Manual CLI Fortigate 5.0

FortiAnalyzer v5.0 Patch Release 2CLI Reference

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

April 26, 2013

05-502-185032-20130426

Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinets General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinets internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]

system ............................................................................................................. 28admin ldap ............................................................................................................. 29admin profile .......................................................................................................... 30

admin radius .......................................................................................................... 34Table of Contents

Change Log....................................................................................................... 9

Introduction..................................................................................................... 10

Using the Command Line Interface.............................................................. 11CLI command syntax............................................................................................. 11

Connecting to the CLI............................................................................................ 12

CLI objects............................................................................................................. 12

CLI command branches ........................................................................................ 12config branch ................................................................................................... 13get branch........................................................................................................ 15show branch .................................................................................................... 17execute branch ................................................................................................ 18diagnose branch .............................................................................................. 18Example command sequences........................................................................ 18

CLI basics .............................................................................................................. 19Command help ................................................................................................ 19Command completion ..................................................................................... 20Recalling commands ....................................................................................... 20Editing commands ........................................................................................... 20Line continuation.............................................................................................. 20Command abbreviation ................................................................................... 20Environment variables...................................................................................... 21Encrypted password support .......................................................................... 21Entering spaces in strings................................................................................ 22Entering quotation marks in strings ................................................................. 22Entering a question mark (?) in a string ........................................................... 22International characters ................................................................................... 22Special characters ........................................................................................... 22IP address formats........................................................................................... 22Editing the configuration file ............................................................................ 22Changing the baud rate ................................................................................... 23Debug log levels............................................................................................... 24

Administrative Domains................................................................................. 25About administrative domains (ADOMs)................................................................ 25

Configuring ADOMs............................................................................................... 26Page 3

admin setting ......................................................................................................... 35

admin tacacs ......................................................................................................... 39

admin user ............................................................................................................. 40

aggregation-client .................................................................................................. 46

aggregation-service ............................................................................................... 48

alert-console .......................................................................................................... 49

alert-event.............................................................................................................. 50

alertemail................................................................................................................ 52

backup all-settings ................................................................................................ 53

certificate ca .......................................................................................................... 54

certificate local....................................................................................................... 55

certificate ssh......................................................................................................... 56

dns ......................................................................................................................... 57

fips ......................................................................................................................... 57

global ..................................................................................................................... 58

interface ................................................................................................................. 60

locallog disk setting ............................................................................................... 62

locallog filter........................................................................................................... 65

locallog fortianalyzer setting .................................................................................. 66

locallog memory setting......................................................................................... 67

locallog syslogd (syslogd2, syslogd3) setting........................................................ 68

log alert .................................................................................................................. 70

log fortianalyzer...................................................................................................... 71

log setting .............................................................................................................. 72config rolling-analyzer, rolling-local, and rolling-regular.................................. 75

mail ........................................................................................................................ 78

ntp.......................................................................................................................... 79

password-policy .................................................................................................... 80

route....................................................................................................................... 81

route6..................................................................................................................... 81

snmp community ................................................................................................... 82

snmp sysinfo.......................................................................................................... 85

snmp user .............................................................................................................. 86

sql .......................................................................................................................... 88

syslog..................................................................................................................... 89

execute ............................................................................................................ 90add-vm-license ...................................................................................................... 90Table of Contents Page 4 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

backup ................................................................................................................... 91backup all-settings........................................................................................... 91backup logs ..................................................................................................... 91backup logs-only ............................................................................................. 92backup reports................................................................................................. 92backup reports-config ..................................................................................... 93

bootimage.............................................................................................................. 94

certificate ............................................................................................................... 94certificate ca..................................................................................................... 94certificate local ................................................................................................. 95

console .................................................................................................................. 96console baudrate ............................................................................................. 96

date ........................................................................................................................ 96

device..................................................................................................................... 97

devicelog................................................................................................................ 97devicelog clear ................................................................................................. 97

factory-license ....................................................................................................... 97

fgfm........................................................................................................................ 98fgfm reclaim-dev-tunnel................................................................................... 98

format..................................................................................................................... 98

log device disk_quota ............................................................................................ 99

log-aggregation...................................................................................................... 99

lvm ....................................................................................................................... 100

ping ...................................................................................................................... 100

ping6 .................................................................................................................... 101

raid ....................................................................................................................... 101

reboot................................................................................................................... 102

remove ................................................................................................................. 102

reset ..................................................................................................................... 102

reset-sqllog-transfer ............................................................................................ 102

restore.................................................................................................................. 103restore all-settings ......................................................................................... 103restore image ................................................................................................. 104restore {logs | logs-only} ................................................................................ 104restore reports ............................................................................................... 105restore reports-config .................................................................................... 105

shutdown ............................................................................................................. 106

sql-local ............................................................................................................... 106sql-local remove-db....................................................................................... 106sql-local remove-device................................................................................. 107sql-local remove-logs .................................................................................... 107sql-local remove-logtype ............................................................................... 107Table of Contents Page 5 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

sql-query-dataset ................................................................................................ 108

sql-query-generic................................................................................................. 108

sql-report run ....................................................................................................... 108

ssh ....................................................................................................................... 109

time ...................................................................................................................... 110

top........................................................................................................................ 110

traceroute............................................................................................................. 112

traceroute6........................................................................................................... 112

diagnose........................................................................................................ 113cdb check ............................................................................................................ 114

debug application ................................................................................................ 114

debug cli .............................................................................................................. 117

debug console ..................................................................................................... 117

debug crashlog .................................................................................................... 118

debug disable ...................................................................................................... 118

debug dpm .......................................................................................................... 118

debug enable ....................................................................................................... 119

debug info............................................................................................................ 119

debug service ...................................................................................................... 119

debug sysinfo ...................................................................................................... 120

debug sysinfo-log ................................................................................................ 121

debug sysinfo-log-backup................................................................................... 121

debug sysinfo-log-list .......................................................................................... 121

debug timestamp................................................................................................. 123

debug vminfo ....................................................................................................... 123

dlp-archives quar-cache...................................................................................... 124

dlp-archives rebuild-quar-db............................................................................... 124

dlp-archives statistics .......................................................................................... 125

dlp-archives status .............................................................................................. 125

dvm adom............................................................................................................ 125

dvm chassis ......................................................................................................... 126

dvm check-integrity ............................................................................................. 126

dvm debug........................................................................................................... 127

dvm device........................................................................................................... 127

dvm device-tree-update ...................................................................................... 127

dvm group............................................................................................................ 128

dvm lock .............................................................................................................. 128

dvm proc.............................................................................................................. 128

dvm supported-platforms.................................................................................... 129

dvm task .............................................................................................................. 129Table of Contents Page 6 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

dvm transaction-flag............................................................................................ 129

fgfm...................................................................................................................... 130

fmnetwork arp...................................................................................................... 130

fmnetwork interface ............................................................................................. 131

fmnetwork netstat ................................................................................................ 131

fortilogd................................................................................................................ 132

hardware .............................................................................................................. 132

log device............................................................................................................. 136

sniffer ................................................................................................................... 137

sql ........................................................................................................................ 143

system admin-session ......................................................................................... 143

system disk .......................................................................................................... 144

system export ...................................................................................................... 145

system flash ......................................................................................................... 145

system fsck.......................................................................................................... 146

system ntp ........................................................................................................... 146

system print ......................................................................................................... 146

system process.................................................................................................... 148

system raid .......................................................................................................... 148

system route ........................................................................................................ 149

system route6 ...................................................................................................... 149

system server....................................................................................................... 149

test application .................................................................................................... 150

test policy-check ................................................................................................. 150

test search ........................................................................................................... 151

test sftp ................................................................................................................ 151

upload clear ......................................................................................................... 151

upload force-retry ................................................................................................ 152

upload status ....................................................................................................... 152

get .................................................................................................................. 153system admin setting........................................................................................... 154

system aggregation-client ................................................................................... 155

system aggregation-service................................................................................. 155

system alert-console............................................................................................ 155

system alert-event ............................................................................................... 156

system alertemail ................................................................................................. 156

system backup all-settings .................................................................................. 156

system backup status.......................................................................................... 157

system certificate ca............................................................................................ 157

system certificate local ........................................................................................ 157Table of Contents Page 7 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system certificate ssh .......................................................................................... 158

system dns........................................................................................................... 158

system fips........................................................................................................... 158

system global....................................................................................................... 158

system interface................................................................................................... 159

system locallog disk setting................................................................................. 159

system locallog disk filter..................................................................................... 160

system locallog fortianalyzer setting.................................................................... 160

system locallog fortianalyzer filter........................................................................ 160

system locallog memory setting .......................................................................... 161

system locallog memory filter .............................................................................. 161

system locallog syslogd setting (also syslogd2 and syslogd3) ........................... 161

system locallog syslogd filter (also syslogd2 and syslogd3) ............................... 162

system log alert.................................................................................................... 162

system log fortianalyzer ....................................................................................... 162

system log settings .............................................................................................. 163

system mail .......................................................................................................... 164

system ntp ........................................................................................................... 164

system password-policy...................................................................................... 164

system performance ............................................................................................ 165

system snmp community..................................................................................... 165

system snmp sysinfo ........................................................................................... 166

system snmp user................................................................................................ 166

system route ........................................................................................................ 166

system route6 ...................................................................................................... 167

system sql............................................................................................................ 167

system status....................................................................................................... 167

system syslog ...................................................................................................... 168

show .............................................................................................................. 169

Appendix A: Object Tables .......................................................................... 170Global object categories...................................................................................... 170

Device object ID values ....................................................................................... 171

Index .............................................................................................................. 174Table of Contents Page 8 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Change Log

Date Change Description

2012-11-23 Initial release.

2013-01-11 Document updated for FortiAnalyzer v5.0 Patch Release 1.

Command support-pre-fgt43 added. Variable pre-login-banner and pre-login-banner-message added to config system global command.

2013-03-28 Document updated for FortiAnalyzer v5.0 Patch Release 2.

fmsystem and fasystem branches merged into system branch.show-adom-implicit-id-based-policy and policy-display-threshold variables added to the config system admin setting command.execute branch expanded:

backup all-settings fgt, backup all-settings scp, backup logs, backup logs-only, backup reports commands added

restore all-settings fgt, restore all-settings scp, restore image, restore logs, restore logs-only, restore reports commands added

factory-license command addeddiagnose branch expanded:

diagnose dlp-archives quar-cache, diagnose dlp-archives rebuild-quar-db, diagnose dlp-archives statistics, diagnose dlp-archives status commands added

fmupdate, fmpolicy, fmscript, dmserver, and other FortiManager related commands have been removed.

Added Appendix A: Object Tables

2013-04-26 The execute lvm command was added.Page 9

Introduction

FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network traffic, such as e-mail, FTP and web browsing activity, to help identify security issues and reduce network misuse and abuse.Introduction Page 10 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

aggregator}You can enter any of the following:

set allowaccess pingset allowaccess https Using the Command Line Interface

This chapter explains how to connect to the CLI and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.

This chapter describes:

CLI command syntax

Connecting to the CLI

CLI objects

CLI command branches

CLI basics

CLI command syntax

This guide uses the following conventions to describe command syntax.

Angle brackets < > indicate variables.For example:execute restore image ftp You enter:execute restore image ftp myfile.bak indicates a dotted decimal IPv4 address. indicates a dotted decimal IPv4 netmask. indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask.

Vertical bar and curly brackets {|} separate alternative, mutually exclusive required variable.

For example:set protocol {ftp | sftp}You can enter set protocol ftp or set protocol sftp.

Square brackets [ ] indicate that a variable is optional.For example:show system interface []To show the settings for all interfaces, you can enter show system interface. To show the settings for the Port1 interface, you can enter show system interface port1.

A space separates options that can be entered in any combination and must be separated by spaces.

For example:set allowaccess {ping https ping ssh snmp telnet http webservice Using the Command Line Interface Page 11 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set allowaccess sshset allowaccess https sshset allowaccess https ping ssh webserviceIn most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.

Special characters:

The \ is supported to escape spaces or as a line continuation character.

The single quotation mark ' and the double quotation mark are supported, but must be used in pairs.

If there are spaces in a string, you must precede the spaces with the \ escape character or put the string in a pair of quotation marks.

Connecting to the CLI

You can use a direct console connection or SSH to connect to the FortiAnalyzer CLI. You can also access through the CLI console widget on the Web-based Manager. For more information, see the FortiAnalyzer v5.0 Patch Release 2 Administration Guide, and your devices QuickStart Guide.

CLI objects

The FortiAnalyzer CLI is based on configurable objects. The top-level object are the basic components of FortiAnalyzer functionality.

This object contains more specific lower level objects. For example, the system object contains objects for administrators, DNS, interfaces and so on.

CLI command branches

The FortiAnalyzer CLI consists of the following command branches:

Examples showing how to enter command sequences within each branch are provided in the following sections. See also Example command sequences on page 18.

Table 1: CLI top level object

system Configuration options related to the overall operation of the FortiAnalyzer unit, such as interfaces, virtual domains, and administrators. See system on page 28.

config branch execute branch

get branch diagnose branch

show branchUsing the Command Line Interface Page 12 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

config branch

The config commands configure objects of FortiAnalyzer functionality. Top-level objects are not configurable, they are containers for more specific lower level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of variables that you can set to particular values. Simpler objects, such as system DNS, are a single set of variables.

To configure an object, you use the config command to navigate to the objects command shell. For example, to configure administrators, you enter the command

config system admin userThe command prompt changes to show that you are in the admin shell.

(user)# This is a table shell. You can use any of the following commands:

If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:

edit admin_1

edit Add an entry to the FortiAnalyzer configuration or edit an existing entry. For example in the config system admin shell: Type edit admin and press Enter to edit the settings for the default admin

administrator account.

Type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.

delete Remove an entry from the FortiAnalyzer configuration. For example in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.

purge Remove all entries configured in the current shell. For example in the config user local shell: Type get to see the list of user names added to the FortiAnalyzer configuration, Type purge and then y to confirm that you want to purge all the user names, Type get again to confirm that no user names are displayed.

get List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values.

show Show changes to the default configuration as configuration commands.

end Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You will return to the root FortiAnalyzer CLI prompt.

The end command is also used to save set command changes and leave the shell.Using the Command Line Interface Page 13 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

The FortiAnalyzer unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:

new entry 'admin_1' added(admin_1)#

From this prompt, you can use any of the following commands:

The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell you must leave the shell you are working in and enter the other shell.

config In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add restrict the user to specific devices or VDOMs.

set Assign values. For example from the edit admin command shell, typing set password newpass changes the password of the admin administrator account to newpass.Note: When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.

unset Reset values to defaults. For example from the edit admin command shell, typing unset password resets the password of the admin administrator account to the default of no password.

get List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values.

show Show changes to the default configuration in the form of configuration commands.

next Save the changes you have made in the current shell and continue working in the shell. For example if you want to add several new admin user accounts enter the config system admin user shell. Type edit User1 and press Enter. Use the set commands to configure the values for the new admin account. Type next to save the configuration for User1 without leaving the config

system admin user shell. Continue using the edit, set, and next commands to continue adding admin

user accounts.

Type end and press Enter to save the last configuration and leave the shell.

abort Exit an edit shell without saving the configuration.

end Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command.The end command is also used to save set command changes and leave the shell.Using the Command Line Interface Page 14 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

get branch

Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell.To use get from the root prompt, you must include a path to a shell.The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example 1

When you type get in the config system admin user shell, the list of administrators is displayed.

At the (user)# prompt, type:get

The screen displays:== [ admin ]userid: admin== [ admin2 ]userid: admin2== [ admin3 ]userid: admin3

Example 2

When you type get in the admin user shell, the configuration values for the admin administrator account are displayed.

edit adminAt the (admin)# prompt, type:

getThe screen displays:

userid : admin password : *trusthost1 : 0.0.0.0 0.0.0.0trusthost2 : 0.0.0.0 0.0.0.0trusthost3 : 127.0.0.1 255.255.255.255ipv6_trusthost1 : ::/0ipv6_trusthost2 : ::/0ipv6_trusthost3 : ::1/128profileid : Super_User adom:

== [ all_adoms ]adom-name: all_adoms

policy-package:== [ all_policy_packages ]policy-package-name: all_policy_packages

restrict-access : disable restrict-dev-vdom:description : (null)user_type : local ssh-public-key1 : Using the Command Line Interface Page 15 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

ssh-public-key2 : ssh-public-key3 : meta-data:

== [ Contact Email ]fieldname: Contact Email == [ Contact Phone ]fieldname: Contact Phone

last-name : (null)first-name : (null)email-address : (null)phone-number : (null)mobile-number : (null)pager-number : (null)hidden : 0dashboard-tabs:dashboard:

== [ 7 ]moduleid: 7 == [ 10 ]moduleid: 10 == [ 1 ]moduleid: 1 == [ 2 ]moduleid: 2 == [ 3 ]moduleid: 3 == [ 4 ]moduleid: 4 == [ 5 ]moduleid: 5

Example 3

You want to confirm the IP address and netmask of the port1 interface from the root prompt.

At the (command) # prompt, type:get system interface port1

The screen displays:

name : port1 status : up ip : 172.16.81.30 255.255.255.0allowaccess : ping https ssh snmp telnet http webservice

aggregator serviceaccess : speed : auto description : (null)alias : (null)ipv6:

ip6-address: ::/0 ip6-allowaccess: Using the Command Line Interface Page 16 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

show branch

Use show to display the FortiAnalyzer unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.

To display the configuration of all config shells, you can use show from the root prompt. The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example 1

When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed.

At the (port1)# prompt, type:show

The screen displays:

config system interfaceedit "port1"

set ip 172.16.81.30 255.255.255.0set allowaccess ping https ssh snmp telnet http webservice

aggregatornextedit "port2"

set ip 1.1.1.1 255.255.255.0set allowaccess ping https ssh snmp telnet http webservice

aggregatornextedit "port3"nextedit "port4"next

end

Example 2

You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type:

show system dnsThe screen displays:

config system dnsset primary 65.39.139.53set secondary 65.39.139.63

endUsing the Command Line Interface Page 17 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

execute branch

Use execute to run static commands, to reset the FortiAnalyzer unit to factory defaults, or to back up or restore the FortiAnalyzer configuration. The execute commands are available only from the root prompt.

The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example 1

At the root prompt, type:

execute rebootThe system will be rebooted.Do you want to continue? (y/n)

and press Enter to restart the FortiAnalyzer unit.

diagnose branch

Commands in the diagnose branch are used for debugging the operation of the FortiAnalyzer unit and to set parameters for displaying different levels of diagnostic information.

Example command sequences

To configure the primary and secondary DNS server addresses:

1. Starting at the root prompt, type:config system dnsand press Enter. The prompt changes to (dns)#.

2. At the (dns)# prompt, type (question mark) ?The following options are displayed.

setunsetgetshowabortend

3. Type set (question mark)?The following options are displayed:primarysecondary

Diagnose commands are intended for advanced users only. Contact Fortinet technical support before using these commands.

The command prompt changes for each shell.Using the Command Line Interface Page 18 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

4. To set the primary DNS server address to 172.16.100.100, type: set primary 172.16.100.100and press Enter.

5. To set the secondary DNS server address to 207.104.200.1, type:set secondary 207.104.200.1and press Enter.

6. To restore the primary DNS server address to the default address, type unset primary and press Enter.

7. If you want to leave the config system dns shell without saving your changes, type abort and press Enter.

8. To save your changes and exit the dns sub-shell, type end and press Enter.9. To confirm your changes have taken effect after leaving the dns sub-shell, type get

system dns and press Enter.

CLI basics

This section includes:

Command help

Command completion

Recalling commands

Editing commands

Line continuation

Command abbreviation

Environment variables

Encrypted password support

Entering spaces in strings

Entering quotation marks in strings

Entering a question mark (?) in a string

International characters

Special characters

IP address formats

Editing the configuration file

Changing the baud rate

Debug log levels

Command help

You can press the question mark (?) key to display command help.

Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.

Type a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option.

Type a command followed by an option and press the question mark (?) key to display a list of additional options available for that command option combination and a description of each option.Using the Command Line Interface Page 19 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Command completion

You can use the tab key or the question mark (?) key to complete commands:

You can press the tab key at any prompt to scroll through the options available for that prompt.

You can type the first characters of any command and press the tab key or the question mark (?) key to complete the command or to scroll through the options that are available at the current cursor position.

After completing the first word of a command, you can press the space bar and then the tab key to scroll through the options available at the current cursor position.

Recalling commands

You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.

Editing commands

Use the left and right arrow keys to move the cursor back and forth in a recalled command. You can also use the backspace and delete keys and the control keys listed in Table 2 to edit the command.

Line continuation

To break a long command over multiple lines, use a \ at the end of each line.

Command abbreviation

You can abbreviate commands and command options to the smallest number of unambiguous characters. For example, the command get system status can be abbreviated to g sy st.

Table 2: Control keys for editing commands

Function Key combination

Beginning of line CTRL+A

End of line CTRL+E

Back one character CTRL+B

Forward one character CTRL+F

Delete current character CTRL+D

Previous command CTRL+P

Next command CTRL+N

Abort the command CTRL+C

If used at the root prompt, exit the CLI CTRL+CUsing the Command Line Interface Page 20 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Environment variables

The FortiAnalyzer CLI supports several environment variables.

Variable names are case sensitive. In the following example, when entering the variable, you can type (dollar sign) $ followed by a tab to auto-complete the variable to ensure that you have the exact spelling and case. Continue pressing tab until the variable you want to use is displayed.

config system globalset hostname $SerialNum

end

Encrypted password support

After you enter a clear text password using the CLI, the FortiAnalyzer unit encrypts the password and stores it in the configuration file with the prefix ENC. For example:

show system admin user user1config system admin user

edit "user1"set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1

rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f

set profileid "Standard_User"next

endIt is also possible to enter an already encrypted password. For example, type:

config system adminthen press Enter.Type:

edit user1then press Enter.Type:

set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f

then press Enter.Type:

endthen press Enter.

$USERFROM The management access type (SSH, Telnet and so on) and the IP address of the logged in administrator.

$USERNAME The user account name of the logged in administrator.

$SerialNum The serial number of the FortiAnalyzer unit.Using the Command Line Interface Page 21 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Entering spaces in strings

When a string value contains a space, do one of the following:

Enclose the string in quotation marks, for example "Security Administrator". Enclose the string in single quotes, for example 'Security Administrator'. Use a backslash (\) preceding the space, for example Security\ Administrator.

Entering quotation marks in strings

If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.

Entering a question mark (?) in a string

If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to display possible command completions, terminating the string.

International characters

The CLI supports international characters in strings.

Special characters

The characters , (, ), #, , and " are not permitted in most CLI fields, but you can use them in passwords. If you use the apostrophe () or quote (") character, you must precede it with a backslash (\) character when entering it in the CLI set command.

IP address formats

You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example you can type either:

set ip 192.168.1.1 255.255.255.0or

set ip 192.168.1.1/24The IP address is displayed in the configuration file in dotted decimal format.

Editing the configuration file

You can change the FortiAnalyzer configuration by backing up the configuration file to a TFTP server. Then you can make changes to the file and restore it to the FortiAnalyzer unit.

1. Use the execute backup all-settings command to back up the configuration file to a TFTP server. For example,execute backup all-settings 10.10.0.1 mybackup.cfg myid mypass

2. Edit the configuration file using a text editor.

Related commands are listed together in the configuration file. For instance, all the system commands are grouped together. You can edit the configuration by adding, changing or deleting the CLI commands in the configuration file.Using the Command Line Interface Page 22 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

The first line of the configuration file contains information about the firmware version and FortiAnalyzer model. Do not edit this line. If you change this information the FortiAnalyzer unit will reject the configuration file when you attempt to restore it.

3. Use the execute restore all-settings command to copy the edited configuration file back to the FortiAnalyzer unit. For example, execute restore all-settings 10.10.0.1 mybackup.cfg myid mypassThe FortiAnalyzer unit receives the configuration file and checks to make sure the firmware version and model information is correct. If it is, the FortiAnalyzer unit loads the configuration file and checks each command for errors. If the FortiAnalyzer unit finds an error, an error message is displayed after the command and the command is rejected. Then the FortiAnalyzer unit restarts and loads the new configuration.

Changing the baud rate

Using execute console baudrate, you can change the default console connection baud rate.

To check the current baud rate enter the following CLI command:

# execute console baudrate [enter]current baud rate is: 9600

To view baudrate options, enter the CLI command with the question mark (?).

# execute console baudrate ?baudrate 9600 | 19200 | 38400 | 57600 | 115200

To change the baudrate, enter the CLI command as listed below.

# execute console baudrate 19200Your console connection will get lost after changing baud rate.Change your console setting!Do you want to continue? (y/n)

Changing the default baud rate is not available on all models. Using the Command Line Interface Page 23 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Debug log levels

The following table lists available debug log levels on your FortiAnalyzer.

Table 3: Debug log levels

Level Type Description

0 Emergency Emergency the system has become unusable.

1 Alert Alert immediate action is required.

2 Critical Critical Functionality is affected.

3 Error Error an erroneous condition exists and functionality is probably affected.

4 Warning Warning function might be affected.

5 Notification Notification of normal events.

6 Information Information General information about system operations.

7 Debug Debugging Detailed information useful for debugging purposes.

8 Maximum Maximum log level.Using the Command Line Interface Page 24 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

ADOMs.

By default, administrator accounts other than the admin account are assigned to the root

ADOM, which includes all devices in the device list. By creating ADOMs that contain a subset of devices in the device list, and assigning them to administrator accounts, you can Administrative Domains

Administrative domains (ADOMs) enable the admin administrator to constrain other Fortinet unit administrators access privileges to a subset of devices in the device list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific FortiGate VDOM.

This section contains the following topics:

About administrative domains (ADOMs)

Configuring ADOMs

About administrative domains (ADOMs)

Enabling ADOMs alters the structure and available functionality of the Web-based Manager and CLI according to whether you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator accounts assigned access profile.

If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appear, allowing unrestricted access and ADOM configuration.

config system global contains settings used by the FortiAnalyzer unit itself and settings shared by ADOMs, such as the device list, RAID, and administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM.

If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appear, allowing access only to only logs, reports, quarantine files, content archives, IP aliases, and LDAP queries specific to your ADOM. You cannot access Global Configuration, or enter other

The admin administrator can further restrict other administrators access to specific configuration areas within their ADOM by using access profiles. For more information, see admin profile on page 30.

Table 4: Characteristics of the CLI and Web-based Manager when ADOMs are enabled

admin administrator account Other administrators

Access to config system global

Yes No

Can create administrator accounts Yes No

Can enter all ADOMs Yes NoAdministrative Domains Page 25 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

restrict other administrator accounts to a subset of the FortiAnalyzer units total devices or VDOMs.

The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM, and cannot configure ADOMs or Global Configuration.

The maximum number of ADOMs varies by FortiAnalyzer model.

Configuring ADOMs

To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign existing FortiAnalyzer administrators to ADOMs.

Within the CLI, you can enable ADOMs and set the administrator ADOM. To configure the ADOMs, you must use the Web-based Manager.

To enable or disable ADOMs:

Enter the following CLI command:

config system globalset adom-status {enable | disable}

endAn administrative domain has two modes: normal and advanced. Normal mode is the default device mode. In normal mode, a FortiGate unit can only be added to a single administrative domain. In advanced mode, you can assign different VDOMs from the same FortiGate to multiple administrative domains.

Table 5: ADOM maximum values

FortiAnalyzer Model Number of ADOMs

FAZ-100C 150

FAZ-200D 150

FAZ-400B and FAZ-400C 200

FAZ-1000B and FAZ-1000C 2 000

FAZ-2000A and 2000B 2 000

FAZ-4000A and FAZ-4000B 2 000

FAZ-VM32 and FAZ-VM64 10 000

Enabling ADOMs moves non-global configuration items to the root ADOM. Back up the FortiAnalyzer unit configuration before enabling ADOMs.

Enabling the advanced mode option will result in a reduced operation mode and more complicated management scenarios. It is recommended only for advanced users.Administrative Domains Page 26 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

To change administrative domain device modes:


config system globalset adom-mode {advanced | normal}

end

To assign an administrator to an ADOM:


config system admin useredit set adom

nextendwhere is the administrator user name and is the ADOM name.Administrative Domains Page 27 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system

Use system commands to configure options related to the operation of the FortiAnalyzer unit.This chapter contains following sections:

For more information about configuring ADOMs, see Administrative Domains on page 25.

admin ldap

admin profile

admin radius

admin setting

admin tacacs

admin user

aggregation-client

aggregation-service

alert-console

alert-event

alertemail

backup all-settings

certificate ca

certificate local

certificate ssh

dns

fips

global

interface

locallog disk setting

locallog filter

locallog fortianalyzer setting

locallog memory setting

locallog syslogd (syslogd2, syslogd3) setting

log alert

log fortianalyzer

log setting

mail

ntp

password-policy

route

route6

snmp community

snmp sysinfo

snmp user

sql

syslogsystem Page 28 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

admin ldap

Use this command to add, edit, and delete LDAP users.

Syntax

config system admin ldapedit name {LDAP server entry name}

set server {name_str | ip_str}set cnid set dn set port set type {anonymous | regular | simple}set username set password set group set filter set secure {disable | ldaps | starttls}set ca-cert

end

Variable Description

server {name_str | ip_str} Enter the LDAP server domain name or IP address.

cnid Enter common name identifier. Default: cn

dn Enter the distinguished name.

port Enter the port number for LDAP server communication.Default: 389

type {anonymous | regular | simple}

Set a binding type:

anonymous: Bind using anonymous user search. regular: Bind using username or password and

then search.

simple: Simple password authentication without search.

Default: simple

username Enter a username. This variable appears only when type is set to regular.

password Enter a password for the username above. This variable appears only when type is set to regular.

group Enter an authorization group. The authentication user must be a member of this group (full DN) on the server.system Page 29 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example

This example shows how to add the LDAP user user1 at the IP address 206.205.204.203.config system admin ldap

edit user1set server 206.205.204.203set dn techdocset type regularset username auth1set password auth1_pwdset group techdoc

end

Related topics

admin profile

admin profile

Use this command to configure access profiles. In a newly-created access profile, no access is enabled.

Syntax

config system admin profileedit

set description set scope set system-setting {none | read-write}set adom-switch {none | read | read-write}set global-policy-packages {none | read | read-write}set global-objects {none | read | read-write}

filter Enter content for group searching. For example:(&(objectcategory=group)(member=*))(&(objectclass=groupofnames)(member=*))(&(objectclass=groupofuniquenames)(uniquem

ember=*))(&(objectclass=posixgroup)(memberuid=*))

secure {disable | ldaps | starttls}

Set the SSL connection type:

disable: No SSL connection ldaps: Use LDAPS starttls: Use STARTTLS

ca-cert CA certificate name. This variable appears only when secure is set to ldaps or starttls.Default: disable

Variable Descriptionsystem Page 30 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set assignment {none | read | read-write}set read-passwd {none | read | read-write}set device-manager {none | read | read-write}set device-config {none | read | read-write}set device-op {none | read | read-write}set device-profile {none | read | read-write}set policy-objects {none | read | read-write}set deploy-management {none | read | read-write}set config-retrieve {none | read | read-write}set term-access {none | read | read-write}set adom-policy-packages {none | read | read-write}set adom-policy-objects {none | read | read-write}set vpn-manager {none | read | read-write}set realtime-monitor {none | read | read-write}set forticonsole {none | read | read-write}set consistency-check {none | read | read-write}set faz-management {none | read | read-write}set report-viewer {none | read | read-write}set log-viewer {none | read | read-write}set network {none | read | read-write}set admin {none | read | read-write}set system {none | read | read-write}set devices {none | read | read-write}set alerts {none | read | read-write}set dlp {none | read | read-write}set reports {none | read | read-write}set log {none | read | read-write}set quar {none | read | read-write}set net-monitor {none | read | read-write}set vuln-mgmt {none | read | read-write}

end


Edit the access profile. Enter a new name to create a new profile. The pre-defined access profiles are:

Super_User Standard_User Restricted_User

description Enter a description for this access profile. Enclose the description in quotes if it contains spaces.

scope Set the scope for this access profile to either ADOM or Global.

system-setting {none | read-write}

Set the level of access to system settings for this profile.

adom-switch {none | read | read-write}

Set the administrator domain for this profile.system Page 31 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

global-policy-packages {none | read | read-write}

Set the global policy packages for this profile.

global-objects {none | read | read-write}

Set the global objects for this profile.

assignment {none | read | read-write}

Set the profile permissions.

read-passwd {none | read | read-write}

Add the capability to view the authentication password in clear text to this profile.

device-manager {none | read | read-write}

Enter the level of access to device manager settings for this profile.

device-config {none | read | read-write}

Enter the level of access to device configuration settings for this profile.

device-op {none | read | read-write}

Add the capability to add, delete, and edit devices to this profile.

device-profile {none | read | read-write}

Device profile permissions.

policy-objects {none | read | read-write}

Policy objects permissions.

deploy-management {none | read | read-write}

Enter the level of access to the deployment management configuration settings for this profile.

config-retrieve {none | read | read-write}

Set the configuration retrieve settings for this profile.

term-access {none | read | read-write}

Set the terminal access for this profile.

adom-policy-packages {none | read | read-write}

Enter the level of access to ADOM policy packages for this profile.

adom-policy-objects {none | read | read-write}

Enter the level of access to ADOM policy objects for this profile.

vpn-manager {none | read | read-write}

Enter the level of access to VPN console configuration settings for this profile.

realtime-monitor {none | read | read-write}

Enter the level of access to the Real Time monitor configuration settings for this profile.

forticonsole {none | read | read-write}

Enable or disable the FortiConsole for this profile.

consistency-check {none | read | read-write}

Enable or disable consistency check for this profile.

faz-management {none | read | read-write}

Enter the level of access to FortiAnalyzer configuration management settings for this profile.


Related topics

admin radius

report-viewer {none | read | read-write}

Enable or disable access permission.

log-viewer {none | read | read-write}


network {none | read | read-write}


admin {none | read | read-write}


system {none | read | read-write}


devices {none | read | read-write}


alerts {none | read | read-write}


dlp {none | read | read-write}


reports {none | read | read-write}


log {none | read | read-write}


quar {none | read | read-write}


net-monitor {none | read | read-write}


vuln-mgmt {none | read | read-write}



admin radius

Use this command to add, edit, and delete administration RADIUS servers.

Syntax

config system admin radiusedit

set auth-type set nas-ip set port set secondary-secret set secondary-server set secret set server

end

Example

This example shows how to add the RADIUS server RAD1 at the IP address 206.205.204.203 and set the shared secret as R1a2D3i4U5s.

config system admin radiusedit RAD1

set server 206.205.204.203set secret R1a2D3i4U5s

end


auth-type Enter the authentication protocol the RADIUS server will use:

any: Use any supported authentication protocol. mschap2 chap pap

nas-ip Enter the NAS IP address.

port Enter the RADIUS server port number. Default: 1812

secondary-secret Enter the password to access the RADIUS secondary-server.

secondary-server Enter the RADIUS secondary-server DNS resolvable domain name or IP address.

secret Enter the password to access the RADIUS server.

server Enter the RADIUS server DNS resolvable domain name or IP address.system Page 34 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

admin setting

Use this command to configure system administration settings, including web administration ports, timeout, and language.

Syntax

config system admin settingset access-banner {enable | disable}set admin_server_cert set allow_register {enable | disable}set auto-update {enable | disable}set banner-message set demo-mode {enable | disable}set device_sync_status {enable | disable}set http_port set https_port set idle_timeout set install-ifpolicy-only {enable | disable}set mgmt-addr set mgmt-fqdn set offline_mode {enable | disable}set policy-display-threshold set register_passwd set show-add-multiple {enable | disable}set show-adom-central-nat-policies {enable | disable}set show-adom-devman {enable | disable}set show-adom-dos-policies {enable | disable}set show-adom-dynamic-objects {enable | disable}set show-adom-forticonsole-button {enable | disable}set show-adom-icap-policies {enable | disable}set show-adom-implicit-policy {enable | disable}set show-adom-implicit-id-based-policy {enable | disable}set show-adom-ipv6-settings {enable | disable}set show-adom-policy-consistency-button {enable | disable}set show-adom-rtmlog {enable | disable}set show-adom-sniffer-policies {enable | disable}set show-adom-taskmon-button {enable | disable}set show-adom-terminal-button {enable | disable}set show-adom-voip-policies {enable | disable}set show-adom-vpnman {enable | disable}set show-adom-web-portal {enable | disable}set show-device-import-export {enable | disable}set show-foc-settings {enable | disable}set show-fortimail-settings {enable | disable}set show-fsw-settings {enable | disable}set show-global-object-settings {enable | disable}set show-global-policy-settings {enable | disable}set show_automatic_script {enable | disable}system Page 35 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set show_grouping_script {enable | disable}set show_tcl_script {enable | disable}set unreg_dev_opt {add_allow_service | add_no_service | ignore}set webadmin_language {auto_detect | english | japanese | korean |

simplified_chinese | traditional_chinese}end


access-banner {enable | disable}

Enable or disable the access banner.

Default: disable

admin_server_cert

Enter the name of an https server certificate to use for secure connections.

Default: server.crt

allow_register {enable | disable}

Enable or disable an unregistered device to be registered.

Default: disable

auto-update {enable | disable} Enable or disable device config auto update.

banner-message Enable the banner messages. Maximum of 255 characters.

demo-mode {enable | disable} Enable or disable demo mode.Default: disable

device_sync_status {enable | disable}

Enable or disable device synchronization status indication.

Default: enable

http_port Enter the HTTP port number for web administration.Default: 80

https_port Enter the HTTPS port number for web administration.

Default: 443

idle_timeout Enter the idle timeout value. The range is from 1 to 480 minutes.

Default: 5

install-ifpolicy-only {enable | disable}

Enable to allow only the interface policy to be installed.

Default: disable

mgmt-addr GQDN/IP of FortiAnalyzer used by FGFM.

mgmt-fqdn FQDN of FortiAnalyzer used by FGFM.system Page 36 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

offline_mode {enable | disable}

Enable offline mode to shut down the protocol used to communicate with managed devices.

Default: disable

policy-display-threshold

Set the policy page display threshold (1 - 10000).

register_passwd Enter the password to use when registering a device.

show-add-multiple {enable | disable}

Show the add multiple button.

show-adom-central-nat-policies {enable | disable}

Show ADOM central NAT policy settings on the Web-based Manager.

Default: disable

show-adom-devman {enable | disable}

Show ADOM device manager tools on the Web-based Manager.

Default: disable

show-adom-dos-policies {enable | disable}

Show ADOM DOS policy settings on the Web-based Manager.

Default: disable

show-adom-dynamic-objects {enable | disable}

Show ADOM dynamic object settings on the Web-based Manager.

Default: enable

show-adom-forticonsole-button {enable | disable}

Show ADOM banner button FortiConsole on the Web-based Manager.

Default: enable

show-adom-icap-policies {enable | disable}

Show the ADOMICAP policy settings in the Web-based Manager.

show-adom-implicit-policy {enable | disable}

Show the ADOM implicit policy settings in the Web-based Manager.

show-adom-implicit-id-based-policy {enable | disable}

Show the ADOM implicit ID based policy settings in the Web-based Manager.

show-adom-ipv6-settings {enable | disable}

Show ADOM IPv6 settings in the Web-based Manager.

Default: disable

show-adom-policy-consistency-button {enable | disable}

Show ADOM banner button Policy Consistency in the Web-based Manager.

Default: disable


show-adom-rtmlog {enable | disable}

Show ADOM RTM device log in the Web-based Manager.

Default: disable

show-adom-sniffer-policies {enable | disable}

Show ADOM sniffer policy settings in the Web-based Manager.

Default: disable

show-adom-taskmon-button {enable | disable}

Show ADOM banner button Task Monitor in the Web-based Manager.

Default: enable

show-adom-terminal-button {enable | disable}

Show ADOM banner button Terminal in the Web-based Manager.

Default: enable

show-adom-voip-policies {enable | disable}

Show ADOM VoIP policy settings in the Web-based Manager.

show-adom-vpnman {enable | disable}

Show ADOM VPN manager in the Web-based Manager.

Default: enable

show-adom-web-portal {enable | disable}

Show ADOM web portal settings in the Web-based Manager.

Default: disable

show-device-import-export {enable | disable}

Enable import/export of ADOM, device, and group lists.

show-foc-settings {enable | disable}

Show FortiCarrier settings in the Web-based Manager.

Default: disable

show-fortimail-settings {enable | disable}

Show FortiMail settings in the Web-based Manager.

Default: disable

show-fsw-settings {enable | disable}

Show FortiSwitch settings in the Web-based Manager.

Default: disable

show-global-object-settings {enable | disable}

Show global object settings in the Web-based Manager.

Default: enable

show-global-policy-settings {enable | disable}

Show global policy settings in the Web-based Manager.

Default: enable

show_automatic_script {enable | disable}

Enable or disable automatic script.


admin tacacs

Use this command to add, edit, and delete administration TACACS+ servers.

Syntax

config system admin tacacsedit

set authen-type set authorization {enable | disable}set key set port set secondary-key set secondary-server set server set tertiary-key set tertiary-server

end

show_grouping_script {enable | disable}

Enable or disable grouping script.

show_tcl_script {enable | disable}

Enable or disable TCL script.

unreg_dev_opt {add_allow_service | add_no_service | ignore}

Select action to take when an unregistered device connects to FortiAnalyzer.

add_allow_service: Add unregistered devices and allow service requests.

add_no_service: Add unregistered devices and deny service requests.

ignore: Ignore unregistered devices.Default: add_all_service

webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}

Enter the language to be used for web administration.

Default: auto_detect



authen-type Choose which authentication type to use.Default: auto

authorization {enable | disable} Enable or disable TACACS+ authorization.

key Key to access the server.system Page 39 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example

This example shows how to add the TACACS+ server TAC1 at the IP address 206.205.204.203 and set the key as R1a2D3i4U5s.

config system admin tacacsedit TAC1

set server 206.205.204.203set key R1a2D3i4U5s

end

admin user

Use this command to add, edit, and delete administrator accounts.

Use the admin account or an account with System Settings read and write privileges to add new administrator accounts and control their permission levels. Each administrator account must include a minimum of an access profile. The access profile list is ordered alphabetically, capitals first. If custom profiles are defined, it may change the default profile from Restricted_User.You cannot delete the admin administrator account. You cannot delete an administrator account if that user is logged on. For information about ADOMs, see Administrative Domains on page 25.

Syntax

config system admin useredit

set password set trusthost1 set trusthost2 set trusthost3 set ipv6_trusthost1 set ipv6_trusthost2 set ipv6_trusthost3

port Port number of the TACACS+ server.

secondary-key Key to access the secondary server.

secondary-server Secondary server domain name or IP.

server The server domain name or IP.

tertiary-key Key to access the tertiary server.

tertiary-server Tertiary server domain name or IP.


You can create meta-data fields for administrator accounts. These objects must be created using the FortiAnalyzer Web-based Manager. The only information you can add to the object is the value of the field (pre-determined text/numbers).system Page 40 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set profileid set adom set policy-package {:

/ | all_policy_packages}

set restrict-access {enable | disable}set description set user_type set ldap-server set radius_server set tacacs-plus-server set ssh-public-key1 set ssh-public-key2 , set ssh-public-key3 set wildcard set radius-accprofile-override set radius-adom-override set radius-group-match set last-name set first-name set email-address set phone-number set mobile-number set pager-number

endconfig meta-data

edit set fieldlengthset fieldvalue set importanceset status

endendconfig dashboard-tabs

edit tabid set name

endconfig dashboard

edit moduleidset name set column set refresh-inverval set status {close | open}set tabid set widget-type {alert | devsummary | jsconsole | licinfo |

logrecv | raid | rpteng | statisctics | sysinfo | sysop | sysres | top-lograte}

set log-rate-type {device | log}set log-rate-topn {1 | 2 | 3 | 4 | 5}system Page 41 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set log-rate-period {1hour | 2min | 6hours}set res-view-type {history | real-time}set res-period {10min | day | hour}set num-entries

endendconfig restrict-dev-vdom

edit dev-vdom end

end


password Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This variable is available only if user_type is local.

trusthost1 trusthost2 trusthost3

Type the trusted host IP address and netmask from which the administrator can log in to the FortiAnalyzer system. You can specify up to three trusted hosts. (optional)

Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts on page 45.

ipv6_trusthost1 ipv6_trusthost2 ipv6_trusthost3

Type the trusted host IP address from which the administrator can log in to the FortiAnalyzer system. You can specify up to three trusted hosts. (optional)

Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts on page 45.

profileid Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiAnalyzer features.

Default: Restricted_User

adom Enter the name(s) of the ADOM(s) the administrator belongs to. Any configuration of ADOMs takes place via the FortiAnalyzer Web-based Manager. For more information, see Administrative Domains on page 25.

policy-package {: / | all_policy_packages}

Policy package access.

restrict-access {enable | disable}

Enable or disable restricted access to the dev-vdom.

Default: disablesystem Page 42 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

description Enter a description for this administrator account. When using spaces, enclose description in quotes.

user_type

Enter local if the FortiAnalyzer system verifies the administrators password. Enter radius if a RADIUS server verifies the administrators password.

Default: local

ldap-server Enter the LDAP server name if the user type is set to LDAP.

radius_server Enter the RADIUS server name if the user type is set t o RADIUS.

tacacs-plus-server Enter the TACACS+ server name if the user type is set to TACACS+.

ssh-public-key1

You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

The ssh-dss for a DSA key, ssh-rsa for an RSA key. The public key string of the SSH client.

ssh-public-key2 ,

ssh-public-key3

wildcard Enable or disable wildcard remote authentication

radius-accprofile-override

Allow access profile to be overridden from RADIUS.

radius-adom-override

Allow ADOM to be overridden from RADIUS

radius-group-match Only admin that belong to this group are allowed to login.

last-name Administrators last name.

first-name Administrators first name.

email-address Administrators email address.

phone-number Administrators phone number.

mobile-number Administrators mobile phone number.

pager-number Administrators pager number.

Variable for config meta-data subcommand:Note: This subcommand can only change the value of an existing field.

To create a new metadata field, use the config meta-data command.


fieldname The label/name of the field. Read-only.Default: 50

fieldlength The maximum number of characters allowed for this field. Read-only.

fieldvalue Enter a pre-determined value for the field. This is the only value that can be changed with the config meta-data subcommand.

importance Indicates whether the field is compulsory (required) or optional (optional). Read-only.Default: optional

status For display only. Value cannot be changed.Default: enabled

Variable for config dashboard-tabs subcommand:

tabid Tab ID.

name Tab name.

Variable for config dashboard subcommand:

moduleid Widget ID.

name Widget name.

column Widgets column ID.Default: 0

refresh-inverval Widgets refresh interval.Default: 300

status {close | open} Widgets opened/closed status.Default: open

tabid ID of the tab where the widget is displayed.Default: 0


Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiAnalyzer system does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply both to the Web-based Manager and to the CLI when accessed through SSH. CLI access through the console connector is not affected.

widget-type {alert | devsummary | jsconsole | licinfo | logrecv | raid | rpteng | statisctics | sysinfo | sysop | sysres | top-lograte}

Widget type. Enter one of the following:

alert: Alert message console devsummary: Device summary jsconsole: CLI console licinfo: License information logrecv: Data receive raid: Disk monitor rpteng: Report engine statistics: Statistics sysinfo: System information sysop: Unit operation sysres: System resources top-lograte: Log rates

log-rate-type {device | log} Log receive m

Manual CLI Fortigate 5.0

Documents

Transcript of Manual CLI Fortigate 5.0