CLI Basics FortiGate - FortiOS 7.2.3
1 of 10 2/3/2023, 12:10 PM
CLI basics | FortiGate / FortiOS 7.2.3 https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/896276/cli-basics
CLI basics
Basic features and characteristics of the CLI environment provide support and ease of use for many
CLI tasks.
Help
Press the question mark (?) key to display command help and complete commands.
• Press the question mark (?) key at the command prompt to display a list of the commands
available and a description of each command.
• Enter a command followed by a space and press the question mark (?) key to display a list of the
options available for that command and a description of each option.
• Enter a command followed by an option and press the question mark (?) key to display a list of
additional options available for that command option combination and a description of each
option.
• Enter a question mark after entering a portion of a command to see a list of valid complete
commands and their descriptions. If there is only one valid command, it will be automatically
filled in.
Shortcuts and key commands

Shortcut key             Action
Tab                      Complete the word with the next available match. Press multiple times to cycle through available matches.
Up arrow or Ctrl + P     Recall the previous command. Command memory is limited to the current session.
Down arrow or Ctrl + N   Recall the next command.
Left or Right arrow      Move the cursor left or right within the command line.
Ctrl + A                 Move the cursor to the beginning of the command line.
Ctrl + E                 Move the cursor to the end of the command line.
Ctrl + B                 Move the cursor backwards one word.
Ctrl + F                 Move the cursor forwards one word.
Ctrl + D                 Delete the current character.
Ctrl + C                 Abort current interactive commands, such as when entering multiple lines. If you are not currently within an interactive command such as config or edit, this closes the CLI connection.

For each line that you want to continue, terminate it with a backslash ( \ ). To complete the command, enter a space instead of a backslash, and then press Enter.

Command tree

Enter tree to display the CLI command tree. To capture the full output, connect to your device using a terminal emulation program and capture the output to a log file. For some commands, use the tree command to view all available variables and subcommands.

Command abbreviation

You can abbreviate words in the command line to their smallest number of non-ambiguous characters.
For example, the command get system status could be abbreviated to g sy stat.

Adding and removing options from lists

For example, if a user group currently includes members A, B, and C, the command set member D will remove members A, B, and C. To avoid removing the existing members from the group, the command set members A B C D must be used.
To avoid this issue, the following commands are available:

append     Add an option to an existing list. For example, append member D adds user D to the user group without removing any of the existing members.
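The overwrite behaviour described above is easy to miss when reviewing a change script, so the following added example (not part of the Fortinet documentation) replays a script against the current membership and reports every set that drops existing entries. The group name example-group, the helper names, and the use of shell-like quoting rules are assumptions made for illustration; only the set, append and unselect behaviours described on this page are modelled.

```python
import shlex

LIST_VERBS = ("set", "append", "unselect")


def review_list_changes(current, script, field="member"):
    """Replay `script` against the list `current` and report overwrites.

    Returns (resulting_list, findings); each finding is (line_number, dropped)
    for a `set` that silently removed entries that were already in the list.
    """
    members = list(current)
    findings = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        tokens = shlex.split(raw)  # assumption: shell-like quoting is close enough
        if len(tokens) < 3 or tokens[0] not in LIST_VERBS or tokens[1] != field:
            continue
        verb, values = tokens[0], tokens[2:]
        before = list(members)
        if verb == "set":          # replaces the whole list
            members = list(dict.fromkeys(values))
        elif verb == "append":     # adds to the existing list
            members += [v for v in values if v not in members]
        else:                      # unselect: removes only the named entries
            members = [m for m in members if m not in values]
        dropped = [m for m in before if m not in members]
        if verb == "set" and dropped:
            findings.append((lineno, dropped))
    return members, findings


def group_edit(command):
    """Wrap one command in a constructed `config user group` change script."""
    return "\n".join([
        "config user group",
        '    edit "example-group"',  # hypothetical group name
        "        " + command,
        "    next",
        "end",
    ])


CURRENT = ["A", "B", "C"]  # membership before the change, as in the page's example

if __name__ == "__main__":
    for cmd in ("set member D", "set member A B C D",
                "append member D", "unselect member C"):
        result, findings = review_list_changes(CURRENT, group_edit(cmd))
        print(f"{cmd:20} -> {result}  overwrites: {findings}")
```
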
Environment variables

The following environment variables are supported by the CLI. Variable names are case-sensitive.

$USERFROM    The management access type (ssh, jsconsole, and so on) and the IPv4 address of the administrator that configured the item.
$USERNAME    The account name of the administrator that configured the item.
$SerialNum   The serial number of the FortiGate.

For example, to set a FortiGate device's host name to its serial number, use the following CLI command:
Using grep to filter command output
The get, show, and diagnose commands can produce large amounts of output. The grep
command can be used to filter the output so that it only shows the required information.
The grep command is based on the standard UNIX grep, used for searching text output based on
regular expressions.
For example, the following command displays the MAC address of the internal interface:
-A <num> After
-B <num> Before
-C <num> Context
The -f option is available to support contextual output, in order to show the complete configuration.
The following example shows the difference in the output when -f is used versus when it is not used:
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "ldap-group1"
                set dstaddr "all"
                set service "ALL"
            next
        end
    next
end
Characters such as ñ and é, symbols, and ideographs are sometimes acceptable input. Support
varies depending on the type of item that is being configured. CLI commands, objects, field names,
and options must use their exact ASCII characters, but some items with arbitrary names or values
can be input using your language of choice. To use other languages in those cases, the correct
encoding must be used.
Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings into UTF-8
before it is stored. If your input method encodes some characters differently than in UTF-8,
configured items may not display or operate as expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter
a regular expression using a different encoding, or if an HTTP client sends a request in a different
encoding, matches may not be what is expected.
For example, with Shift-JIS, backslashes could be inadvertently interpreted as the symbol for the
Japanese yen ( ¥ ), and vice versa. A regular expression intended to match HTTP requests containing
monetary values with a yen symbol may not work if the symbol is entered using the wrong
encoding.
• use only characters whose numerically encoded values are the same in UTF-8, such as the US-
ASCII characters that are encoded using the same values in ISO 8859-1, Windows code page
1252, Shift-JIS, and other encoding methods, or
• for regular expressions that must match HTTP requests, use the same encoding as your HTTP
clients.
HTTP clients may send requests in encodings other than UTF-8. Encodings
usually vary based on the client’s operating system or input language. If the
client's encoding method cannot be predicted, you might only be able to
match the parts of the request that are in English, as the values for English
characters tend to be encoded identically, regardless of the encoding method.
If the FortiGate is configured to use an encoding method other than UTF-8, the management
computer's language may need to be changed, including the web browser and terminal emulator. If
the FortiGate is configured using non-ASCII characters, all the systems that interact with the FortiGate
must also support the same encoding method. If possible, the same encoding method should be
used throughout the configuration to avoid needing to change the language settings on the
management computer.
The GUI and CLI client normally interpret output as encoded using UTF-8. If they do not, configured
items may not display correctly. Exceptions include items such as regular expressions that may be
configured using other encodings to match the encoding of HTTP requests that the FortiGate
receives.
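The Shift-JIS yen and backslash mismatch described above can be reproduced at the byte level. This added example (not part of the Fortinet documentation) uses Python's re module as a stand-in for byte-wise regular expression matching; the request body, the pattern and all function names are constructed for illustration.

```python
import re

# Constructed byte values for the yen sign. JIS X 0201 (the single-byte half of
# Shift-JIS) puts it at 0x5C, the same byte ASCII uses for the backslash.
YEN = {"utf-8": b"\xc2\xa5", "shift_jis": b"\x5c"}
CLIENT_ENCODINGS = ("utf-8", "shift_jis")


def as_typed(template: bytes, encoding: str) -> bytes:
    """Bytes of a pattern typed on a client that uses `encoding`.

    The page states that input is stored without being normalized to UTF-8,
    so these are also the bytes the regular expression is matched with.
    """
    return template.replace(b"<YEN>", YEN[encoding])


def request_body(encoding: str) -> bytes:
    """Constructed HTTP form body as a client using `encoding` would send it."""
    item = "\u304b\u306a".encode(encoding)  # two hiragana characters
    return b"amount=" + YEN[encoding] + b"1200&item=" + item


def matches(stored: bytes, body: bytes) -> bool:
    """Byte-for-byte regex search, with no transcoding on either side."""
    return re.search(stored, body) is not None


def coverage(stored: bytes) -> dict:
    """Which client encodings a stored pattern matches."""
    return {enc: matches(stored, request_body(enc)) for enc in CLIENT_ENCODINGS}


# "A yen sign followed by digits", typed on a UTF-8 and on a Shift-JIS client.
UTF8_RULE = as_typed(b"<YEN>[0-9]+", "utf-8")
SJIS_RULE = as_typed(b"<YEN>[0-9]+", "shift_jis")  # 0x5C now escapes the "["
# ASCII-only pattern: the same bytes in both encodings.
ASCII_RULE = b"[0-9]+&item="

if __name__ == "__main__":
    for name, rule in (("UTF-8 rule", UTF8_RULE),
                       ("Shift-JIS rule", SJIS_RULE),
                       ("ASCII-only rule", ASCII_RULE)):
        print(f"{name:16} {rule!r:22} {coverage(rule)}")
```

The pattern typed on the Shift-JIS client matches neither request, because its first byte is read as a regular expression escape; only the ASCII-only pattern covers both clients.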
2. Configure the client to send and receive characters using UTF-8 encoding.
Support for sending and receiving international characters varies by terminal client.
4. At the command prompt, type your command and press Enter.
Words that use encoded characters may need to be enclosed in single quotes ( ' ).
Depending on your terminal client’s language support, you may need to interpret the characters
into character codes before pressing Enter. For example, you might need to enter: edit
'\743\601\613\743\601\652'
Screen paging
By default, the CLI will pause after displaying each page worth of text when a command has multiple
pages of output. This can be useful when viewing lengthy outputs that might exceed the buffer of
the terminal emulator.
• Press an arrow key, Insert, Home, Delete, End, Page Up, or Page Down to show the next few
pages,
• Wait for about 30 seconds for the console to truncate the output and return to the command
prompt.
When pausing the screen is disabled, press Ctrl + C to stop the output and log out of the FortiGate.
To disable pausing the CLI output:

    config system console
        set output standard
    end

To enable pausing the CLI output:

    config system console
        set output more
    end

Changing the baud rate

The baud rate of the local console connection can be changed from its default value of 9600.

To change the baud rate:

    config system console
        set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
    end

The FortiGate configuration file can be edited on an external host by backing up the configuration, editing the configuration file, and then restoring the configuration to the FortiGate.
Editing the configuration file can save time if many changes need to be made, particularly if the plain text editor that you are using provides features such as batch changes.

To edit the configuration file:

1. Back up the configuration. See Configuration backups for details.
2. Open the configuration file in a plain text editor that supports UNIX-style line endings.
3. Edit the file as needed.

   Do not edit the first line of the configuration file. This line contains information about the firmware version and FortiGate model. If you change the model number, the FortiGate will reject the configuration when you attempt to restore it.

4. Restore the modified configuration to the FortiGate. See Configuration backups for details.
   The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the configuration file is loaded and each line is checked for errors. If a command is invalid, that command is ignored. If the configuration file is valid, the FortiGate restarts and loads the downloaded configuration.
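Because invalid commands are ignored rather than reported, it helps to check the edited file before restoring it. This added example (not part of the Fortinet documentation) compares an edited file with its backup for the problems this procedure and the encoding notes warn about: a changed first line, non-UNIX line endings, and bytes that are not valid UTF-8. The first-line text is a placeholder treated as opaque bytes, and the function names and sample files are constructed for illustration.

```python
import difflib

BOM = b"\xef\xbb\xbf"


def _first_line(data: bytes) -> bytes:
    return data.split(b"\n", 1)[0].rstrip(b"\r")


def check_edited_config(original: bytes, edited: bytes) -> list:
    """Return the problems found in `edited`; an empty list means none."""
    problems = []
    if edited.startswith(BOM):  # some editors prepend this, altering line 1
        problems.append("byte order mark inserted before the first line")
        edited = edited[len(BOM):]
    if _first_line(original) != _first_line(edited):
        problems.append("first line differs from the backup")
    lines = edited.split(b"\n")
    crlf = [n for n, line in enumerate(lines, 1) if line.endswith(b"\r")]
    if crlf:
        problems.append("CRLF line endings on %d line(s), first at line %d"
                        % (len(crlf), crlf[0]))
    for n, line in enumerate(lines, 1):
        try:
            line.decode("utf-8")
        except UnicodeDecodeError:
            problems.append("line %d is not valid UTF-8" % n)
    return problems


def changed_lines(original: bytes, edited: bytes) -> list:
    """Lines removed (-) or added (+) by the edit, for review before restoring."""
    a = original.decode("utf-8", "replace").splitlines()
    b = edited.decode("utf-8", "replace").splitlines()
    diff = list(difflib.unified_diff(a, b, lineterm="", n=0))
    return [l for l in diff[2:] if l.startswith(("+", "-"))]  # skip file headers


# Constructed sample files; the first line is a placeholder, not a real header.
FIRST = b"#<first line: firmware version and model, placeholder>"
BACKUP = FIRST + b"\nconfig system console\n    set output more\nend\n"
GOOD = BACKUP.replace(b"more", b"standard")
BAD_MODEL = GOOD.replace(b"placeholder", b"edited")
WINDOWS = GOOD.replace(b"\n", b"\r\n")
WITH_BOM = BOM + GOOD
SJIS_NAME = GOOD + b'config user group\n    edit "\x82\xa9\x82\xc8"\n    next\nend\n'

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("model", BAD_MODEL), ("crlf", WINDOWS),
                       ("bom", WITH_BOM), ("sjis", SJIS_NAME)):
        print(name, check_edited_config(BACKUP, data))
    print(changed_lines(BACKUP, GOOD))
```
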
For example, when removing options from a list, unselect member C removes only member C from the group, without affecting the other members.
Special characters
The following characters cannot be used in most CLI commands: <, >, (, ), #, ', and "
If one of those characters, or a space, needs to be entered as part of a string, it can be entered by using a special command, enclosing the entire string in quotes, or preceding
it with an escape character (backslash, \).
To enter a question mark (?) or a tab, Ctrl + V or Ctrl + Shift + - must be entered first.
Question marks and tabs cannot be copied into the CLI Console or some SSH clients. They must be typed in.
Character   Keys
Space       Enclose the string in single or double quotation marks: "Security Administrator" or 'Security
'           \'
"           \"
\           \\