FortiOS 5.6.2 CLI Reference (Beta) · FORTIGATE COOKBOOK FORTINET TRAINING SERVICES FORTIGUARD...

FortiOS 5.6.2 CLIReference (Beta)VERSION 5.6.2

#

FORTINET DOCUMENTLIBRARY

http://docs.fortinet.com

FORTINETVIDEOGUIDE

http://video.fortinet.com

FORTINETBLOG

https://blog.fortinet.com

CUSTOMERSERVICE&SUPPORT

https://support.fortinet.com

http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATECOOKBOOK

http://cookbook.fortinet.com

FORTINETTRAININGSERVICES

http://www.fortinet.com/training

FORTIGUARDCENTER

http://www.fortiguard.com

FORTICAST

http://forticast.fortinet.com

ENDUSER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK

Email: [email protected]

September 21, 2017

FortiOS 5.6.2 CLIReference (Beta)

01-562-441155-20170921
http://docs.fortinet.com/http://video.fortinet.com/https://blog.fortinet.com/https://support.fortinet.com/http://cookbook.fortinet.com/how-to-work-with-fortinet-support/http://cookbook.fortinet.com/http://www.fortinet.com/training/http://www.fortiguard.com/http://forticast.fortinet.com/http://www.fortinet.com/doc/legal/EULA.pdfmailto:[email protected]

TABLEOFCONTENTS

Change Log 19Introduction 20

How this guide is organized 20Availability of commands and options 20

Managing Firmware with the FortiGate BIOS 22Accessing the BIOS 22

Navigating themenu 22Loading firmware 22

Configuring TFTP parameters 23Initiating TFTP firmware transfer 23

Booting the backup firmware 24Using the CLI 25

Connecting to the CLI 25Connecting to the CLI using a local console 25Enabling access to the CLI through the network (SSH or Telnet) 26Connecting to the CLI using SSH 27Connecting to the CLI using Telnet 28

Command syntax 29Terminology 29Indentation 30Notation 30

Sub-commands 32Example of table commands 34

Permissions 36Tips 36

config 45alertemail 46

alertemail setting 47antivirus 49

antivirus heuristic 50antivirus profile 51antivirus quarantine 59antivirus settings 64

application 65application custom 66application list 68application name 75application rule-settings 77

authentication 78authentication rule 79authentication scheme 82authentication setting 84

aws 85aws setting 86

certificate 87certificate ca 88certificate crl 89certificate local 90

dlp 92dlp filepattern 93dlp fp-doc-source 97dlp fp-sensitivity 101dlp sensor 102dlp settings 108

dnsfilter 110dnsfilter domain-filter 111dnsfilter profile 112

endpoint-control 113endpoint-control client 114endpoint-control forticlient-registration-sync 115endpoint-control profile 116endpoint-control registered-forticlient 121endpoint-control settings 122

extender-controller 123extender-controller extender 124

firewall 126firewall {acl | acl6} 128firewall {address |address6} 130firewall {addrgrp | addgrp6} 143firewall auth-portal 150firewall central-snat-map 151firewall dnstranslation 153firewall {DoS-policy | DoS-policy6} 154firewall identity-based-route 157

firewall {interface-policy | interface-policy6} 158firewall internet-service 161firewall internet-service-custom 162firewall ipmacbinding setting 164firewall ipmacbinding table 165firewall {ippool | ippool6} 166firewall ip-translation 168firewall ipv6-eh-filter 169firewall ldb-monitor 170firewall {local-in-policy | local-in-policy6} 171firewall {multicast-address | multicast-address6} 173firewall {multicast-policy | multicast-policy6} 175firewall {policy |policy6} 177firewall {policy46 | policy64} 225firewall profile-group 228firewall profile-protocol-options 229firewall proxy-address 233firewall proxy-addrgrp 235firewall proxy-policy 236firewall schedule group 240firewall schedule onetime 243firewall schedule recurring 247firewall service category 248firewall service custom 251firewall service group 263firewall shaper per-ip-shaper 264firewall shaper traffic-shaper 265firewall shaping-policy 266firewall sniffer 268firewall ssl setting 270firewall ssl-server 271firewall ssl-ssh-profile 273firewall ttl-policy 278firewall {vip | vip6} 279firewall {vip46 | vip64} 312firewall {vipgrp | vipgrp6} 316firewall {vipgrp46 | vipgrp64} 317

ftp-proxy 318ftp-proxy explicit 319

icap 320icap profile 321icap server 322

ips 323ips custom 324ips decoder 327ips global 328ips rule 332ips rule-settings 335ips sensor 336ips settings 342

log 344log custom-field 346log disk filter 347log disk setting 349log eventfilter 351log fortianalyzer override-filter 353log fortianalyzer override-setting 354log {fortianalyzer | fortianalyzer2 | fortianalyzer3} filter 356log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting 357log fortiguard filter 359log fortiguard override-filter 360log fortiguard override-setting 361log fortiguard setting 362log gui-display 363logmemory filter 365logmemory global-setting 367logmemory setting 368log null-device filter 369log null-device setting 370log setting 371log syslogd override-filter 372log syslogd override-setting 373log {syslogd | syslogd2 | syslogd3 | syslogd4} filter 375log {syslogd | syslogd2 | syslogd3 | syslogd4} setting 376log threat-weight 378log webtrends filter 384log webtrends setting 385

report 386report chart 387report dataset 391report layout 392report setting 396report style 397report theme 399

router 401router {access-list | access-list6} 402router aspath-list 404router auth-path 405router bfd 406router bgp 407router community-list 416router isis 417router key-chain 421router {multicast | multicast6} 422router multicast-flow 425router {ospf | ospf6} 426router {policy | policy6} 433router {prefix-list | prefix-list6} 435router rip 437router ripng 440router route-map 443router setting 446router {static | static6} 447

spamfilter 449spamfilter bwl 450spamfilter bword 451spamfilter dnsbl 453spamfilter fortishield 454spamfilter iptrust 455spamfilter mheader 456spamfilter options 457spamfilter profile 458

switch-controller 460switch-controller 802-1X-settings 461switch-controller custom-command 462switch-controller global 463switch-controller igmp-snooping 464switch-controller lldp-profile 465switch-controller lldp-settings 467switch-controller mac-sync-settings 468switch-controller managed-switch 469switch-controller qos dot1p-map 474switch-controller qos ip-dscp-map 477switch-controller qos qos-policy 479switch-controller qos queue-policy 480switch-controller quarantine 481

switch-controller security-policy 802-1X 482switch-controller security-policy captive-portal 483switch-controller storm-control 484switch-controller stp-settings 485switch-controller switch-group 486switch-controller switch-log 487switch-controller switch-profile 488switch-controller vlan 489

system 490system 3g-modem custom 494system accprofile 495system admin 499system alarm 508system alias 509system api-user 510system arp-table 511system auto-install 512system auto-script 513system autoupdate push-update 514system autoupdate schedule 515system autoupdate tunneling 516system central-management 517system cluster-sync 521system console 523system csf 524system custom-language 526system ddns 527system dedicated-mgmt 529system {dhcp server | dhcp6 server} 530system dns 542system dns-database 544system dns-server 546system dscp-based-priority 547system email-server 548system fips-cc 549system fm 550system fortiguard 551system fortimanager 552system fortisandbox 553system fsso-polling 554system ftm-push 555system geoip-override 556

system global 557system gre-tunnel 586system ha 587system ha-monitor 606system interface 607system ipip-tunnel 639system ips-urlfilter-dns 640system ipv6-neighbor-cache 641system ipv6-tunnel 642system link-monitor 643system lte-modem 646systemmac-address-table 647systemmanagement-tunnel 648systemmobile-tunnel 649systemmodem 650system nat64 653system netflow 654system network-visibility 655system np6 656system npu 665system ntp 668system object-tag 669system password-policy 670system password-policy-guest-admin 673system physical-switch 674system pppoe-interface 675system probe-response 676system proxy-arp 677system replacemsg admin 678system replacemsg alertmail 679system replacemsg auth 680system replacemsg device-detection-portal 681system replacemsg ec 682system replacemsg fortiguard-wf 683system replacemsg ftp 684system replacemsg http 685system replacemsgmail 686system replacemsg nac-quar 687system replacemsg nntp 688system replacemsg spam 689system replacemsg sslvpn 690system replacemsg traffic-quota 691

system replacemsg utm 692system replacemsgwebproxy 693system replacemsg-group 694system replacemsg-image 701system resource-limits 702system session-helper 703system session-ttl 704system settings 705system sflow 709system sit-tunnel 710system sms-server 711system snmp community 712system snmp sysinfo 715system snmp user 716system storage 718system stp 719system switch-interface 720system tos-based-priority 721system vdom 722system vdom-dns 723system vdom-link 724system vdom-netflow 725system vdom-property 726system vdom-radius-server 727system vdom-sflow 728system virtual-switch 729system virtual-wan-link 730system virtual-wire-pair 734system vxlan 735systemwccp 736Router mode 737Client mode 739systemwireless ap-status 740systemwireless settings 741system zone 743

user 744user adgrp 745user device 746user device-access-list 749user device-category 751user device-group 752user fortitoken 753

user fsso 755user fsso-polling 757user group 759user krb-keytab 765user ldap 766user local 771user password-policy 775user peer 776user peergrp 779user pop3 780user radius 781user security-exempt-list 793user setting 795user tacacs+ 799

voip 801voip profile 802

vpn 808vpn certificate ca 809vpn certificate crl 811vpn certificate local 814vpn certificate ocsp-server 818vpn certificate remote 820vpn certificate setting 822vpn ipsec concentrator 825vpn ipsec forticlient 826vpn ipsec {manualkey-interface | manualkey} 827vpn ipsec {phase1-interface | phase1} 835vpn ipsec {phase2-interface | phase2} 869vpn l2tp 883vpn pptp 884vpn ssl settings 885vpn ssl web host-check-software 896vpn ssl web portal 899vpn ssl web realm 912vpn ssl web user-bookmark 913vpn ssl web user-group-bookmark 915vpn ssl web virtual-desktop-app-list 921

waf 923waf main-class 924waf profile 925waf signature 932waf sub-class 933

wanopt 934wanopt auth-group 935auth-method{cert | psk} 935wanopt forticache-service 937wanopt peer 938wanopt profile 939wanopt settings 946wanopt storage 947wanopt webcache 948

webfilter 952webfilter content 953webfilter content-header 954webfilter cookie-ovrd 955webfilter fortiguard 956webfilter ftgd-local-cat 957webfilter ftgd-local-rating 958webfilter ips-urlfilter-cache-setting 959webfilter ips-urlfilter-setting 960webfilter override 961webfilter profile 962webfilter search-engine 968webfilter urlfilter 969

web-proxy 971web-proxy debug-url 972web-proxy explicit 973web-proxy forward-server 979web-proxy forward-server-group 981web-proxy global 983web-proxy profile 986web-proxy url-match 989web-proxywisp 991

wireless-controller 993wireless-controller ap-status 994wireless-controller ble-profile 995wireless-controller global 996wireless-controller setting 999wireless-controller timers 1003wireless-controller vap-group 1006wireless-controller wids-profile 1007wireless-controller wtp 1014wireless-controller wtp-group 1026wireless-controller wtp-profile 1029

execute 1053backup 1053batch 1056bypass-mode 1057carrier-license 1057central-mgmt 1057cfg reload 1058cfg save 1059clear system arp table 1059cli check-template-status 1059cli status-msg-only 1060client-reputation 1060date 1060disk 1061disk raid 1062disk scan 1063dhcp lease-clear 1063dhcp lease-list 1063disconnect-admin-session 1064enter 1064erase-disk 1064factoryreset 1065factoryreset2 1065formatlogdisk 1065forticarrier-license 1065forticlient 1065FortiClient-NAC 1066fortiguard-log 1066fortitoken 1067fortitoken-mobile 1068fsso refresh 1068ha disconnect 1068ha ignore-hardware-revision 1069hamanage 1069ha synchronize 1070interface dhcpclient-renew 1071interface pppoe-reconnect 1071log backup 1071log client-reputation-report 1071log convert-oldlogs 1073log delete-all 1073log delete-oldlogs 1073

log detail 1073log display 1074log downgrade-log 1074log filter 1074log fortianalyzer test-connectivity 1075log list 1076log rebuild-sqldb 1076log recreate-sqldb 1076log-report reset 1077log restore 1077log roll 1077log shift-time 1077log upload-progress 1078modem dial 1078modem hangup 1078modem trigger 1078mrouter clear 1079netscan 1079pbx 1080ping 1082ping-options, ping6-options 1082ping6 1084policy-packet-capture delete-all 1084reboot 1084report 1085report-config reset 1085restore 1085revision 1089router clear bfd session 1090router clear bgp 1090router clear ospf process 1091router restart 1091send-fds-statistics 1091sensor detail 1092sensor list 1092set system session filter 1093set-next-reboot 1095sfp-mode-sgmii 1095shutdown 1095ssh 1096sync-session 1096system custom-language import 1096

system fortisandbox test-connectivity 1097tac report 1097telnet 1097time 1097traceroute 1098tracert6 1098update-av 1099update-geo-ip 1099update-ips 1099update-list 1100update-now 1100update-src-vis 1100upd-vd-license 1100upload 1101usb-device 1101usb-disk 1102vpn certificate ca 1102vpn certificate crl 1103vpn certificate local export 1104vpn certificate local generate 1105vpn certificate local import 1107vpn certificate remote 1108vpn ipsec tunnel down 1108vpn ipsec tunnel up 1109vpn sslvpn del-all 1109vpn sslvpn del-tunnel 1109vpn sslvpn del-web 1109vpn sslvpn list 1110webfilter quota-reset 1110wireless-controller delete-wtp-image 1110wireless-controller list-wtp-image 1110wireless-controller reset-wtp 1111wireless-controller restart-acd 1111wireless-controller restart-wtpd 1111wireless-controller upload-wtp-image 1111

get 1112application internet-service status 1112application internet-service-summary 1112certificate 1112extender modem-status 1113extender sys-info 1114firewall dnstranslation 1114

firewall iprope appctrl 1114firewall iprope list 1114firewall proute, proute6 1115firewall service custom 1115firewall shaper 1116grep 1117gui console status 1117hardware cpu 1118hardwarememory 1119hardware nic 1119hardware npu 1120hardware status 1123ips decoder status 1123ips rule status 1124ips session 1124ips view-map 1125ipsec tunnel 1125mgmt-data status 1126pbx branch-office 1126pbx dialplan 1126pbx did 1127pbx extension 1127pbx ftgd-voice-pkg 1127pbx global 1128pbx ringgrp 1128pbx sip-trunk 1129pbx voice-menu 1129router info bfd neighbor 1130router info bgp 1130router info isis 1132router info kernel 1132router info multicast 1133router info ospf 1134router info protocols 1136router info rip 1137router info routing-table 1137router info vrrp 1138router info6 bgp 1138router info6 interface 1139router info6 kernel 1140router info6 ospf 1140router info6 protocols 1140

router info6 rip 1140router info6 routing-table 1141switch-controller poe 1141system admin list 1141system admin status 1142system arp 1143system auto-update 1143system central-management 1143system checksum 1144system cmdb status 1144system fortianalyzer-connectivity 1145system fortiguard-log-service status 1145system fortiguard-service status 1146system ha-nonsync-csum 1146system ha status 1146system info admin status 1149system info admin ssh 1150system interface physical 1150system ip-conflict status 1151systemmgmt-csum 1151system performance firewall 1151system performance status 1152system performance top 1153system session list 1154system session status 1155system session-helper-info list 1155system session-info 1156system source-ip 1157system startup-error-log 1158system stp list 1158system status 1158test 1159user adgrp 1161vpn certificate 1161vpn ike gateway 1162vpn ipsec tunnel details 1162vpn ipsec tunnel name 1162vpn ipsec tunnel summary 1162vpn ipsec stats crypto 1162vpn ipsec stats tunnel 1163vpn ssl monitor 1163vpn status l2tp 1164

vpn status pptp 1164vpn status ssl 1164webfilter categories 1164webfilter ftgd-statistics 1165webfilter status 1167wireless-controller client-info 1167wireless-controller rf-analysis 1167wireless-controller scan 1168wireless-controller spectral-info 1168wireless-controller status 1169wireless-controller vap-status 1169wireless-controller wlchanlistlic 1169wireless-controller wtp-status 1171

tree 1173

Change Log

Change Log

Date Change Description

September 21, 2017 Beta release.

FortiOS 5.6.2 CLIReference (Beta)Fortinet Technologies Inc.

19

Introduction How this guide is organized

Introduction

This document describes FortiOS 5.6 CLI commands used to configure and manage a FortiGate unit from thecommand line interface (CLI).

Beta release

This document is released as a Beta and, as such, is very much a work in progress. Before now, our focus was ondocumenting the most commonly used CLI commands, or those commands that required more explanation. Nowwe are releasing this Beta with every possible command available, with Supplemental Information below theCLIsyntax that dive into a little extra detail.

The CLI syntax is created by processing a schema of a particular build of FortiOS 5.6, and reformatting theresulting CLI output into content that resembles the output found in the CLI console.

In addition, we will continue to improve the supplemental information, and have an HTML version up soonaccessible from http://cli.fortinet.com.

If you have comments on this content, its format, or requests for commands that are not included contact us [email protected].

How this guide is organized

This document contains the following sections:

Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGateunit boot-up.

Using the CLI describes how to connect to the CLI and some basics of how it works.

config describes the commands for each configuration branch of the FortiOS CLI.

execute describes execute commands.

get describes get commands.

tree describes the tree command.

Availability of commands and options

Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an errormessage if you attempt to enter a command or option that is not available. You can use the question mark ? toverify the commands and options that are available.

Commands and options may not be available for the following reasons:


20
mailto:[email protected]

Availability of commands and options Introduction

FortiGate model

All commands are not available on all FortiGate models. For example, low-end FortiGate models do not supportthe aggregate interface type option of the config system interface command.

Hardware configuration

For example, some AMCmodule commands are only available when an AMCmodule is installed.

FortiOS Carrier, FortiGate Voice, FortiWiFi, etc

Commands for extended functionality are not available on all FortiGate models. The CLI Reference includescommands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.

21 FortiOS 5.6.2 CLIReference (Beta)Fortinet Technologies Inc.

Managing Firmware with the FortiGate BIOS Accessing the BIOS

Managing Firmware with the FortiGate BIOS

FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-based manager or by using the CLI execute restore command. From the console, you can also interrupt theFortiGate units boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.

Using the BIOS, you can:

l view system informationl format the boot devicel load firmware and rebootl reboot the FortiGate unit from the backup firmware, which then becomes the default firmware

Accessing the BIOS

The BIOSmenu is available only through direct connection to the FortiGate units Console port. During boot-up,Press any key appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOSmenu appears. If you are too late, the boot-up process continues as usual.

Navigating the menuThe main BIOSmenu looks like this:

[C]: Configure TFTP parameters[R]: Review TFTP paramters[T]: Initiate TFTP firmware transfer[F]: Format boot device[Q]: Quit menu and continue to boot[I]: System Information[B]: Boot with backup firmare and set as default[Q]: Quit menu and continue to boot[H]: Display this list of options

Enter C,R,T,F,I,B,Q,or H:

Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. Anoption value in square brackets at the end of the Enter line is the default value which you can enter simply bypressing Return. For example,

Enter image download port number [WAN1]:

In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.

Loading firmware

The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface.You need to know the IP address of the server and the name of the firmware file to download.


22

Loading firmware Managing Firmware with the FortiGate BIOS

The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot thedownloaded firmware without saving it.

Configuring TFTP parametersStarting from the main BIOSmenu

[C]: Configure TFTP parameters.

Selecting the VLAN (if VLANs are used)

[V]: Set local VLAN ID.

Choose port and whether to use DHCP

[P]: Set firmware download port.

The options listed depend on the FortiGate model. Choose the network interface through which the TFTPserver can be reached. For example:

[0]: Any of port 1 - 7[1]: WAN1[2]: WAN2Enter image download port number [WAN1]:

[D]: Set DHCP mode.Please select DHCP setting[1]: Enable DHCP[2]: Disable DHCP

If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].

Non-DHCP steps

[I]: Set local IP address.Enter local IP address [192.168.1.188]:

This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the samesubnet to which the network interface connects.

[S]: Set local subnet mask.Enter local subnet mask [255.255.252.0]:

[G]: Set local gateway.

The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which theFortiGate unit is connected.

TFTP and filename

[T]: Set remote TFTP server IP address.Enter remote TFTP server IP address [192.168.1.145]:

[F]: Set firmware file name.Enter firmware file name [image.out]:

Enter [Q] to return to the main menu.

Initiating TFTP firmware transferStarting from the main BIOSmenu

[T]: Initiate TFTP firmware transfer.


Managing Firmware with the FortiGate BIOS Booting the backup firmware

Please connect TFTP server to Ethernet port 'WAN1'.

MAC: 00:09:0f:b5:55:28

Connect to tftp server 192.168.1.145 ...

##########################################################Image Received.Checking image... OKSave as Default firmware/Backup firmware/Run image withoutsaving:[D/B/R]?

After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while thefirmware is copied:

Programming the boot device now.................................................................................................................................

Booting the backup firmware

You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.

Starting from the main BIOSmenu

[B]: Boot with backup firmware and set as default.

If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:

Failed to mount filesystem. . .Mount back up partition failed.Back up image open failed.Press Y or y to boot default image.


24

Using the CLI Connecting to the CLI

Using the CLI

The command line interface (CLI) is an alternative configuration tool to the GUI or web-based manager. Whilethe configuration of the GUI uses a point-and-click method, the CLI requires typing commands or uploadingbatches of commands from a text file, like a configuration script.

This section explains common CLI tasks that an administrator does on a regular basis and includes the topics:

l Connecting to the CLIl Command syntaxl Sub-commandsl Permissionsl Tips

Connecting to the CLI

You can access the CLI in three ways:

l Locally with a console cable Connect your computer directly to the FortiGate units console port. Local access isrequired in some cases:l If you are installing your FortiGate unit for the first time and it is not yet configured to connect to your network,

you may only be able to connect to the CLI using a local serial console connection, unless you reconfigure yourcomputers network settings for a peer connection.

l Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the bootprocess has completed, making local CLI access the only viable option.

l Through the network Connect your computer through any network attached to one of the FortiGate unitsnetwork ports. The network interface must have enabled Telnet or SSH administrative access if you will connectusing an SSH/Telnet client, or HTTP/HTTPS administrative access if you will connect by accessing the CLIConsole in the GUI. The CLI console widget is no longer part of the Dashboard with FortiOS 5.6. It can beaccessed, however, from the upper-right hand corner of the screen and is no longer a pop-out window but a slidingwindow.

l Locally with FortiExplorer Connect your computer directly to the FortiGate units USBmanagement port.FortiExplorer provides direct access to the FortiOS setup wizard, Web-based Manager, and CLI console.

Connecting to the CLI using a local consoleLocal console connections to the CLI are formed by directly connecting your management computer or console tothe FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:

l A computer with an available serial communications (COM) port.l The RJ-45-to-DB-9 or null modem cable included in your FortiGate package.l Terminal emulation software such as HyperTerminal for Microsoft Windows.

The following procedure describes connection using Microsoft HyperTerminal software; steps may vary with otherterminal emulators.


25

Connecting to the CLI Using the CLI

To connect to the CLI using a local serial console connection

1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate units console port to the serialcommunications (COM) port on your management computer.

2. On your management computer, start HyperTerminal.3. For the Connection Description, enter a Name for the connection, and select OK.4. On the Connect using drop-down list box, select the communications (COM) port on your management

computer you are using to connect to the FortiGate unit.5. Select OK.6. Select the following Port settings and select OK.

Bits per second 9600

Data bits 8

Parity None

Stop bits 1

Flow control None

7. PressEnter orReturn on your keyboard to connect to the CLI.8. Type a valid administrator account name (such as admin) and press Enter.9. Type the password for that administrator account and press Enter. (In its default state, there is no password for

the admin account.)The CLI displays the following text:

Welcome!Type ? to list available commands.

You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.

Enabling access to the CLI through the network (SSH or Telnet)SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one ofits RJ-45 network ports. You can either connect directly, using a peer connection between the two, or through anyintermediary network.

If you do not want to use an SSH/Telnet client and you have access to the web-basedmanager, you can alternatively access the CLI through the network using the CLIConsolewidget in the web-based manager.

You must enable SSH and/or Telnet on the network interface associated with that physical network port. If yourcomputer is not connected directly or through a switch, you must also configure the FortiGate unit with a staticroute to a router that can forward packets from the FortiGate unit to your computer. You can do this using either alocal console connection or the web-based manager.

Requirements

l A computer with an available serial communications (COM) port and RJ-45 portl Terminal emulation software such as HyperTerminal for Microsoft Windows


Using the CLI Connecting to the CLI

l The RJ-45-to-DB-9 or null modem cable included in your FortiGate packagel A network cablel Prior configuration of the operating mode, network interface, and static route.

To enable SSH or Telnet access to the CLI using a local console connection

1. Using the network cable, connect the FortiGate units network port either directly to your computers network port,or to a network through which your computer can reach the FortiGate unit.

2. Note the number of the physical network port.3. Using a local console connection, connect and log into the CLI.4. Enter the following command:

config system interfaceedit

set allowaccess end

where:

l is the name of the network interface associated with the physical network port andcontaining its number, such as port1

l is the complete, space-delimited list of permitted administrative access protocols, suchas https ssh telnet

For example, to exclude HTTP, HTTPS, SNMP, and PING, and allow only SSH and Telnetadministrative access on port1:

config system interfaceedit port1

set allowaccess ssh telnetend

5. To confirm the configuration, enter the command to display the network interfaces settings.show system interface

The CLI displays the settings, including the allowed administrative access protocols, for the networkinterfaces.

Connecting to the CLI using SSHOnce the FortiGate unit is configured to accept SSH connections, you can use an SSH client on yourmanagement computer to connect to the CLI.

Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate unitssupport 3DES and Blowfish encryption algorithms for SSH.

Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSHconnections. The following procedure uses PuTTY. Steps may vary with other SSH clients.

To connect to the CLI using SSH

1. On your management computer, start an SSH client.2. In Host Name (or IP Address), enter the IP address of a network interface on which you have enabled SSH

administrative access.3. In Port, enter 22.


27

Connecting to the CLI Using the CLI

4. For the Connection type, select SSH.5. Select Open.

The SSH client connects to the FortiGate unit.

The SSH client may display a warning if this is the first time you are connecting to the FortiGate unitand its SSH key is not yet recognized by your SSH client, or if you have previously connected to theFortiGate unit but used a different IP address or SSH key. This is normal If your managementcomputer is directly connected to the FortiGate unit with no network hosts between them.

6. ClickYes to verify the fingerprint and accept the FortiGate units SSH key. You will not be able to log in until youhave accepted the key.

7. The CLI displays a login prompt.8. Type a valid administrator account name (such as admin) and press Enter.9. Type the password for this administrator account and press Enter.

The FortiGate unit displays a command prompt (its host name followed by a #. You can now enterCLI commands.

If three incorrect login or password attempts occur in a row, you will be disconnected.If this occurs, wait one minute, then reconnect to attempt the login again.

Connecting to the CLI using TelnetOnce the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on yourmanagement computer to connect to the CLI.

Telnet is not a secure access method. SSH should be used to access the CLI from theInternet or any other untrusted network.

Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnetconnections.

To connect to the CLI using Telnet

1. On your management computer, start a Telnet client.2. Connect to a FortiGate network interface on which you have enabled Telnet.3. Type a valid administrator account name (such as admin) and press Enter.4. Type the password for this administrator account and press Enter.

The FortiGate unit displays a command prompt (its host name followed by a #. You can now enterCLI commands.

If three incorrect login or password attempts occur in a row, you will be disconnected.If this occurs, wait one minute, then reconnect to attempt the login again.


Using the CLI Command syntax

Command syntax

When entering a command, the command line interface (CLI) requires that you use valid syntax and conform toexpected input constraints. It will reject invalid commands.

Fortinet documentation uses the conventions below to describe valid command syntax.

TerminologyEach command line consists of a command word that is usually followed by words for the configuration data orother specific item that the command uses or affects:

get system admin

To describe the function of each word in the command line, especially if that nature has changed betweenfirmware versions, Fortinet uses terms with the following definitions.

Command syntax terminology

l command Aword that begins the command line and indicates an action that the FortiGate unit should performon a part of the configuration or host on the network, such as config or execute. Together with other words,such as fields or values, that end when you press the Enter key, it forms a command line. Exceptions includemultiline command lines, which can be entered using an escape sequence.Valid command lines must be unambiguous if abbreviated. Optional words or other command line permutations areindicated by syntax notation.

l sub-command A kind of command that is available only when nested within the scope of another command.After entering a command, its applicable sub-commands are available to you until you exit the scope of thecommand, or until you descend an additional level into another sub-command. Indentation is used to indicate levelsof nested commands.Not all top-level commands have sub-commands. Available sub-commands vary by their containing scope.

l object Apart of the configuration that contains tables and / or fields. Valid command lines must be specificenough to indicate an individual object.

l table A set of fields that is one of possibly multiple similar sets which each have a name or number, such as anadministrator account, policy, or network interface. These named or numbered sets are sometimes referenced byother parts of the configuration that use them.


29

Command syntax Using the CLI

l field The name of a setting, such as ip or hostname. Fields in some tables must be configured with values.Failure to configure a required field will result in an invalid object configuration error message, and the FortiGateunit will discard the invalid table.

l value Anumber, letter, IP address, or other type of input that is usually your configuration setting held by a field.Some commands, however, require multiple input values which may not be named but are simply entered insequential order in the same command line. Valid input types are indicated by constraint notation.

l option A kind of value that must be one or more words from of a fixed set of options.

IndentationIndentation indicates levels of nested commands, which indicate what other sub-commands are available fromwithin the scope. For example, the edit sub-command is available only within a command that affects tables,and the next sub-command is available only from within the edit sub-command:


set status upend

NotationBrackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as, indicate which data types or string patterns are acceptable value input.

Command syntax notation

Convention Description

Square brackets[] A non-required word or series of words. For example:

[verbose {1 | 2 | 3}]

indicates that you may either omit or type both the verbose word and itsaccompanying option, such as verbose 3.


Using the CLI Command syntax


Angle brackets

Aword constrained by data type. The angled brackets contain a descriptivename followed by an underscore (_) and suffix that indicates the valid datatype. For example, , indicates that you should enter anumber of retries, such as 5.

Data types include:l : A name referring to another part of the configuration,such as policy_A.

l : An index number referring to another part of theconfiguration, such as 0 for the first static route.

l : A regular expression or word with wild cards thatmatches possible variations, such as *@example.com to match allemail addresses ending in @example.com.

l : A fully qualified domain name (FQDN), such asmail.example.com.

l : An email address, such as [email protected] : An IPv4 address, such as 192.168.1.99.l : A dotted decimal IPv4 netmask, such as255.255.255.0.

l : A dotted decimal IPv4 address and netmaskseparated by a space, such as 192.168.1.99255.255.255.0.

l : A dotted decimal IPv4 address and CIDR-notationnetmask separated by a slash, such as 192.168.1.1/24

l : A hyphen (- )-delimited inclusive range of IPv4addresses, such as 192.168.1.1-192.168.1.255.

l : A colon(:)-delimited hexadecimal IPv6 address, such as3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.

l : An IPv6 netmask, such as /96.

l : A dotted decimal IPv6 address and netmaskseparated by a space.

l : A string of characters that is not another data type, such asP@ssw0rd. Strings containing spaces or special characters must besurrounded in quotes or use escape sequences.

l : An integer number that is not another data type, such as15 for the number of minutes.

Curly braces{}Aword or series of words that is constrained to a set of options delimited byeither vertical bars or spaces. You must enter at least one of the options,unless the set of options is surrounded by square brackets [].


31

Sub-commands Using the CLI


Options delimited byvertical bars |

Mutually exclusive options. For example:

{enable | disable}

indicates that you must enter either enable or disable, but must notenter both.

Options delimited byspaces

Non-mutually exclusive options. For example:

{http https ping snmp ssh telnet}

indicates that you may enter all or a subset of those options, in any order,in a space-delimited list, such as:

ping https ssh

Sub-commands

Each command line consists of a command word that is usually followed by words for the configuration data orother specific item that the command uses or affects:

get system admin

Sub-commands are available from within the scope of some commands. When you enter a sub-command level,the command prompt changes to indicate the name of the current command scope. For example, after entering:

config system admin

the command prompt becomes:

(admin)#

Applicable sub-commands are available to you until you exit the scope of the command, or until you descend anadditional level into another sub-command.

For example, the edit sub-command is available only within a command that affects tables; the next sub-command is available only from within the edit sub-command:


set status upnext

end

Sub-command scope is indicated by indentation.

Available sub-commands vary by command. From a command prompt within config, two types of sub-commands might become available:

l commands affecting fieldsl commands affecting tables


Using the CLI Sub-commands

Commands for tables

clone Clone (or make a copy of) a table from the current object.

For example, in config firewall policy, you could enter thefollowing command to clone security policy 27 to create security policy 30:

clone 27 to 30

In config antivirus profile, you could enter the followingcommand to clone an antivirus profile named av_pro_1 to create a newantivirus profile named av_pro_2:

clone av_pro_1 to av_pro_2

clone may not be available for all tables.

delete

Remove a table from the current object.

For example, in config system admin, you could delete anadministrator account named newadmin by typing delete newadminand pressing Enter. This deletes newadmin and all its fields, such asnewadmins first-name and email-address.

delete is only available within objects containing tables.

edit Create or edit a table in the current object.

For example, in config system admin:

edit the settings for the default admin administrator account by typingedit admin.add a new administrator account with the name newadmin and editnewadmins settings by typing edit newadmin.

edit is an interactive sub-command: further sub-commands are availablefrom within edit.

edit changes the prompt to reflect the table you are currently editing.

edit is only available within objects containing tables.

In objects such as security policies, is a sequence number. Tocreate a new entry without the risk of overwriting an existing one, enteredit 0. The CLI initially confirms the creation of entry 0, but assigns thenext unused number after you finish editing and enter end.

end Save the changes to the current object and exit the config command.This returns you to the top-level command prompt.


33

Sub-commands Using the CLI

get List the configuration of the current object or table.

In objects, get lists the table names (if present), or fields and theirvalues.In a table, get lists the fields and their values.

For more information on get commands, see the CLI Reference.

purge

Remove all tables in the current object.

For example, in config user local, you could type get to see the listof user names, then type purge and then y to confirm that you want todelete all users.

purge is only available for objects containing tables.

Caution: Back up the FortiGate before performing a purge. purgecannot be undone. To restore purged tables, the configuration must berestored from a backup.

Caution: Do not purge system interface or system admin tables.purge does not provide default tables. This can result in being unable toconnect or log in, requiring the FortiGate unit to be formatted and restored.

rename to Rename a table.

For example, in config system admin, you could rename admin3 tofwadmin by typing rename admin3 to fwadmin.

rename is only available within objects containing tables.

show Display changes to the default configuration. Changes are listed in theform of configuration commands.

Example of table commandsFrom within the system admin object, you might enter:

edit admin_1

The CLI acknowledges the new table, and changes the command prompt to show that you are now within theadmin_1 table:

new entry 'admin_1' added(admin_1)#

Commands for fields

abort Exit both the edit and/or config commands without saving the fields.

http://docs.fortinet.com/

Using the CLI Sub-commands

append Add an option to an existing list.

end Save the changes made to the current table or object fields, and exit the configcommand. (To exit without saving, use abort instead.)

get

List the configuration of the current object or table.

In objects, get lists the table names (if present), or fields and their values.In a table, get lists the fields and their values.

move Move an object within a list, when list order is important. For example, rearrangingsecurity policies within the policy list.

next

Save the changes you have made in the current tables fields, and exit the editcommand to the object prompt. (To save and exit completely to the root prompt, useend instead.)

next is useful when you want to create or edit several tables in the same object,without leaving and re-entering the config command each time.

next is only available from a table prompt; it is not available from an object prompt.

select Clear all options except for those specified.

For example, if a group contains members A, B, C, and D and you remove all usersexcept for B, use the command select member B.

set

Set a fields value.

For example, in config system admin, after typing edit admin, you couldtype set password newpass to change the password of the admin administratorto newpass.

Note:When using set to change a field containing a space-delimited list, type thewhole new list. For example, set will replace the list withthe rather than appending to the list.

show Display changes to the default configuration. Changes are listed in the form ofconfiguration commands.

unselect Remove an option from an existing list.

unset Reset the table or objects fields to default values.

For example, in config system admin, after typing edit admin, typing unsetpassword resets the password of the admin administrator account to the default (inthis case, no password).

Example of field commands

From within the admin_1 table, you might enter:


35

Permissions Using the CLI

set password my1stExamplePassword

to assign the value my1stExamplePassword to the password field. You might then enter the nextcommand to save the changes and edit the next administrators table.

Permissions

Access profiles control which CLI commands an administrator account can access. Access profiles assign eitherread, write, or no access to each area of the FortiGate software. To view configurations, you must have readaccess. To make changes, you must have write access. So, depending on the account used to log in to theFortiGate unit, you may not have complete access to all CLI commands

Unlike other administrator accounts, the admin administrator account exists by default and cannot be deleted.The admin administrator account is similar to a root administrator account. This administrator account alwayshas full permission to view and change all FortiGate configuration options, including viewing and changing allother administrator accounts. Its name and permissions cannot be changed. It is the only administrator accountthat can reset another administrators password without being required to enter that administrators existingpassword.

Set a strong password for the admin administrator account, and change the passwordregularly. By default, this administrator account has no password. Failure to maintainthe password of the admin administrator account could compromise the security ofyour FortiGate unit.

For complete access to all commands, you must log in with the administrator account named admin.

Tips

Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

HelpTo display brief help during command entry, press the question mark (?) key.

l Press the question mark (?) key at the command prompt to display a list of the commands available and adescription of each command.

l Type a word or part of a word, then press the question mark(?) key to display a list of valid word completions orsubsequent words, and to display a description of each.


Using the CLI Tips

Shortcuts and key commands

Shortcuts and key commands

Action Keys

List valid word completions or subsequent words.

If multiple words could complete your entry, display all possible completions withhelpful descriptions of each.

?

Complete the word with the next available match.

Press the key multiple times to cycle through available matches.Tab

Recall the previous command.

Command memory is limited to the current session.

Up arrow, orCtrl + P

Recall the next command. Down arrow, orCtrl + N

Move the cursor left or right within the command line. Left or Right arrow

Move the cursor to the beginning of the command line. Ctrl + A

Move the cursor to the end of the command line. Ctrl + E

Move the cursor backwards one word. Ctrl + B

Move the cursor forwards one word. Ctrl + F

Delete the current character. Ctrl + D

Abort current interactive commands, such as when entering multiple lines.

If you are not currently within an interactive command such as config or edit, thiscloses the CLI connection.

Ctrl + C

Continue typing a command on the next line for a multi-line command.

For each line that you want to continue, terminate it with a backslash(\). To completethe command line, terminate it by pressing the spacebar and then the Enter key,without an immediately preceding backslash.

\ then Enter

Command abbreviationYou can abbreviate words in the command line to their smallest number of non-ambiguous characters.

For example, the command get system status could be abbreviated to gsy stat.


37

Tips Using the CLI

Adding and removing options from listsWhen adding options to a list, such as a user group, using the set command will remove the previousconfiguration. For example. if you wish to add user D to a user group that already contains members A, B, and C,the command would need to be set member A B C D. If only set member D was used, then all formermembers would be removed from the group.

However, there are additional commands which can be used instead of set for changing options in a list.

Additional commands for lists

append Add an option to an existing list.

For example, append member would add user D to a user group while all previousgroup members are retained

select

Clear all options except for those specified.

For example, if a group contains members A, B, C, and D and you remove all usersexcept for B, use the command select member B.

unselect Remove an option from an existing list.

For example, unselect member A would remove member A from a group will allprevious group members are retained.

Environment variablesThe CLI supports the following environment variables. Variable names are case-sensitive.

Environment variables

$USERFROM The management access type (ssh, telnet, jsconsole for the CLI Consolewidget in the web-based manager, and so on) and the IP address of the administratorthat configured the item.

$USERNAME The account name of the administrator that configured the item.

$SerialNum The serial number of the FortiGate unit.

For example, the FortiGate units host name can be set to its serial number.

config system globalset hostname $SerialNum

end


Using the CLI Tips

Special charactersThe characters , (,), #, ', and are not permitted in most CLI fields. These characters are special characters,also known as reserved characters.

You may be able to enter special character as part of a strings value by using a special command, enclosing it inquotes, or preceding it with an escape sequence in this case, a backslash (\) character.

In other cases, different keystrokes are required to input a special character. If you need to enter ? as part ofconfig, you first need to input CTRL-V. If you enter the question mark (?) without first using CTRL-V, the questionmark has a different meaning in CLI: it will show available command options in that section.

For example, if you enter ? without CTRL-V:

edit "*.xetoken line: Unmatched double quote.

If you enter ? with CTRL-V:

edit "*.xe?"new entry '*.xe?' added

Entering special characters

Character Keys

? Ctrl + V then ?

Tab Ctrl + V then Tab

Space

(to be interpreted as part of a string value,not to end the string)

Enclose the string in quotation marks: "SecurityAdministrator.

Enclose the string in single quotes: 'SecurityAdministrator'.

Precede the space with a backslash: Security\Administrator.

'


\'

"


\"

\ \\


39

Tips Using the CLI

Using grep to filter get and show command outputIn many cases, the get and show (and diagnose) commands may produce a large amount of output. If youare looking for specific information in a large get or show command output, you can use the grep command tofilter the output to only display what you are looking for. The grep command is based on the standard UNIXgrep, used for searching text output based on regular expressions.

Use the following command to display the MAC address of the FortiGate unit internal interface:

get hardware nic internal | grep Current_HWaddrCurrent_HWaddr 00:09:0f:cb:c2:75

Use the following command to display all TCP sessions in the session list and include the session list line numberin the output

get system session list | grep -n tcp

Use the following command to display all lines in HTTP replacement message commands that contain URL(upper or lower case):

show system replacemsg http | grep -i url

There are three additional options that can be applied to grep:

-A After-B Before-C Context

The option -f is also available to support Fortinet contextual output, in order to show the completeconfiguration. The following example shows the difference in output when -f option is used versus when it is not.

Using -f:

show | grep -f ldap-group1config user group

edit "ldap-group1"set member "pc40-LDAP"

nextendconfig firewall policy

edit 2set srcintf "port31"set dstintf "port32"set srcaddr "all"set action acceptset identity-based enableset nat enableconfig identity-based-policy

edit 1set schedule "always"set groups "ldap-group1"set dstaddr "all"set service "ALL"

nextend

nextend


Using the CLI Tips

Without using -f:

show | grep ldap-group1edit "ldap-group1"

set groups "ldap-group1"

Language support and regular expressionsCharacters such as , , symbols, and ideographs are sometimes acceptable input. Support varies by the natureof the item being configured. CLI commands, objects, field names, and options must use their exact ASCIIcharacters, but some items with arbitrary names or values may be input using your language of choice. To useother languages in those cases, you must use the correct encoding.

Input is stored using Unicode UTF-8 encoding but is not normalized from other encodings into UTF-8 before it isstored. If your input method encodes some characters differently than in UTF-8, your configured itemsmay notdisplay or operate as expected.

Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regularexpression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8,matches may not be what you expect.

For example, with Shift-JIS, backslashes (\) could be inadvertently interpreted as the symbol for the Japaneseyen () and vice versa. A regular expression intended to match HTTP requests containing money values with ayen symbol therefore may not work it if the symbol is entered using the wrong encoding.

For best results, you should:

l use UTF-8 encoding, orl use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters

that are also encoded using the same values in ISO8859-1, Windows code page 1252, Shift-JIS and otherencodings, or

l for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.

HTTP clients may send requests in encodings other than UTF-8. Encodings usuallyvary by the clients operating system or input language. If you cannot predict theclients encoding, you may only be able to match any parts of the request that are inEnglish, because regardless of the encoding, the values for English characters tend tobe encoded identically. For example, English words may be legible regardless ofinterpreting a web page as either ISO 8859-1 or as GB2312, whereas simplifiedChinese characters might only be legible if the page is interpreted as GB2312.

If you configure your FortiGate unit using other encodings, you may need to switch language settings on yourmanagement computer, including for your web browser or Telnet/SSH client. For instructions on how to configureyour management computers operating system language, locale, or input method, see its documentation.

If you choose to configure parts of the FortiGate unit using non-ASCII characters, verify that all systemsinteracting with the FortiGate unit also support the same encodings. You should also use the same encodingthroughout the configuration if possible in order to avoid needing to switch the language settings of the web-based manager and your web browser or Telnet/SSH client while you work.

Similarly to input, your web browser or CLI client should usually interpret display output as encoded using UTF-8.If it does not, your configured itemsmay not display correctly in the GUI or CLI. Exceptions include items such as


41

Tips Using the CLI

regular expressions that you may have configured using other encodings in order to match the encoding of HTTPrequests that the FortiGate unit receives.

To enter non-ASCII characters in the CLI Console

1. On your management computer, start your web browser and go to the URL for the FortiGate units GUI.2. Configure your web browser to interpret the page as UTF-8 encoded.3. Log in to the FortiGate unit.4. Open the CLI Console from the upper right-hand corner.5. In title bar of the CLI Consolewidget, clickEdit (the pencil icon).6. Enable Use external command input box.7. Select OK.8. The Command field appears below the usual input and display area of the CLI Console .9. In Command, type a command.

Entering encoded characters (CLI Console widget):

10. PressEnter.In the display area, the CLI Consolewidget displays your previous command interpreted into itscharacter code equivalent, such as:

edit \743\601\613\743\601\652

and the commands output.

To enter non-ASCII characters in a Telnet/SSH client

1. On your management computer, start your Telnet or SSH client.2. Configure your Telnet or SSH client to send and receive characters using UTF-8 encoding.

Support for sending and receiving international characters varies by each Telnet/SSH client. Consultthe documentation for your Telnet/SSH client.

3. Log in to the FortiGate unit.4. At the command prompt, type your command and press Enter.


Using the CLI Tips

Entering encoded characters (PuTTY):

You may need to surround words that use encoded characters with single quotes (').

Depending on your Telnet/SSH clients support for your languages input methods and for sendinginternational characters, you may need to interpret them into character codes before pressing Enter.

For example, you might need to enter:

edit '\743\601\613\743\601\652'

5. The CLI displays your previous command and its output.

Screen pagingYou can configure the CLI to pause after displaying each pages worth of text when displaying multiple pages ofoutput. When the display pauses, the last line displays --More--. You can then either:

l press the spacebar to display the next page.l type Q to truncate the output and return to the command prompt.

This may be useful when displaying lengthy output, such as the list of possible matching commands forcommand completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer ofyour terminal emulator, you can simply display one page at a time.

To configure the CLI display to pause when the screen is full:

config system consoleset output more

end

Baud rateYou can change the default baud rate of the local console connection.

To change the baud rate enter the following commands:

config system consoleset baudrate {115200 | 19200 | 38400 | 57600 | 9600}

end

Editing the configuration file on an external hostYou can edit the FortiGate configuration on an external host by first backing up the configuration file to a TFTPserver. Then edit the configuration file and restore it to the FortiGate unit.


43

Tips Using the CLI

Editing the configuration on an external host can be timesaving if you have many changes to make, especially ifyour plain text editor provides advanced features such as batch changes.

To edit the configuration on your computer

1. Use execute backup to download the configuration file to a TFTP server, such as your managementcomputer.

2. Edit the configuration file using a plain text editor that supports Unix-style line endings.

Do not edit the first line. The first line(s) of the configuration file (preceded by a #character) contains information about the firmware version and FortiGate model. Ifyou change the model number, the FortiGate unit will reject the configuration filewhen you attempt to restore it.

3. Use execute restore to upload the modified configuration file back to the FortiGateunit.The FortiGate unit downloads the configuration file and checks that the model information is correct.If it is, the FortiGate unit loads the configuration file and checks each command for errors. If acommand is invalid, the FortiGate unit ignores the command. If the configuration file is valid, theFortiGate unit restarts and loads the new configuration.


config

config

Use the config commands to change your FortiGate's configuration.

The command branches and commands are in alphabetical order. The information in this section has beenextracted and formatted from FortiOS source code. The extracted information includes the command syntax,command descriptions (extracted from CLI help)and default values. This is the first version of this contentproduced in this way. You can send comments about this content to [email protected]


45
mailto:[email protected]

alertemail

alertemail

Use the alert email command to configure various alert email settings.

This section includes syntax for the following commands:

l alertemail setting


46

alertemail setting alertemail

alertemail setting

Configure alert email settings, including destination email addresses and various logging options.

config alertemail settingset username {string } Name that appears in the From: field of alert emails (max. 36 characters). size[35]set mailto1 {string } Email address to send alert email to (usually a system administrator) (max. 64 characters). size[63]set mailto2 {string } Optional second email address to send alert email to (max. 64 characters). size[63]set mailto3 {string } Optional third email address to send alert email to (max. 64 characters). size[63]set filter-mode {category | threshold } How to filter log messages that are sent to alert emails.

category Filter based on category.threshold Filter based on severity.

set email-interval {integer } Interval between sending alert emails (1 - 99999 min, default = 5). range[1-99999]set IPS-logs {enable | disable } Enable/disable IPS logs in alert email.set firewall-authentication-failure-logs {enable | disable } Enable/disable firewall authentication failure logs in alert email.set HA-logs {enable | disable } Enable/disable HA logs in alert email.set IPsec-errors-logs {enable | disable } Enable/disable IPsec error logs in alert email.set FDS-update-logs {enable | disable } Enable/disable FortiGuard update logs in alert email.set PPP-errors-logs {enable | disable } Enable/disable PPP error logs in alert email.set sslvpn-authentication-errors-logs {enable | disable } Enable/disable SSL-VPN authentication error logs in alert email.set antivirus-logs {enable | disable } Enable/disable antivirus logs in alert email.set webfilter-logs {enable | disable } Enable/disable web filter logs in alert email.set configuration-changes-logs {enable | disable } Enable/disable configuration change logs in alert email.set violation-traffic-logs {enable | disable } Enable/disable violation traffic logs in alert email.set admin-login-logs {enable | disable } Enable/disable administrator login/logout logs in alert email.set FDS-license-expiring-warning {enable | disable } Enable/disable FortiGuard license expiration warnings in alert email.set log-disk-usage-warning {enable | disable } Enable/disable disk usage warnings in alert email.set fortiguard-log-quota-warning {enable | disable } Enable/disable FortiCloud log quota warnings in alert email.set amc-interface-bypass-mode {enable | disable } Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode logs in alert

email.set FIPS-CC-errors {enable | disable } Enable/disable FIPS and Common Criteria error logs in alert email.set FSSO-disconnect-logs {enable | disable } Enable/disable logging of FSSO collector agent disconnect.set FDS-license-expiring-days {integer } Number of days to send alert email prior to FortiGuard license expiration (1 - 100 days, default =

100). range[1-100]set local-disk-usage {integer } Disk usage percentage at which to send alert email (1 - 99 percent, default = 75). range[1-99]set emergency-interval {integer } Emergency alert interval in minutes. range[1-99999]set alert-interval {integer } Alert alert interval in minutes. range[1-99999]set critical-interval {integer } Critical alert interval in minutes. range[1-99999]set error-interval {integer } Error alert interval in minutes. range[1-99999]


alertemail alertemail setting

set warning-interval {integer } Warning alert interval in minutes. range[1-99999]set notification-interval {integer } Notification alert interval in minutes. range[1-99999]set information-interval {integer } Information alert interval in minutes. range[1-99999]set debug-interval {integer } Debug alert interval in minutes. range[1-99999]set severity {option } Lowest severity level to log.

emergency Emergency level.alert Alert level.critical Critical level.error Error level.warning Warning level.notification Notification level.information Information level.debug Debug level.

end


48

antivirus

antivirus

Use antivirus commands to configure antivirus scanning for services, quarantine options, and to enable or disable grayware and heuristic scanning.

This section includes syntax for the following commands:

l antivirus heuristicl antivirus profilel antivirus quarantinel antivirus settings


49

antivirus heuristic antivirus

antivirus heuristic

Configure the global heuristic options used for antivirus scanning.

config antivirus heuristicset mode {pass | block | disable } Enable/disable heuristics and determine how the system behaves if heuristics detects a problem.

pass Enable heuristics but detected files are passed. If enabled, the system will record a log message.block Enable heuristics and detected files are blocked. If enabled, the system will record a log message.disable Turn off heuristics.

end


antivirus antivirus profile

antivirus profile

Create and configure antivirus profiles that can be applied to firewall policies.

config antivirus profileedit {name }# Configure AntiVirus profiles.

set name {string } Profile name. size[35]set comment {string } Comment. size[255]set replacemsg-group {string } Replacement message group customized for this profile. size[35] - datasource(s): system.replacemsg-group.-

nameset inspection-mode {proxy | flow-based } Inspection mode.

proxy Proxy-based inspection.flow-based Flow-based inspection.

set ftgd-analytics {disable | suspicious | everything } Settings to control which files are uploaded to FortiSandbox.disable Do not upload files to FortiSandbox.suspicious Submit files supported by FortiSandbox if heuristics or other methods determine they are suspicious.everything Submit all files scanned by AntiVirus to FortiSandbox. AntiVirus may not scan all files.

set analytics-max-upload {integer } Maximum size of files that can be uploaded to FortiSandbox (1 - 395 MBytes, default = 10). range[1-1606]

set analytics-wl-filetype {integer } Do not submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id

set analytics-bl-filetype {integer } Only submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id

set analytics-db {disable | enable } Enable/disable using the FortiSandbox signature database to supplement the AV signature databases.set mobile-malware-db {disable | enable } Enable/disable using the mobile malware signature database.

set options {scan | avmonitor | quarantine } Enable/disable HTTP AntiVirus scanning, monitoring, and quarantine.scan Enable HTTP antivirus scanning.avmonitor Enable HTTP antivirus logging.quarantine Enable HTTP antivirus quarantine. Files are quarantined depending on quarantine settings.

set archive-block {option } Select the archive types to block.encrypted Block encrypted archives.corrupted Block corrupted archives.multipart Block multipart archives.nested Block nested archives.mailbomb Block mail bomb archives.unhandled Block archives that FortiOS cannot open.

set archive-log {option } Select the archive types to log.encrypted Log encrypted archives.


51

antivirus profile antivirus

corrupted Log corrupted archives.multipart Log multipart archives.nested Log nested archives.mailbomb Log mail bomb archives.unhandled Log archives that FortiOS cannot open.

set emulator {enable | disable } Enable/disable the virus emulator.set options {scan | avmonitor | quarantine } Enable/disable FTP AntiVirus scanning, monitoring, and quarantine.

scan Enable FTP antivirus scanning.avmonitor Enable FTP antivirus logging.quarantine Enable FTP antivirus quarantine. Files are quarantined depending on quarantine settings.


set archive-log {option } Select the archive types to log.encrypted Log encrypted archives.corrupted Log corrupted archives.multipart Log multipart archives.nested Log nested archives.mailbomb Log mail bomb archives.unhandled Log archives that FortiOS cannot open.

set emulator {enable | disable } Enable/disable the virus emulator.set options {scan | avmonitor | quarantine } Enable/disable IMAP AntiVirus scanning, monitoring, and quarantine.

scan Enable IMAP antivirus scanning.avmonitor Enable IMAP antivirus logging.quarantine Enable IMAP antivirus quarantine. Files are quarantined depending on quarantine settings.





set emulator {enable | disable } Enable/disable the virus emulator.set executables {default | virus } Treat Windows executable files as viruses for the purpose of blocking or monitoring.

default Perform standard AntiVirus scanning of Windows executable files.virus Treat Windows executables as viruses.

set options {scan | avmonitor | quarantine } Enable/disable POP3 AntiVirus scanning, monitoring, and quarantine.scan Enable POP3 antivirus scanning.avmonitor Enable POP3 antivirus logging.quarantine Enable POP3 antivirus quarantine. Files are quarantined depending on quarantine settings.





set options {scan | avmonitor | quarantine } Enable/disable SMTP AntiVirus scanning, monitoring, and quarantine.scan Enable SMTP antivirus scanning.avmonitor Enable SMTP antivirus logging.quarantine Enable SMTP antivirus quarantine. Files are quarantined depending on quarantine settings.


set archive-log {option } Select the archive types to log.encrypted Log encrypted archives.corrupted Log corrupted archives.multipart Log multipart archives.nested Log nested archives.mailbomb Log mail bomb archives.


53


unhandled Log archives that FortiOS cannot open.set emulator {enable | disable } Enable/disable the virus emulator.set executables {default | virus } Treat Windows executable files as viruses for the purpose of blocking or monitoring.


set options {scan | avmonitor | quarantine } Enable/disable MAPI AntiVirus scanning, monitoring, and quarantine.scan Enable MAPI antivirus scanning.avmonitor Enable MAPI antivirus logging.quarantine Enable MAPI antivirus quarantine. Files are quarantined depending on quarantine settings.





set options {scan | avmonitor | quarantine } Enable/disable NNTP AntiVirus scanning, monitoring, and quarantine.scan Enable NNTP antivirus scanning.avmonitor Enable NNTP antivirus logging.quarantine Enable NNTP antivirus quarantine. Files are quarantined depending on quarantine settings.


set archive-log {option } Select the archive types to log.encrypted Log encrypted archives.corrupted Log corrupted archives.multipart Log multipart archives.nested Log nested archives.



mailbomb Log mail bomb archives.unhandled Log archives that FortiOS cannot open.

set emulator {enable | disable } Enable/disable the virus emulator.set options {scan | avmonitor | quarantine } Enable/disable SMB AntiVirus scanning, monitoring, and quarantine.

scan Enable SMB antivirus scanning.avmonitor Enable SMB antivirus logging.quarantine Enable SMB antivirus quarantine. Files are quarantined depending on quarantine settings.



set emulator {enable | disable } Enable/disable the virus emulator.set infected {none | quar-src-ip } Enable/Disable quarantining infected hosts to the banned user list.

none Do not quarantine infected hosts.quar-src-ip Quarantine all traffic from the infected hosts source IP.

set expiry {string } Duration of quarantine.set log {enable | disable } Enable/disable AntiVirus quarantine logging.

set av-virus-log {enable | disable } Enable/disable AntiVirus logging.set av-block-log {enable | disable } Enable/disable logging for AntiVirus file blocking.set scan-mode {quick | full } Choose between full scan mode and quick scan mode.

quick Use quick mode scanning. Quick mode uses a smaller database and may be less accurate. Full mode is recommended.full Full mode virus scanning. Recommended scanning mode. More accurate than quick mode with similar performance.

nextend

Supplemental InformationThe following section is for those commands that require further explanation.


55


comment

Add a comment to the profile.

replacemsg-group

Set a replacement message group to use with antivirus scanning.

inspection-mode {proxy | flow-based}

Set the inspection mode. Select between the following options:

l proxy: Scanning reconstructs content passing through the FortiGate unit and inspects the content for security threats.l flow-based: Scanning takes a snapshot of content packets and uses pattern matching to identify security threats in the content.

The default is proxy. For more information, see Inspection Modes.

ftgd-analytics {disable}

Choose which files are sent to FortiSandbox for further inspection. Select between the following options:

l disable: No files are sent for inspection.l suspicious: Files that the antivirus engine deems suspicious as sent for inspection.l everything: All files are sent for inspection.

The default is disable.

analytics-db {enable | disable}

Enable or disable using antivirus signatures from the FortiSandbox's database as well as signatures from the FortiGate. Disabled by default.

mobile-malware-db {enable | disable}

Enable or disable using antivirus signatures from the mobile malware signature database as well as signatures from the FortiGate. Enabled by default.

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Inspection Modes/inspection_modes_intro.htm


config {http | ftp | imap | pop3 | smtp | smb}

Configure how this profile handles specific protocols.

options {scan | avmonitor | quarantine}

Set an action to apply to traffic using this protocol. Select from the following options:

l scan: Scan files transferred using this protocol for viruses.l avmonitor: Log detected viruses, but allow them through the firewall without modification.l quarantine: Quarantine files that contain viruses. This feature is available for FortiGates with a hard disk or those connected to a FortiAnalyzer.

archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}

Set which types of archived files to block.

archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}

Set which types of archived files to log.

emulator {enable | disable}

Enable or disable the virus emulator. Enabled by default.

executables {default | virus}

Set how this profile treats executable files sent with this protocol. Select from the following options:

l default: Perform standard antivirus scanning.l virus: Treat executable files as viruses.

The default option is default. This option is only available for IMAP, POP3, and SMTP.

config nac-quar

Configure the quarantine settings for this profile.


57


infected {none | quar-src-ip}

Set which infected hosts are added to the banned user list. Select from the following options:

l none: No hosts are banned.l quar-src-ip: All traffic from the source IP is banned.

The default is none.

expiry

Set the duration of the quarantine in the days, hours, minutes format . The default is 5 minutes. This option only appears if infected isset to quar-src-ip.

log {enable | disable}

Enable or disable logging for antivirus quarantines. Disabled by default.

av-virus-log {enable | disable}

Enable or disable logging for antivirus scanning. Enabled by default.

av-block-log {enable | disable}

Enable or disable logging files that are blocked by antivirus. Enabled by default.

scan-mode {quick | full}

Choose which scan mode to use for antivirus inspection. Select from the following options:

l quick: This mode uses a compact antivirus database and advanced techniques to improve performance.l full: In this mode, content packets are buffered while simultaneously being sent to their destination.

The default is full. These options are only available when inspection-mode is set to flow-based.


antivirus antivirus quarantine

antivirus quarantine

Configure the antivirus quarantine options. Note: MM1, MM3, MM4, and MM7 traffic types supported only in FortiOS Carrier.

config antivirus quarantineset agelimit {integer } Age limit for quarantined files (0 - 479 hours, 0 means forever). range[0-479]set maxfilesize {integer } Maximum file size to quarantine (0 - 500 Mbytes, 0 means unlimited). range[0-500]set quarantine-quota {integer } The amount of disk space to reserve for quarantining files (0 - 4294967295 Mbytes, depends on disk space).

range[0-4294967295]set drop-infected {option } Do not quarantine infected files found in sessions using the selected protocols. Dropped files are deleted instead

of being quarantined.imap IMAP.smtp SMTP.pop3 POP3.http HTTP.ftp FTP.nntp NNTP.imaps IMAPS.smtps SMTPS.pop3s POP3S.https HTTPS.ftps FTPS.mapi MAPI.cifs CIFS.

set store-infected {option } Quarantine infected files found in sessions using the selected protocols.imap IMAP.smtp SMTP.pop3 POP3.http HTTP.ftp FTP.nntp NNTP.imaps IMAPS.smtps SMTPS.pop3s POP3S.https HTTPS.ftps FTPS.mapi MAPI.cifs CIFS.

set drop-blocked {option } Do not quarantine dropped files found in sessions using the selected protocols. Dropped files are deleted instead


59

antivirus quarantine antivirus

of being quarantined.imap IMAP.smtp SMTP.pop3 POP3.http HTTP.ftp FTP.nntp NNTP.imaps IMAPS.smtps SMTPS.pop3s POP3S.ftps FTPS.mapi MAPI.cifs CIFS.

set store-blocked {option } Quarantine blocked files found in sessions using the selected protocols.imap IMAP.smtp SMTP.pop3 POP3.http HTTP.ftp FTP.nntp NNTP.imaps IMAPS.smtps SMTPS.pop3s POP3S.ftps FTPS.mapi MAPI.cifs CIFS.

set drop-heuristic {option } Do not quarantine files detected by heuristics found in sessions using the selected protocols. Dropped files aredeleted instead of being quarantined.

imap IMAP.smtp SMTP.pop3 POP3.http HTTP.ftp FTP.nntp NNTP.imaps IMAPS.smtps SMTPS.pop3s POP3S.https HTTPS.ftps FTPS.mapi MAPI.cifs CIFS.

set store-heuristic {option } Quarantine files detected by heuristics found in sessions using the selected protocols.imap IMAP.


antivirus antivirus quarantine

smtp SMTP.pop3 POP3.http HTTP.ftp FTP.nntp NNTP.imaps IMAPS.smtps SMTPS.pop3s POP3S.https HTTPS.ftps FTPS.mapi MAPI.cifs CIFS.

set lowspace {drop-new | ovrw-old } Select the method for handling additional file

FortiOS 5.6.2 CLI Reference (Beta) · FORTIGATE COOKBOOK FORTINET TRAINING SERVICES FORTIGUARD...

Documents

Transcript of FortiOS 5.6.2 CLI Reference (Beta) · FORTIGATE COOKBOOK FORTINET TRAINING SERVICES FORTIGUARD...