FortiOS™ Handbook - CLI Reference VERSION 6.0.4


  • FORTINET DOCUMENT LIBRARY
    https://docs.fortinet.com

    FORTINET VIDEO GUIDE
    https://video.fortinet.com

    FORTINET KNOWLEDGE BASE
    http://kb.fortinet.com

    FORTINET BLOG
    https://blog.fortinet.com

    CUSTOMER SERVICE & SUPPORT
    https://support.fortinet.com

    FORTINET COOKBOOK
    http://cookbook.fortinet.com

    FORTINET NSE INSTITUTE (TRAINING)
    https://training.fortinet.com/

    FORTIGUARD CENTER
    https://fortiguard.com

    FORTICAST
    http://forticast.fortinet.com

    END USER LICENSE AGREEMENT AND PRIVACY POLICY
    https://www.fortinet.com/doc/legal/EULA.pdf
    https://www.fortinet.com/corporate/about-us/privacy.html

    FEEDBACK
    Email: [email protected]

    March 15, 2019
    FortiOS™ Handbook - CLI Reference
    01-604-481104-20190315

  • TABLE OF CONTENTS

    Change log 25
    How this guide is organized 26
    Availability of commands and options 26
    Disclaimer: CLI syntax parameter format 27
    Managing firmware with the FortiGate BIOS 28
    Accessing the BIOS 28
    Navigating the menu 28
    Loading firmware 28
    Configuring TFTP parameters 29
    Initiating TFTP firmware transfer 29
    Booting the backup firmware 30
    Using the CLI 31
    Connecting to the CLI 31
    Connecting to the CLI using a local console 31
    Enabling access to the CLI through the network (SSH or Telnet) 32
    Connecting to the CLI using SSH 33
    Connecting to the CLI using Telnet 34
    Command syntax 35
    Terminology 35
    Indentation 35
    Notation 37
    Optional values and ranges 39
    Sub-commands 39
    Example of table commands 41
    Permissions 43
    Increasing the security of administrator accounts 43
    Tips 43
    config 51
    alertemail 52
    alertemail setting 52
    antivirus 54
    antivirus heuristic 54
    antivirus profile 55
    antivirus quarantine 70
    antivirus settings 75
    application 77
    application custom 77
    application list 79
    application name 86
    application rule-settings 87
    authentication 89
    authentication rule 89
    authentication scheme 92
    authentication setting 95
    aws 97
    aws setting 97
    certificate 98
    certificate ca 98
    certificate crl 101
    certificate local 104
    dlp 109
    dlp filepattern 109
    dlp fp-doc-source 113
    dlp fp-sensitivity 116
    dlp sensor 117
    dlp settings 123
    dnsfilter 125
    dnsfilter domain-filter 125
    dnsfilter profile 126
    config domain-filter 129
    config ftgd-dns 129
    config filters 130
    endpoint-control 131
    endpoint-control forticlient-ems 131
    endpoint-control forticlient-registration-sync 132
    endpoint-control profile 133
    config forticlient-winmac-settings 141
    config forticlient-operating-system 144
    config forticlient-running-app 145
    config forticlient-registry-entry 145
    config forticlient-own-file 145
    config forticlient-android-settings 145
    config forticlient-vpn-settings 146
    config forticlient-ios-settings 147
    config client-vpn-settings 148
    endpoint-control settings 149
    extender-controller 152
    extender-controller extender 152
    firewall 157
    firewall {acl | acl6} 159
    firewall {address | address6} 163
    firewall address6-template 179
    firewall {addrgrp | addgrp6} 180
    firewall auth-portal 187
    firewall carrier-endpoint-bwl 187
    firewall central-snat-map 188
    firewall dnstranslation 190
    firewall {DoS-policy | DoS-policy6} 191
    firewall gtp 194
    firewall identity-based-route 203
    firewall {interface-policy | interface-policy6} 204
    firewall internet-service 208
    firewall internet-service-custom 209
    firewall internet-service-custom-group 211
    firewall internet-service-group 211
    firewall ipmacbinding setting 212
    firewall ipmacbinding table 213
    firewall {ippool | ippool6} 214
    firewall ip-translation 217
    firewall ipv6-eh-filter 218
    firewall ldb-monitor 218
    firewall {local-in-policy | local-in-policy6} 219
    firewall mms-profile 221
    History 222
    firewall {multicast-address | multicast-address6} 230
    firewall {multicast-policy | multicast-policy6} 231
    firewall {policy | policy6} 233
    History 234
    firewall {policy46 | policy64} 283
    History 284
    firewall profile-group 287
    firewall profile-protocol-options 288
    History 288
    firewall proxy-address 293
    firewall proxy-addrgrp 295
    firewall proxy-policy 296
    History 296
    firewall schedule group 301
    firewall schedule onetime 304
    firewall schedule recurring 308
    firewall service category 309
    firewall service custom 312
    firewall service group 324
    firewall shaper per-ip-shaper 325
    firewall shaper traffic-shaper 326
    firewall shaping-policy 327
    History 327
    firewall shaping-profile 330
    History 330
    firewall sniffer 331
    firewall ssh host-key 333
    History 333
    firewall ssh local-ca 334
    History 335
    firewall ssh local-key 335
    History 336
    firewall ssh setting 336
    History 337
    firewall ssl setting 337
    firewall ssl-server 339
    History 339
    firewall ssl-ssh-profile 342
    History 342
    firewall ttl-policy 350
    firewall {vip | vip6} 351
    firewall {vip46 | vip64} 387
    firewall {vipgrp | vipgrp6} 391
    firewall {vipgrp46 | vipgrp64} 392
    firewall wildcard-fqdn custom 393
    History 394
    firewall wildcard-fqdn group 394
    History 394
    ftp-proxy 396
    ftp-proxy explicit 396
    icap 399
    icap profile 399
    icap server 402
    ips 404
    ips custom 404
    ips decoder 407
    ips global 407
    ips rule 412
    ips rule-settings 415
    ips sensor 415
    ips settings 421
    log 423
    log {azure-security-center | azure-security-center2} filter 424
    log {azure-security-center | azure-security-center2} setting 426
    log custom-field 427
    log disk filter 427
    log disk setting 429
    log eventfilter 431
    log fortianalyzer override-filter 433
    log fortianalyzer override-setting 434
    log {fortianalyzer | fortianalyzer2 | fortianalyzer3} filter 435
    log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting 436
    log fortiguard filter 438
    log fortiguard override-filter 439
    log fortiguard override-setting 440
    log fortiguard setting 440
    log gui-display 441
    History 441
    log memory filter 443
    log memory global-setting 444
    log memory setting 444
    log null-device filter 445
    log null-device setting 446
    log setting 446
    log syslogd override-filter 447
    log syslogd override-setting 448
    log {syslogd | syslogd2 | syslogd3 | syslogd4} filter 449
    log {syslogd | syslogd2 | syslogd3 | syslogd4} setting 450
    log threat-weight 453
    History 453
    log webtrends filter 461
    log webtrends setting 462
    monitoring 463
    np6-ipsec-engine 463
    History 463
    report 465
    report chart 465
    report dataset 469
    report layout 471
    report setting 475
    History 475
    report style 476
    report theme 477
    router 480
    router {access-list | access-list6} 481
    router aspath-list 483
    router auth-path 484
    router bfd 485
    router bgp 485
    config admin-distance 499
    config aggregate-address, config aggregate-address6 499
    config neighbor 500
    config neighbor-group 506
    config neighbor-range, config neighbor-range6 513
    config network, config network6 513
    config redistribute, config redistribute6 {connected | isis | static | rip | ospf} 513
    router community-list 515
    router isis 516
    History 516
    config isis-interface 525
    config {redistribute | redistribute6} {bgp | connected | ospf | rip | static} 525
    config {summary-address | summary-address6} 526
    router key-chain 526
    router multicast 528
    config interface 532
    config pim-sm-global 535
    router multicast6 538
    config interface 539
    router multicast-flow 539
    router {ospf | ospf6} 540
    config router ospf 553
    config area 553
    config distribute-list 560
    config neighbor 561
    config network 562
    config ospf-interface 563
    config redistribute 568
    config summary-address 569
    router {policy | policy6} 570
    router {prefix-list | prefix-list6} 574
    router rip 576
    History 576
    config distance 581
    config distribute-list 582
    config interface 584
    config neighbor 586
    config network 586
    config offset-list 587
    config redistribute 588
    router ripng 589
    config aggregate-address 593
    config distance 593
    config distribute-list 594
    config interface 595
    config neighbor 595
    config offset-list 596
    config redistribute 597
    router route-map 598
    History 598
    config rule variables 601
    Using route maps with BGP 604
    config rule variables 604
    router setting 608
    router {static | static6} 609
    History 610
    spamfilter 614
    spamfilter bwl 614
    For SMTP 614
    For POP3 and IMAP 615
    For SMTP, POP3, and IMAP using the email address 615
    For SMTP, POP3, and IMAP using the IP address 615
    spamfilter bword 618
    For SMTP 618
    For POP3 and IMAP 619
    For SMTP, POP3, and IMAP 619
    spamfilter dnsbl 621
    For SMTP 622
    For POP3 and IMAP 622
    For SMTP, POP3, and IMAP 622
    spamfilter fortishield 624
    For SMTP 624
    For POP3 and IMAP 624
    For SMTP, POP3, and IMAP 624
    spamfilter iptrust 625
    spamfilter mheader 627
    For SMTP 627
    For POP3 and IMAP 627
    For SMTP, POP3, and IMAP 627
    spamfilter options 629
    spamfilter profile 630
    config {imap | imaps | mapi | pop3 | pop3s | smtp | smtps} 633
    ssh-filter 635
    ssh-filter profile 635
    History 635
    switch-controller 637
    switch-controller 802-1X-settings 638
    History 638
    switch-controller custom-command 638
    switch-controller global 639
    History 639
    switch-controller igmp-snooping 640
    switch-controller lldp-profile 641
    switch-controller lldp-settings 642
    switch-controller mac-sync-settings 643
    switch-controller managed-switch 643
    config mirror 653
    config ports 653
    switch-controller qos dot1p-map 655
    switch-controller qos ip-dscp-map 657
    switch-controller qos qos-policy 659
    switch-controller qos queue-policy 659
    switch-controller security-policy 802-1X 660
    History 660
    switch-controller security-policy captive-portal 663
    switch-controller sflow 663
    History 664
    switch-controller storm-control 665
    switch-controller stp-settings 666
    switch-controller switch-group 667
    switch-controller switch-interface-tag 667
    History 668
    switch-controller switch-log 668
    switch-controller switch-profile 669
    switch-controller system 670
    History 670
    switch-controller virtual-port-pool 671
    History 672
    switch-controller vlan 672
    system 674
    system 3g-modem custom 678
    system accprofile 678
    History 678
    Access Level 684
    system admin 690
    History 690
    system affinity-interrupt 699
    system affinity-packet-redistribution 700
    system alarm 700
    system alias 701
    command 702
    system api-user 703
    system arp-table 704
    system auto-install 704
    system auto-script 705
    system automation-action 705
    History 706
    system automation-destination 708
    History 708
    system automation-stitch 709
    History 709
    system automation-trigger 710
    History 710
    system autoupdate push-update 712
    system autoupdate schedule 712
    system autoupdate tunneling 713
    system bypass 713
    system central-management 714
    system cluster-sync 717
    system console 721
    system csf 722
    History 722
    system custom-language 725
    system ddns 726
    system dedicated-mgmt 727
    system {dhcp server | dhcp6 server} 728
    History 728
    system dnp3-proxy 741
    system dns 741
    system dns-database 743
    system dns-server 744
    system dscp-based-priority 745
    system email-server 745
    system external-resource 747
    History 747
    system fips-cc 748
    system fm 748
    system fortiguard 749
    History 749
    system fortimanager 755
    system fortisandbox 755
    system fsso-polling 757
    system ftm-push 757
    system geoip-override 757
    system global 759
    system gre-tunnel 794
    History 794
    system ha 795
    History 795
    config secondary-vcluster 815
    system ha-monitor 815
    system interface 816
    History 816
    Aggregate and redundant interface options 854
    system ipip-tunnel 856
    system {ips-urlfilter-dns | ips-urlfilter-dns6} 856
    History 856
    system ipv6-neighbor-cache 857
    system ipv6-tunnel 858
    system link-monitor 858
    History 858
    system lte-modem 862
    system mac-address-table 862
    system management-tunnel 863
    system mobile-tunnel 865
    system modem 866
    system nat64 869
    History 869
    system nd-proxy 870
    History 870
    system netflow 871
    system network-visibility 871
    system np6 872
    History 872
    Optimizing FortiGate-3960E and 3980E IPsec VPN performance 882
    system npu 882
    History 883
    sw-np-bandwidth {0G | 2G | 4G | 5G | 6G} 887
    Supporting single large traffic streams 887
    system ntp 889
    system object-tagging 890
    system password-policy 891
    system password-policy-guest-admin 893
    system physical-switch 893
    system pppoe-interface 895
    system probe-response 896
    system proxy-arp 896
    system replacemsg admin 897
    system replacemsg alertmail 899
    alertmail message types 900
    system replacemsg auth 902
    auth message types 903
    Requirements for login page 906
    system replacemsg device-detection-portal 906
    system replacemsg ec 907
    system replacemsg fortiguard-wf 909
    fortiguard-wf message types 910
    system replacemsg ftp 910
    ftp message types 911
    system replacemsg http 913
    http message types 914
    system replacemsg mail 917
    mail message types 918
    system replacemsg nac-quar 920
    nac-quar message types 921
    system replacemsg nntp 921
    nntp message types 922
    system replacemsg spam 923
    spam message types 924
    system replacemsg sslvpn 926
    system replacemsg traffic-quota 927
    system replacemsg utm 928
    utm message types 929
    system replacemsg webproxy 930
    system replacemsg-group 932
    History 932
    config {auth | ec | fortiguard-wf | ftp | http | icap | mail | mm1 | mm3 | mm4 | mm7 | nntp | spam} 941
    system replacemsg-image 942
    system resource-limits 942
    system sdn-connector 947
    History 947
    system session-helper 951
    system session-ttl 953
    system settings 955
    History 956
    system sflow 968
    system sit-tunnel 969
    system sms-server 971
    system snmp community 971
    system snmp sysinfo 974
    system snmp user 974
    system storage 977
    History 977
    system stp 978
    system switch-interface 979
    system tos-based-priority 981
    system vdom 982
    system vdom-dns 982
    system vdom-exception 983
    History 984
    Different FortiAnalyzer settings for each SLBC worker 985
    Different FortiAnalyzer settings for each worker and for the root VDOM of each worker 985
    system vdom-link 985
    system vdom-netflow 986
    system vdom-property 986
    system vdom-radius-server 987
    system vdom-sflow 988
    system virtual-switch 988
    system virtual-wan-link 989
    Status checking or health checking 999
    config service 1001
    system virtual-wire-pair 1002
    History 1002
    system vxlan 1003
    system wccp 1004
    WCCP router mode 1006
    WCCP client mode 1007
    system wireless ap-status 1009
    system wireless settings 1009
    system zone 1011
    user 1012
    Configuring users for authentication 1012
    user adgrp 1014
    user device 1015
    History 1015
    user device-access-list 1018
    user device-category 1020
    user device-group 1020
    user domain-controller 1021
    History 1022
    user fortitoken 1022
    user fsso 1024
    History 1024
    user fsso-polling 1026
    user group 1028
    user krb-keytab 1034
    user ldap 1035
    user local 1040
    History 1041
    user password-policy 1045
    user peer 1046
    user peergrp 1049
    user pop3 1050
    user quarantine 1052
    History 1052
    user radius 1053
    History 1054
    user security-exempt-list 1064
    user setting 1066
    History 1066
    user tacacs+ 1070
    voip 1074
    voip profile 1074
    vpn 1093
    vpn certificate ca 1094
    vpn certificate crl 1096
    vpn certificate local 1099
    History 1099
    vpn certificate ocsp-server 1104
    vpn certificate remote 1105
    vpn certificate setting 1106
    vpn ipsec concentrator 1109
    vpn ipsec forticlient 1110
    vpn ipsec {manualkey-interface | manualkey} 1111
    vpn ipsec {phase1-interface | phase1} 1118
    History 1119
    vpn ipsec {phase2-interface | phase2} 1159
    History 1159
    vpn l2tp 1174
    vpn ocvpn 1174
    History 1175
    vpn pptp 1176
    vpn ssl settings 1176
    History 1176
    vpn ssl web host-check-software 1187
    History 1187
    vpn ssl web portal 1191
    History 1191
    vpn ssl web realm 1206
    vpn ssl web user-bookmark 1207
    History 1207
    vpn ssl web user-group-bookmark 1210
    waf 1217
    waf main-class 1217
    waf profile 1217
    waf signature 1227
    waf sub-class 1227
    wanopt 1228
    wanopt auth-group 1228
    wanopt cache-service 1230
    History 1230
    wanopt content-delivery-network-rule 1231
    History 1231
    wanopt peer 1234
    wanopt profile 1235
    wanopt remote-storage 1242
    History 1242
    wanopt settings 1243
    wanopt webcache 1244
    webfilter 1249
    webfilter content 1249
    webfilter content-header 1250
    webfilter fortiguard 1251
    webfilter ftgd-local-cat 1252
    History 1252
    webfilter ftgd-local-rating 1252
    webfilter ips-urlfilter-cache-setting 1253
    webfilter {ips-urlfilter-setting | ips-urlfilter-setting6} 1253
    History 1253
    webfilter override 1254
    webfilter profile 1255
    History 1255
    webfilter search-engine 1262
    webfilter urlfilter 1262
    History 1263
    web-proxy 1265
    web-proxy debug-url 1265
    web-proxy explicit 1266
    History 1267
    web-proxy forward-server 1273
    web-proxy forward-server-group 1275
    web-proxy global 1277
    History 1277
    web-proxy profile 1280
    History 1280
    web-proxy url-match 1284
    web-proxy wisp 1285
    wireless-controller 1288
    wireless-controller ap-status 1289
    wireless-controller ble-profile 1290
    wireless-controller global 1291
    History 1291
    wireless-controller hotspot20 anqp-3gpp-cellular 1294
    wireless-controller hotspot20 anqp-ip-address-type 1295
    wireless-controller hotspot20 anqp-nai-realm 1296
    wireless-controller hotspot20 anqp-network-auth-type 1298
    wireless-controller hotspot20 anqp-roaming-consortium 1298
    wireless-controller hotspot20 anqp-venue-name 1299
    wireless-controller hotspot20 h2qp-conn-capability 1299
    wireless-controller hotspot20 h2qp-operator-name 1301
    wireless-controller hotspot20 h2qp-osu-provider 1301
    wireless-controller hotspot20 h2qp-wan-metric 1302
    wireless-controller hotspot20 hs-profile 1303
    wireless-controller hotspot20 icon 1307
    wireless-controller hotspot20 qos-map 1307
    wireless-controller setting 1308
    wireless-controller timers 1313
    wireless-controller utm-profile 1316
    History 1316
    wireless-controller vap 1317
    History 1317
    wireless-controller vap-group 1337
    wireless-controller wids-profile 1338
    wireless-controller wtp 1345
    wireless-controller wtp-group 1357
    wireless-controller wtp-profile 1359
    History 1359
    execute 1387
    api-user 1387
    auto-script 1390
    backup 1390
    batch 1395
    bypass-mode 1396
    carrier-license 1396
    central-mgmt 1397
    cfg reload 1397
    cfg save 1398
    clear system arp table 1399
    cli check-template-status 1399
    cli status-msg-only 1399
    date 1399
    dhcp lease-clear 1400
    dhcp lease-list 1400
    dhcp6 lease-clear 1400
    dhcp6 lease-list 1401
    disk 1401
    disk raid 1402
    disconnect-admin-session 1403
    dsscc 1404
    enter 1404
    erase-disk 1404
    extender 1404
    factoryreset 1405
    factoryreset2 1406
    firewall ssh generate local-ca 1406
    History 1406
    firewall ssh generate local-key 1406
    History 1406
    formatlogdisk 1407
    forticarrier-license 1407
    forticlient 1407
    fortiguard-log 1408
    fortitoken 1409
    fortitoken-mobile 1411
    fsso refresh 1411
    ha disconnect 1412
    ha ignore-hardware-revision 1412
    ha manage 1413
    ha set-priority 1414
    ha synchronize 1414
    interface dhcp6client-renew 1414
    interface dhcpclient-renew 1415
    interface pppoe-reconnect 1415
    log backup 1415
    log delete 1416
    log delete-all 1416
    log detail 1416
    log display 1416
    log filter 1417
    log flush-cache 1418
    log flush-cache-all 1418
    log fortianalyzer test-connectivity 1418
    log fortiguard test-connectivity 1419
    log list 1419
    log roll 1419
    log upload 1420
    log upload-progress 1420
    lte-modem 1420
    modem dial 1423
    modem hangup 1424
    modem trigger 1424
    mrouter clear 1424
    nsx 1425
    pbx 1425
    ping 1427
    ping6 1428
    ping-options, ping6-options 1428
    policy-packet-capture delete-all 1431
    reboot 1432
    replace device 1432
    report 1432
    restore 1433
    History 1433
    revision 1439
    router clear bfd session 1440
    router clear bgp 1440
    router clear ospf process 1441
    router restart 1441
    sdn tag nsx 1441
    History 1441
    send-fds-statistics 1442
    sensor detail 1442
    sensor list 1443
    set system session filter 1444
    set-next-reboot 1446
    shutdown 1447
    ssh 1447
    switch-controller 1448
    History 1448
    sync-session 1455
    system custom-language import 1455
    system fortisandbox test-connectivity 1455
    tac report 1456
    telnet 1456
    time 1456
    traceroute 1457
    tracert6 1457
    update-av 1458
    update-geo-ip 1458
    update-ips 1458
    update-list 1459
    update-now 1459
    update-src-vis 1459
    upd-vd-license 1459
    upload 1460
    usb-device 1461
    usb-disk 1462
    vpn certificate ca 1462
    vpn certificate crl 1463
    vpn certificate local export 1464
    vpn certificate local generate 1464
    History 1464
    vpn certificate local import 1468
    vpn certificate remote 1468
    vpn ipsec tunnel down 1469
    vpn ipsec tunnel up 1469
    vpn sslvpn del-all 1469
    vpn sslvpn del-tunnel 1470
    vpn sslvpn del-web 1470
    vpn sslvpn list 1470
    webcache 1470
    History 1470
    webfilter quota-reset 1471
    wireless-controller delete-wtp-image 1471
    wireless-controller hs20-icon 1472
    wireless-controller led-blink 1473
    History 1473
    wireless-controller restart-stad 1473
    wireless-controller reset-wtp 1474
    wireless-controller restart-acd 1474
    wireless-controller restart-stad 1474
    wireless-controller restart-wtpd 1474
    wireless-controller upload-wtp-image 1475
    get 1476
    application internet-service status 1476
    application internet-service-summary 1476
    certificate 1476
    extender modem-status 1477
    extender sys-info 1478
    firewall dnstranslation 1478
    firewall iprope appctrl 1478
    firewall iprope list 1478
    firewall proute, proute6 1479
    firewall service custom 1479
    firewall shaper 1480
    grep 1481
    gui console status 1481
    hardware cpu 1482
    hardware memory 1483
    hardware nic 1483
    hardware npu 1484
    hardware status 1487
    ips decoder status 1487
    ips rule status 1488
    ips session 1488
    ips view-map 1489
    ipsec tunnel 1489
    mgmt-data status 1490
    router info bfd neighbor 1490
    router info bgp 1490
    router info isis 1493
    router info kernel 1493
    router info multicast 1493
    router info ospf 1495
    router info protocols 1497
    router info rip 1498
    router info routing-table 1498
    router info vrrp 1499
    router info6 bgp 1499
    router info6 interface 1500
    router info6 kernel 1501
    router info6 ospf 1501
    router info6 protocols 1501
    router info6 rip 1501
    router info6 routing-table 1502
    switch-controller poe 1502
    system admin list 1502
    system admin status 1503
    system arp 1504
    system auto-update 1504
    system central-management 1504
    system checksum 1505
    system cmdb status 1505
    system fortianalyzer-connectivity 1506
    system fortiguard-log-service status 1506
    system fortiguard-service status 1507
    system ha-nonsync-csum 1507
    system ha status 1507
    system info admin status 1510
    system info admin ssh 1511
    system interface physical 1511
    system ip-conflict status 1512
    system mgmt-csum 1512
    system performance firewall 1512
    system performance status 1513
    History 1514
    system performance top 1515
    system session list 1515
    system session status 1516
    system session-helper-info list 1517
    system session-info 1518
    system source-ip 1519
    system startup-error-log 1519
    system stp list 1519
    system status 1519
    History 1520
    test 1521
    user adgrp 1522
    vpn certificate 1523
    vpn ike gateway 1523
    vpn ipsec tunnel details 1523
    vpn ipsec tunnel name 1523
    vpn ipsec tunnel summary 1524
    vpn ipsec stats crypto 1524
    vpn ipsec stats tunnel 1525
    vpn ssl monitor 1525
    vpn status l2tp 1525
    vpn status pptp 1525
    vpn status ssl 1526
    webfilter categories 1526
    webfilter ftgd-statistics 1527
    webfilter status 1528
    wireless-controller client-info 1528
    wireless-controller rf-analysis 1529
    wireless-controller scan 1530
    wireless-controller spectral-info 1530
    wireless-controller status 1530
    wireless-controller vap-status 1530
    wireless-controller wlchanlistlic 1531
    wireless-controller wtp-status 1533
    tree 1535

  • Change log

    Date                Change description
    March 15, 2019      Minor updates.
    January 9, 2019     FortiOS 6.0.4 document release. Minor updates.
    November 16, 2018   Added more information about using SCP to admin-scp {enable | disable} on page 775.
    October 10, 2018    FortiOS 6.0.3 document release. Minor updates.
    August 22, 2018     Minor updates.
    July 26, 2018       FortiOS 6.0.2 document release. Minor updates.
    July 10, 2018       Minor update.
    June 5, 2018        FortiOS 6.0.1 document release. Minor updates.
    April 30, 2018      Minor updates and fixes throughout.
    March 29, 2018      FortiOS 6.0 document release. Minor updates.

    CLI Reference for FortiOS 6.0.4 Fortinet Technologies Inc.

    25

  • This document describes FortiOS 6.0 CLI commands used to configure and manage a FortiGate unit from the command line interface (CLI).

    Before now, our focus was on documenting the most commonly used CLI commands, or those commands that required more explanation. Therefore, some commands have Supplemental Information sections below the CLI syntax that dive into a little extra detail.

    The CLI syntax is created by processing a schema of a particular build of FortiOS 6.0, and reformatting the resulting CLI output into content that resembles the output found in the CLI console.

    In addition, we will continue to improve the supplemental information, and have an HTML version up soon, accessible from http://cli.fortinet.com.

    If you have comments on this content, its format, or requests for commands that are not included, contact us at [email protected].

    How this guide is organized

    This document contains the following sections:

    Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate unit boot-up.

    Using the CLI describes how to connect to the CLI and some basics of how it works.

    config describes the commands for each configuration branch of the FortiOS CLI.

    execute describes execute commands.

    get describes get commands.

    tree describes the tree command.

    Any new changes to commands since the release of FortiOS 6.0 will be shown at the top of each command.

    Availability of commands and options

    Some FortiOS™ CLI commands and options are not available on all FortiGate units. The CLI displays an error message if you attempt to enter a command or option that is not available. You can use the question mark ‘?’ to verify the commands and options that are available.

    Commands and options may not be available for the following reasons:

    FortiGate model

    Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support the aggregate interface type option of the config system interface command.

    Hardware configuration

    For example, some AMC module commands are only available when an AMC module is installed.


    FortiOS Carrier, FortiGate Voice, FortiWiFi, etc.

    Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes commands that are only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.

    Disclaimer: CLI syntax parameter format

    For the time being, all CLI commands in this guide display their syntax parameters with braces, or { }. This is a departure from previous versions of the CLI Reference, which used the following criteria:

    < > - Used for variables

    { } - Used for multiple settings

    [ ] - Used for settings that are optional

    See below for an example:

    Current syntax format:

        config alertemail setting
            set username {string}
            ...

    Traditional syntax format:

        config alertemail setting
            set username <string>
            ...

    We will attempt to reintroduce the traditional formatting for all CLI commands and their syntaxes.


  • Managing firmware with the FortiGate BIOS

    FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-based manager or by using the CLI execute restore command. From the console, you can also interrupt the FortiGate unit’s boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.

    Using the BIOS, you can:

    - view system information
    - format the boot device
    - load firmware and reboot
    - reboot the FortiGate unit from the backup firmware, which then becomes the default firmware

    Accessing the BIOS

    The BIOS menu is available only through a direct connection to the FortiGate unit’s Console port. During boot-up, “Press any key” appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS menu appears. If you are too late, the boot-up process continues as usual.

    Navigating the menu

    The main BIOS menu looks like this:

        [C]: Configure TFTP parameters
        [R]: Review TFTP paramters
        [T]: Initiate TFTP firmware transfer
        [F]: Format boot device
        [I]: System Information
        [B]: Boot with backup firmare and set as default
        [Q]: Quit menu and continue to boot
        [H]: Display this list of options

        Enter C,R,T,F,I,B,Q,or H:

    Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An option value in square brackets at the end of the “Enter” line is the default value, which you can enter simply by pressing Return. For example,

        Enter image download port number [WAN1]:

    In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.

    Loading firmware

    The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface. You need to know the IP address of the server and the name of the firmware file to download.


    The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the downloaded firmware without saving it.

    Configuring TFTP parameters

    Starting from the main BIOS menu

        [C]: Configure TFTP parameters.

    Selecting the VLAN (if VLANs are used)

        [V]: Set local VLAN ID.

    Choose port and whether to use DHCP

        [P]: Set firmware download port.

    The options listed depend on the FortiGate model. Choose the network interface through which the TFTP server can be reached. For example:

        [0]: Any of port 1 - 7
        [1]: WAN1
        [2]: WAN2
        Enter image download port number [WAN1]:

        [D]: Set DHCP mode.
        Please select DHCP setting
        [1]: Enable DHCP
        [2]: Disable DHCP

    If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].

    Non-DHCP steps

        [I]: Set local IP address.
        Enter local IP address [192.168.1.188]:

    This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same subnet to which the network interface connects.

        [S]: Set local subnet mask.
        Enter local subnet mask [255.255.252.0]:

        [G]: Set local gateway.

    The local gateway IP address is needed only if the TFTP server is on a different subnet from the one to which the FortiGate unit is connected.

    TFTP and filename

        [T]: Set remote TFTP server IP address.
        Enter remote TFTP server IP address [192.168.1.145]:

        [F]: Set firmware file name.
        Enter firmware file name [image.out]:

    Enter [Q] to return to the main menu.

    Initiating TFTP firmware transfer

    Starting from the main BIOS menu

        [T]: Initiate TFTP firmware transfer.


        Please connect TFTP server to Ethernet port 'WAN1'.
        MAC: 00:09:0f:b5:55:28
        Connect to tftp server 192.168.1.145 ...
        ##########################################################
        Image Received.
        Checking image... OK
        Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

    After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the firmware is copied:

        Programming the boot device now..........................................
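    The TFTP parameters above are typed by hand at a console prompt and TFTP itself carries no authentication or integrity check, so it is worth checking both the values and the image before starting the transfer. The following is an added example, not code from the CLI Reference or from Fortinet: it encodes this page's rule that a gateway is needed only when the TFTP server is on another subnet, lists the menu keys to enter in the order the page gives them, and compares the image against a SHA-256 digest obtained separately. TftpBootParams, validate_params, menu_entries and image_matches are names of this example, not FortiOS commands; the defaults come from the prompts on this page and the digest values are constructed.

```python
# Added example (not from the FortiOS CLI Reference): check the BIOS TFTP
# parameters described above before entering them at the console, and check
# the firmware image against a known SHA-256 digest. TFTP itself carries no
# authentication or integrity check, so the digest comparison is the only
# control on what the BIOS will write to the boot device.
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TftpBootParams:
    """One value per BIOS submenu item under [C]: Configure TFTP parameters."""
    local_ip: str                  # [I] Set local IP address
    subnet_mask: str               # [S] Set local subnet mask
    tftp_server: str               # [T] Set remote TFTP server IP address
    firmware_file: str             # [F] Set firmware file name
    gateway: Optional[str] = None  # [G] Set local gateway (only across subnets)


# The defaults shown by the BIOS prompts on this page; used as a smoke test.
PAGE_DEFAULTS = TftpBootParams("192.168.1.188", "255.255.252.0",
                               "192.168.1.145", "image.out")


def validate_params(p: TftpBootParams) -> List[str]:
    """Return the problems found; an empty list means the values are consistent."""
    problems: List[str] = []
    try:
        local = ipaddress.IPv4Address(p.local_ip)
        server = ipaddress.IPv4Address(p.tftp_server)
        net = ipaddress.IPv4Network(f"{p.local_ip}/{p.subnet_mask}", strict=False)
    except ValueError as exc:
        return [f"malformed address or mask: {exc}"]

    if local in (net.network_address, net.broadcast_address):
        problems.append("local IP is the network or broadcast address")
    if server == local:
        problems.append("TFTP server IP is the same as the local IP")

    if server not in net:
        # Page rule: the gateway is needed only when the TFTP server is on a
        # different subnet from the interface the FortiGate unit uses.
        if p.gateway is None:
            problems.append("TFTP server is on another subnet but no gateway is set")
        else:
            try:
                gw = ipaddress.IPv4Address(p.gateway)
            except ValueError:
                problems.append("gateway is not a valid IPv4 address")
            else:
                if gw not in net or gw == local:
                    problems.append("gateway is not a usable address on the local subnet")

    # The BIOS prompt takes a bare file name, not a path.
    if not p.firmware_file or "/" in p.firmware_file or "\\" in p.firmware_file:
        problems.append("firmware file name must be a bare file name")
    return problems


def menu_entries(p: TftpBootParams) -> List[Tuple[str, str]]:
    """The (key, value) pairs to enter, in the order the page presents them."""
    entries = [("I", p.local_ip), ("S", p.subnet_mask)]
    if p.gateway is not None:
        entries.append(("G", p.gateway))
    entries += [("T", p.tftp_server), ("F", p.firmware_file)]
    return entries


def image_digest(data: bytes) -> str:
    """SHA-256 of the image bytes as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def image_matches(data: bytes, expected_sha256: str) -> bool:
    """True when the image bytes hash to the expected digest (case-insensitive)."""
    return image_digest(data) == expected_sha256.strip().lower()


def check_image_file(path: str, expected_sha256: str) -> bool:
    """Same check for the image file staged on the TFTP server, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256.strip().lower()


if __name__ == "__main__":
    for problem in validate_params(PAGE_DEFAULTS):
        print("problem:", problem)
    for key, value in menu_entries(PAGE_DEFAULTS):
        print(f"[{key}] -> {value}")
    # Constructed placeholder: an empty image and the digest of empty input.
    print(image_matches(b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
```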

    Booting the backup firmware

    You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.

    Starting from the main BIOS menu

    [B]: Boot with backup firmware and set as default.

    If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:

        Failed to mount filesystem. . .
        Mount back up partition failed.
        Back up image open failed.
        Press 'Y' or 'y' to boot default image.


    Using the CLI

    The command line interface (CLI) is an alternative configuration tool to the GUI or web-based manager. While the configuration of the GUI uses a point-and-click method, the CLI requires typing commands or uploading batches of commands from a text file, like a configuration script.

    This section explains common CLI tasks that an administrator performs on a regular basis and includes the topics:

    • Connecting to the CLI
    • Command syntax
    • Sub-commands
    • Permissions
    • Tips

    Connecting to the CLI

    You can access the CLI in three ways:

    • Connecting to the CLI using a local console — Connect your computer directly to the console port of your FortiGate. Local access is required in some cases:
      • If you are installing your FortiGate for the first time and it is not yet configured to connect to your network, you may only be able to connect to the CLI using a local serial console connection, unless you reconfigure your computer’s network settings for a peer connection.
      • Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, making local CLI access the only viable option.
    • Enabling access to the CLI through the network (SSH or Telnet) — Connect your computer through any network interface attached to one of the network ports on your FortiGate. The network interface must have Telnet or SSH administrative access enabled if you connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you connect by accessing the CLI Console in the GUI. The CLI console can be accessed from the upper-right hand corner of the screen and appears as a slide-out window.
    • Locally with FortiExplorer for iOS — Use the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate.

    Connecting to the CLI using a local console

    Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:

    • A computer with an available serial communications (COM) port.
    • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package.
    • Terminal emulation software such as HyperTerminal for Microsoft Windows.

    The following procedure describes the connection using Microsoft HyperTerminal software; steps may vary with other terminal emulators.


    To connect to the CLI using a local serial console connection

    1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.
    2. On your management computer, start HyperTerminal.
    3. For the Connection Description, enter a Name for the connection, and select OK.
    4. On the Connect using drop-down, select the communications (COM) port on your management computer you are using to connect to the FortiGate unit.
    5. Select OK.
    6. Select the following Port settings and select OK.

    Bits per second 9600

    Data bits 8

    Parity None

    Stop bits 1

    Flow control None

    7. Press Enter or Return on your keyboard to connect to the CLI.
    8. Type a valid administrator account name (such as admin) and press Enter.
    9. Type the password for that administrator account and press Enter. (In its default state, there is no password for the admin account.)

    The CLI displays the following text:

        Welcome!
        Type ? to list available commands.

    You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.

    Enabling access to the CLI through the network (SSH or Telnet)

    SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its RJ-45 network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.

    If you do not want to use an SSH/Telnet client and you have access to the web-based manager, you can alternatively access the CLI through the network using the CLI Console widget in the web-based manager.

    You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer is not connected directly or through a switch, you must also configure the FortiGate unit with a static route to a router that can forward packets from the FortiGate unit to your computer. You can do this using either a local console connection or the web-based manager.

    Requirements

    • A computer with an available serial communications (COM) port and RJ-45 port
    • Terminal emulation software such as HyperTerminal for Microsoft Windows
    • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package
    • A network cable
    • Prior configuration of the operating mode, network interface, and static route.

    To enable SSH or Telnet access to the CLI using a local console connection

    1. Using the network cable, connect the FortiGate unit’s network port either directly to your computer’s network port, or to a network through which your computer can reach the FortiGate unit.
    2. Note the number of the physical network port.
    3. Using a local console connection, connect and log into the CLI.
    4. Enter the following command:

        config system interface
            edit
                set allowaccess
            end

    where:

    • is the name of the network interface associated with the physical network port and containing its number, such as port1.
    • is the complete, space-delimited list of permitted administrative access protocols, such as https ssh telnet.

    For example, to exclude HTTP, HTTPS, SNMP, and PING, and allow only SSH and Telnet administrative access on port1, enter the following:

        config system interface
            edit port1
                set allowaccess ssh telnet
            end

    5. To confirm the configuration, enter the command to display the network interface’s settings.

        show system interface

    The CLI displays the settings, including the allowed administrative access protocols, for the network interfaces.

    Connecting to the CLI using SSH

    Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

    Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate units support 3DES and Blowfish encryption algorithms for SSH.

    Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSH connections. The following procedure uses PuTTY. Steps may vary with other SSH clients.

    To connect to the CLI using SSH

    1. On your management computer, start an SSH client.
    2. In Host Name (or IP address), enter the IP address of a network interface on which you have enabled SSH administrative access.
    3. Set Port to 22.
    4. For the Connection type, select SSH.
    5. Select Open.

    The SSH client connects to the FortiGate unit.

    The SSH client may display a warning if this is the first time you are connecting to the FortiGate unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiGate unit but used a different IP address or SSH key. This is normal if your management computer is directly connected to the FortiGate unit with no network hosts between them.

    6. Click Yes to verify the fingerprint and accept the FortiGate unit’s SSH key. You will not be able to log in until you have accepted the key.

    7. The CLI displays a login prompt.
    8. Type a valid administrator account name (such as admin) and press Enter.
    9. Type the password for this administrator account and press Enter.

    The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

    If three incorrect login or password attempts occur in a row, you will be disconnected. If this occurs, wait one minute, then reconnect to attempt the login again.

    Connecting to the CLI using Telnet

    Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

    Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

    Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnet connections.

    To connect to the CLI using Telnet

    1. On your management computer, start a Telnet client.
    2. Connect to a FortiGate network interface on which you have enabled Telnet.
    3. Type a valid administrator account name (such as admin) and press Enter.
    4. Type the password for this administrator account and press Enter.

    The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

    If three incorrect login or password attempts occur in a row, you will be disconnected. If this occurs, wait one minute, then reconnect to attempt the login again.


    Command syntax

    When entering a command, the CLI console requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.

    Fortinet documentation uses the conventions below to describe valid command syntax.

    Terminology

    Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects.

    To describe the function of each word in the command line, especially if that nature has changed between firmware versions, Fortinet uses terms with the following definitions.

    Command syntax terminology

    • Command — A word that begins the command line and indicates an action that the FortiGate should perform on a part of the configuration or host on the network, such as config or execute. Together with other words, such as fields or values, that end when you press the Enter key, it forms a command line. Exceptions include multiline command lines, which can be entered using an escape sequence. Valid command lines must be unambiguous if abbreviated. Optional words or other command line permutations are indicated by syntax notation.
    • Sub-command — A config sub-command that is available only when nested within the scope of another command. After entering a command, its applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command. Indentation is used to indicate levels of nested commands. Not all top-level commands have sub-commands. Available sub-commands vary by their containing scope.
    • Object — A part of the configuration that contains tables and/or fields. Valid command lines must be specific enough to indicate an individual object.
    • Table — A set of fields that is one of possibly multiple similar sets which each have a name or number, such as an administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by other parts of the configuration that use them.
    • Field — The name of a setting, such as ip or hostname. Fields in some tables must be configured with values. Failure to configure a required field will result in an invalid object configuration error message, and the FortiGate will discard the invalid table.
    • Value — A number, letter, IP address, or other type of input that is usually your configuration setting held by a field. Some commands, however, require multiple input values which may not be named but are simply entered in sequential order in the same command line. Valid input types are indicated by constraint notation.
    • Option — A kind of value that must be one or more words from a fixed set of options.

    Indentation

    Indentation indicates levels of nested commands, which indicate what other sub-commands are available from within the scope. The “next” and “end” lines are used to maintain a hierarchy and flow to CLI commands, especially helping to distinguish those commands with extensive sub-commands.


    The "next" line is entered at the same indentation level as the previous “edit”, to mark where you would like to finish that table entry and move on to the next table entry; doing so does not mean that you have “left” that sub-command.

    next

    Below is an example command, with a sub-command of entries:

    After entering settings for and entering next, the table entry has been saved, and you will be set back one level of indentation so you can continue to create more entries (if you wish).

    This hierarchy is best indicated in the CLI console, as the example below is what displays in the console after entering next:

    To go back up an indentation level from this point on (i.e. to finish configuring the entries sub-command), you cannot enter next; you must enter end.

    end

    Below is the same command and sub-command, except end has been entered instead of next after the sub-command:


    Entering end will save the table entry, but bring you out of the sub-command entirely; in this example, you would enter this when you don’t wish to continue creating new entries.

    Again, your hierarchy is best indicated by the CLI console. Below is what displays in the console after entering end:

    Notation

    Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as , indicate which data types or string patterns are acceptable value input.

    All syntax uses the following conventions:

    Square brackets [ ]
        An optional word or series of words. For example:

            [verbose {1 | 2 | 3}]

        indicates that you may either omit or type both the word verbose and its accompanying option/s, such as verbose 3.

        See Optional values and ranges below for more information.

    Curly braces { }
        A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

    Mutually exclusive options - delimited by vertical bars |
        Both mutually and non-mutually exclusive commands will use curly braces, as they provide multiple options; however, mutually exclusive commands will divide each option with a pipe. This indicates that you are permitted to enter one option or the other:

            {enable | disable}


    Non-mutually exclusive options - delimited by spaces
        Non-mutually exclusive commands do not use pipes to divide their options. In those circumstances, multiple options can be entered at once, as long as they are entered with a space separating each option:

            {http https ping snmp ssh telnet}

    Angle brackets < >
        A word constrained by data type. The angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example, , indicates that you should enter a number of retries as an integer.

    Data types include:

        • : A name referring to another part of the configuration, such as policy_A.
        • : An index number referring to another part of the configuration, such as 0 for the first static route.
        • : A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
        • : A fully qualified domain name (FQDN), such as mail.example.com.
        • : An email address, such as [email protected]
        • : An IPv4 address, such as 192.168.1.99.
        • : A dotted decimal IPv4 netmask, such as 255.255.255.0.
        • : A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
        • : A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.1/24.
        • : A hyphen ( - )-delimited inclusive range of IPv4 addresses, such as 192.168.1.1-192.168.1.255.
        • : A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
        • : An IPv6 netmask, such as /96.
        • : A dotted decimal IPv6 address and netmask separated by a space.
        • : A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
        • : An integer number that represents a metric, for example minutes_int for the number of minutes.


    Optional values and ranges

    Any field that is optional will use square brackets, such as set comment. This is because it doesn’t matter whether it’s set or not. The overall config command will still successfully be taken.

    Another example of where square brackets would be used is to show that multiple options can be set, even intermixed with ranges. The example below shows a field that can be set to either a specific value or range, or multiple instances:

        config firewall service custom
            set iprange [ ...]
        end

    Sub-commands

    Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects:

    get system admin

    Sub-commands are available from within the scope of some commands. When you enter a sub-command level, the command prompt changes to indicate the name of the current command scope. For example, after entering:

    config system admin

    the command prompt becomes:

    (admin)#

    Applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command.

    For example, the edit sub-command is available only within a command that affects tables; the next sub-command is available only from within the edit sub-command:

        config system interface
            edit port1
                set status up
            next
        end

    Sub-command scope is indicated by indentation.

    Available sub-commands vary by command. From a command prompt within config, two types of sub-commands might become available:

    • commands affecting fields
    • commands affecting tables


    Commands for tables

    clone
        Clone (or make a copy of) a table from the current object.

        For example, in config firewall policy, you could enter the following command to clone security policy 27 to create security policy 30:

            clone 27 to 30

        In config antivirus profile, you could enter the following command to clone an antivirus profile named av_pro_1 to create a new antivirus profile named av_pro_2:

            clone av_pro_1 to av_pro_2

        clone may not be available for all tables.

    delete
        Remove a table from the current object.

        For example, in config system admin, you could delete an administrator account named newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its fields, such as newadmin’s first-name and email-address.

        delete is only available within objects containing tables.

    edit
        Create or edit a table in the current object.

        For example, in config system admin:

        • edit the settings for the default admin administrator account by typing edit admin.
        • add a new administrator account with the name newadmin and edit newadmin‘s settings by typing edit newadmin.

        edit is an interactive sub-command: further sub-commands are available from within edit.

        edit changes the prompt to reflect the table you are currently editing.

        edit is only available within objects containing tables.

        In objects such as security policies, is a sequence number. To create a new entry without the risk of overwriting an existing one, enter edit 0. The CLI initially confirms the creation of entry 0, but assigns the next unused number after you finish editing and enter end.

    end
        Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.


    get
        List the configuration of the current object or table.

        • In objects, get lists the table names (if present), or fields and their values.
        • In a table, get lists the fields and their values.

        For more information on get commands, see the CLI Reference (http://help.fortinet.com/cli/fos60hlp/60/index.htm).

    purge
        Remove all tables in the current object.

        For example, in config user local, you could type get to see the list of user names, then type purge and then y to confirm that you want to delete all users.

        purge is only available for objects containing tables.

        Caution: Back up the FortiGate before performing a purge. purge cannot be undone. To restore purged tables, the configuration must be restored from a backup.

        Caution: Do not purge system interface or system admin tables. purge does not provide default tables. This can result in being unable to connect or log in, requiring the FortiGate to be formatted and restored.

    rename to
        Rename a table.

        For example, in config system admin, you could rename admin3 to fwadmin by typing rename admin3 to fwadmin.

        rename is only available within objects containing tables.

    show
        Display changes to the default configuration. Changes are listed in the form of configuration commands.

    Example of table commands

    From within the system admin object, you might enter:

        edit admin_1

    The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1 table:

        new entry 'admin_1' added
        (admin_1)#

    Commands for fields

    abort
        Exit both the edit and/or config commands without saving the fields.


    append
        Add an option to an existing list.

    end
        Save the changes made to the current table or object fields, and exit the config command (to exit without saving, use abort instead).

    get
        List the configuration of the current object or table.

        • In objects, get lists the table names (if present), or fields and their values.
        • In a table, get lists the fields and their values.

    move
        Move an object within a list, when list order is important. For example, rearranging security policies within the policy list.

    next
        Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt (to save and exit completely to the root prompt, use end instead).

        next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time.

        next is only available from a table prompt; it is not available from an object prompt.

    select
        Clear all options except for those specified.

        For example, if a group contains members A, B, C, and D and you remove all users except for B, use the command select member B.

    set
        Set a field’s value.

        For example, in config system admin, after typing edit admin, you could type set password newpass to change the password of the admin administrator to newpass.

        Note: When using set to change a field containing a space-delimited list, type the whole new list. set replaces the existing list with the list you type rather than appending to it.

    show
        Display changes to the default configuration. Changes are listed in the form of configuration commands.

    unselect
        Remove an option from an existing list.

    unset
        Reset the table or object’s fields to default values.

        For example, in config system admin, after typing edit admin, typing unset password resets the password of the admin administrator account to the default (in this case, no password).


    Example of field commands

    To assign the value my1stExamplePassword to the password field, enter the following command from within the admin_1 table:

    set password my1stExamplePassword

    Next, to save the changes and edit the next administrator's table, enter the next command.

    Permissions

    Access profiles control which CLI commands an administrator account can access. Access profiles assign either read, write, or no access to each area of FortiOS. To view configurations, you must have read access. To make changes, you must have write access. So, depending on the account used to log in to the FortiGate, you may not have complete access to all CLI commands. For complete access to all commands, you must log in with an administrator account that has the super_admin access profile. By default the admin administrator account has the super_admin access profile.

    Administrator accounts with the super_admin access profile are similar to a root administrator account that always has full permission to view and change all FortiGate configuration options, including viewing and changing all other administrator accounts and including changing other administrator account passwords.

    Increasing the security of administrator accounts

    Set strong passwords for all administrator accounts (including the admin account) and change passwords regularly.

    For more information about increasing the security of administrator accounts, see Hardening your FortiGate.

    Tips

    Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

    Help

    To display brief help during command entry, press the question mark (?) key.

    • Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
    • Type a word or part of a word, then press the question mark (?) key to display a list of valid word completions or subsequent words, and to display a description of each.


    Shortcuts and key commands

    ?
        List valid word completions or subsequent words.

        If multiple words could complete your entry, display all possible completions with helpful descriptions of each.

    Tab
        Complete the word with the next available match.

        Press the Tab key multiple times to cycle through available matches.

    Up arrow, or Ctrl + P
        Recall the previous command.

        Command memory is limited to the current session.

    Down arrow, or Ctrl + N
        Recall the next command.

    Left or Right arrow
        Move the cursor left or right within the command line.

    Ctrl + A
        Move the cursor to the beginning of the command line.

    Ctrl + E
        Move the cursor to the end of the command line.

    Ctrl + B
        Move the cursor backwards one word.

    Ctrl + F
        Move the cursor forwards one word.

    Ctrl + D
        Delete the current character.

    Ctrl + C
        Abort current interactive commands, such as when entering multiple lines.

        If you are not currently within an interactive command such as config or edit, this closes the CLI connection.

    \ then Enter
        Continue typing a command on the next line for a multiline command.

        For each line that you want to continue, terminate it with a backslash ( \ ). To complete the command line, terminate it by pressing the spacebar and then the Enter key, without an immediately preceding backslash.

    Command abbreviation

    You can abbreviate words in the command line to their smallest number of non-ambiguous characters.

    For example, the command get system status could be abbreviated to g sy stat.


    Adding and removing options from lists

    When adding options to a list, such as a user group, using the set command will remove the previous configuration. For example, if you wish to add user D to a user group that already contains members A, B, and C, the command would need to be set member A B C D. If only set member D was used, then all former members would be removed from the group.

    However, there are additional commands which can be used instead of set for changing options in a list.

    Additional commands for lists

    append
        Add an option to an existing list.

        For example, append member would add user D to a user group while all previous group members are retained.

    select
        Clear all options except for those specified.

        For example, if a group contains members A, B, C, and D and you remove all users except for B, use the command select member B.

    unselect
        Remove an option from an existing list.

        For example, unselect member A would remove member A from a group while all previous group members are retained.
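To tie the allowaccess procedure in Enabling access to the CLI through the network (SSH or Telnet) to the rule above that set replaces an entire list, here is an added Python example (not Fortinet's code and not part of this reference): it walks the config/edit/next/end hierarchy of show system interface output, flags interfaces that still allow Telnet or HTTP, and emits the full replacement set allowaccess line that restates every protocol to keep. The sample output, the interface names and the INSECURE_PROTOCOLS choice are all constructed for the example.

```python
"""Audit 'show system interface' output for cleartext administrative access.

Added example, not part of the FortiOS CLI Reference. The parser follows the
config / edit / next / end hierarchy that 'show' prints; the audit flags
interfaces whose allowaccess list permits Telnet or HTTP; the fix restates
the whole list because 'set' replaces a list rather than appending to it.
"""
import shlex
from dataclasses import dataclass

# Constructed choice for this example: protocols that carry credentials in the clear.
INSECURE_PROTOCOLS = ("telnet", "http")

# Constructed sample in the form 'show system interface' prints (not real device output).
SAMPLE_SHOW = """\
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh telnet http
    next
    edit "port2"
        set allowaccess ping https ssh
    next
    edit "wan1"
        set allowaccess ping
        set alias "Internet uplink"
    next
end
"""


def parse_show(text):
    """Return {scope_path: {field: [values]}} for every 'set' line in show output.

    scope_path is a tuple such as ('system interface', 'port1'): 'config' and
    'edit' each push a level, 'next' closes the current edit, 'end' closes the
    current config, so a nested config block simply pushes another level.
    """
    tables = {}
    scope = []  # stack of (keyword, name) pairs
    for raw in text.splitlines():
        words = shlex.split(raw)  # honours the quoting that show output uses
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "config":
            scope.append(("config", " ".join(args)))
        elif keyword == "edit":
            scope.append(("edit", args[0]))
        elif keyword == "next":
            if not scope or scope[-1][0] != "edit":
                raise ValueError("'next' outside an edit scope: " + raw.strip())
            scope.pop()
        elif keyword == "end":
            if not scope or scope[-1][0] != "config":
                raise ValueError("'end' without a matching config: " + raw.strip())
            scope.pop()
        elif keyword == "set":
            path = tuple(name for _, name in scope)
            tables.setdefault(path, {})[args[0]] = args[1:]
        # other keywords (for example unset) carry nothing this audit needs
    if scope:
        raise ValueError("show output ended inside an open scope: %r" % (scope,))
    return tables


@dataclass
class Finding:
    interface: str
    insecure: list  # protocols to remove
    keep: list      # protocols to retain, in their original order

    def remediation(self):
        # 'set' replaces the whole list, so every protocol to keep must be restated.
        if self.keep:
            return "set allowaccess " + " ".join(self.keep)
        return "unset allowaccess"


def audit_allowaccess(tables):
    """Return a Finding for each interface whose allowaccess has a cleartext protocol."""
    findings = []
    for path, fields in tables.items():
        if len(path) != 2 or path[0] != "system interface":
            continue
        access = fields.get("allowaccess", [])
        insecure = [p for p in access if p in INSECURE_PROTOCOLS]
        if insecure:
            keep = [p for p in access if p not in INSECURE_PROTOCOLS]
            findings.append(Finding(path[1], insecure, keep))
    return findings


def remediation_script(findings):
    """Emit a CLI block in the config/edit/next/end form the reference describes."""
    if not findings:
        return ""
    lines = ["config system interface"]
    for f in findings:
        lines += ['    edit "%s"' % f.interface, "        " + f.remediation(), "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_allowaccess(parse_show(SAMPLE_SHOW))
    for f in found:
        print("%s allows %s; fix: %s" % (f.interface, " ".join(f.insecure), f.remediation()))
    print(remediation_script(found), end="")
```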

    Environment variables

    The CLI supports the following environment variables. Variable names are case-sensitive.

    $USERFROM
        The management access type (ssh, telnet, jsconsole for the CLI Console widget in the web-based manager, and so on) and the IP address of the administrator that configured the item.

    $USERNAME
        The account name of the administrator that configured the item.

    $SerialNum
        The serial number of the FortiGate unit.

    For example, the FortiGate unit’s host name can be set to its serial number:

        config system global
            set hostname $SerialNum
        end

    Special characters

    The following special characters, also known as reserved characters, are not permitted in most CLI fields:


        < > ( ) # ' "

    You may be able to enter special characters as part of a string’s value by using a special command, enclosing it in quotes, or preceding it with an escape sequence — in this case, a backslash ( \ ) character.

    In other cases, different keystrokes are required to input a special character. If you need to enter ? as part of config, you first need to input CTRL-V. If you enter ? without first using CTRL-V, the question mark has a different meaning in the CLI; it will show available command options in that section.

    For example, if you enter ? without CTRL-V:

        edit "*.xe
        token line: Unmatched double quote.

    If you enter ? with CTRL-V:

        edit "*.xe?"
        new entry '*.xe?' added

    Entering special characters

    Character                                    Keys
    ?                                            Ctrl + V then ?
    Tab                                          Ctrl + V then Tab
    Space (to be interpreted as part of a        Enclose the string in double quotes: "Security Administrator".
    string value, not to end the string)         Enclose the string in single quotes: 'Security Administrator'.
                                                 Precede the space with a backslash: Security\ Administrator.
    ' (to be interpreted as part of a string     \'
    value, not to end the string)
    " (to be interpreted as part of a string     \"
    value, not to end the string)
    \                                            \\
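The escaping rules in the table matter most when CLI lines are generated by a script rather than typed, because a value containing an unescaped quote ends the string early (the "Unmatched double quote" error shown above is the parser reacting to exactly that) and whatever follows is read as further CLI tokens. The Python helper below is an example added to this reference, not Fortinet documentation or software. It builds `set` and `edit` lines according to the table: the value is wrapped in double quotes with `\` and `"` backslash-escaped, and values containing the reserved characters `< > ( ) #` are refused because the table gives no escape for them. Two points are this example's own assumptions: `?` is refused because the reference only documents it as a Ctrl-V keystroke at an interactive prompt, and a single quote is left alone inside a double-quoted string because the table's `\'` rule is stated for the case where `'` would otherwise end a single-quoted string.

```python
"""Quote string values for generated FortiOS CLI lines.

Example code added to this reference; not Fortinet's own code.  The rules
follow the "Entering special characters" table: wrap the value in double
quotes and backslash-escape \ and ".
"""

# Reserved in most CLI fields according to the reference.  The table gives no
# escape for them, so refuse the value rather than guess.
RESERVED = frozenset("<>()#")


def quote_value(value: str) -> str:
    """Return `value` as a single double-quoted CLI string token."""
    bad = sorted(RESERVED & set(value))
    if bad:
        raise ValueError(f"reserved character(s) not permitted in CLI fields: {bad}")
    if "?" in value:
        # Assumption: '?' is only documented as "Ctrl-V then ?" at an
        # interactive prompt, so a scripted line has no documented way to carry it.
        raise ValueError("'?' cannot be sent in a scripted CLI line; enter it interactively with Ctrl-V")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def unquote_value(token: str) -> str:
    """Inverse of quote_value: strip the quotes and undo the backslash escapes.
    An unescaped quote inside the token is rejected, mirroring the CLI's
    "Unmatched double quote" error."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError(f"not a double-quoted token: {token!r}")
    body, out, i = token[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            if i + 1 >= len(body):
                raise ValueError("dangling backslash at end of token")
            out.append(body[i + 1])
            i += 2
        elif ch == '"':
            raise ValueError("unescaped double quote inside token")
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def set_line(field: str, value: str) -> str:
    """Build a `set <field> "<value>"` line."""
    return f"set {field} {quote_value(value)}"


def edit_line(name: str) -> str:
    """Build an `edit "<name>"` line for a table entry."""
    return f"edit {quote_value(name)}"


if __name__ == "__main__":
    # Constructed input: an object name taken from an external inventory that
    # contains a space, a double quote and a backslash.
    print(edit_line('branch "east" \\ lan'))
    print(set_line("comment", "Security Administrator"))
```

Use `set_line`/`edit_line` for every value that originates outside your own script (names from an inventory, user-supplied comments); the round trip through `unquote_value` is a cheap check that a generated line carries exactly the value you intended.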

    Using grep to filter get and show command output

    In many cases, the get and show (and diagnose) commands may produce a large amount of output. If you are looking for specific information in a large get or show command output, you can use the grep command to filter the output to only display what you are looking for. The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.

    Use the following command to display the MAC address of the FortiGate unit internal interface:

        get hardware nic internal | grep Current_HWaddr
        Current_HWaddr   00:09:0f:cb:c2:75

    Use the following command to display all TCP sessions in the session list and include the session list line number in the output:

        get system session list | grep -n tcp

    Use the following command to display all lines in HTTP replacement message commands that contain URL (upper or lower case):

        show system replacemsg http | grep -i url

    Three context options, each taking a line count as in UNIX grep, can also be applied:

        -A <n>   After: show n lines following each match
        -B <n>   Before: show n lines preceding each match
        -C <n>   Context: show n lines on both sides of each match

    The option -f is also available to support contextual output: instead of a fixed number of lines, it shows the complete configuration entry that contains each match, together with the config and edit lines that enclose it, so the match can be located in the configuration hierarchy. The following example shows the difference in output when the -f option is used versus when it is not.

    Using -f:

        show | grep -f ldap-group1
        config user group
            edit "ldap-group1"
                set member "pc40-LDAP"
            next
        end
        config firewall policy
            edit 2
                set srcintf "port31"
                set dstintf "port32"
                set srcaddr "all"
                set action accept
                set identity-based enable
                set nat enable
                config identity-based-policy
                    edit 1
                        set schedule "always"
                        set groups "ldap-group1"
                        set dstaddr "all"
                        set service "ALL"
                    next
                end
            next
        end

    Without using -f:

        show | grep ldap-group1
            edit "ldap-group1"
                        set groups "ldap-group1"

    Language support and regular expressions

    Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the item being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but some items with arbitrary names or values may be input using your language of choice. To use other languages in those cases, you must use the correct encoding.

    Input is stored using Unicode UTF-8 encoding but is not normalized from other encodings into UTF-8 before it is stored. If your input method encodes some characters differently than in UTF-8, your configured items may not display or operate as expected.

    Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may not be what you expect.

    For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ ) and vice versa. A regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not work if the symbol is entered using the wrong encoding.

    For best results, you should:

    • use UTF-8 encoding, or
    • use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings, or
    • for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.

    HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the client's operating system or input language. If you cannot predict the client's encoding, you may only be able to match any parts of the request that are in English, because regardless of the encoding, the values for English characters tend to be encoded identically. For example, English words may be legible regardless of interpreting a web page as either ISO 8859-1 or as GB2312, whereas simplified Chinese characters might only be legible if the page is interpreted as GB2312.
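The yen/backslash collision described above can be reproduced offline. In Shift-JIS the yen sign is the single byte 0x5C, the same byte as the ASCII backslash, so a pattern written as text and then encoded in the client's encoding silently turns its literal yen sign into a regex escape. The Python block below is an example added to this reference, not taken from Fortinet documentation or software. It shows a constructed request line as a Shift-JIS client and a UTF-8 client would send it, the naive pattern that stops matching, and the corrected approach of escaping the literal part after encoding it in the client's encoding, which is the practical form of the third recommendation above. It relies on Python's shift_jis codec encoding U+00A5 as byte 0x5C.

```python
import re

# Constructed sample: the same request line as a Shift-JIS client and a UTF-8
# client would send it.  Not captured traffic.
REQUEST_TEXT = "GET /pay?amount=¥1000 HTTP/1.1"
SJIS_REQUEST = REQUEST_TEXT.encode("shift_jis")  # the yen sign becomes the single byte 0x5C
UTF8_REQUEST = REQUEST_TEXT.encode("utf-8")      # the yen sign becomes the bytes C2 A5


def naive_pattern(client_encoding: str) -> bytes:
    """Write the regex as text, then encode it in the client's encoding.

    For Shift-JIS this yields the bytes of \\[0-9]+ : the yen byte 0x5C is now
    read by the regex engine as an escape, so the pattern means a literal "["
    followed by "0-9]+" and never matches a money value.
    """
    return "¥[0-9]+".encode(client_encoding)


def naive_matches(request: bytes, client_encoding: str) -> bool:
    return re.search(naive_pattern(client_encoding), request) is not None


def amount_pattern(client_encoding: str) -> bytes:
    """Encode the literal part first, then escape it, so whatever bytes the yen
    sign became are matched literally; only [0-9]+ remains regex syntax."""
    return re.escape("¥".encode(client_encoding)) + b"([0-9]+)"


def match_amount(request: bytes, client_encoding: str):
    """Return the digits following a yen sign in `request`, or None.

    The pattern is built in the encoding the client actually used.  A UTF-8
    pattern does not match a Shift-JIS request and vice versa, even though
    both requests "contain" the text ¥1000.
    """
    m = re.search(amount_pattern(client_encoding), request)
    return m.group(1).decode("ascii") if m else None


if __name__ == "__main__":
    for enc, req in (("shift_jis", SJIS_REQUEST), ("utf-8", UTF8_REQUEST)):
        print(enc, req, "naive:", naive_matches(req, enc), "escaped:", match_amount(req, enc))
```

The same mismatch applies in reverse: a pattern built for Shift-JIS matches a backslash in a UTF-8 request, which is why a regex that must see non-ASCII characters needs one known client encoding rather than a guess.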

    If you configure your FortiGate unit using other encodings, you may need to switch language settings on your management computer, including for your web browser or Telnet/SSH client. For instructions on how to configure your management computer's operating system language, locale, or input method, see its documentation.

    If you choose to configure parts of the FortiGate unit using non-ASCII characters, verify that all systems interacting with the FortiGate unit also support the same encodings. You should also use the same encoding throughout the configuration if possible in order to avoid needing to switch the language settings of the web-based manager and your web browser or Telnet/SSH client while you work.

    Similarly to input, your web browser or CLI client should normally interpret display output as encoded using UTF-8. If it does not, your configured items may not display correctly in the GUI or CLI. Exceptions include items such as regular expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that the FortiGate unit receives.


    To enter non-ASCII characters in the CLI console:

    1. On your management computer, start your web browser and go to the URL for the FortiGate unit's GUI.
    2. Configure your web browser to interpret the page as UTF-8 encoded.
    3. Log in to the FortiGate unit.
    4. Open the CLI Console from the upper right-hand corner.
    5. In the title bar of the CLI Console widget, click Edit (the pencil icon).
    6. Enable Use external command input box and select OK.
    7. The Command field appears below the usual input and display area of the CLI Console.
    8. Type a command in this field and press Enter.

    In the display area, the CLI Console widget displays your previous command interpreted into its character code equivalent, such as:

        edit \743\601\613\743\601\652

    and the command's output.

    To enter non-ASCII characters in a Telnet/SSH client:

    1. On your management computer, start your Telnet or SSH client.
    2. Configure your Telnet or SSH client to send and receive characters using UTF-8 encoding.

       Support for sending and receiving international characters varies by each Telnet/SSH client. Consult the documentation for your Telnet/SSH client.

    3. Log in to the FortiGate unit.
    4. At the command prompt, type your command and press Enter.

       You may need to surround words that use encoded characters with single quotes ( ' ).

       Depending on your Telnet/SSH client's support for your language's input methods and for sending international characters, you may need to interpret them into character codes before pressing Enter.

       For example, you might need to enter:

           edit '\743\601\613\743\601\652'

    5. The CLI displays your previous command and its output.

    Screen paging

    You can configure the CLI to pause after displaying each page's worth of text when displaying multiple pages of output. When the display pauses, the last line displays --More--. You can then either:

    • press the spacebar to display the next page.
    • type Q to truncate the output and return to the command prompt.

    This may be useful when displaying lengthy output, such as the list of possible matching commands for command completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of your terminal emulator, you can simply display one page at a time.

    To configure the CLI Console to pause display when the screen is full:

        config system console
            set output more
        end

    Use set output standard to return to unpaged output. Scripts and automation tools that drive the CLI over SSH should run with standard output, because they do not answer the --More-- prompt and will otherwise stall.


    Baud rate

    You can change the default baud rate of the local console connection.

    To change the baud rate enter the following commands:

        config system console
            set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
        end

    Editing the configuration file on an external host

    You can edit the FortiGate configuration on an external host by first backing up the configuration file to a TFTP server. Then edit the configuration file and restore it to the FortiGate unit.

    Editing the configuration on an external host can be time-saving if you have many changes to make, especially if your plain text editor provides advanced features such as batch changes.

    TFTP has no authentication or encryption, and a backup you intend to edit is necessarily unencrypted: it contains the complete configuration, including administrator credentials, VPN pre-shared keys and other secrets in their stored form. Run the TFTP server only on a trusted management network and delete the file when you are done.

    To edit the configuration on your computer:

    1. Use execute backup to download the configuration file to a TFTP server, such as your management computer:

           execute backup config tftp <filename> <tftp_server_ip>

       Do not supply the optional backup password for this procedure; a password-encrypted backup cannot be edited as plain text.

    2. Edit the configuration file using a plain text editor that supports Unix-style line endings.

       Do not edit the first line. The first line(s) of the configuration file (preceded by a # character) contain information about the firmware version and FortiGate model. If you change the model number, the FortiGate unit will reject the configuration file when you attempt to restore it.

    3. Use execute restore to upload the modified configuration file back to your FortiGate:

           execute restore config tftp <filename> <tftp_server_ip>

       The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the FortiGate unit loads the configuration file and checks each command for errors. If a command is invalid, the FortiGate unit ignores the command. If the configuration file is valid, the FortiGate unit restarts and loads the new configuration.

       Because invalid commands are skipped rather than rejected, a typo in an edited line is silently dropped at restore time. After the unit restarts, check for skipped lines with diagnose debug config-error-log read, and confirm with show that the settings you edited are actually present.
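Both the -f contextual filtering described under "Using grep to filter get and show command output" and the batch edits this procedure describes can be rehearsed offline against a backup file. The Python below is an example added to this reference, not part of FortiOS or its documentation. It works on a constructed configuration text in the format of show output: context_grep() reproduces what show | grep -f <pattern> prints (the complete config or edit entry containing each match plus the headers of the blocks enclosing it, as in the ldap-group1 example), and set_in_block() changes or adds one set line inside an addressed block while refusing to touch a file whose first line is not the #config-version header. The header line and configuration content are made up for the example, and the exact behaviour of -f on nested entries is inferred from the reference's example output.

```python
"""Offline helpers for FortiOS configuration text (show output or a backup).

Example code added to this reference, not Fortinet code.  SAMPLE_CONFIG is a
constructed fragment in the backup file format; the header line is made up.
"""
import re

SAMPLE_CONFIG = """\
#config-version=FGT60E-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=admin
#conf_file_ver=2
config system global
    set hostname "fw01"
    set timezone 04
end
config user group
    edit "ldap-group1"
        set member "pc40-LDAP"
    next
end
config firewall policy
    edit 2
        set srcintf "port31"
        set dstintf "port32"
        set groups "ldap-group1"
        set action accept
    next
end
"""

_OPEN = re.compile(r"^\s*(config|edit)\b")   # lines that open a block
_CLOSE = re.compile(r"^\s*(end|next)\b")     # lines that close one


def context_grep(config_text, pattern, ignore_case=False):
    """Emulate `show | grep -f pattern`: return the lines of every complete
    entry containing a match, plus the headers of the blocks enclosing it.
    The unit shown in full is the outermost `edit` entry around the match,
    or the whole `config` block when no `edit` encloses it."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    lines = config_text.splitlines()
    stack, close_of, chain = [], {}, []   # chain[i]: open-line indexes enclosing line i
    for i, line in enumerate(lines):
        if _CLOSE.match(line) and stack:
            chain.append(list(stack))
            close_of[stack.pop()] = i
        else:
            if _OPEN.match(line):
                stack.append(i)
            chain.append(list(stack))
    units = set()
    for i, line in enumerate(lines):
        if chain[i] and rx.search(line):
            edits = [j for j in chain[i] if _OPEN.match(lines[j]).group(1) == "edit"]
            units.add(edits[0] if edits else chain[i][0])
    keep = set()
    for u in units:
        keep.update(range(u, close_of.get(u, u) + 1))          # the whole entry
        for parent in chain[u][:-1]:                            # enclosing headers
            keep.update((parent, close_of.get(parent, parent)))
    return [lines[i] for i in sorted(keep)]


def set_in_block(config_text, path, field, value):
    """Return config_text with `set <field> <value>` applied inside the block
    addressed by `path`, e.g. ("config firewall policy", "edit 2").  The line
    is rewritten if present and added before the block's closing line if not.
    Files that do not start with the #config-version header are refused: the
    FortiGate checks that line on restore and it must never be edited."""
    lines = config_text.splitlines()
    if not lines or not lines[0].startswith("#config-version="):
        raise ValueError("refusing to edit: first line is not a #config-version header")
    target = [p.strip() for p in path]
    stack, out, done = [], [], False
    for line in lines:
        s = line.strip()
        if _CLOSE.match(s):
            if stack == target and not done:          # field absent: add it here
                out.append(" " * (4 * len(stack)) + f"set {field} {value}")
                done = True
            if stack:
                stack.pop()
        elif _OPEN.match(s):
            stack.append(s)
        elif stack == target and s.startswith(f"set {field} "):
            indent = line[: len(line) - len(line.lstrip())]
            line = indent + f"set {field} {value}"
            done = True
        out.append(line)
    if not done:
        raise KeyError("block not found: " + " / ".join(target))
    return "\n".join(out) + "\n"
```

Run context_grep() over a real backup to locate every place an object is referenced before renaming or deleting it; use set_in_block() for the batch change itself, then diff the result against the original file so that the only differences are the lines you meant to change.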


  • config

    Use the config commands to change your FortiGate's configuration.

    The command branches and commands are in alphabetical order. The information in this section has beenextracted and formatted from FortiOS source code. The extracted information includes the command syntax,command descriptions (extracted from CLI help) and default values. This is the first version of this contentproduced in this way. You can send comments about this content to [email protected]


  • alertemail

    Use the alertemail command to configure various alert email settings.

    This section includes syntax for the following commands:

    • alertemail setting

    alertemail setting

    Use this command to configure the FortiGate unit to send an alert email to up to three recipients.

    This command can also be configured to send an alert email a certain number of days before FortiGuard licenses expire and/or when the disk usage exceeds a certain threshold amount. You need to configure an SMTP server (config system email-server) before configuring alert email settings.

    config alertemail setting
        set username {string}   Name that appears in the From: field of alert emails (max. 36 characters). size[35]
        set mailto1 {string}   Email address to send alert email to (usually a system administrator) (max. 64 characters). size[63]
        set mailto2 {string}   Optional second email address to send alert email to (max. 64 characters). size[63]
        set mailto3 {string}   Optional third email address to send alert email to (max. 64 characters). size[63]
        set filter-mode {category | threshold}   How to filter log messages that are sent to alert emails.
            category    Filter based on category.
            threshold   Filter based on severity.
        set email-interval {integer}   Interval between sending alert emails (1 - 99999 min, default = 5). range[1-99999]
        set IPS-logs {enable | disable}   Enable/disable IPS logs in alert email.
        set firewall-authentication-failure-logs {enable | disable}   Enable/disable firewall authentication failure logs in alert email.
        set HA-logs {enable | disable}   Enable/disable HA logs in alert email.
        set IPsec-errors-logs {enable | disable}   Enable/disable IPsec error logs in alert email.
        set FDS-update-logs {enable | disable}   Enable/disable FortiGuard update logs in alert email.
        set PPP-errors-logs {enable | disable}   Enable/disable PPP error logs in alert email.
        set sslvpn-authentication-errors-logs {enable | disable}   Enable/disable SSL-VPN authentication error logs in alert email.
        set antivirus-logs {enable | disable}   Enable/disable antivirus logs in alert email.
        set webfilter-logs {enable | disable}   Enable/disable web filter logs in alert email.
        set configuration-changes-logs {enable | disable}   Enable/disable configuration change logs in alert email.
        set violation-traffic-logs {enable | disable}   Enable/disable violation traffic logs in alert email.
        set admin-login-logs {enable | disable}   Enable/disable administrator login/logout logs in alert email.
        set FDS-license-expiring-warning {enable | disable}   Enable/disable FortiGuard license expiration warnings in alert email.
        set log-disk-usage-warning {enable | disable}   Enable/disable disk usage warnings in alert email.
        set fortiguard-log-quota-warning {enable | disable}   Enable/disable FortiCloud log quota warnings in alert email.
        set amc-interface-bypass-mode {enable | disable}   Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode logs in alert email.
        set FIPS-CC-errors {enable | disable}   Enable/disable FIPS and Common Criteria error logs in alert email.
        set FSSO-disconnect-logs {enable | disable}   Enable/disable logging of FSSO collector agent disconnect.
        set ssh-logs {enable | disable}   Enable/disable SSH logs in alert email.
        set FDS-license-expiring-days {integer}   Number of days to send alert email prior to FortiGuard license expiration (1 - 100 days, default = 100). range[1-100]
        set local-disk-usage {integer}   Disk usage percentage at which to send alert email (1 - 99 percent, default = 75). range[1-99]
        set emergency-interval {integer}   Emergency alert interval in minutes. range[1-99999]
        set alert-interval {integer}   Alert-severity alert interval in minutes. range[1-99999]
        set critical-interval {integer}   Critical alert interval in minutes. range[1-99999]
        set error-interval {integer}   Error alert interval in minutes. range[1-99999]
        set warning-interval {integer}   Warning alert interval in minutes. range[1-99999]
        set notification-interval {integer}   Notification alert interval in minutes. range[1-99999]
        set information-interval {integer}   Information alert interval in minutes. range[1-99999]
        set debug-interval {integer}   Debug alert interval in minutes. range[1-99999]
        set severity {option}   Lowest severity level to log.
            emergency      Emergency level.
            alert          Alert level.
            critical       Critical level.
            error          Error level.
            warning        Warning level.
            notification   Notification level.
            information    Information level.
            debug          Debug level.
    end


  • antivirus

    Use antivirus commands to configure antivirus scanning for services, quarantine options, and to enable or disable grayware and heuristic scanning.

    This section includes syntax for the following commands:

    • antivirus heuristic
    • antivirus profile
    • antivirus quarantine
    • antivirus settings

    antivirus heuristic

    Configure the global heuristic options used for antivirus scanning in binary files.

    config antivirus heuristic
        set mode {pass | block | disable}   Enable/disable heuristics and determine how the system behaves if heuristics detects a problem.
            pass      Enable heuristics but detected files are passed. If enabled, the system will record a log message.
            block     Enable heuristics and detected files are blocked. If enabled, the system will record a log message.
            disable   Turn off heuristics.
    end

    Additional information

    The following section is for those options that require additional explanation.

    mode {pass | block | disable}

    Determine the action to take when heuristics detects a problem:

    • pass: Enables heuristic scanning, but passes detected files to the recipient. Suspicious files are quarantined if quarantine is enabled.
    • block: Enables heuristic scanning and blocks detected files. A replacement message is forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
    • disable: Disables heuristic scanning (the default).

    antivirus profile

    Create and configure antivirus profiles that can be applied to firewall policies. Antivirus profiles configure how virus scanning is applied to sessions accepted by a firewall policy that includes the antivirus profile.

    History

    The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

    Command:

        config <protocol>
            set content-disarm {enable | disable}
        end
        config content-disarm
            set original-file-destination {fortisandbox | quarantine | discard}
            set office-macro {enable | disable}
            set office-hylink {enable | disable}
            set office-linked {enable | disable}
            set office-embed {enable | disable}
            set pdf-javacode {enable | disable}
            set pdf-embedfile {enable | disable}
            set pdf-act-gotor {enable | disable}
            set pdf-act-launch {enable | disable}
            set pdf-act-uri {enable | disable}
            set pdf-act-sound {enable | disable}
            set pdf-act-movie {enable | disable}
            set pdf-act-java {enable | disable}
            set pdf-act-form {enable | disable}
            set cover-page {enable | disable}
            set detect-only {enable | disable}
        end

    Description: Content Disarm and Reconstruction (CDR) is used to remove exploitable content and replace it with content that is known to be safe. The use of CDR is enabled or disabled separately for each protocol in the profile (the set content-disarm line inside each protocol block, such as config http). Note that all CDR commands are only available when you set the profile's inspection-mode to proxy; CDR is not supported in flow mode.

    Command:

        set extended-log {enable | disable}

    Description: When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens. Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

    Command:

        config <protocol>
            set outbreak-prevention {disabled | files | full-archive}
        end

    Description: Outbreak prevention uses checksums to filter files in order to preempt and prevent quick virus outbreaks before AV signatures are created. Setting full-archive analyzes files including the contents of archives, as opposed to files, which does not include the contents of archives. Note that outbreak-prevention is only available when options is set to scan.

    Command:

        config <protocol>
            set archive-block {partiallycorrupted | fileslimit | timeout | ...}
            set archive-log {partiallycorrupted | fileslimit | timeout | ...}
        end

    Description: Additional options for file blocking and event logging of certain AntiVirus errors. Determine whether to block partially corrupted archives, exceeded archive files limit, and/or log scan timeout. Keep in mind that the contents of an encrypted archive cannot be scanned at all: if encrypted is not included in archive-block, such a file is passed uninspected, so at minimum include encrypted in archive-log so that these files are visible in the logs.

    config antivirus profile
        edit {name}
            # Configure AntiVirus profiles.
            set name {string}   Profile name. size[35]
            set comment {string}   Comment. size[255]
            set replacemsg-group {string}   Replacement message group customized for this profile. size[35] - datasource(s): system.replacemsg-group.name
            set inspection-mode {proxy | flow-based}   Inspection mode.
                proxy        Proxy-based inspection.
                flow-based   Flow-based inspection.
            set ftgd-analytics {disable | suspicious | everything}   Settings to control which files are uploaded to FortiSandbox.
                disable      Do not upload files to FortiSandbox.
                suspicious   Submit files supported by FortiSandbox if heuristics or other methods determine they are suspicious.
                everything   Submit all files scanned by AntiVirus to FortiSandbox. AntiVirus may not scan all files.
            set analytics-max-upload {integer}   Maximum size of files that can be uploaded to FortiSandbox (1 - 395 MBytes, default = 10). range[1-1606]
            set analytics-wl-filetype {integer}   Do not submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id
            set analytics-bl-filetype {integer}   Only submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id
            set analytics-db {disable | enable}   Enable/disable using the FortiSandbox signature database to supplement the AV signature databases.
            set mobile-malware-db {disable | enable}   Enable/disable using the mobile malware signature database.
            config http
                set options {scan | avmonitor | quarantine}   Enable/disable HTTP AntiVirus scanning, monitoring, and quarantine.
                    scan         Enable HTTP antivirus scanning.
                    avmonitor    Enable HTTP antivirus logging.
                    quarantine   Enable HTTP antivirus quarantine. Files are quarantined depending on quarantine settings.
                set archive-block {option}   Select the archive types to block.
                    encrypted            Block encrypted archives.
                    corrupted            Block corrupted archives.
                    partiallycorrupted   Block partially corrupted archives.
                    multipart            Block multipart archives.
                    nested               Block nested archives.
                    mailbomb             Block mail bomb archives.
                    fileslimit           Block exceeded archive files limit.
                    timeout              Block scan timeout.
                    unhandled            Block archives that FortiOS cannot open.
                set archive-log {option}   Select the archive types to log.
                    encrypted            Log encrypted archives.
                    corrupted            Log corrupted archives.
                    partiallycorrupted   Log partially corrupted archives.
                    multipart            Log multipart archives.
                    nested               Log nested archives.
                    mailbomb             Log mail bomb archives.
                    fileslimit           Log exceeded archive files limit.
                    timeout              Log scan timeout.
                    unhandled            Log archives that FortiOS cannot open.
                set emulator {enable | disable}   Enable/disable the virus emulator.
                set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled       Disabled.
                    files          Analyze files as sent, not the content of archives.
                    full-archive   Analyze files including the content of archives.
                set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.


            config ftp
                set options {scan | avmonitor | quarantine}   Enable/disable FTP AntiVirus scanning, monitoring, and quarantine.
                    scan         Enable FTP antivirus scanning.
                    avmonitor    Enable FTP antivirus logging.
                    quarantine   Enable FTP antivirus quarantine. Files are quarantined depending on quarantine settings.
                set archive-block {option}   Select the archive types to block.
                    encrypted            Block encrypted archives.
                    corrupted            Block corrupted archives.
                    partiallycorrupted   Block partially corrupted archives.
                    multipart            Block multipart archives.
                    nested               Block nested archives.
                    mailbomb             Block mail bomb archives.
                    fileslimit           Block exceeded archive files limit.
                    timeout              Block scan timeout.
                    unhandled            Block archives that FortiOS cannot open.
                set archive-log {option}   Select the archive types to log.
                    encrypted            Log encrypted archives.
                    corrupted            Log corrupted archives.

    parti