Manual CLI Fortigate 5.0
FortiAnalyzer v5.0 Patch Release 2 CLI Reference
April 26, 2013
05-502-185032-20130426
Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
Technical Documentation docs.fortinet.com
Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback [email protected]
-
Table of Contents
Change Log
Introduction
Using the Command Line Interface
  CLI command syntax
  Connecting to the CLI
  CLI objects
  CLI command branches
    config branch
    get branch
    show branch
    execute branch
    diagnose branch
    Example command sequences
  CLI basics
    Command help
    Command completion
    Recalling commands
    Editing commands
    Line continuation
    Command abbreviation
    Environment variables
    Encrypted password support
    Entering spaces in strings
    Entering quotation marks in strings
    Entering a question mark (?) in a string
    International characters
    Special characters
    IP address formats
    Editing the configuration file
    Changing the baud rate
    Debug log levels
Administrative Domains
  About administrative domains (ADOMs)
  Configuring ADOMs
system
  admin ldap
  admin profile
  admin radius
  admin setting
  admin tacacs
  admin user
  aggregation-client
  aggregation-service
  alert-console
  alert-event
  alertemail
  backup all-settings
  certificate ca
  certificate local
  certificate ssh
  dns
  fips
  global
  interface
  locallog disk setting
  locallog filter
  locallog fortianalyzer setting
  locallog memory setting
  locallog syslogd (syslogd2, syslogd3) setting
  log alert
  log fortianalyzer
  log setting
    config rolling-analyzer, rolling-local, and rolling-regular
  mail
  ntp
  password-policy
  route
  route6
  snmp community
  snmp sysinfo
  snmp user
  sql
  syslog
execute
  add-vm-license
  backup
    backup all-settings
    backup logs
    backup logs-only
    backup reports
    backup reports-config
  bootimage
  certificate
    certificate ca
    certificate local
  console
    console baudrate
  date
  device
  devicelog
    devicelog clear
  factory-license
  fgfm
    fgfm reclaim-dev-tunnel
  format
  log device disk_quota
  log-aggregation
  lvm
  ping
  ping6
  raid
  reboot
  remove
  reset
  reset-sqllog-transfer
  restore
    restore all-settings
    restore image
    restore {logs | logs-only}
    restore reports
    restore reports-config
  shutdown
  sql-local
    sql-local remove-db
    sql-local remove-device
    sql-local remove-logs
    sql-local remove-logtype
  sql-query-dataset
  sql-query-generic
  sql-report run
  ssh
  time
  top
  traceroute
  traceroute6
diagnose
  cdb check
  debug application
  debug cli
  debug console
  debug crashlog
  debug disable
  debug dpm
  debug enable
  debug info
  debug service
  debug sysinfo
  debug sysinfo-log
  debug sysinfo-log-backup
  debug sysinfo-log-list
  debug timestamp
  debug vminfo
  dlp-archives quar-cache
  dlp-archives rebuild-quar-db
  dlp-archives statistics
  dlp-archives status
  dvm adom
  dvm chassis
  dvm check-integrity
  dvm debug
  dvm device
  dvm device-tree-update
  dvm group
  dvm lock
  dvm proc
  dvm supported-platforms
  dvm task
  dvm transaction-flag
  fgfm
  fmnetwork arp
  fmnetwork interface
  fmnetwork netstat
  fortilogd
  hardware
  log device
  sniffer
  sql
  system admin-session
  system disk
  system export
  system flash
  system fsck
  system ntp
  system print
  system process
  system raid
  system route
  system route6
  system server
  test application
  test policy-check
  test search
  test sftp
  upload clear
  upload force-retry
  upload status
get
  system admin setting
  system aggregation-client
  system aggregation-service
  system alert-console
  system alert-event
  system alertemail
  system backup all-settings
  system backup status
  system certificate ca
  system certificate local
  system certificate ssh
  system dns
  system fips
  system global
  system interface
  system locallog disk setting
  system locallog disk filter
  system locallog fortianalyzer setting
  system locallog fortianalyzer filter
  system locallog memory setting
  system locallog memory filter
  system locallog syslogd setting (also syslogd2 and syslogd3)
  system locallog syslogd filter (also syslogd2 and syslogd3)
  system log alert
  system log fortianalyzer
  system log settings
  system mail
  system ntp
  system password-policy
  system performance
  system snmp community
  system snmp sysinfo
  system snmp user
  system route
  system route6
  system sql
  system status
  system syslog
show
Appendix A: Object Tables
  Global object categories
  Device object ID values
Index
-
Change Log
Date        Change Description
2012-11-23  Initial release.
2013-01-11  Document updated for FortiAnalyzer v5.0 Patch Release 1.
            Command support-pre-fgt43 added.
            Variable pre-login-banner and pre-login-banner-message added to config system global command.
2013-03-28  Document updated for FortiAnalyzer v5.0 Patch Release 2.
            fmsystem and fasystem branches merged into system branch.
            show-adom-implicit-id-based-policy and policy-display-threshold variables added to the config system admin setting command.
            execute branch expanded:
              backup all-settings fgt, backup all-settings scp, backup logs, backup logs-only, backup reports commands added
              restore all-settings fgt, restore all-settings scp, restore image, restore logs, restore logs-only, restore reports commands added
              factory-license command added
            diagnose branch expanded:
              diagnose dlp-archives quar-cache, diagnose dlp-archives rebuild-quar-db, diagnose dlp-archives statistics, diagnose dlp-archives status commands added
            fmupdate, fmpolicy, fmscript, dmserver, and other FortiManager related commands have been removed.
            Added Appendix A: Object Tables
2013-04-26  The execute lvm command was added.
-
Introduction
FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network traffic, such as e-mail, FTP and web browsing activity, to help identify security issues and reduce network misuse and abuse.
-
Using the Command Line Interface
This chapter explains how to connect to the CLI and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.
This chapter describes:
CLI command syntax
Connecting to the CLI
CLI objects
CLI command branches
CLI basics
CLI command syntax
This guide uses the following conventions to describe command syntax.
Angle brackets < > indicate variables.
For example:
    execute restore image ftp
You enter:
    execute restore image ftp myfile.bak
indicates a dotted decimal IPv4 address.
indicates a dotted decimal IPv4 netmask.
indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask.
Vertical bar and curly brackets {|} separate alternative, mutually exclusive required variables.
For example:
    set protocol {ftp | sftp}
You can enter set protocol ftp or set protocol sftp.
Square brackets [ ] indicate that a variable is optional.
For example:
    show system interface []
To show the settings for all interfaces, you can enter show system interface. To show the settings for the Port1 interface, you can enter show system interface port1.
A space separates options that can be entered in any combination and must be separated by spaces.
For example:
    set allowaccess {ping https ping ssh snmp telnet http webservice aggregator}
You can enter any of the following:
    set allowaccess ping
    set allowaccess https
    set allowaccess ssh
    set allowaccess https ssh
    set allowaccess https ping ssh webservice
In most cases, to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.
Special characters:
The \ is supported to escape spaces or as a line continuation character.
The single quotation mark ' and the double quotation mark " are supported, but must be used in pairs.
If there are spaces in a string, you must precede the spaces with the \ escape character or put the string in a pair of quotation marks.
Connecting to the CLI
You can use a direct console connection or SSH to connect to the FortiAnalyzer CLI. You can also access it through the CLI console widget on the Web-based Manager. For more information, see the FortiAnalyzer v5.0 Patch Release 2 Administration Guide, and your device's QuickStart Guide.
CLI objects
The FortiAnalyzer CLI is based on configurable objects. The top-level objects are the basic components of FortiAnalyzer functionality.
Each top-level object contains more specific lower-level objects. For example, the system object contains objects for administrators, DNS, interfaces and so on.
Table 1: CLI top level object
system  Configuration options related to the overall operation of the FortiAnalyzer unit, such as interfaces, virtual domains, and administrators. See system on page 28.
CLI command branches
The FortiAnalyzer CLI consists of the following command branches:
config branch
get branch
show branch
execute branch
diagnose branch
Examples showing how to enter command sequences within each branch are provided in the following sections. See also Example command sequences on page 18.
config branch
The config commands configure objects of FortiAnalyzer functionality. Top-level objects are not configurable; they are containers for more specific lower level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of variables that you can set to particular values. Simpler objects, such as system DNS, are a single set of variables.
To configure an object, you use the config command to navigate to the object's command shell. For example, to configure administrators, you enter the command
    config system admin user
The command prompt changes to show that you are in the admin shell.
    (user)#
This is a table shell. You can use any of the following commands:
edit    Add an entry to the FortiAnalyzer configuration or edit an existing entry. For example in the config system admin shell:
        Type edit admin and press Enter to edit the settings for the default admin administrator account.
        Type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.
delete  Remove an entry from the FortiAnalyzer configuration. For example in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.
purge   Remove all entries configured in the current shell. For example in the config user local shell:
        Type get to see the list of user names added to the FortiAnalyzer configuration,
        Type purge and then y to confirm that you want to purge all the user names,
        Type get again to confirm that no user names are displayed.
get     List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values.
show    Show changes to the default configuration as configuration commands.
end     Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You will return to the root FortiAnalyzer CLI prompt.
        The end command is also used to save set command changes and leave the shell.
If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:
    edit admin_1
The FortiAnalyzer unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:
    new entry 'admin_1' added
    (admin_1)#
From this prompt, you can use any of the following commands:
config  In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to restrict the user to specific devices or VDOMs.
set     Assign values. For example from the edit admin command shell, typing set password newpass changes the password of the admin administrator account to newpass.
        Note: When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
unset   Reset values to defaults. For example from the edit admin command shell, typing unset password resets the password of the admin administrator account to the default of no password.
get     List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values.
show    Show changes to the default configuration in the form of configuration commands.
next    Save the changes you have made in the current shell and continue working in the shell. For example if you want to add several new admin user accounts enter the config system admin user shell.
        Type edit User1 and press Enter.
        Use the set commands to configure the values for the new admin account.
        Type next to save the configuration for User1 without leaving the config system admin user shell.
        Continue using the edit, set, and next commands to continue adding admin user accounts.
        Type end and press Enter to save the last configuration and leave the shell.
abort   Exit an edit shell without saving the configuration.
end     Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command.
        The end command is also used to save set command changes and leave the shell.
The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell you must leave the shell you are working in and enter the other shell.
get branch
Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell.
To use get from the root prompt, you must include a path to a shell.
The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).
Example 1
When you type get in the config system admin user shell, the list of administrators is displayed.
At the (user)# prompt, type:
    get
The screen displays:
    == [ admin ]
    userid: admin
    == [ admin2 ]
    userid: admin2
    == [ admin3 ]
    userid: admin3
Example 2
When you type get in the admin user shell, the configuration values for the admin administrator account are displayed.
    edit admin
At the (admin)# prompt, type:
    get
The screen displays:
    userid : admin
    password : *
    trusthost1 : 0.0.0.0 0.0.0.0
    trusthost2 : 0.0.0.0 0.0.0.0
    trusthost3 : 127.0.0.1 255.255.255.255
    ipv6_trusthost1 : ::/0
    ipv6_trusthost2 : ::/0
    ipv6_trusthost3 : ::1/128
    profileid : Super_User
    adom:
    == [ all_adoms ]
    adom-name: all_adoms
    policy-package:
    == [ all_policy_packages ]
    policy-package-name: all_policy_packages
    restrict-access : disable
    restrict-dev-vdom:
    description : (null)
    user_type : local
    ssh-public-key1 :
    ssh-public-key2 :
    ssh-public-key3 :
    meta-data:
    == [ Contact Email ]
    fieldname: Contact Email
    == [ Contact Phone ]
    fieldname: Contact Phone
    last-name : (null)
    first-name : (null)
    email-address : (null)
    phone-number : (null)
    mobile-number : (null)
    pager-number : (null)
    hidden : 0
    dashboard-tabs:
    dashboard:
    == [ 7 ]
    moduleid: 7
    == [ 10 ]
    moduleid: 10
    == [ 1 ]
    moduleid: 1
    == [ 2 ]
    moduleid: 2
    == [ 3 ]
    moduleid: 3
    == [ 4 ]
    moduleid: 4
    == [ 5 ]
    moduleid: 5
Example 3
You want to confirm the IP address and netmask of the port1 interface from the root prompt.
At the (command) # prompt, type:
    get system interface port1
The screen displays:
    name : port1
    status : up
    ip : 172.16.81.30 255.255.255.0
    allowaccess : ping https ssh snmp telnet http webservice aggregator
    serviceaccess :
    speed : auto
    description : (null)
    alias : (null)
    ipv6:
    ip6-address: ::/0
    ip6-allowaccess:
show branch
Use show to display the FortiAnalyzer unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.
To display the configuration of all config shells, you can use show from the root prompt. The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).
Example 1
When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed.
At the (port1)# prompt, type:
    show
The screen displays:
    config system interface
        edit "port1"
            set ip 172.16.81.30 255.255.255.0
            set allowaccess ping https ssh snmp telnet http webservice aggregator
        next
        edit "port2"
            set ip 1.1.1.1 255.255.255.0
            set allowaccess ping https ssh snmp telnet http webservice aggregator
        next
        edit "port3"
        next
        edit "port4"
        next
    end
Example 2
You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type:
    show system dns
The screen displays:
    config system dns
        set primary 65.39.139.53
        set secondary 65.39.139.63
    end
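The rule that a set allowaccess list must be retyped in full, applied to show output like Example 1 of the show branch. This is an added example, not part of the Fortinet manual: it parses a config system interface table, flags interfaces that allow telnet or http, and builds the complete replacement list. Treating telnet and http as the services to remove is this example's assumption, and the sample text is constructed.

```python
import shlex

# Constructed sample, modelled on the `show` output in Example 1 above.
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "port1"
        set ip 172.16.81.30 255.255.255.0
        set allowaccess ping https ssh snmp telnet http webservice aggregator
    next
    edit "port2"
        set ip 1.1.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port3"
    next
end
config system dns
    set primary 65.39.139.53
end
"""

# Assumption of this example: services to drop from allowaccess because they
# carry administrative sessions unencrypted.
CLEARTEXT_SERVICES = ("telnet", "http")


def parse_table(text, path):
    """Return {entry: {variable: [values]}} for the table shell `config <path>`."""
    entries, current = {}, None
    depth, table_depth = 0, None
    for raw in text.splitlines():
        # shlex handles paired quotes and backslash-escaped spaces, which is
        # close enough to the manual's quoting rules for this purpose.
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            depth += 1
            if table_depth is None and args == path.split():
                table_depth = depth
        elif cmd == "end":
            if depth == table_depth:
                table_depth, current = None, None
            depth -= 1
        elif depth == table_depth:  # ignore nested config sub-shells
            if cmd == "edit" and args:
                current = entries.setdefault(args[0], {})
            elif cmd == "next":
                current = None
            elif cmd == "set" and current is not None and args:
                current[args[0]] = args[1:]
    return entries


def audit_allowaccess(text):
    """List interfaces whose allowaccess contains a cleartext service."""
    findings = []
    for name, variables in parse_table(text, "system interface").items():
        current = variables.get("allowaccess", [])
        risky = [s for s in current if s in CLEARTEXT_SERVICES]
        if not risky:
            continue
        keep = [s for s in current if s not in CLEARTEXT_SERVICES]
        findings.append({
            "interface": name,
            "remove": risky,
            # The list is replaced as a whole, so every kept service is retyped.
            "replacement": ("set allowaccess " + " ".join(keep)) if keep else None,
        })
    return findings


def remediation_commands(text):
    """Build the config/edit/set/next/end sequence that applies the findings."""
    lines = ["config system interface"]
    for finding in audit_allowaccess(text):
        if finding["replacement"] is None:
            continue  # nothing would remain: decide by hand, not by script
        lines += ['    edit "{}"'.format(finding["interface"]),
                  "        " + finding["replacement"],
                  "    next"]
    lines.append("end")
    return "\n".join(lines) if len(lines) > 2 else ""


if __name__ == "__main__":
    for finding in audit_allowaccess(SAMPLE_SHOW_OUTPUT):
        print(finding["interface"], "allows", ", ".join(finding["remove"]))
    print(remediation_commands(SAMPLE_SHOW_OUTPUT))
```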
execute branch
Use execute to run static commands, to reset the FortiAnalyzer unit to factory defaults, or to back up or restore the FortiAnalyzer configuration. The execute commands are available only from the root prompt.
The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).
Example 1
At the root prompt, type:
    execute reboot
    The system will be rebooted.
    Do you want to continue? (y/n)
and press Enter to restart the FortiAnalyzer unit.
diagnose branch
Commands in the diagnose branch are used for debugging the operation of the FortiAnalyzer unit and to set parameters for displaying different levels of diagnostic information.
Diagnose commands are intended for advanced users only. Contact Fortinet technical support before using these commands.
Example command sequences
The command prompt changes for each shell.
To configure the primary and secondary DNS server addresses:
1. Starting at the root prompt, type:
    config system dns
and press Enter. The prompt changes to (dns)#.
2. At the (dns)# prompt, type (question mark) ?
The following options are displayed.
    set
    unset
    get
    show
    abort
    end
3. Type set (question mark) ?
The following options are displayed:
    primary
    secondary
4. To set the primary DNS server address to 172.16.100.100, type:
    set primary 172.16.100.100
and press Enter.
5. To set the secondary DNS server address to 207.104.200.1, type:
    set secondary 207.104.200.1
and press Enter.
6. To restore the primary DNS server address to the default address, type unset primary and press Enter.
7. If you want to leave the config system dns shell without saving your changes, type abort and press Enter.
8. To save your changes and exit the dns sub-shell, type end and press Enter.
9. To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.
CLI basics
This section includes:
Command help
Command completion
Recalling commands
Editing commands
Line continuation
Command abbreviation
Environment variables
Encrypted password support
Entering spaces in strings
Entering quotation marks in strings
Entering a question mark (?) in a string
International characters
Special characters
IP address formats
Editing the configuration file
Changing the baud rate
Debug log levels
Command help
You can press the question mark (?) key to display command help.
Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
Type a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option.
Type a command followed by an option and press the question mark (?) key to display a list of additional options available for that command option combination and a description of each option.
Command completion
You can use the tab key or the question mark (?) key to complete commands:
You can press the tab key at any prompt to scroll through the options available for that prompt.
You can type the first characters of any command and press the tab key or the question mark (?) key to complete the command or to scroll through the options that are available at the current cursor position.
After completing the first word of a command, you can press the space bar and then the tab key to scroll through the options available at the current cursor position.
Recalling commands
You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.
Editing commands
Use the left and right arrow keys to move the cursor back and forth in a recalled command. You can also use the backspace and delete keys and the control keys listed in Table 2 to edit the command.
Table 2: Control keys for editing commands
Function                                   Key combination
Beginning of line                          CTRL+A
End of line                                CTRL+E
Back one character                         CTRL+B
Forward one character                      CTRL+F
Delete current character                   CTRL+D
Previous command                           CTRL+P
Next command                               CTRL+N
Abort the command                          CTRL+C
If used at the root prompt, exit the CLI   CTRL+C
Line continuation
To break a long command over multiple lines, use a \ at the end of each line.
Command abbreviation
You can abbreviate commands and command options to the smallest number of unambiguous characters. For example, the command get system status can be abbreviated to g sy st.
Environment variables
The FortiAnalyzer CLI supports several environment variables.
$USERFROM   The management access type (SSH, Telnet and so on) and the IP address of the logged in administrator.
$USERNAME   The user account name of the logged in administrator.
$SerialNum  The serial number of the FortiAnalyzer unit.
Variable names are case sensitive. In the following example, when entering the variable, you can type (dollar sign) $ followed by a tab to auto-complete the variable to ensure that you have the exact spelling and case. Continue pressing tab until the variable you want to use is displayed.
    config system global
        set hostname $SerialNum
    end
Encrypted password support
After you enter a clear text password using the CLI, the FortiAnalyzer unit encrypts the password and stores it in the configuration file with the prefix ENC. For example:
    show system admin user user1
    config system admin user
        edit "user1"
            set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f
            set profileid "Standard_User"
        next
    end
It is also possible to enter an already encrypted password. For example, type:
    config system admin
then press Enter.
Type:
    edit user1
then press Enter.
Type:
    set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f
then press Enter.
Type:
    end
then press Enter.
Entering spaces in strings
When a string value contains a space, do one of the following:
Enclose the string in quotation marks, for example "Security Administrator".
Enclose the string in single quotes, for example 'Security Administrator'.
Use a backslash (\) preceding the space, for example Security\ Administrator.
Entering quotation marks in strings
If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.
Entering a question mark (?) in a string
If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to display possible command completions, terminating the string.
International characters
The CLI supports international characters in strings.
Special characters
The characters <, >, (, ), #, ', and " are not permitted in most CLI fields, but you can use them in passwords. If you use the apostrophe (') or quote (") character, you must precede it with a backslash (\) character when entering it in the CLI set command.
IP address formats
You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example you can type either:
    set ip 192.168.1.1 255.255.255.0
or
    set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.
Editing the configuration file
You can change the FortiAnalyzer configuration by backing up the configuration file to a TFTP server. Then you can make changes to the file and restore it to the FortiAnalyzer unit.
1. Use the execute backup all-settings command to back up the configuration file to a TFTP server. For example,
    execute backup all-settings 10.10.0.1 mybackup.cfg myid mypass
2. Edit the configuration file using a text editor.
Related commands are listed together in the configuration file. For instance, all the system commands are grouped together. You can edit the configuration by adding, changing or deleting the CLI commands in the configuration file.
The first line of the configuration file contains information about the firmware version and FortiAnalyzer model. Do not edit this line. If you change this information, the FortiAnalyzer unit will reject the configuration file when you attempt to restore it.
3. Use the execute restore all-settings command to copy the edited configuration file back to the FortiAnalyzer unit. For example,
    execute restore all-settings 10.10.0.1 mybackup.cfg myid mypass
The FortiAnalyzer unit receives the configuration file and checks to make sure the firmware version and model information is correct. If it is, the FortiAnalyzer unit loads the configuration file and checks each command for errors. If the FortiAnalyzer unit finds an error, an error message is displayed after the command and the command is rejected. Then the FortiAnalyzer unit restarts and loads the new configuration.
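A check to run on an edited configuration file before step 3, as an added example that is not part of the Fortinet manual: it confirms the first line is untouched, lists the commands that were added or removed, and flags any added set password line that lacks the ENC prefix described under Encrypted password support. The sample files are constructed, the header line is a placeholder rather than the real header format, and treating a cleartext password in the file as a problem is this example's assumption.

```python
import difflib

# Constructed sample backup; the first line is a placeholder, not the real format.
ORIGINAL = """\
#constructed-header model=EXAMPLE firmware=EXAMPLE
config system dns
    set primary 65.39.139.53
    set secondary 65.39.139.63
end
config system admin user
    edit "user1"
        set password ENC constructedCiphertextPlaceholder
        set profileid "Standard_User"
    next
end
"""

# Constructed edit: a new primary DNS server and a password typed in clear text.
EDITED = (ORIGINAL
          .replace("set primary 65.39.139.53", "set primary 172.16.100.100")
          .replace("ENC constructedCiphertextPlaceholder", "newpass"))


def check_edited_config(original, edited):
    """Compare an edited configuration file with the backup it was made from."""
    orig_lines = original.splitlines()
    new_lines = edited.splitlines()
    problems = []

    # The unit rejects the file if the firmware/model line was altered.
    if not orig_lines or not new_lines or orig_lines[0] != new_lines[0]:
        problems.append("first line (firmware version and model) was changed")

    added, removed = [], []
    for line in difflib.ndiff(orig_lines[1:], new_lines[1:]):
        if line.startswith("+ "):
            added.append(line[2:].strip())
        elif line.startswith("- "):
            removed.append(line[2:].strip())

    # Stored passwords carry the ENC prefix; an added one without it is a
    # clear text secret sitting in a file on the TFTP server.
    for command in added:
        words = command.split()
        if words[:2] == ["set", "password"] and words[2:3] != ["ENC"]:
            problems.append("cleartext password in edited file: set password ...")

    return {"problems": problems, "added": added, "removed": removed}


if __name__ == "__main__":
    report = check_edited_config(ORIGINAL, EDITED)
    for command in report["removed"]:
        print("removed:", command)
    for command in report["added"]:
        # Do not echo password values into terminal scrollback.
        shown = "set password ..." if command.startswith("set password") else command
        print("added:  ", shown)
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```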
Changing the baud rate
Using execute console baudrate, you can change the default console connection baud rate.
To check the current baud rate enter the following CLI command:
    # execute console baudrate [enter]
    current baud rate is: 9600
To view baudrate options, enter the CLI command with the question mark (?).
    # execute console baudrate ?
    baudrate 9600 | 19200 | 38400 | 57600 | 115200
To change the baudrate, enter the CLI command as listed below.
    # execute console baudrate 19200
    Your console connection will get lost after changing baud rate.
    Change your console setting!
    Do you want to continue? (y/n)
Changing the default baud rate is not available on all models.
Debug log levels
The following table lists available debug log levels on your FortiAnalyzer.
Table 3: Debug log levels
Level  Type          Description
0      Emergency     Emergency - the system has become unusable.
1      Alert         Alert - immediate action is required.
2      Critical      Critical - Functionality is affected.
3      Error         Error - an erroneous condition exists and functionality is probably affected.
4      Warning       Warning - function might be affected.
5      Notification  Notification of normal events.
6      Information   Information - General information about system operations.
7      Debug         Debugging - Detailed information useful for debugging purposes.
8      Maximum       Maximum log level.
Administrative Domains
Administrative domains (ADOMs) enable the admin administrator to constrain other Fortinet unit administrators' access privileges to a subset of devices in the device list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific FortiGate VDOM.
This section contains the following topics:
About administrative domains (ADOMs)
Configuring ADOMs
About administrative domains (ADOMs)
Enabling ADOMs alters the structure and available functionality of the Web-based Manager and CLI according to whether you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account's assigned access profile.
If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appear, allowing unrestricted access and ADOM configuration.
config system global contains settings used by the FortiAnalyzer unit itself and settings shared by ADOMs, such as the device list, RAID, and administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM.
If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appear, allowing access only to logs, reports, quarantine files, content archives, IP aliases, and LDAP queries specific to your ADOM. You cannot access Global Configuration, or enter other ADOMs.
By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all devices in the device list. By creating ADOMs that contain a subset of devices in the device list, and assigning them to administrator accounts, you can restrict other administrator accounts to a subset of the FortiAnalyzer unit's total devices or VDOMs.
The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM, and cannot configure ADOMs or Global Configuration.
The admin administrator can further restrict other administrators' access to specific configuration areas within their ADOM by using access profiles. For more information, see admin profile on page 30.
Table 4: Characteristics of the CLI and Web-based Manager when ADOMs are enabled
                                    admin administrator account   Other administrators
Access to config system global      Yes                           No
Can create administrator accounts   Yes                           No
Can enter all ADOMs                 Yes                           No
The maximum number of ADOMs varies by FortiAnalyzer model.
Table 5: ADOM maximum values
FortiAnalyzer Model         Number of ADOMs
FAZ-100C                    150
FAZ-200D                    150
FAZ-400B and FAZ-400C       200
FAZ-1000B and FAZ-1000C     2 000
FAZ-2000A and 2000B         2 000
FAZ-4000A and FAZ-4000B     2 000
FAZ-VM32 and FAZ-VM64       10 000
Configuring ADOMs
To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign existing FortiAnalyzer administrators to ADOMs.
Within the CLI, you can enable ADOMs and set the administrator ADOM. To configure the ADOMs, you must use the Web-based Manager.
Enabling ADOMs moves non-global configuration items to the root ADOM. Back up the FortiAnalyzer unit configuration before enabling ADOMs.
To enable or disable ADOMs:
Enter the following CLI command:
    config system global
        set adom-status {enable | disable}
    end
An administrative domain has two modes: normal and advanced. Normal mode is the default device mode. In normal mode, a FortiGate unit can only be added to a single administrative domain. In advanced mode, you can assign different VDOMs from the same FortiGate to multiple administrative domains.
Enabling the advanced mode option will result in a reduced operation mode and more complicated management scenarios. It is recommended only for advanced users.
To change administrative domain device modes:
Enter the following CLI command:
    config system global
        set adom-mode {advanced | normal}
    end
To assign an administrator to an ADOM:
Enter the following CLI command:
    config system admin user
        edit
            set adom
        next
    end
where is the administrator user name and is the ADOM name.
system
Use system commands to configure options related to the operation of the FortiAnalyzer unit.
This chapter contains the following sections:
For more information about configuring ADOMs, see Administrative Domains on page 25.
admin ldap
admin profile
admin radius
admin setting
admin tacacs
admin user
aggregation-client
aggregation-service
alert-console
alert-event
alertemail
backup all-settings
certificate ca
certificate local
certificate ssh
dns
fips
global
interface
locallog disk setting
locallog filter
locallog fortianalyzer setting
locallog memory setting
locallog syslogd (syslogd2, syslogd3) setting
log alert
log fortianalyzer
log setting
mail
ntp
password-policy
route
route6
snmp community
snmp sysinfo
snmp user
sql
syslog
admin ldap
Use this command to add, edit, and delete LDAP users.
Syntax
    config system admin ldap
        edit name {LDAP server entry name}
            set server {name_str | ip_str}
            set cnid
            set dn
            set port
            set type {anonymous | regular | simple}
            set username
            set password
            set group
            set filter
            set secure {disable | ldaps | starttls}
            set ca-cert
    end
Variable Description
server {name_str | ip_str}
Enter the LDAP server domain name or IP address.
cnid
Enter common name identifier. Default: cn
dn
Enter the distinguished name.
port
Enter the port number for LDAP server communication. Default: 389
type {anonymous | regular | simple}
Set a binding type:
anonymous: Bind using anonymous user search.
regular: Bind using username or password and then search.
simple: Simple password authentication without search.
Default: simple
username
Enter a username. This variable appears only when type is set to regular.
password
Enter a password for the username above. This variable appears only when type is set to regular.
group
Enter an authorization group. The authentication user must be a member of this group (full DN) on the server.
filter
Enter content for group searching. For example:
(&(objectcategory=group)(member=*))
(&(objectclass=groupofnames)(member=*))
(&(objectclass=groupofuniquenames)(uniquemember=*))
(&(objectclass=posixgroup)(memberuid=*))
secure {disable | ldaps | starttls}
Set the SSL connection type:
disable: No SSL connection
ldaps: Use LDAPS
starttls: Use STARTTLS
ca-cert
CA certificate name. This variable appears only when secure is set to ldaps or starttls.
Default: disable
Example
This example shows how to add the LDAP user user1 at the IP address 206.205.204.203.
    config system admin ldap
        edit user1
            set server 206.205.204.203
            set dn techdoc
            set type regular
            set username auth1
            set password auth1_pwd
            set group techdoc
    end
Related topics
admin profile
admin profile
Use this command to configure access profiles. In a newly-created access profile, no access is enabled.
Syntax
    config system admin profile
        edit
            set description
            set scope
            set system-setting {none | read-write}
            set adom-switch {none | read | read-write}
            set global-policy-packages {none | read | read-write}
            set global-objects {none | read | read-write}
            set assignment {none | read | read-write}
            set read-passwd {none | read | read-write}
            set device-manager {none | read | read-write}
            set device-config {none | read | read-write}
            set device-op {none | read | read-write}
            set device-profile {none | read | read-write}
            set policy-objects {none | read | read-write}
            set deploy-management {none | read | read-write}
            set config-retrieve {none | read | read-write}
            set term-access {none | read | read-write}
            set adom-policy-packages {none | read | read-write}
            set adom-policy-objects {none | read | read-write}
            set vpn-manager {none | read | read-write}
            set realtime-monitor {none | read | read-write}
            set forticonsole {none | read | read-write}
            set consistency-check {none | read | read-write}
            set faz-management {none | read | read-write}
            set report-viewer {none | read | read-write}
            set log-viewer {none | read | read-write}
            set network {none | read | read-write}
            set admin {none | read | read-write}
            set system {none | read | read-write}
            set devices {none | read | read-write}
            set alerts {none | read | read-write}
            set dlp {none | read | read-write}
            set reports {none | read | read-write}
            set log {none | read | read-write}
            set quar {none | read | read-write}
            set net-monitor {none | read | read-write}
            set vuln-mgmt {none | read | read-write}
    end
Variable Description
Edit the access profile. Enter a new name to create a new profile. The pre-defined access profiles are:
Super_User
Standard_User
Restricted_User
description
Enter a description for this access profile. Enclose the description in quotes if it contains spaces.
scope
Set the scope for this access profile to either ADOM or Global.
system-setting {none | read-write}
Set the level of access to system settings for this profile.
adom-switch {none | read | read-write}
Set the administrator domain for this profile.
global-policy-packages {none | read | read-write}
Set the global policy packages for this profile.
global-objects {none | read | read-write}
Set the global objects for this profile.
assignment {none | read | read-write}
Set the profile permissions.
read-passwd {none | read | read-write}
Add the capability to view the authentication password in clear text to this profile.
device-manager {none | read | read-write}
Enter the level of access to device manager settings for this profile.
device-config {none | read | read-write}
Enter the level of access to device configuration settings for this profile.
device-op {none | read | read-write}
Add the capability to add, delete, and edit devices to this profile.
device-profile {none | read | read-write}
Device profile permissions.
policy-objects {none | read | read-write}
Policy objects permissions.
deploy-management {none | read | read-write}
Enter the level of access to the deployment management configuration settings for this profile.
config-retrieve {none | read | read-write}
Set the configuration retrieve settings for this profile.
term-access {none | read | read-write}
Set the terminal access for this profile.
adom-policy-packages {none | read | read-write}
Enter the level of access to ADOM policy packages for this profile.
adom-policy-objects {none | read | read-write}
Enter the level of access to ADOM policy objects for this profile.
vpn-manager {none | read | read-write}
Enter the level of access to VPN console configuration settings for this profile.
realtime-monitor {none | read | read-write}
Enter the level of access to the Real Time monitor configuration settings for this profile.
forticonsole {none | read | read-write}
Enable or disable the FortiConsole for this profile.
consistency-check {none | read | read-write}
Enable or disable consistency check for this profile.
faz-management {none | read | read-write}
Enter the level of access to FortiAnalyzer configuration management settings for this profile.
report-viewer {none | read | read-write}
Enable or disable access permission.
log-viewer {none | read | read-write}
Enable or disable access permission.
network {none | read | read-write}
Enable or disable access permission.
admin {none | read | read-write}
Enable or disable access permission.
system {none | read | read-write}
Enable or disable access permission.
devices {none | read | read-write}
Enable or disable access permission.
alerts {none | read | read-write}
Enable or disable access permission.
dlp {none | read | read-write}
Enable or disable access permission.
reports {none | read | read-write}
Enable or disable access permission.
log {none | read | read-write}
Enable or disable access permission.
quar {none | read | read-write}
Enable or disable access permission.
net-monitor {none | read | read-write}
Enable or disable access permission.
vuln-mgmt {none | read | read-write}
Enable or disable access permission.
Related topics
admin radius
admin radius
Use this command to add, edit, and delete administration RADIUS servers.
Syntax
config system admin radius
edit
    set auth-type
    set nas-ip
    set port
    set secondary-secret
    set secondary-server
    set secret
    set server
end
Example
This example shows how to add the RADIUS server RAD1 at the IP address 206.205.204.203 and set the shared secret as R1a2D3i4U5s.
config system admin radius
edit RAD1
    set server 206.205.204.203
    set secret R1a2D3i4U5s
end
Variable Description
auth-type Enter the authentication protocol the RADIUS server will use:
any: Use any supported authentication protocol.
mschap2
chap
pap
nas-ip Enter the NAS IP address.
port Enter the RADIUS server port number. Default: 1812
secondary-secret Enter the password to access the RADIUS secondary-server.
secondary-server Enter the RADIUS secondary-server DNS resolvable domain name or IP address.
secret Enter the password to access the RADIUS server.
server Enter the RADIUS server DNS resolvable domain name or IP address.
admin setting
Use this command to configure system administration settings, including web administration ports, timeout, and language.
Syntax
config system admin setting
    set access-banner {enable | disable}
    set admin_server_cert
    set allow_register {enable | disable}
    set auto-update {enable | disable}
    set banner-message
    set demo-mode {enable | disable}
    set device_sync_status {enable | disable}
    set http_port
    set https_port
    set idle_timeout
    set install-ifpolicy-only {enable | disable}
    set mgmt-addr
    set mgmt-fqdn
    set offline_mode {enable | disable}
    set policy-display-threshold
    set register_passwd
    set show-add-multiple {enable | disable}
    set show-adom-central-nat-policies {enable | disable}
    set show-adom-devman {enable | disable}
    set show-adom-dos-policies {enable | disable}
    set show-adom-dynamic-objects {enable | disable}
    set show-adom-forticonsole-button {enable | disable}
    set show-adom-icap-policies {enable | disable}
    set show-adom-implicit-policy {enable | disable}
    set show-adom-implicit-id-based-policy {enable | disable}
    set show-adom-ipv6-settings {enable | disable}
    set show-adom-policy-consistency-button {enable | disable}
    set show-adom-rtmlog {enable | disable}
    set show-adom-sniffer-policies {enable | disable}
    set show-adom-taskmon-button {enable | disable}
    set show-adom-terminal-button {enable | disable}
    set show-adom-voip-policies {enable | disable}
    set show-adom-vpnman {enable | disable}
    set show-adom-web-portal {enable | disable}
    set show-device-import-export {enable | disable}
    set show-foc-settings {enable | disable}
    set show-fortimail-settings {enable | disable}
    set show-fsw-settings {enable | disable}
    set show-global-object-settings {enable | disable}
    set show-global-policy-settings {enable | disable}
    set show_automatic_script {enable | disable}
    set show_grouping_script {enable | disable}
    set show_tcl_script {enable | disable}
    set unreg_dev_opt {add_allow_service | add_no_service | ignore}
    set webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}
end
Variable Description
access-banner {enable | disable}
Enable or disable the access banner.
Default: disable
admin_server_cert
Enter the name of an https server certificate to use for secure connections.
Default: server.crt
allow_register {enable | disable}
Enable or disable an unregistered device to be registered.
Default: disable
auto-update {enable | disable} Enable or disable device config auto update.
banner-message Enable the banner messages. Maximum of 255 characters.
demo-mode {enable | disable} Enable or disable demo mode.
Default: disable
device_sync_status {enable | disable}
Enable or disable device synchronization status indication.
Default: enable
http_port Enter the HTTP port number for web administration.
Default: 80
https_port Enter the HTTPS port number for web administration.
Default: 443
idle_timeout Enter the idle timeout value. The range is from 1 to 480 minutes.
Default: 5
install-ifpolicy-only {enable | disable}
Enable to allow only the interface policy to be installed.
Default: disable
mgmt-addr FQDN/IP of FortiAnalyzer used by FGFM.
mgmt-fqdn FQDN of FortiAnalyzer used by FGFM.
offline_mode {enable | disable}
Enable offline mode to shut down the protocol used to communicate with managed devices.
Default: disable
policy-display-threshold
Set the policy page display threshold (1 - 10000).
register_passwd Enter the password to use when registering a device.
show-add-multiple {enable | disable}
Show the add multiple button.
show-adom-central-nat-policies {enable | disable}
Show ADOM central NAT policy settings on the Web-based Manager.
Default: disable
show-adom-devman {enable | disable}
Show ADOM device manager tools on the Web-based Manager.
Default: disable
show-adom-dos-policies {enable | disable}
Show ADOM DOS policy settings on the Web-based Manager.
Default: disable
show-adom-dynamic-objects {enable | disable}
Show ADOM dynamic object settings on the Web-based Manager.
Default: enable
show-adom-forticonsole-button {enable | disable}
Show ADOM banner button FortiConsole on the Web-based Manager.
Default: enable
show-adom-icap-policies {enable | disable}
Show the ADOM ICAP policy settings in the Web-based Manager.
show-adom-implicit-policy {enable | disable}
Show the ADOM implicit policy settings in the Web-based Manager.
show-adom-implicit-id-based-policy {enable | disable}
Show the ADOM implicit ID based policy settings in the Web-based Manager.
show-adom-ipv6-settings {enable | disable}
Show ADOM IPv6 settings in the Web-based Manager.
Default: disable
show-adom-policy-consistency-button {enable | disable}
Show ADOM banner button Policy Consistency in the Web-based Manager.
Default: disable
show-adom-rtmlog {enable | disable}
Show ADOM RTM device log in the Web-based Manager.
Default: disable
show-adom-sniffer-policies {enable | disable}
Show ADOM sniffer policy settings in the Web-based Manager.
Default: disable
show-adom-taskmon-button {enable | disable}
Show ADOM banner button Task Monitor in the Web-based Manager.
Default: enable
show-adom-terminal-button {enable | disable}
Show ADOM banner button Terminal in the Web-based Manager.
Default: enable
show-adom-voip-policies {enable | disable}
Show ADOM VoIP policy settings in the Web-based Manager.
show-adom-vpnman {enable | disable}
Show ADOM VPN manager in the Web-based Manager.
Default: enable
show-adom-web-portal {enable | disable}
Show ADOM web portal settings in the Web-based Manager.
Default: disable
show-device-import-export {enable | disable}
Enable import/export of ADOM, device, and group lists.
show-foc-settings {enable | disable}
Show FortiCarrier settings in the Web-based Manager.
Default: disable
show-fortimail-settings {enable | disable}
Show FortiMail settings in the Web-based Manager.
Default: disable
show-fsw-settings {enable | disable}
Show FortiSwitch settings in the Web-based Manager.
Default: disable
show-global-object-settings {enable | disable}
Show global object settings in the Web-based Manager.
Default: enable
show-global-policy-settings {enable | disable}
Show global policy settings in the Web-based Manager.
Default: enable
show_automatic_script {enable | disable}
Enable or disable automatic script.
show_grouping_script {enable | disable}
Enable or disable grouping script.
show_tcl_script {enable | disable}
Enable or disable TCL script.
unreg_dev_opt {add_allow_service | add_no_service | ignore}
Select action to take when an unregistered device connects to FortiAnalyzer.
add_allow_service: Add unregistered devices and allow service requests.
add_no_service: Add unregistered devices and deny service requests.
ignore: Ignore unregistered devices.
Default: add_all_service
webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}
Enter the language to be used for web administration.
Default: auto_detect
admin tacacs
Use this command to add, edit, and delete administration TACACS+ servers.
Syntax
config system admin tacacs
edit
    set authen-type
    set authorization {enable | disable}
    set key
    set port
    set secondary-key
    set secondary-server
    set server
    set tertiary-key
    set tertiary-server
end
Variable Description
authen-type Choose which authentication type to use.
Default: auto
authorization {enable | disable} Enable or disable TACACS+ authorization.
key Key to access the server.
port Port number of the TACACS+ server.
secondary-key Key to access the secondary server.
secondary-server Secondary server domain name or IP.
server The server domain name or IP.
tertiary-key Key to access the tertiary server.
tertiary-server Tertiary server domain name or IP.
Example
This example shows how to add the TACACS+ server TAC1 at the IP address 206.205.204.203 and set the key as R1a2D3i4U5s.
config system admin tacacs
edit TAC1
    set server 206.205.204.203
    set key R1a2D3i4U5s
end
admin user
Use this command to add, edit, and delete administrator accounts.
Use the admin account or an account with System Settings read and write privileges to add new administrator accounts and control their permission levels. Each administrator account must include a minimum of an access profile. The access profile list is ordered alphabetically, capitals first. If custom profiles are defined, it may change the default profile from Restricted_User.
You cannot delete the admin administrator account. You cannot delete an administrator account if that user is logged on. For information about ADOMs, see Administrative Domains on page 25.
Syntax
config system admin user
edit
    set password
    set trusthost1
    set trusthost2
    set trusthost3
    set ipv6_trusthost1
    set ipv6_trusthost2
    set ipv6_trusthost3
    set profileid
    set adom
    set policy-package {: / | all_policy_packages}
    set restrict-access {enable | disable}
    set description
    set user_type
    set ldap-server
    set radius_server
    set tacacs-plus-server
    set ssh-public-key1
    set ssh-public-key2 ,
    set ssh-public-key3
    set wildcard
    set radius-accprofile-override
    set radius-adom-override
    set radius-group-match
    set last-name
    set first-name
    set email-address
    set phone-number
    set mobile-number
    set pager-number
end
config meta-data
edit
    set fieldlength
    set fieldvalue
    set importance
    set status
end
end
config dashboard-tabs
edit tabid
    set name
end
config dashboard
edit moduleid
    set name
    set column
    set refresh-inverval
    set status {close | open}
    set tabid
    set widget-type {alert | devsummary | jsconsole | licinfo | logrecv | raid | rpteng | statisctics | sysinfo | sysop | sysres | top-lograte}
    set log-rate-type {device | log}
    set log-rate-topn {1 | 2 | 3 | 4 | 5}
    set log-rate-period {1hour | 2min | 6hours}
    set res-view-type {history | real-time}
    set res-period {10min | day | hour}
    set num-entries
end
end
config restrict-dev-vdom
edit dev-vdom
end
end
You can create meta-data fields for administrator accounts. These objects must be created using the FortiAnalyzer Web-based Manager. The only information you can add to the object is the value of the field (pre-determined text/numbers).
Variable Description
password Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This variable is available only if user_type is local.
trusthost1 trusthost2 trusthost3
Type the trusted host IP address and netmask from which the administrator can log in to the FortiAnalyzer system. You can specify up to three trusted hosts. (optional)
Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts on page 45.
ipv6_trusthost1 ipv6_trusthost2 ipv6_trusthost3
Type the trusted host IP address from which the administrator can log in to the FortiAnalyzer system. You can specify up to three trusted hosts. (optional)
Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts on page 45.
profileid Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiAnalyzer features.
Default: Restricted_User
adom Enter the name(s) of the ADOM(s) the administrator belongs to. Any configuration of ADOMs takes place via the FortiAnalyzer Web-based Manager. For more information, see Administrative Domains on page 25.
policy-package {: / | all_policy_packages}
Policy package access.
restrict-access {enable | disable}
Enable or disable restricted access to the dev-vdom.
Default: disable
description Enter a description for this administrator account. When using spaces, enclose description in quotes.
user_type
Enter local if the FortiAnalyzer system verifies the administrator's password. Enter radius if a RADIUS server verifies the administrator's password.
Default: local
ldap-server Enter the LDAP server name if the user type is set to LDAP.
radius_server Enter the RADIUS server name if the user type is set to RADIUS.
tacacs-plus-server Enter the TACACS+ server name if the user type is set to TACACS+.
ssh-public-key1
ssh-public-key2 ,
ssh-public-key3
You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.
The ssh-dss for a DSA key, ssh-rsa for an RSA key. The public key string of the SSH client.
wildcard Enable or disable wildcard remote authentication.
radius-accprofile-override
Allow access profile to be overridden from RADIUS.
radius-adom-override
Allow ADOM to be overridden from RADIUS.
radius-group-match Only administrators that belong to this group are allowed to log in.
last-name Administrator's last name.
first-name Administrator's first name.
email-address Administrator's email address.
phone-number Administrator's phone number.
mobile-number Administrator's mobile phone number.
pager-number Administrator's pager number.
Variable for config meta-data subcommand:
Note: This subcommand can only change the value of an existing field.
To create a new metadata field, use the config meta-data command.
fieldname The label/name of the field. Read-only.
Default: 50
fieldlength The maximum number of characters allowed for this field. Read-only.
fieldvalue Enter a pre-determined value for the field. This is the only value that can be changed with the config meta-data subcommand.
importance Indicates whether the field is compulsory (required) or optional (optional). Read-only.
Default: optional
status For display only. Value cannot be changed.
Default: enabled
Variable for config dashboard-tabs subcommand:
tabid Tab ID.
name Tab name.
Variable for config dashboard subcommand:
moduleid Widget ID.
name Widget name.
column Widget's column ID.
Default: 0
refresh-inverval Widget's refresh interval.
Default: 300
status {close | open} Widget's opened/closed status.
Default: open
tabid ID of the tab where the widget is displayed.
Default: 0
Using trusted hosts
Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the FortiAnalyzer system does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.
The trusted hosts you define apply both to the Web-based Manager and to the CLI when accessed through SSH. CLI access through the console connector is not affected.
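The check implied by the paragraphs above, as an added example that is not part of the original reference: a script that reads an exported "config system admin user" block and lists every administrator who leaves the unit unrestricted. The sample export, the account names, the quoted names and "next" delimiters, and the rule that a missing trusthost entry or a 0.0.0.0 0.0.0.0 entry means "unrestricted" are assumptions; only the IPv4 trusthost1 to trusthost3 variables are checked.

```python
import ipaddress
import re

# Constructed sample in the style of a CLI config export; not taken from the page.
SAMPLE_CONFIG = """\
config system admin user
    edit "admin"
        set profileid "Super_User"
        set trusthost1 10.10.10.0 255.255.255.0
        set trusthost2 192.168.50.7 255.255.255.255
    next
    edit "noc-readonly"
        set profileid "Restricted_User"
    next
    edit "backup-op"
        set profileid "Standard_User"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "auditor"
        set profileid "Restricted_User"
        set trusthost1 172.16.4.20 255.255.255.255
    next
end
"""

# Matches "set trusthostN <address> <netmask>" for N = 1..3.
TRUST_RE = re.compile(r"set\s+trusthost[1-3]\s+(\S+)\s+(\S+)$")


def parse_trusted_hosts(config_text):
    """Return {admin: [IPv4Network, ...]} from a 'config system admin user' block."""
    admins, current, depth, in_block = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                in_block = line == "config system admin user"
        elif line == "end":
            depth -= 1
        elif in_block and depth == 1 and line.startswith("edit "):
            # Only top-level edits are accounts; nested sub-blocks sit at depth 2.
            current = line[5:].strip().strip('"')
            admins[current] = []
        elif in_block and depth == 1 and current and (m := TRUST_RE.match(line)):
            addr, mask = m.groups()
            admins[current].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return admins


def audit(config_text):
    """Return (admin, reason) findings; an empty list means every admin is restricted."""
    findings = []
    for name, nets in parse_trusted_hosts(config_text).items():
        if not nets:
            findings.append((name, "no trusted host defined"))
        findings += [(name, f"trusted host {n} matches any address")
                     for n in nets if n.prefixlen == 0]
    return findings


if __name__ == "__main__":
    for admin, reason in audit(SAMPLE_CONFIG):
        print(f"UNRESTRICTED {admin}: {reason}")
```

Any finding means the unit still answers administrative access attempts from hosts outside the intended subnets, so the goal is an empty list.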
widget-type {alert | devsummary | jsconsole | licinfo | logrecv | raid | rpteng | statisctics | sysinfo | sysop | sysres | top-lograte}
Widget type. Enter one of the following:
alert: Alert message console
devsummary: Device summary
jsconsole: CLI console
licinfo: License information
logrecv: Data receive
raid: Disk monitor
rpteng: Report engine
statistics: Statistics
sysinfo: System information
sysop: Unit operation
sysres: System resources
top-lograte: Log rates
log-rate-type {device | log} Log receive m