that are in English, because regardless of the encoding, the values for English characters tend to be encoded identically. For example, English words may be legible regardless of interpreting a web page as either ISO 8859-1 or as GB2312, whereas simplified Chinese characters might only be legible if the page is interpreted as GB2312.
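The Shift-JIS backslash/yen confusion described above, shown as an added Python example (editor's code, not part of the FortiOS reference). The request bodies are constructed, not captured traffic; the Shift-JIS body is written as raw bytes because Shift-JIS encodes the yen sign as byte 0x5C, the ASCII backslash. The point the code makes is that a pattern compiled from UTF-8 text silently misses the Shift-JIS body, while a pattern written for Shift-JIS clients also fires on ordinary backslashes:

```python
import re

# Pattern written in UTF-8 source text, intended to match a yen amount such as
# "¥1000" in an HTTP request body.
YEN_AMOUNT_UTF8 = re.compile(r"¥\d+")

# The same intent for Shift-JIS clients, as a byte pattern: Shift-JIS has no
# distinct byte for the yen sign and uses 0x5C, the ASCII backslash.
YEN_AMOUNT_SJIS = re.compile(rb"\x5c\d+")

# Constructed request bodies (not captured traffic).
BODY_UTF8 = "price=¥1000".encode("utf-8")   # b'price=\xc2\xa51000'
BODY_SJIS = b"price=\x5c1000"                 # yen sign as a Shift-JIS client sends it
BODY_PATH = b"file=C:\x5c1000.txt"            # an ASCII backslash, not a yen sign


def match_as_utf8(body: bytes) -> bool:
    """Decode the body as UTF-8 and apply the UTF-8 pattern.

    This mirrors matching against values stored as UTF-8: bytes that are not
    valid UTF-8 count as no match rather than raising.
    """
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return YEN_AMOUNT_UTF8.search(text) is not None


def match_as_sjis(body: bytes) -> bool:
    """Apply the Shift-JIS byte pattern directly to the raw body."""
    return YEN_AMOUNT_SJIS.search(body) is not None


def match_for_client(body: bytes, charset: str) -> bool:
    """Choose the pattern from the charset the client declared (for example
    in Content-Type). Unknown charsets fall back to UTF-8 matching."""
    name = charset.lower().replace("_", "-")
    if name in ("shift-jis", "sjis", "windows-31j", "cp932"):
        return match_as_sjis(body)
    return match_as_utf8(body)


if __name__ == "__main__":
    for label, body in (("utf8", BODY_UTF8), ("sjis", BODY_SJIS), ("path", BODY_PATH)):
        print(f"{label}: utf8-pattern={match_as_utf8(body)} sjis-pattern={match_as_sjis(body)}")
```

The Shift-JIS body decodes as UTF-8 without error (every byte is ASCII), so nothing signals that the yen sign has turned into a backslash; the miss is silent. The byte pattern fixes that body but matches the Windows path too, which is the "vice versa" case in the text. Selecting the pattern by the client's declared charset is the practical form of the advice to use the same encoding as your HTTP clients.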

If you configure your FortiGate unit using other encodings, you may need to switch language settings on your management computer, including for your web browser or Telnet/SSH client. For instructions on how to configure your management computer's operating system language, locale, or input method, see its documentation.

If you choose to configure parts of the FortiGate unit using non-ASCII characters, verify that all systems interacting with the FortiGate unit also support the same encodings. You should also use the same encoding throughout the configuration if possible in order to avoid needing to switch the language settings of the web-based manager and your web browser or Telnet/SSH client while you work.

Similarly to input, your web browser or CLI client should normally interpret display output as encoded using UTF-8. If it does not, your configured items may not display correctly in the GUI or CLI. Exceptions include items such as regular expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that the FortiGate unit receives.

To enter non-ASCII characters in the CLI Console:

1. On your management computer, start your web browser and go to the URL for the FortiGate unit's GUI.
2. Configure your web browser to interpret the page as UTF-8 encoded.
3. Log in to the FortiGate unit.
4. Open the CLI Console from the upper right-hand corner.
5. In the title bar of the CLI Console widget, click Edit (the pencil icon).
6. Enable Use external command input box and select OK.
7. The Command field appears below the usual input and display area of the CLI Console.
8. Type a command in this field and press Enter.


In the display area, the CLI Console widget displays your previous command interpreted into its character code equivalent, such as:

    edit \743\601\613\743\601\652

    and the command’s output.

To enter non-ASCII characters in a Telnet/SSH client:

1. On your management computer, start your Telnet or SSH client.
2. Configure your Telnet or SSH client to send and receive characters using UTF-8 encoding.

   Support for sending and receiving international characters varies by each Telnet/SSH client. Consult the documentation for your Telnet/SSH client.

3. Log in to the FortiGate unit.
4. At the command prompt, type your command and press Enter.

   You may need to surround words that use encoded characters with single quotes ( ' ).

   Depending on your Telnet/SSH client's support for your language's input methods and for sending international characters, you may need to interpret them into character codes before pressing Enter.

   For example, you might need to enter:

   edit '\743\601\613\743\601\652'

5. The CLI displays your previous command and its output.

Screen paging

You can configure the CLI to pause after displaying each page's worth of text when displaying multiple pages of output. When the display pauses, the last line displays --More--. You can then either:

• press the spacebar to display the next page.
• type Q to truncate the output and return to the command prompt.

This may be useful when displaying lengthy output, such as the list of possible matching commands for command completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of your terminal emulator, you can simply display one page at a time.

    To configure the CLI Console to pause display when the screen is full:

config system console
    set output more
end

Baud rate

You can change the default baud rate of the local console connection.

To change the baud rate enter the following commands:

config system console
    set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
end


Editing the configuration file on an external host

You can edit the FortiGate configuration on an external host by first backing up the configuration file to a TFTP server. Then edit the configuration file and restore it to the FortiGate unit.

Editing the configuration on an external host can be timesaving if you have many changes to make, especially if your plain text editor provides advanced features such as batch changes.

    To edit the configuration on your computer:

1. Use execute backup to download the configuration file to a TFTP server, such as your management computer. TFTP carries the file with no authentication or encryption, so do this only over a trusted management network.

2. Edit the configuration file using a plain text editor that supports Unix-style line endings.

   Do not edit the first line. The first line(s) of the configuration file (preceded by a # character) contain information about the firmware version and FortiGate model. If you change the model number, the FortiGate unit will reject the configuration file when you attempt to restore it.

3. Use execute restore to upload the modified configuration file back to the FortiGate unit.

   The FortiGate unit downloads the configuration file and checks that the model information is correct. If it is correct, the FortiGate unit loads the configuration file and checks each command for errors. If a command is invalid, the FortiGate unit ignores the command. If the configuration file is valid, the FortiGate unit restarts and loads the new configuration.

   Because an invalid command is ignored rather than rejected, a typo in an edited line silently drops that setting instead of failing the restore. After the unit restarts, compare the running configuration with the file you uploaded before relying on the change.
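The editing step above, as an added Python example (editor's code, not a Fortinet tool) for making batch changes to a backed-up configuration while protecting the # header lines that carry the firmware version and model. The sample backup is constructed and its header values (model, build number, file version) are hypothetical; the helper keeps the header out of reach of the substitutions, normalizes line endings to Unix style, and exposes a pre-restore check that the header is byte-for-byte unchanged:

```python
import re
from typing import List, Tuple

# Constructed sample of a FortiOS configuration backup. The header values
# are hypothetical; a real header carries the firmware version and model.
SAMPLE_BACKUP = (
    "#config-version=FGT60E-5.6.7-FW-build1653-190222:opmode=0:vdom=0:user=admin\r\n"
    "#conf_file_ver=1234567890\r\n"
    "#buildno=1653\r\n"
    "#global_vdom=1\r\n"
    "config system global\r\n"
    "    set hostname \"fw-branch-01\"\r\n"
    "end\r\n"
    "config system admin\r\n"
    "    edit \"admin\"\r\n"
    "        set trusthost1 192.0.2.10 255.255.255.255\r\n"
    "    next\r\n"
    "end\r\n"
)


def split_header(text: str) -> Tuple[List[str], List[str]]:
    """Split a backup into its leading '#' header lines and the body.

    Line endings are normalized to Unix style, which is what the editor
    must preserve before the file is restored.
    """
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    i = 0
    while i < len(lines) and lines[i].startswith("#"):
        i += 1
    return lines[:i], lines[i:]


def batch_edit(text: str, substitutions: List[Tuple[str, str]]) -> str:
    """Apply (regex, replacement) pairs line by line to the body only.

    The header is re-emitted untouched, so a careless global replace
    (for example on a model name) cannot corrupt it.
    """
    header, body = split_header(text)
    edited = []
    for line in body:
        for pattern, repl in substitutions:
            line = re.sub(pattern, repl, line)
        edited.append(line)
    return "\n".join(header + edited)


def header_matches(original: str, edited: str) -> bool:
    """Pre-restore check: the version/model header must be unchanged."""
    return split_header(original)[0] == split_header(edited)[0]


def unix_line_endings(text: str) -> bool:
    """True when the file contains no carriage returns."""
    return "\r" not in text


if __name__ == "__main__":
    new_file = batch_edit(SAMPLE_BACKUP, [(r"192\.0\.2\.10", "198.51.100.5")])
    print("header intact:", header_matches(SAMPLE_BACKUP, new_file))
    print(new_file)
```

The substitutions are applied per line so a pattern cannot accidentally span a config/end boundary. Running the header check before execute restore catches the one edit the unit will refuse outright; it does not catch a mistyped command in the body, which the unit silently ignores, so a post-restore comparison is still needed.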


  • config

    Use the config commands to change your FortiGate's configuration.

The command branches and commands are in alphabetical order. The information in this section has been extracted and formatted from FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted from CLI help) and default values. This is the first version of this content produced in this way. You can send comments about this content to [email protected]


  • alertemail

    Use the alert email command to configure various alert email settings.

    This section includes syntax for the following commands:

• alertemail setting

    alertemail setting

Use this command to configure the FortiGate unit to send an alert email to up to three recipients.

This command can also be configured to send an alert email a certain number of days before FortiGuard licenses expire and/or when the disk usage exceeds a certain threshold amount. You need to configure an SMTP server before configuring alert email settings.

config alertemail setting
    set username {string}   Name that appears in the From: field of alert emails (max. 36 characters). size[35]
    set mailto1 {string}   Email address to send alert email to (usually a system administrator) (max. 64 characters). size[63]
    set mailto2 {string}   Optional second email address to send alert email to (max. 64 characters). size[63]
    set mailto3 {string}   Optional third email address to send alert email to (max. 64 characters). size[63]
    set filter-mode {category | threshold}   How to filter log messages that are sent to alert emails.
        category    Filter based on category.
        threshold   Filter based on severity.
    set email-interval {integer}   Interval between sending alert emails (1 - 99999 min, default = 5). range[1-99999]
    set IPS-logs {enable | disable}   Enable/disable IPS logs in alert email.
    set firewall-authentication-failure-logs {enable | disable}   Enable/disable firewall authentication failure logs in alert email.
    set HA-logs {enable | disable}   Enable/disable HA logs in alert email.
    set IPsec-errors-logs {enable | disable}   Enable/disable IPsec error logs in alert email.
    set FDS-update-logs {enable | disable}   Enable/disable FortiGuard update logs in alert email.
    set PPP-errors-logs {enable | disable}   Enable/disable PPP error logs in alert email.
    set sslvpn-authentication-errors-logs {enable | disable}   Enable/disable SSL-VPN authentication error logs in alert email.
    set antivirus-logs {enable | disable}   Enable/disable antivirus logs in alert email.
    set webfilter-logs {enable | disable}   Enable/disable web filter logs in alert email.
    set configuration-changes-logs {enable | disable}   Enable/disable configuration change logs in alert email.
    set violation-traffic-logs {enable | disable}   Enable/disable violation traffic logs in alert email.
    set admin-login-logs {enable | disable}   Enable/disable administrator login/logout logs in alert email.
    set FDS-license-expiring-warning {enable | disable}   Enable/disable FortiGuard license expiration warnings in alert email.
    set log-disk-usage-warning {enable | disable}   Enable/disable disk usage warnings in alert email.
    set fortiguard-log-quota-warning {enable | disable}   Enable/disable FortiCloud log quota warnings in alert email.
    set amc-interface-bypass-mode {enable | disable}   Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode logs in alert email.
    set FIPS-CC-errors {enable | disable}   Enable/disable FIPS and Common Criteria error logs in alert email.
    set FSSO-disconnect-logs {enable | disable}   Enable/disable logging of FSSO collector agent disconnect.
    set FDS-license-expiring-days {integer}   Number of days to send alert email prior to FortiGuard license expiration (1 - 100 days, default = 100). range[1-100]
    set local-disk-usage {integer}   Disk usage percentage at which to send alert email (1 - 99 percent, default = 75). range[1-99]
    set emergency-interval {integer}   Emergency alert interval in minutes. range[1-99999]
    set alert-interval {integer}   Alert-level alert interval in minutes. range[1-99999]
    set critical-interval {integer}   Critical alert interval in minutes. range[1-99999]
    set error-interval {integer}   Error alert interval in minutes. range[1-99999]
    set warning-interval {integer}   Warning alert interval in minutes. range[1-99999]
    set notification-interval {integer}   Notification alert interval in minutes. range[1-99999]
    set information-interval {integer}   Information alert interval in minutes. range[1-99999]
    set debug-interval {integer}   Debug alert interval in minutes. range[1-99999]
    set severity {option}   Lowest severity level to log.
        emergency      Emergency level.
        alert          Alert level.
        critical       Critical level.
        error          Error level.
        warning        Warning level.
        notification   Notification level.
        information    Information level.
        debug          Debug level.
end


  • antivirus

Use antivirus commands to configure antivirus scanning for services, quarantine options, and to enable or disable grayware and heuristic scanning.

This section includes syntax for the following commands:

• antivirus heuristic
• antivirus profile
• antivirus quarantine
• antivirus settings

    antivirus heuristic

    Configure the global heuristic options used for antivirus scanning in binary files.

config antivirus heuristic
    set mode {pass | block | disable}   Enable/disable heuristics and determine how the system behaves if heuristics detects a problem.
        pass      Enable heuristics but detected files are passed. If enabled, the system will record a log message.
        block     Enable heuristics and detected files are blocked. If enabled, the system will record a log message.
        disable   Turn off heuristics.
end

Additional Information

The following section is for those options that require additional explanation.

mode {pass | block | disable}

Determine the action to take when heuristics detects a problem:

• pass: Enables heuristic scanning, but passes detected files to the recipient. Suspicious files are quarantined if quarantine is enabled.
• block: Enables heuristic scanning and blocks detected files. A replacement message is forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
• disable: Disables heuristic scanning (set by default).
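An added Python example (editor's code, not part of the FortiOS reference or any Fortinet tool) that reads a configuration written in the config/edit/set/next/end syntax used throughout this reference and audits the settings documented here: the alertemail setting recipients and log categories, the antivirus heuristic mode (disable is the default), and the per-protocol antivirus profile options (options, archive-block, emulator). The sample configuration, the recipient address and the choice of which values count as weak are the editor's assumptions; the parser handles only the subset of the syntax shown on this page (one command per line, no multi-line values):

```python
import shlex
from typing import Any, Dict, List

# Constructed configuration excerpt with hypothetical values.
SAMPLE_CONFIG = """
config alertemail setting
    set username "fortigate"
    set mailto1 "soc@example.com"
    set filter-mode category
    set admin-login-logs disable
    set configuration-changes-logs disable
    set FDS-license-expiring-warning enable
    set FDS-license-expiring-days 100
end
config antivirus heuristic
    set mode disable
end
config antivirus profile
    edit "monitor-only"
        set inspection-mode proxy
        config http
            set options avmonitor
            set archive-block encrypted
            set emulator disable
        end
        config smtp
            set options scan quarantine
            set archive-block encrypted unhandled
            set emulator enable
        end
    next
    edit "strict"
        config http
            set options scan quarantine
            set archive-block encrypted corrupted unhandled
            set emulator enable
        end
    next
end
"""


def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse config/edit/set/unset/next/end lines into nested dicts.

    A 'config' block and each 'edit' entry become dicts; 'set' stores the
    list of values. Blank lines and '#' comment lines are skipped.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        kw, args = words[0], words[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for weak settings (editor's thresholds)."""
    findings: List[str] = []
    alert = cfg.get("alertemail setting", {})
    if not any(alert.get(k) for k in ("mailto1", "mailto2", "mailto3")):
        findings.append("alertemail: no recipient configured")
    for opt in ("admin-login-logs", "configuration-changes-logs", "FIPS-CC-errors"):
        if alert.get(opt, ["disable"]) != ["enable"]:
            findings.append(f"alertemail: {opt} is not enabled")
    # Per the reference, heuristic mode defaults to disable when unset.
    if cfg.get("antivirus heuristic", {}).get("mode", ["disable"]) == ["disable"]:
        findings.append("antivirus heuristic: mode is disable (the default)")
    for name, prof in cfg.get("antivirus profile", {}).items():
        for proto, settings in prof.items():
            if not isinstance(settings, dict):
                continue  # scalar profile setting, not a protocol block
            if "scan" not in settings.get("options", []):
                findings.append(f"antivirus profile {name}/{proto}: options lack 'scan' (monitoring without blocking)")
            for kind in ("encrypted", "unhandled"):
                if kind not in settings.get("archive-block", []):
                    findings.append(f"antivirus profile {name}/{proto}: archive-block lacks '{kind}'")
            if settings.get("emulator") == ["disable"]:
                findings.append(f"antivirus profile {name}/{proto}: emulator disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

On the sample this reports the two alert categories left at disable, the missing FIPS-CC-errors setting, the default heuristic mode, and three problems in the http block of the monitor-only profile; the smtp block and the strict profile produce nothing. The parser is deliberately small, which is what makes it safe to run over a backup without an appliance, but it trusts well-formed nesting and will misplace keys if a next or end is missing.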

    antivirus profile

Create and configure antivirus profiles that can be applied to firewall policies. Antivirus profiles configure how virus scanning is applied to sessions accepted by a firewall policy that includes the antivirus profile.


config antivirus profile
    edit {name}
        # Configure AntiVirus profiles.
        set name {string}   Profile name. size[35]
        set comment {string}   Comment. size[255]
        set replacemsg-group {string}   Replacement message group customized for this profile. size[35] - datasource(s): system.replacemsg-group.name
        set inspection-mode {proxy | flow-based}   Inspection mode.
            proxy        Proxy-based inspection.
            flow-based   Flow-based inspection.
        set ftgd-analytics {disable | suspicious | everything}   Settings to control which files are uploaded to FortiSandbox.
            disable      Do not upload files to FortiSandbox.
            suspicious   Submit files supported by FortiSandbox if heuristics or other methods determine they are suspicious.
            everything   Submit all files scanned by AntiVirus to FortiSandbox. AntiVirus may not scan all files.
        set analytics-max-upload {integer}   Maximum size of files that can be uploaded to FortiSandbox (1 - 395 MBytes, default = 10). range[1-1606]
        set analytics-wl-filetype {integer}   Do not submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id
        set analytics-bl-filetype {integer}   Only submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id
        set analytics-db {disable | enable}   Enable/disable using the FortiSandbox signature database to supplement the AV signature databases.
        set mobile-malware-db {disable | enable}   Enable/disable using the mobile malware signature database.
        config http
            set options {scan | avmonitor | quarantine}   Enable/disable HTTP AntiVirus scanning, monitoring, and quarantine.
                scan         Enable HTTP antivirus scanning.
                avmonitor    Enable HTTP antivirus logging.
                quarantine   Enable HTTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                encrypted   Block encrypted archives.
                corrupted   Block corrupted archives.
                multipart   Block multipart archives.
                nested      Block nested archives.
                mailbomb    Block mail bomb archives.
                unhandled   Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                encrypted   Log encrypted archives.
                corrupted   Log corrupted archives.
                multipart   Log multipart archives.
                nested      Log nested archives.
                mailbomb    Log mail bomb archives.
                unhandled   Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
        config ftp
            set options {scan | avmonitor | quarantine}   Enable/disable FTP AntiVirus scanning, monitoring, and quarantine.
                scan         Enable FTP antivirus scanning.
                avmonitor    Enable FTP antivirus logging.
                quarantine   Enable FTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                encrypted   Block encrypted archives.
                corrupted   Block corrupted archives.
                multipart   Block multipart archives.
                nested      Block nested archives.
                mailbomb    Block mail bomb archives.
                unhandled   Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                encrypted   Log encrypted archives.
                corrupted   Log corrupted archives.
                multipart   Log multipart archives.
                nested      Log nested archives.
                mailbomb    Log mail bomb archives.
                unhandled   Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
        config imap
            set options {scan | avmonitor | quarantine}   Enable/disable IMAP AntiVirus scanning, monitoring, and quarantine.
                scan         Enable IMAP antivirus scanning.
                avmonitor    Enable IMAP antivirus logging.
                quarantine   Enable IMAP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                encrypted   Block encrypted archives.
                corrupted   Block corrupted archives.
                multipart   Block multipart archives.
                nested      Block nested archives.
                mailbomb    Block mail bomb archives.
                unhandled   Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                encrypted   Log encrypted archives.
                corrupted   Log corrupted archives.
                multipart   Log multipart archives.
                nested      Log nested archives.
                mailbomb    Log mail bomb archives.
                unhandled   Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                default   Perform standard AntiVirus scanning of Windows executable files.
                virus     Treat Windows executables as viruses.
        config pop3
            set options {scan | avmonitor | quarantine}   Enable/disable POP3 AntiVirus scanning, monitoring, and quarantine.
                scan         Enable POP3 antivirus scanning.
                avmonitor    Enable POP3 antivirus logging.
                quarantine   Enable POP3 antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                encrypted   Block encrypted archives.
                corrupted   Block corrupted archives.
                multipart   Block multipart archives.
                nested      Block nested archives.
                mailbomb    Block mail bomb archives.
                unhandled   Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                encrypted   Log encrypted archives.
                corrupted   Log corrupted archives.
                multipart   Log multipart archives.
                nested      Log nested archives.
                mailbomb    Log mail bomb archives.
                unhandled   Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                default   Perform standard AntiVirus scanning of Windows executable files.
                virus     Treat Windows executables as viruses.
        config smtp
            set options {scan | avmonitor | quarantine}   Enable/disable SMTP AntiVirus scanning, monitoring, and quarantine.
                scan         Enable SMTP antivirus scanning.
                avmonitor    Enable SMTP antivirus logging.
                quarantine   Enable SMTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                encrypted   Block encrypted archives.
                corrupted   Block corrupted archives.
                multipart   Block multipart archives.
                nested      Block nested archives.
                mailbomb    Block mail bomb archives.
                unhandled   Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                encrypted   Log encrypted archives.
                corrupted   Log corrupted archives.
                multipart   Log multipart archives.
                nested      Log nested archives.
                mailbomb    Log mail bomb archives.
                unhandled   Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                default   Perform standard AntiVirus scanning of Windows executable files.
                virus     Treat Windows executables as viruses.
        config mapi
            set options {scan | avmonitor | quarantine}   Enable/disable MAPI AntiVirus scanning, monitoring, and quarantine.
                scan         Enable MAPI antivirus scanning.
                avmonitor    Enable MAPI antivirus logging.
                quarantine   Enable MAPI antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                encrypted   Block encrypted archives.
                corrupted   Block corrupted archives.
                multipart   Block multipart archives.
                nested      Block nested archives.
                mailbomb    Block mail bomb archives.
                unhandled   Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                encrypted   Log encrypted archives.
                corrupted   Log corrupted archives.
                multipart   Log multipart archives.
                nested      Log nested archives.
                mailbomb    Log mail bomb archives.
                unhandled   Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                default   Perform standard AntiVirus scanning of Windows executable files.
                virus     Treat Windows executables as viruses.
        config nntp
            set options {scan | avmonitor | quarantine}   Enable/disable NNTP AntiVirus scanning, monitoring, and quarantine.
                scan         Enable NNTP antivirus scanning.
                avmonitor    Enable NNTP antivirus logging.
                quarantine   Enable NNTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                encrypted   Block encrypted archives.
                corrupted   Block corrupted archives.
                multipart   Block multipart archives.
                nested      Block nested archives.
                mailbomb    Block mail bomb archives.
                unhandled   Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                encrypted   Log encrypted archives.
                corrupted   Log corrupted archives.
                multipart   Log multipart archives.
                nested      Log nested archives.
                mailbomb    Log mail bomb archives.
                unhandled   Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
        config smb
            set options {scan | avmonitor | quarantine}   Enable/disable SMB AntiVirus scanning, monitoring, and quarantine.
                scan         Enable SMB antivirus scanning.
                avmonitor    Enable SMB antivirus logging.
                quarantine   Enable SMB antivirus quarantine. Files are quarantined depending on

    q