FortiAnalyzer v5.0 Patch Release 5 CLI Reference

FortiAnalyzer 5.0.5 CLI Reference

DESCRIPTION

FortiAnalyzer v5 CLI configuration Reference

  • FortiAnalyzer v5.0 Patch Release 5 CLI Reference

    November 12, 2013

    05-505-185032-20131112

    Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

    Technical Documentation docs.fortinet.com

    Knowledge Base kb.fortinet.com

    Customer Service & Support support.fortinet.com

    Training Services training.fortinet.com

    FortiGuard fortiguard.com

    Document Feedback [email protected]

  • Table of Contents

    Change Log

    Introduction

    What's New in FortiAnalyzer v5.0
        FortiAnalyzer v5.0 Patch Release 5
        FortiAnalyzer v5.0 Patch Release 4

    Using the Command Line Interface
        CLI command syntax
        Connecting to the CLI
        CLI objects
        CLI command branches
            config branch
            get branch
            show branch
            execute branch
            diagnose branch
            Example command sequences
        CLI basics
            Command help
            Command tree
            Command completion
            Recalling commands
            Editing commands
            Line continuation
            Command abbreviation
            Environment variables
            Encrypted password support
            Entering spaces in strings
            Entering quotation marks in strings
            Entering a question mark (?) in a string
            International characters
            Special characters
            IP address formats
            Editing the configuration file
            Changing the baud rate
            Debug log levels

    Administrative Domains
        About ADOMs
        Configuring ADOMs

    system
        admin
            admin group
            admin ldap
            admin profile
            admin radius
            admin setting
            admin tacacs
            admin user
        aggregation-client
        aggregation-service
        alert-console
        alert-event
        alertemail
        auto-delete
        backup
            backup all-settings
        central-management
        certificate
            certificate ca
            certificate crl
            certificate local
            certificate ssh
        dns
        fips
        global
        interface
        locallog
            locallog disk setting
            locallog filter
            locallog fortianalyzer setting
            locallog memory setting
            locallog syslogd (syslogd2, syslogd3) setting
        log
            log alert
            log fortianalyzer
            log settings
            config rolling-analyzer, rolling-local, and rolling-regular
        mail
        ntp
        password-policy
        report
            report auto-cache
            report est-browse-time
        route
        route6
        snmp
            snmp community
            snmp sysinfo
            snmp user
        sql
        syslog

    fmupdate
        analyzer
            analyzer virusreport
        av-ips
            av-ips advanced-log
            av-ips fct server-override
            av-ips fgt server-override
            av-ips push-override
            av-ips push-override-to-client
            av-ips update-schedule
            av-ips web-proxy
        device-version
        disk-quota
        fct-services
        multilayer
        publicnetwork
        server-access-priorities
            config private-server
        server-override-status
        service
        support-pre-fgt43

    execute
        add-vm-license
        backup
            backup all-settings
            backup logs
            backup logs-only
            backup logs-rescue
            backup reports
            backup reports-config
        bootimage
        certificate
            certificate ca
            certificate local
        console
            console baudrate
        date
        device
        devicelog
            devicelog clear
        factory-license
        fgfm
            fgfm reclaim-dev-tunnel
        fmupdate
            fmupdate cdrom import
            fmupdate cdrom list
            fmupdate cdrom mount
            fmupdate cdrom umount
            fmupdate {ftp | scp | tftp} import
            fmupdate {ftp | scp | tftp} export
        format
        log
            log device disk_quota
            log device permissions
            log dlp-files
            log import
            log ips-pkt
            log quarantine-files
        log-aggregation
        log-integrity
        lvm
        ping
        ping6
        raid
        reboot
        remove
        reset
        reset-sqllog-transfer
        restore
            restore all-settings
            restore image
            restore {logs | logs-only}
            restore reports
            restore reports-config
        shutdown
        sql-local
            sql-local rebuild-db
            sql-local rebuild-device
            sql-local remove-db
            sql-local remove-device
            sql-local remove-logs
            sql-local remove-logtype
        sql-query-dataset
        sql-query-generic
        sql-report
            sql-report run
        ssh
        ssh-known-hosts
        time
        top
        traceroute
        traceroute6

    diagnose
        cdb
            cdb check
        debug
            debug application
            debug cli
            debug console
            debug crashlog
            debug disable
            debug dpm
            debug enable
            debug info
            debug service
            debug sysinfo
            debug sysinfo-log
            debug sysinfo-log-backup
            debug sysinfo-log-list
            debug timestamp
            debug vminfo
        dlp-archives
            dlp-archives quar-cache
            dlp-archives rebuild-quar-db
            dlp-archives statistics
            dlp-archives status
        dvm
            dvm adom
            dvm chassis
            dvm check-integrity
            dvm debug
            dvm device
            dvm device-tree-update
            dvm group
            dvm lock
            dvm proc
            dvm task
            dvm transaction-flag
        fgfm
        fmnetwork
            fmnetwork arp
            fmnetwork interface
            fmnetwork netstat
        fmupdate
        fortilogd
        hardware
        log
            log device
        pm2
        report
        sniffer
        sql
        system
            system admin-session
            system disk
            system export
            system flash
            system fsck
            system geoip
            system ntp
            system print
            system process
            system raid
            system route
            system route6
            system server
        test
            test application
            test connection
            test policy-check
            test search
            test sftp
        upload
            upload clear
            upload force-retry
            upload status

    get
        system admin
            system admin group
            system admin ldap
            system admin profile
            system admin radius
            system admin setting
            system admin tacacs
            system admin user
        system aggregation-client
        system aggregation-service
        system alert-console
        system alert-event
        system alertemail

    system auto-delete .............................................................................................. 194

    system backup..................................................................................................... 194system backup all-settings ............................................................................ 194system backup status.................................................................................... 195

    system certificate................................................................................................. 195system certificate ca ...................................................................................... 195system certificate crl ...................................................................................... 196system certificate local .................................................................................. 196system certificate ssh .................................................................................... 196

    system dns........................................................................................................... 196

    system fips........................................................................................................... 196

    system global....................................................................................................... 196

    system interface................................................................................................... 198

    system locallog .................................................................................................... 198system locallog disk....................................................................................... 198system locallog fortianalyzer.......................................................................... 199system locallog memory ................................................................................ 199system locallog syslogd................................................................................. 199Table of Contents Page 9 FortiAnalyzer v5.0 Patch Release 5 CLI Reference

  • system log............................................................................................................ 199system log alert.............................................................................................. 199system log fortianalyzer ................................................................................. 200system log settings ........................................................................................ 200

    system mail .......................................................................................................... 200

    system ntp ........................................................................................................... 200

    system password-policy...................................................................................... 201

    system performance ............................................................................................ 201

    system report ....................................................................................................... 202system report auto-cache.............................................................................. 202system report est-browse-time...................................................................... 202

    system route ........................................................................................................ 203

    system route6 ...................................................................................................... 203

    system snmp........................................................................................................ 203system snmp community............................................................................... 203system snmp sysinfo ..................................................................................... 204system snmp user.......................................................................................... 204

    system sql............................................................................................................ 204

    system status....................................................................................................... 205

    system syslog ...................................................................................................... 205

    show .............................................................................................................. 206

    Appendix A: Object Tables .......................................................................... 207Global object categories...................................................................................... 207

    Device object ID values ....................................................................................... 208

    Appendix B: Maximum Values Table .......................................................... 211Maximum values table ......................................................................................... 211

    Index .............................................................................................................. 213Table of Contents Page 10 FortiAnalyzer v5.0 Patch Release 5 CLI Reference

  • Change Log

    Date
        Change Description

    2012-11-23
        Initial release.

    2013-01-11
        Document updated for FortiAnalyzer v5.0 Patch Release 1.
        Command support-pre-fgt43 added. Variables pre-login-banner and pre-login-banner-message added to the config system global command.

    2013-03-28
        Document updated for FortiAnalyzer v5.0 Patch Release 2.
        fmsystem and fasystem branches merged into system branch.
        show-adom-implicit-id-based-policy and policy-display-threshold variables added to the config system admin setting command.
        execute branch expanded:
            backup all-settings fgt, backup all-settings scp, backup logs, backup logs-only, backup reports commands added
            restore all-settings fgt, restore all-settings scp, restore image, restore logs, restore logs-only, restore reports commands added
            factory-license command added
        diagnose branch expanded:
            diagnose dlp-archives quar-cache, diagnose dlp-archives rebuild-quar-db, diagnose dlp-archives statistics, diagnose dlp-archives status commands added
        fmupdate, fmpolicy, fmscript, dmserver, and other FortiManager related commands have been removed.

    2013-04-26
        The execute lvm command was added.

    2013-07-16
        Provisional document updated for FortiAnalyzer v5.0 Patch Release 3.

    2013-09-13
        Provisional document updated for FortiAnalyzer v5.0 Patch Release 4.

    2013-11-12
        Provisional document updated for FortiAnalyzer v5.0 Patch Release 5.

  • Introduction

    FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network traffic, such as e-mail, FTP, and web browsing activity, to help identify security issues and reduce network misuse and abuse.

    This is a provisional document.

  • What's New in FortiAnalyzer v5.0

    FortiAnalyzer v5.0 Patch Release 5

    The table below lists commands which have changed in v5.0 Patch Release 5.

    Command
        Change

    config system
        New variable added: central-management

    config system global
        New variables added: search-all-adoms, unregister-pop-up

    config fmupdate
        New variables added: analyzer, av-ips, device-version, disk-quota, fct-services, fds-setting, multilayer, publicnetwork, server-access-priorities, server-override-status, service, support-pre-fgt43

    execute backup
        New variable added: logs-rescue

    config system admin setting
        Variables removed: demo-mode, device-sync status, offline-mode, allow_register, register_passwd, show_grouping_script, show_automatic_script, show_tcl_script, auto-update, mgmt-addr, mgmt-fqdn, show-global-policy-settings, show-global-object-settings, show-adom-ipv6-settings, show-adom-dynamic-objects, show-adom-dos-policies, show-adom-sniffer-policies, show-adom-central-nat-policies, show-adom-voip-policies, show-adom-icap-policies, show-adom-implicit-policy, show-adom-implicit-id-based-policy, show-adom-taskmon-button, show-adom-terminal-button, show-adom-policy-consistency-button, show-adom-rtmlog, show-adom-vpnman, show-adom-devman, show-fortimail-settings, show-foc-settings, show-fsw-settings, install-ifpolicy-only

    config system log settings
        New commands added: FAZ-custom-field1, FAZ-custom-field2, FAZ-custom-field3, FAZ-custom-field4, FAZ-custom-field5

    config system aggregation-client
        New command added: server-device
        New sub-command added: config device-filter

    diagnose fmupdate
        New commands added: add-device, deldevice, dellog, fct-configure, fct-dbcontract, fct-delserverlist, fct-getobject, fct-serverlist, fct-update-status, fct-updatenow, fds-configure, fds-dbcontract, fds-delserverlist, fds-dump-breg, fds-dump-srul, fds-get-downstream-device, fds-getobject, fds-serverlist, fds-service-info, fds-update-status, fds-updatenow, fgd-updatenow, fgt-del-statistics, fgt-del-um-db, fmg-statistic-info, fortitoken, getdevice, service-restart, show-bandwidth, show-dev-obj, view-linkd-log, vm-license

    execute fmupdate
        New commands added:
            cdrom {import | list | mount | umount}
            ftp {export | import}
            scp {export | import}
            tftp {export | import}

    diagnose fgfm
        Commands removed: session-list, install-sessions

  • FortiAnalyzer v5.0 Patch Release 4

    The table below lists commands which have changed in v5.0 Patch Release 4.

    Command
        Change

    config system auto-delete
        New command added for automatic deletion policy for logs, reports, archived, and quarantined files.

    config system sql
    config ts-index-field
        New sub-command added to configure SQL text search index fields.

    config system global
    set backup-compression {high | low | none | normal}
        New set command added to set the compression level.

    config system global
    set backup-to-subfolders {enable | disable}
        New set command added to enable or disable the creation of subfolders on server for backup storage.

    config system global
    set lcdpin
        Legacy set command removed.

    config system global
    set log-checksum {md5 | md5-auth | none}
        New set command added to record the log file hash value, timestamp, and authentication code at transmission or rolling.

    execute log-integrity
        New command added to query the log file's MD5 checksum and timestamp.

    execute log device permissions
        New command added to set log device permissions.

    execute log import
        New command added to allow import of logs and replace the log device ID.

    diagnose dvm supported-platforms list
        Command removed.

    diagnose sql show log-filters
        New command added to show log view searching filters.

    config system aggregation-client
    set fwd-remote-server cef
        New variable added to allow logs to be forwarded to a CEF (Common Event Format) server.

    config system report auto-cache
    set aggressive-drilldown
    set drilldown-interval
    set status
        New command and variables added for report auto-cache settings.

    config system report est-browse-time
    set max-num-user
    set status
        New command and variables added for report estimated browse time settings.

    diagnose sql auto-hcache
        Command removed.

    config rolling-regular, config rolling-local, config rolling-analyzer
    set upload-mode backup
    set ip2
    set ip3
    set username2
    set username3
    set password2
    set password3
        Added variables to allow up to three servers to be configured for log upload.

    diagnose report status
    diagnose report clean
    diagnose report maintain
        Added new commands to clean up, maintain, and get the status of the report queue.

  • Using the Command Line Interface

    This chapter explains how to connect to the Command Line Interface (CLI) and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.

    This chapter describes:

    CLI command syntax

    Connecting to the CLI

    CLI objects

    CLI command branches

    CLI basics

    CLI command syntax

    This guide uses the following conventions to describe command syntax.

    Angle brackets < > indicate variables.
    For example:
        execute restore image ftp
    You enter:
        execute restore image ftp myfile.bak
    indicates a dotted decimal IPv4 address.
    indicates a dotted decimal IPv4 netmask.
    indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask.

    Vertical bar and curly brackets {|} separate alternative, mutually exclusive required variables.
    For example:
        set protocol {ftp | sftp}
    You can enter set protocol ftp or set protocol sftp.

    Square brackets [ ] indicate that a variable is optional.
    For example:
        show system interface []
    To show the settings for all interfaces, you can enter show system interface. To show the settings for the Port1 interface, you can enter show system interface port1.

    A space separates options that can be entered in any combination and must be separated by spaces.
    For example:
        set allowaccess {ping https ssh snmp telnet http webservice aggregator}
    You can enter any of the following:
        set allowaccess ping
        set allowaccess https
        set allowaccess ssh
        set allowaccess https ssh
        set allowaccess aggregator http https ping ssh telnet webservice

    In most cases, to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.

    Special characters:

    The \ is supported to escape spaces or as a line continuation character.

    The single quotation mark ' and the double quotation mark " are supported, but must be used in pairs.

    If there are spaces in a string, you must precede the spaces with the \ escape character or put the string in a pair of quotation marks.

    Connecting to the CLI

    You can use a direct console connection or SSH to connect to the FortiAnalyzer CLI. You can also access the CLI through the CLI console widget in the Web-based Manager. For more information, see the FortiAnalyzer v5.0 Patch Release 5 Administration Guide and your device's QuickStart Guide.

    CLI objects

    The FortiAnalyzer CLI is based on configurable objects. The top-level objects are the basic components of FortiAnalyzer functionality.

    Table 1: CLI top level object

    system
        Configuration options related to the overall operation of the FortiAnalyzer unit, such as interfaces, virtual domains, and administrators. See "system".

    This object contains more specific lower level objects. For example, the system object contains objects for administrators, DNS, interfaces and so on.

    CLI command branches

    The FortiAnalyzer CLI consists of the following command branches:

    config branch
    get branch
    show branch
    execute branch
    diagnose branch

    Examples showing how to enter command sequences within each branch are provided in the following sections. See also "Example command sequences".

  • config branch

    The config commands configure objects of FortiAnalyzer functionality. Top-level objects are not configurable; they are containers for more specific lower level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of variables that you can set to particular values. Simpler objects, such as system DNS, are a single set of variables.

    To configure an object, you use the config command to navigate to the object's command shell. For example, to configure administrators, you enter the command

        config system admin user

    The command prompt changes to show that you are in the admin shell.

        (user)#

    This is a table shell. You can use any of the following commands:

    edit
        Add an entry to the FortiAnalyzer configuration or edit an existing entry. For example in the config system admin shell:
        Type edit admin and press Enter to edit the settings for the default admin administrator account.
        Type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.

    delete
        Remove an entry from the FortiAnalyzer configuration. For example in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.

    purge
        Remove all entries configured in the current shell. For example in the config user local shell:
        Type get to see the list of user names added to the FortiAnalyzer configuration.
        Type purge and then y to confirm that you want to purge all the user names.
        Type get again to confirm that no user names are displayed.

    get
        List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values.

    show
        Show changes to the default configuration as configuration commands.

    end
        Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You will return to the root FortiAnalyzer CLI prompt.
        The end command is also used to save set command changes and leave the shell.

    If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:

        edit admin_1

    The FortiAnalyzer unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:

        new entry 'admin_1' added
        (admin_1)#

    From this prompt, you can use any of the following commands:

    config
        In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to restrict the user to specific devices or VDOMs.

    set
        Assign values. For example from the edit admin command shell, typing set password newpass changes the password of the admin administrator account to newpass.
        Note: When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.

    unset
        Reset values to defaults. For example from the edit admin command shell, typing unset password resets the password of the admin administrator account to the default of no password.

    get
        List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values.

    show
        Show changes to the default configuration in the form of configuration commands.

    next
        Save the changes you have made in the current shell and continue working in the shell. For example, if you want to add several new admin user accounts, enter the config system admin user shell.
        Type edit User1 and press Enter.
        Use the set commands to configure the values for the new admin account.
        Type next to save the configuration for User1 without leaving the config system admin user shell.
        Continue using the edit, set, and next commands to continue adding admin user accounts.
        Type end and press Enter to save the last configuration and leave the shell.

    abort
        Exit an edit shell without saving the configuration.

    end
        Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command.
        The end command is also used to save set command changes and leave the shell.

    The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell you must leave the shell you are working in and enter the other shell.

  • get branch

    Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell.

    To use get from the root prompt, you must include a path to a shell.

    The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

    Example 1

    When you type get in the config system admin user shell, the list of administrators is displayed.

    At the (user)# prompt, type:

        get

    The screen displays:

        == [ admin ]
        userid: admin
        == [ admin2 ]
        userid: admin2
        == [ admin3 ]
        userid: admin3

    Example 2

    When you type get in the admin user shell, the configuration values for the admin administrator account are displayed.

        edit admin

    At the (admin)# prompt, type:

        get

    The screen displays:

        userid : admin
        password : *
        trusthost1 : 0.0.0.0 0.0.0.0
        trusthost2 : 0.0.0.0 0.0.0.0
        trusthost3 : 0.0.0.0 0.0.0.0
        trusthost4 : 0.0.0.0 0.0.0.0
        trusthost5 : 0.0.0.0 0.0.0.0
        trusthost6 : 0.0.0.0 0.0.0.0
        trusthost7 : 0.0.0.0 0.0.0.0
        trusthost8 : 0.0.0.0 0.0.0.0
        trusthost9 : 0.0.0.0 0.0.0.0
        trusthost10 : 127.0.0.1 255.255.255.255
        ipv6_trusthost1 : ::/0
        ipv6_trusthost2 : ::/0
        ipv6_trusthost3 : ::/0
        ipv6_trusthost4 : ::/0
        ipv6_trusthost5 : ::/0
        ipv6_trusthost6 : ::/0
        ipv6_trusthost7 : ::/0
        ipv6_trusthost8 : ::/0
        ipv6_trusthost9 : ::/0
        ipv6_trusthost10 : ::1/128
        profileid : Super_User
        adom:
            == [ all_adoms ]
            adom-name: all_adoms
        policy-package:
            == [ all_policy_packages ]
            policy-package-name: all_policy_packages
        restrict-access : disable
        restrict-dev-vdom:
        description : (null)
        user_type : local
        ssh-public-key1 :
        ssh-public-key2 :
        ssh-public-key3 :
        meta-data:
        last-name : (null)
        first-name : (null)
        email-address : (null)
        phone-number : (null)
        mobile-number : (null)
        pager-number : (null)
        hidden : 0
        dashboard-tabs:
        dashboard:
            == [ 6 ]
            moduleid: 6
            == [ 1 ]
            moduleid: 1
            == [ 2 ]
            moduleid: 2
            == [ 3 ]
            moduleid: 3
            == [ 4 ]
            moduleid: 4
            == [ 5 ]
            moduleid: 5

    Example 3

    You want to confirm the IP address and netmask of the port1 interface from the root prompt.

    At the (command) # prompt, type:

        get system interface port1

    The screen displays:

        name : port1
        status : up
        ip : 172.16.81.30 255.255.255.0
        allowaccess : ping https ssh snmp telnet http webservice aggregator
        serviceaccess :
        speed : auto
        description : (null)
        alias : (null)
        ipv6:
            ip6-address: ::/0
            ip6-allowaccess:

    show branch

    Use show to display the FortiAnalyzer unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.

    To display the configuration of all config shells, you can use show from the root prompt. The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

    Example 1

    When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed.

    At the (port1)# prompt, type:

        show

    The screen displays:

        config system interface
            edit "port1"
                set ip 172.16.81.30 255.255.255.0
                set allowaccess ping https ssh snmp telnet http webservice aggregator
            next
            edit "port2"
                set ip 1.1.1.1 255.255.255.0
                set allowaccess ping https ssh snmp telnet http webservice aggregator
            next
            edit "port3"
            next
            edit "port4"
            next
        end

  • Example 2

    You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type:

        show system dns

    The screen displays:

        config system dns
            set primary 65.39.139.53
            set secondary 65.39.139.63
        end
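    The config/edit/set/next/end structure that show prints can be parsed mechanically, which is useful when auditing an exported configuration. The following is an added example, not part of the Fortinet reference: it parses show output using the quoting and line-continuation rules described under "CLI command syntax" and reports interfaces whose allowaccess list includes telnet or http. The sample text is constructed from Example 1, and the function names and the CLEARTEXT set are assumptions of this example.

```python
"""Parse FortiAnalyzer `show` output and flag cleartext management access."""
import shlex

# Assumption of this example: protocols reported as cleartext management access.
CLEARTEXT = {"telnet", "http"}

# Constructed sample, modelled on the show output in Example 1 and Example 2.
SAMPLE_SHOW = '''\
config system interface
    edit "port1"
        set ip 172.16.81.30 255.255.255.0
        set allowaccess ping https ssh snmp telnet http webservice \\
            aggregator
    next
    edit "port2"
        set ip 1.1.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port3"
    next
end
config system dns
    set primary 65.39.139.53
    set secondary 65.39.139.63
end
'''


def logical_lines(text):
    """Yield non-empty commands, joining lines that end in a \\ continuation."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf:
            yield buf
        buf = ""
    if buf:
        yield buf


def parse_show(text):
    """Return {shell path: {entry name or None: {variable: [values]}}}."""
    config, stack = {}, []  # stack frames: [shell path, entry being edited]
    for line in logical_lines(text):
        # shlex applies paired quotes and \-escaped spaces; it raises
        # ValueError when a quotation mark is not closed.
        cmd, *args = shlex.split(line)
        if cmd == "config":
            path = " ".join(args)
            if stack:  # sub-command opened while editing a table entry
                path = f"{stack[-1][0]} / {stack[-1][1]} / {path}"
            stack.append([path, None])
            config.setdefault(path, {})
        elif not stack:
            raise ValueError(f"{cmd!r} used outside a config shell")
        elif cmd == "edit":
            stack[-1][1] = args[0]
            config[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            path, entry = stack[-1]
            config[path].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
        else:
            raise ValueError(f"unexpected command {cmd!r}")
    if stack:
        raise ValueError(f"config {stack[-1][0]!r} has no matching end")
    return config


def cleartext_interfaces(config):
    """Map interface name -> sorted cleartext protocols in its allowaccess."""
    findings = {}
    for name, settings in config.get("system interface", {}).items():
        exposed = CLEARTEXT.intersection(settings.get("allowaccess", []))
        if exposed:
            findings[name] = sorted(exposed)
    return findings


if __name__ == "__main__":
    for port, protos in cleartext_interfaces(parse_show(SAMPLE_SHOW)).items():
        print(f"{port}: cleartext management access via {', '.join(protos)}")
```

    Because show prints only changes to the default configuration, an interface that is absent from the output still has its default allowaccess value, which this check does not see.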

    execute branch

    Use execute to run static commands, to reset the FortiAnalyzer unit to factory defaults, or to back up or restore the FortiAnalyzer configuration. The execute commands are available only from the root prompt.

    The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

    Example 1

    At the root prompt, type:

        execute reboot
        The system will be rebooted.
        Do you want to continue? (y/n)

    and press Enter to restart the FortiAnalyzer unit.

    diagnose branch

    Commands in the diagnose branch are used for debugging the operation of the FortiAnalyzer unit and to set parameters for displaying different levels of diagnostic information.

    Diagnose commands are intended for advanced users only. Contact Fortinet Technical Support before using these commands.

  • Example command sequences

    To configure the primary and secondary DNS server addresses:

    1. Starting at the root prompt, type:
           config system dns
       and press Enter. The prompt changes to (dns)#.

    2. At the (dns)# prompt, type (question mark) ?
       The following options are displayed.
           set
           unset
           get
           show
           abort
           end

    3. Type set (question mark) ?
       The following options are displayed:
           primary
           secondary

    4. To set the primary DNS server address to 172.16.100.100, type:
           set primary 172.16.100.100
       and press Enter.

    5. To set the secondary DNS server address to 207.104.200.1, type:
           set secondary 207.104.200.1
       and press Enter.

    6. To restore the primary DNS server address to the default address, type unset primary and press Enter.

    7. If you want to leave the config system dns shell without saving your changes, type abort and press Enter.

    8. To save your changes and exit the dns sub-shell, type end and press Enter.

    9. To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.

    The command prompt changes for each shell.

  • CLI basics

    This section includes:

    Command help

    Command tree

    Command completion

    Recalling commands

    Editing commands

    Line continuation

    Command abbreviation

    Environment variables

    Encrypted password support

    Entering spaces in strings

    Entering quotation marks in strings

    Entering a question mark (?) in a string

    International characters

    Special characters

    IP address formats

    Editing the configuration file

    Changing the baud rate

    Debug log levels

    Command help

    You can press the question mark (?) key to display command help.

    Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.

    Type a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option.

    Type a command followed by an option and press the question mark (?) key to display a list of additional options available for that command option combination and a description of each option.

    Command tree

    Type tree to display the FortiAnalyzer CLI command tree. To capture the full output, connect to your device using a terminal emulation program, such as PuTTY, and capture the output to a log file. For config commands, use the tree command to view all available variables and sub-commands.

  • Example

        #config system interface
        (interface)# tree
        -- [interface] --*name
                       |- status
                       |- ip
                       |- allowaccess
                       |- serviceaccess
                       |- speed
                       |- description
                       |- alias
                       +- -- ip6-address
                             +- ip6-allowaccess

    Command completion

    You can use the tab key or the question mark (?) key to complete commands:

    You can press the tab key at any prompt to scroll through the options available for that prompt.

    You can type the first characters of any command and press the tab key or the question mark (?) key to complete the command or to scroll through the options that are available at the current cursor position.

    After completing the first word of a command, you can press the space bar and then the tab key to scroll through the options available at the current cursor position.

    Recalling commands

    You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.

    Editing commands

    Use the left and right arrow keys to move the cursor back and forth in a recalled command. You can also use the backspace and delete keys and the control keys listed in Table 2 to edit the command.

    Table 2: Control keys for editing commands

    | Function | Key combination |
    |---|---|
    | Beginning of line | CTRL+A |
    | End of line | CTRL+E |
    | Back one character | CTRL+B |
    | Forward one character | CTRL+F |
    | Delete current character | CTRL+D |
    | Previous command | CTRL+P |
    | Next command | CTRL+N |
    | Abort the command | CTRL+C |
    | If used at the root prompt, exit the CLI | CTRL+C |

    Line continuation

    To break a long command over multiple lines, use a \ at the end of each line.

    Command abbreviation

    You can abbreviate commands and command options to the smallest number of unambiguous characters. For example, the command get system status can be abbreviated to g sy st.

    Environment variables

    The FortiAnalyzer CLI supports several environment variables.

    $USERFROM     The management access type (SSH, Telnet and so on) and the IP address of the logged in administrator.
    $USERNAME     The user account name of the logged in administrator.
    $SerialNum    The serial number of the FortiAnalyzer unit.

    Variable names are case sensitive. In the following example, when entering the variable, you can type (dollar sign) $ followed by a tab to auto-complete the variable to ensure that you have the exact spelling and case. Continue pressing tab until the variable you want to use is displayed.

    config system global
        set hostname $SerialNum
    end

    Encrypted password support

    After you enter a clear text password using the CLI, the FortiAnalyzer unit encrypts the password and stores it in the configuration file with the prefix ENC. For example:

    show system admin user user1
    config system admin user
        edit "user1"
            set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f
            set profileid "Standard_User"
        next
    end

    It is also possible to enter an already encrypted password. For example, type:

    config system admin user

    then press Enter. Type:

    edit user1

    then press Enter. Type:

    set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f

    then press Enter. Type:

    end

    then press Enter.

    Entering spaces in strings

    When a string value contains a space, do one of the following:

    Enclose the string in quotation marks, for example "Security Administrator".

    Enclose the string in single quotes, for example 'Security Administrator'.

    Use a backslash (\) preceding the space, for example Security\ Administrator.

    Entering quotation marks in strings

    If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.

    Entering a question mark (?) in a string

    If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to display possible command completions, terminating the string.

    International characters

    The CLI supports international characters in strings.

    Special characters

    The characters , (, ), #, , and " are not permitted in most CLI fields, but you can use them in passwords. If you use the apostrophe (') or quote (") character, you must precede it with a backslash (\) character when entering it in the CLI set command.

    IP address formats

    You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example you can type either:

    set ip 192.168.1.1 255.255.255.0, or
    set ip 192.168.1.1/24

    The IP address is displayed in the configuration file in dotted decimal format.

  • Editing the configuration file

    You can change the FortiAnalyzer configuration by backing up the configuration file to an FTP, SCP, or SFTP server. Then you can make changes to the file and restore it to the FortiAnalyzer unit.

    1. Use the execute backup all-settings command to back up the configuration file to an FTP server. For example:

    execute backup all-settings ftp 10.10.0.1 mybackup.cfg myid mypass

    2. Edit the configuration file using a text editor.

    Related commands are listed together in the configuration file. For instance, all the system commands are grouped together. You can edit the configuration by adding, changing or deleting the CLI commands in the configuration file.

    The first line of the configuration file contains information about the firmware version and FortiAnalyzer model. Do not edit this line. If you change this information the FortiAnalyzer unit will reject the configuration file when you attempt to restore it.

    3. Use the execute restore all-settings command to copy the edited configuration file back to the FortiAnalyzer unit. For example:

    execute restore all-settings ftp 10.10.0.1 mybackup.cfg myid mypass

    The FortiAnalyzer unit receives the configuration file and checks to make sure the firmware version and model information is correct. If it is, the FortiAnalyzer unit loads the configuration file and checks each command for errors. If the FortiAnalyzer unit finds an error, an error message is displayed after the command and the command is rejected. Then the FortiAnalyzer unit restarts and loads the new configuration.

    Changing the baud rate

    Using execute console baudrate, you can change the default console connection baud rate.

    To check the current baud rate enter the following CLI command:

    # execute console baudrate [enter]
    current baud rate is: 9600

    To view baudrate options, enter the CLI command with the question mark (?).

    # execute console baudrate ?
    baudrate 9600 | 19200 | 38400 | 57600 | 115200

    To change the baudrate, enter the CLI command as listed below.

    # execute console baudrate 19200
    Your console connection will get lost after changing baud rate.
    Change your console setting!
    Do you want to continue? (y/n)

    Changing the default baud rate is not available on all models.

  • Debug log levels

    The following table lists available debug log levels on your FortiAnalyzer.

    Table 3: Debug log levels

    | Level | Type | Description |
    |---|---|---|
    | 0 | Emergency | Emergency: the system has become unusable. |
    | 1 | Alert | Alert: immediate action is required. |
    | 2 | Critical | Critical: Functionality is affected. |
    | 3 | Error | Error: an erroneous condition exists and functionality is probably affected. |
    | 4 | Warning | Warning: function might be affected. |
    | 5 | Notification | Notification of normal events. |
    | 6 | Information | Information: General information about system operations. |
    | 7 | Debug | Debugging: Detailed information useful for debugging purposes. |
    | 8 | Maximum | Maximum log level. |

  • Administrative Domains

    Administrative domains (ADOMs) enable the admin administrator to constrain other Fortinet unit administrators' access privileges to a subset of devices in the device list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific FortiGate VDOM.

    This section contains the following topics:

    About ADOMs

    Configuring ADOMs

    About ADOMs

    Enabling ADOMs alters the structure and available functionality of the Web-based Manager and CLI according to whether you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account's assigned access profile.

    If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appears, allowing unrestricted access and ADOM configuration.

    config system global contains settings used by the FortiAnalyzer unit itself and settings shared by ADOMs, such as the device list, RAID, and administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM.

    If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appears, allowing access only to logs, reports, quarantine files, content archives, IP aliases, and LDAP queries specific to your ADOM. You cannot access Global Configuration, or enter other ADOMs.

    The admin administrator can further restrict other administrators' access to specific configuration areas within their ADOM by using access profiles. For more information, see admin profile on page 38.

    Table 4: Characteristics of the CLI and Web-based Manager when ADOMs are enabled

    | | admin administrator account | Other administrators |
    |---|---|---|
    | Access to config system global | Yes | No |
    | Can create administrator accounts | Yes | No |
    | Can enter all ADOMs | Yes | No |

  • By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all devices in the device list. By creating ADOMs that contain a subset of devices in the device list, and assigning them to administrator accounts, you can restrict other administrator accounts to a subset of the FortiAnalyzer unit's total devices or VDOMs.

    The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM, and cannot configure ADOMs or Global Configuration.

    The maximum number of ADOMs varies by FortiAnalyzer model. For more information, see Maximum Values Table on page 211.

    Configuring ADOMs

    To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign existing FortiAnalyzer administrators to ADOMs.

    Within the CLI, you can enable ADOMs and set the administrator ADOM. To configure the ADOMs, you must use the Web-based Manager.

    To enable or disable ADOMs:

    Enter the following CLI command:

    config system global
        set adom-status {enable | disable}
    end

    Table 5: ADOM maximum values

    | FortiAnalyzer Model | Number of ADOMs |
    |---|---|
    | FAZ-100C | 100 |
    | FAZ-200D | 150 |
    | FAZ-300D | 175 |
    | FAZ-400B | 200 |
    | FAZ-400C | 300 |
    | FAZ-1000B, FAZ-1000C, and FAZ-1000D | 2 000 |
    | FAZ-2000A and 2000B | 2 000 |
    | FAZ-3000D | 2 000 |
    | FAZ-4000A and FAZ-4000B | 2 000 |
    | FAZ-VM32 and FAZ-VM64 | 10 000 |

    Enabling ADOMs moves non-global configuration items to the root ADOM. Back up the FortiAnalyzer unit configuration before enabling ADOMs.

  • An administrative domain has two modes: normal and advanced. Normal mode is the default device mode. In normal mode, a FortiGate unit can only be added to a single administrative domain. In advanced mode, you can assign different VDOMs from the same FortiGate to multiple administrative domains.

    To change ADOM device modes:

    Enter the following CLI command:

    config system global
        set adom-mode {advanced | normal}
    end

    To assign an administrator to an ADOM:

    Enter the following CLI command:

    config system admin user
        edit
            set adom
        next
    end

    where is the administrator user name and is the ADOM name.

    Enabling the advanced mode option will result in a reduced operation mode and more complicated management scenarios. It is recommended only for advanced users.

  • system

    Use system commands to configure options related to the operation of the FortiAnalyzer unit.

    This chapter contains the following sections:

    admin
    aggregation-client
    aggregation-service
    alert-console
    alert-event
    alertemail
    auto-delete
    backup
    central-management
    certificate
    dns
    fips
    global
    interface
    locallog
    log
    mail
    ntp
    password-policy
    report
    route
    route6
    snmp
    sql
    syslog

    FortiAnalyzer commands and variables are case sensitive.

    For more information about configuring ADOMs, see Administrative Domains on page 33.

    admin

    Use the following commands to configure admin related settings.

    admin group

    Use this command to add, edit, and delete admin user groups.

    Syntax

    config system admin group
        edit
            set member
    end

    | Variable | Description |
    |---|---|
    | | Enter the name of the admin group you want to edit. Enter a new name to create a new entry. |
    | member | Enter the name of the member to add to this group. You can add multiple members to the group. Enter question mark (?) to view available members. |

    Use the show command to display the current configuration:

    show system admin group

    admin ldap

    Use this command to add, edit, and delete Lightweight Directory Access Protocol (LDAP) users.

    Syntax

    config system admin ldap
        edit
            set server {name_string | ip_string}
            set cnid
            set dn
            set port
            set type {anonymous | regular | simple}
            set username
            set password
            set group
            set filter
            set secure {disable | ldaps | starttls}
            set ca-cert
    end

    | Variable | Description | Default |
    |---|---|---|
    | | Enter the name of the LDAP server you want to edit. Enter a new name to create a new entry. | |
    | server {name_string \| ip_string} | Enter the LDAP server domain name or IP address. | |
    | cnid | Enter common name identifier. | cn |
    | dn | Enter the distinguished name. | |
    | port | Enter the port number for LDAP server communication. | 389 |
    | type {anonymous \| regular \| simple} | Set a binding type: anonymous: Bind using anonymous user search; regular: Bind using username or password and then search; simple: Simple password authentication without search. | simple |
    | username | Enter a username. This variable appears only when type is set to regular. | |
    | password | Enter a password for the username above. This variable appears only when type is set to regular. | |
    | group | Enter an authorization group. The authentication user must be a member of this group (full DN) on the server. | |
    | filter | Enter content for group searching. For example: (&(objectcategory=group)(member=*)) (&(objectclass=groupofnames)(member=*)) (&(objectclass=groupofuniquenames)(uniquemember=*)) (&(objectclass=posixgroup)(memberuid=*)) | |
    | secure {disable \| ldaps \| starttls} | Set the SSL connection type: disable: No SSL connection required; ldaps: Use LDAP over SSL; starttls: Use STARTTLS | |
    | ca-cert | CA certificate name. This variable appears only when secure is set to ldaps or starttls. | |

    Use the show command to display the current configuration:

    show system admin ldap

    admin profile

    Use this command to configure access profiles. In a newly-created access profile, no access is enabled.

    Syntax

    config system admin profile
        edit
            set description
            set scope {adom | global}
            set system-setting {none | read | read-write}
            set adom-switch {none | read | read-write}
            set global-policy-packages {none | read | read-write}
            set global-objects {none | read | read-write}
            set assignment {none | read | read-write}
            set read-passwd {none | read | read-write}
            set device-manager {none | read | read-write}
            set device-config {none | read | read-write}
            set device-op {none | read | read-write}
            set device-profile {none | read | read-write}
            set policy-objects {none | read | read-write}
            set deploy-management {none | read | read-write}
            set config-retrieve {none | read | read-write}
            set term-access {none | read | read-write}
            set adom-policy-packages {none | read | read-write}
            set adom-policy-objects {none | read | read-write}
            set vpn-manager {none | read | read-write}
            set realtime-monitor {none | read | read-write}
            set consistency-check {none | read | read-write}
            set faz-management {none | read | read-write}
            set fgd_center {none | read | read-write}
            set log-viewer {none | read | read-write}
            set report-viewer {none | read | read-write}
            set event-management {none | read | read-write}
            set fgd_center {none | read | read-write}
            set network {none | read | read-write}
            set admin {none | read | read-write}
            set system {none | read | read-write}
            set devices {none | read | read-write}
            set alerts {none | read | read-write}
            set dlp {none | read | read-write}
            set reports {none | read | read-write}
            set logs {none | read | read-write}
            set quar {none | read | read-write}
            set net-monitor {none | read | read-write}
            set vuln-mgmt {none | read | read-write}
    end

    | Variable | Description |
    |---|---|
    | | Edit the access profile. Enter a new name to create a new profile. The pre-defined access profiles are: Super_User: Super user profiles have all system and device privileges enabled. Standard_User: Standard user profiles have no system privileges enabled, but have read/write access for all device privileges. Restricted_User: Restricted user profiles have no system privileges enabled, and have read-only access for all device privileges. |
    | description | Enter a description for this access profile. Enclose the description in quotes if it contains spaces. |
    | scope {adom \| global} | Set the scope for this access profile to either ADOM or Global. |
    | system-setting {none \| read \| read-write} | Configure System Settings permissions for this profile. |
    | adom-switch {none \| read \| read-write} | Configure administrator domain (ADOM) permissions for this profile. |
    | global-policy-packages {none \| read \| read-write} | Configure global policy packages permissions for this profile. |
    | global-objects {none \| read \| read-write} | Configure global objects permissions for this profile. |
    | assignment {none \| read \| read-write} | Configure assignment permissions for this profile. |
    | read-passwd {none \| read \| read-write} | Add the capability to view the authentication password in clear text to this profile. |
    | device-manager {none \| read \| read-write} | Configure Device Manager permissions for this profile. |
    | device-config {none \| read \| read-write} | Configure device configuration permissions for this profile. |
    | device-op {none \| read \| read-write} | Add the capability to add, delete, and edit devices to this profile. |
    | device-profile {none \| read \| read-write} | Configure device profile permissions for this profile. |
    | policy-objects {none \| read \| read-write} | Configure policy objects permissions for this profile. |
    | deploy-management {none \| read \| read-write} | Configure deployment management configuration permissions for this profile. |
    | config-retrieve {none \| read \| read-write} | Configure configuration retrieve permissions for this profile. |
    | term-access {none \| read \| read-write} | Configure terminal access permissions for this profile. |
    | adom-policy-packages {none \| read \| read-write} | Configure ADOM policy packages permissions for this profile. |
    | adom-policy-objects {none \| read \| read-write} | Configure ADOM policy objects permissions for this profile. |
    | vpn-manager {none \| read \| read-write} | Configure VPN manager permissions for this profile. |
    | realtime-monitor {none \| read \| read-write} | Configure Drill Down configuration permissions for this profile. |
    | consistency-check {none \| read \| read-write} | Configure consistency check permissions for this profile. |
    | faz-management {none \| read \| read-write} | Configure FortiAnalyzer configuration management permissions for this profile. |
    | fgd_center {none \| read \| read-write} | Set the FortiGuard Center permission. |
    | log-viewer {none \| read \| read-write} | Configure log viewer permissions for this profile. |
    | report-viewer {none \| read \| read-write} | Configure report viewer permissions for this profile. |
    | event-management {none \| read \| read-write} | Configure event management permissions for this profile. |
    | fgd_center {none \| read \| read-write} | Configure FortiGuard Center permissions for this profile. |
    | network {none \| read \| read-write} | CLI command is not in use. |
    | admin {none \| read \| read-write} | CLI command is not in use. |
    | system {none \| read \| read-write} | CLI command is not in use. |
    | devices {none \| read \| read-write} | CLI command is not in use. |
    | alerts {none \| read \| read-write} | CLI command is not in use. |
    | dlp {none \| read \| read-write} | CLI command is not in use. |
    | reports {none \| read \| read-write} | CLI command is not in use. |
    | logs {none \| read \| read-write} | CLI command is not in use. |
    | quar {none \| read \| read-write} | CLI command is not in use. |
    | net-monitor {none \| read \| read-write} | CLI command is not in use. |
    | vuln-mgmt {none \| read \| read-write} | CLI command is not in use. |

    Use the show command to display the current configuration:

    show system admin profile
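An added example, not part of the FortiAnalyzer documentation: a Python script that parses the config/edit/set/next/end layout of a backed-up configuration file, checks an edited copy before execute restore all-settings (header line untouched, which settings changed), and flags the admin ldap, admin profile and admin user values described above. The sample file, its header line and the names corp-ldap and helpdesk are constructed, and the file layout is assumed to match the show output printed on this page.

```python
import shlex

def parse_config(text):
    """Parse config/edit/set/next/end lines into nested dicts; line 1 is the header."""
    root = node = {}
    stack = []
    for line in text.splitlines()[1:]:
        # shlex honours "...", '...' and backslash escapes, as the CLI string rules do
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            stack.append(node)
            node = node.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set" and len(tok) > 1:
            node[tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end") and stack:
            node = stack.pop()
    return root

def flatten(node, path=()):
    """Yield (path, value) for every set line: (table, entry, variable)."""
    for key, val in node.items():
        if isinstance(val, dict):
            yield from flatten(val, path + (key,))
        else:
            yield path + (key,), val

def review_edit(original, edited):
    """Pre-restore check: is the header line intact, and which settings changed?"""
    header_ok = original.splitlines()[0] == edited.splitlines()[0]
    before = dict(flatten(parse_config(original)))
    after = dict(flatten(parse_config(edited)))
    changed = sorted(p for p in before.keys() | after.keys()
                     if before.get(p) != after.get(p))
    return header_ok, changed

def audit(cfg):
    """Flag admin settings that this page documents as widening access."""
    findings = []
    for name, srv in cfg.get("system admin ldap", {}).items():
        if srv.get("secure") == "disable":
            findings.append(f"ldap {name}: secure disable, no SSL to the LDAP server")
        elif "secure" not in srv:  # default is not given on the page, so ask for a check
            findings.append(f"ldap {name}: secure not set in file, confirm with show")
    for name, prof in cfg.get("system admin profile", {}).items():
        if prof.get("read-passwd", "none") != "none":
            findings.append(f"profile {name}: read-passwd allows clear-text password view")
    for name, user in cfg.get("system admin user", {}).items():
        if user.get("profileid") == "Super_User":
            findings.append(f"user {name}: Super_User, all system and device privileges")
        if "password" in user and not user["password"].startswith("ENC "):
            findings.append(f"user {name}: password in file lacks the ENC prefix")
    return findings

# Constructed sample backup; the header line is a placeholder, not a real one.
SAMPLE_BACKUP = """\
#constructed-header model=PLACEHOLDER firmware=PLACEHOLDER
config system admin ldap
    edit "corp-ldap"
        set secure ldaps
    next
end
config system admin profile
    edit "helpdesk"
        set read-passwd read
    next
end
config system admin user
    edit "user1"
        set password ENC CONSTRUCTEDVALUE
        set profileid "Standard_User"
    next
end
"""
# Constructed edit: weakens the LDAP transport and promotes user1.
SAMPLE_EDITED = (SAMPLE_BACKUP.replace("secure ldaps", "secure disable")
                 .replace('"Standard_User"', '"Super_User"'))

if __name__ == "__main__":
    print(review_edit(SAMPLE_BACKUP, SAMPLE_EDITED), audit(parse_config(SAMPLE_EDITED)))
```

The backup file carries the ENC password values and the LDAP settings, and the FTP example sends it together with the myid/mypass credentials unencrypted; the SCP and SFTP targets the page also lists protect both in transit.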

  • admin radius

    Use this command to add, edit, and delete administration RADIUS servers.

    Syntax

    config system admin radius
        edit
            set auth-type
            set nas-ip
            set port
            set secondary-secret
            set secondary-server
            set secret
            set server
    end

    Use the show command to display the current configuration:

    show system admin radius

    | Variable | Description | Default |
    |---|---|---|
    | | Enter the name of the server you want to edit. Enter a new name to create a new entry. | |
    | auth-type | Enter the authentication protocol the RADIUS server will use: any: Use any supported authentication protocol; mschap2: MSCHAPv2; chap: CHAP; pap: PAP | |
    | nas-ip | Enter the NAS IP address. | |
    | port | Enter the RADIUS server port number. Default: 1812 | 1812 |
    | secondary-secret | Enter the server secret (password) to access the RADIUS secondary-server. | |
    | secondary-server | Enter the RADIUS secondary-server DNS resolvable domain name or IP address. | |
    | secret | Enter the server secret (password) to access the RADIUS server. | |
    | server | Enter the RADIUS server DNS resolvable domain name or IP address. | |

  • admin setting

    Use this command to configure system administration settings, including web administration ports, timeout, and language.

    Syntax

    config system admin setting
        set access-banner {enable | disable}
        set admin_server_cert
        set banner-message
        set http_port
        set https_port
        set idle_timeout
        set show-add-multiple {enable | disable}
        set show-device-import-export {enable | disable}
        set unreg_dev_opt {add_allow_service | add_no_service}
        set webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}
    end

    | Variable | Description | Default |
    |---|---|---|
    | access-banner {enable \| disable} | Enable or disable the access banner. | disable |
    | admin_server_cert | Enter the name of an HTTPS server certificate to use for secure connections. FortiAnalyzer has the following certificates pre-loaded: server.crt, Fortinet_Local | |
    | banner-message | Enter a banner message. Maximum of 255 characters. | |
    | http_port | Enter the HTTP port number for web administration. | 80 |
    | https_port | Enter the HTTPS port number for web administration. | 443 |
    | idle_timeout | Enter the idle timeout value. The range is from 1 to 480 minutes. | 5 |

    show-add-multiple {enable | disable}

    Enable or disable show the add multiple button in the Web-base