This chapter explains how to connect to the Command Line Interface (CLI) and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.
This chapter describes:
This guide uses the following conventions to describe command syntax.
< > indicate variables.{|} separate alternative, mutually exclusive required variables.For example:
set protocol {ftp | sftp}
You can enter set protocol ftp or set protocol sftp.
[ ] indicate that a variable is optional.For example:
show system interface [<name_str>]
To show the settings for all interfaces, you can enter show system interface. To show the settings for the Port1 interface, you can enter show system interface port1.
For example:
set allowaccess {https ping ssh snmp telnet http webservice aggregator}
You can enter any of the following:
set allowaccess ping
set allowaccess https
set allowaccess ssh
set allowaccess https ssh
set allowaccess aggregator http https ping ssh telnet webservice
In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
You can use a direct console connection or SSH to connect to the FortiAnalyzer CLI. You can also access through the CLI console widget on the GUI. For more information, see the FortiAnalyzer Administration Guide, and your device’s QuickStart Guide.
You can use a direct console connection or SSH to connect to the FortiAnalyzer CLI.
To connect to the FortiAnalyzer console, you need:
|
|
The following procedure describes how to connect to the FortiAnalyzer CLI using Windows HyperTerminal software. You can use any terminal emulation program. |
| COM port | COM1 |
| Bits per second | 115200 |
| Data bits | 8 |
| Parity | None |
| Stop bits | 1 |
| Flow control | None |
Enter to connect to the FortiAnalyzer CLI. A login prompt appears.Enter.Enter. A command prompt appears. You have connected to the FortiAnalyzer CLI, and you can enter CLI commands.
To perform administrative functions through a FortiAnalyzer network interface, you must enable the required types of administrative access on the interface to which your management computer connects. Access to the CLI requires Secure Shell (SSH) access. If you want to use the GUI, you need HTTPS access.
To use the GUI to configure FortiAnalyzer interfaces for SSH access, see the FortiAnalyzer Administration Guide.
config system interface
edit <interface_name>
set allowaccess <access_types>
end
Where <interface_name> is the name of the FortiAnalyzer interface to be configured to allow administrative access, and <access_types> is a whitespace-separated list of access types to enable.
For example, to configure port1 to accept HTTPS and SSH connections, enter:
config system interface
edit port1
set allowaccess https ssh
end
|
|
Remember to press Enter at the end of each line in the command example. Also, type end and press Enter to commit the changes to the FortiAnalyzer configuration. |
get system interface <interface_name>
The CLI displays the settings, including the management access settings, for the named interface.
SSH provides strong secure authentication and secure communications to the FortiAnalyzer CLI from your internal network or the internet. Once the FortiAnalyzer unit is configured to accept SSH connections, you can run an SSH client on your management computer and use this client to connect to the FortiAnalyzer CLI.
Enter.Enter.The FortiAnalyzer model name followed by a # is displayed.
You have connected to the FortiAnalyzer CLI, and you can enter CLI commands.
The GUI also provides a CLI console window.
The FortiAnalyzer CLI is based on configurable objects. The top-level object are the basic components of FortiAnalyzer functionality.
| system | Configuration options related to the overall operation of the FortiAnalyzer unit, such as interfaces, virtual domains, and administrators. |
| fmupdate | Configures settings related to FortiGuard service updates and the unit’s built-in FDS. |
This object contains more specific lower level objects. For example, the system object contains objects for administrators, DNS, interfaces and so on.
The FortiAnalyzer CLI consists of the following command branches:
|
|
Examples showing how to enter command sequences within each branch are provided in the following sections.
The config commands configure objects of FortiAnalyzer functionality. Top-level objects are not configurable, they are containers for more specific lower level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of variables that you can set to particular values. Simpler objects, such as system DNS, are a single set of variables.
To configure an object, you use the config command to navigate to the object’s command “shell”. For example, to configure administrators, you enter the command
config system admin user
The command prompt changes to show that you are in the admin shell.
(user)#
This is a table shell. You can use any of the following commands:
| edit | Add an entry to the FortiAnalyzer configuration or edit an existing entry. For example in the config system admin shell:
|
| delete | Remove an entry from the FortiAnalyzer configuration. For example in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin. |
| purge | Remove all entries configured in the current shell. For example in the config user local shell:
|
| get | List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values. |
| show | Show changes to the default configuration as configuration commands. |
| end | Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You will return to the root FortiAnalyzer CLI prompt.The end command is also used to save set command changes and leave the shell. |
If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:
edit admin_1
The FortiAnalyzer unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:
new entry 'admin_1' added
(admin_1)#
From this prompt, you can use any of the following commands:
| config | In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add restrict the user to specific devices or VDOMs. |
| set | Assign values. For example from the edit admin command shell, typing set password newpass changes the password of the admin administrator account to newpass.When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove. |
| unset | Reset values to defaults. For example from the edit admin command shell, typing unset password resets the password of the admin administrator account to the default of no password. |
| get | List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values. |
| show | Show changes to the default configuration in the form of configuration commands. |
| next | Save the changes you have made in the current shell and continue working in the shell. For example if you want to add several new admin user accounts enter the config system admin user shell.
|
| abort | Exit an edit shell without saving the configuration. |
| end | Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command.The end command is also used to save set command changes and leave the shell. |
The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell you must leave the shell you are working in and enter the other shell.
Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell.
To use get from the root prompt, you must include a path to a shell.
The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).
When you type get in the config system admin user shell, the list of administrators is displayed.
At the (user)# prompt, type:
get
The screen displays:
== [ admin ]
userid: admin
== [ admin2 ]
userid: admin2
== [ admin3 ]
userid: admin3
When you type get in the admin user shell, the configuration values for the admin administrator account are displayed.
edit admin
At the (admin)# prompt, type:
get
The screen displays:
userid : admin
password : *
trusthost1 : 0.0.0.0 0.0.0.0
trusthost2 : 0.0.0.0 0.0.0.0
trusthost3 : 0.0.0.0 0.0.0.0
trusthost4 : 0.0.0.0 0.0.0.0
trusthost5 : 0.0.0.0 0.0.0.0
trusthost6 : 0.0.0.0 0.0.0.0
trusthost7 : 0.0.0.0 0.0.0.0
trusthost8 : 0.0.0.0 0.0.0.0
trusthost9 : 0.0.0.0 0.0.0.0
trusthost10 : 127.0.0.1 255.255.255.255
ipv6_trusthost1 : ::/0
ipv6_trusthost2 : ::/0
ipv6_trusthost3 : ::/0
ipv6_trusthost4 : ::/0
ipv6_trusthost5 : ::/0
ipv6_trusthost6 : ::/0
ipv6_trusthost7 : ::/0
ipv6_trusthost8 : ::/0
ipv6_trusthost9 : ::/0
ipv6_trusthost10 : ::1/128
profileid : Super_User
adom:
== [ all_adoms ]
adom-name: all_adoms
policy-package:
== [ all_policy_packages ]
policy-package-name: all_policy_packages
restrict-access : disable
restrict-dev-vdom:
description : (null)
user_type : local
ssh-public-key1 :
ssh-public-key2 :
ssh-public-key3 :
meta-data:
last-name : (null)
first-name : (null)
email-address : (null)
phone-number : (null)
mobile-number : (null)
pager-number : (null)
hidden : 0
dashboard-tabs:
dashboard:
== [ 6 ]
moduleid: 6
== [ 1 ]
moduleid: 1
== [ 2 ]
moduleid: 2
== [ 3 ]
moduleid: 3
== [ 4 ]
moduleid: 4
== [ 5 ]
moduleid: 5
You want to confirm the IP address and netmask of the port1 interface from the root prompt.
At the (command) # prompt, type:
get system interface port1
The screen displays:
name : port1
status : up
ip : 172.16.81.30 255.255.255.0
allowaccess : ping https ssh snmp telnet http webservice aggregator
serviceaccess :
speed : auto
description : (null)
alias : (null)
ipv6:
ip6-address: ::/0 ip6-allowaccess:
Use show to display the FortiAnalyzer unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.
To display the configuration of all config shells, you can use show from the root prompt. The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).
When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed.
At the (port1)# prompt, type:
show
The screen displays:
config system interface
edit "port1"
set ip 172.16.81.30 255.255.255.0
set allowaccess ping https ssh snmp telnet http webservice aggregator
next
edit "port2"
set ip 1.1.1.1 255.255.255.0
set allowaccess ping https ssh snmp telnet http webservice aggregator
next
edit "port3"
next
edit "port4"
next
end
You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type:
show system dns
The screen displays:
config system dns
set primary 65.39.139.53
set secondary 65.39.139.63
end
Use execute to run static commands, to reset the FortiAnalyzer unit to factory defaults, or to back up or restore the FortiAnalyzer configuration. The execute commands are available only from the root prompt.
The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).
At the root prompt, type:
execute reboot
The system will be rebooted.
Do you want to continue? (y/n)
and press Enter to restart the FortiAnalyzer unit.
Commands in the diagnose branch are used for debugging the operation of the FortiAnalyzer unit and to set parameters for displaying different levels of diagnostic information.
|
|
Diagnose commands are intended for advanced users only. Contact Fortinet Technical Support before using these commands. |
|
|
The command prompt changes for each shell. |
config system dns
and press Enter. The prompt changes to (dns)#.
(dns)# prompt, type (question mark) ?The following options are displayed.
set
unset
get
show
abort
end
set ?The following options are displayed:
primary
secondary
172.16.100.100, type: set primary 172.16.100.100
and press Enter.
207.104.200.1, type:set secondary 207.104.200.1
and press Enter.
unset primary and press Enter.config system dns shell without saving your changes, type abort and press Enter.dns sub-shell, type end and press Enter.dns sub-shell, type get system dns and press Enter.You can press the question mark (?) key to display command help.
Type tree to display the FortiAnalyzer CLI command tree. To capture the full output, connect to your device using a terminal emulation program, such as PuTTY, and capture the output to a log file. For config commands, use the tree command to view all available variables and sub-commands.
#config system interface
(interface)# tree
-- [interface] --*name
|- status
|- ip
|- allowaccess
|- serviceaccess
|- speed
|- description
|- alias
+- <ipv6> -- ip6-address
+- ip6-allowaccess
You can use the tab key or the question mark (?) key to complete commands:
You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.
Use the left and right arrow keys to move the cursor back and forth in a recalled command. You can also use the backspace and delete keys and the control keys listed in the following table to edit the command.
| Function | Key combination |
|---|---|
| Beginning of line | Control key + A |
| End of line | Control key + E |
| Back one character | Control key + B |
| Forward one character | Control key + F |
| Delete current character | Control key + D |
| Previous command | Control key + P |
| Next command | Control key + N |
| Abort the command | Control key + C |
| If used at the root prompt, exit the CLI | Control key + C |
To break a long command over multiple lines, use a \ at the end of each line.
You can abbreviate commands and command options to the smallest number of unambiguous characters. For example, the command get system status can be abbreviated to g sy st.
The FortiAnalyzer CLI supports several environment variables.
| $USERFROM | The management access type (SSH, Telnet and so on) and the IP address of the logged in administrator. |
| $USERNAME | The user account name of the logged in administrator. |
| $SerialNum | The serial number of the FortiAnalyzer unit. |
Variable names are case sensitive. In the following example, when entering the variable, you can type (dollar sign) $ followed by a tab to auto-complete the variable to ensure that you have the exact spelling and case. Continue pressing tab until the variable you want to use is displayed.
config system global
set hostname $SerialNum
end
After you enter a clear text password using the CLI, the FortiAnalyzer unit encrypts the password and stores it in the configuration file with the prefix ENC. For example:
show system admin user user1
config system admin user
edit "user1"
set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1
rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f
set profileid "Standard_User"
next
end
It is also possible to enter an already encrypted password. For example, type:
config system admin
then press Enter.
Type:
edit user1
then press Enter.
Type:
set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMF
c9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f
then press Enter.
Type:
end
then press Enter.
When a string value contains a space, do one of the following:
"Security Administrator".'Security Administrator'.Security\ Administrator.If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.
If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to display possible command completions, terminating the string.
The CLI supports international characters in strings.
The characters <, >, (, ), #, ’, and " are not permitted in most CLI fields, but you can use them in passwords. If you use the apostrophe (‘) or quote (") character, you must precede it with a backslash (\) character when entering it in the CLI set command.
You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example you can type one of:
set ip 192.168.1.1 255.255.255.0
set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.
Using execute console baudrate, you can change the default console connection baud rate.
To check the current baud rate enter the following CLI command:
# execute console baudrate [enter]
current baud rate is: 9600
To view baudrate options, enter the CLI command with the question mark (?).
# execute console baudrate ?
baudrate 9600 | 19200 | 38400 | 57600 | 115200
To change the baudrate, enter the CLI command as listed below.
# execute console baudrate 19200
Your console connection will get lost after changing baud rate.
Change your console setting!
Do you want to continue? (y/n)
|
|
Changing the default baud rate is not available on all models. |
The following table lists available debug log levels on your FortiAnalyzer .
| Level | Type | Description |
|---|---|---|
| 0 | Emergency | The system has become unusable. |
| 1 | Alert | Immediate action is required. |
| 2 | Critical | Functionality is affected. |
| 3 | Error | An erroneous condition exists and functionality is probably affected. |
| 4 | Warning | Function might be affected. |
| 5 | Notice | Notification of normal events. |
| 6 | Information | General information about system operations. |
| 7 | Debug | Detailed information useful for debugging purposes. |
| 8 | Maximum | Maximum log level. |