FortiManager CLI Reference

VERSION 5.0.10

FORTINET DOCUMENT LIBRARY

http://docs.fortinet.com

FORTINET VIDEO LIBRARY

http://video.fortinet.com

FORTINET BLOG

https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com 

FORTIGATE COOKBOOK

http://cookbook.fortinet.com

FORTINET TRAINING SERVICES

http://www.fortinet.com/training

FORTIGUARD CENTER

http://www.fortiguard.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK

Email: [email protected]

January 29, 2015

FortiManager 5.0.10 CLI Reference

02-5010-183470-20150129

TABLE OF CONTENTS

Change Log

Introduction
    About the FortiManager system
    FortiManager feature set
    FortiAnalyzer feature set
    Web-based Manager
    FortiManager system product life cycle
    FortiManager documentation

What's New in FortiManager version 5.0
    FortiManager version 5.0.10
    FortiManager version 5.0.9
    FortiManager version 5.0.8
    FortiManager version 5.0.7
    FortiManager version 5.0.6
    FortiManager version 5.0.5
    FortiManager version 5.0.4
    FortiManager version 5.0.3

Using the Command Line Interface
    CLI command syntax
    Connecting to the CLI
        Connecting to the FortiManager console
        Setting administrative access on an interface
        Connecting to the FortiManager CLI using SSH
        Connecting to the FortiManager CLI using the Web-based Manager
    CLI objects
    CLI command branches
        config branch
        get branch
        show branch
        execute branch
        diagnose branch
        Example command sequences
    CLI basics
        Command help
        Command tree
        Command completion
        Recalling commands
        Editing commands
        Line continuation
        Command abbreviation
        Environment variables
        Encrypted password support
        Entering spaces in strings
        Entering quotation marks in strings
        Entering a question mark (?) in a string
        International characters
        Special characters
        IP address formats
        Editing the configuration file
        Changing the baud rate
        Debug log levels

Administrative Domains
    ADOMs overview
    Configuring ADOMs
    Concurrent ADOM Access

system
    admin
        admin group
        admin ldap
        admin profile
        admin radius
        admin setting
        admin tacacs
        admin user
    alert-console
    alert-event
    alertemail
    auto-delete
    backup all-settings
    certificate
        certificate ca
        certificate crl
        certificate local
        certificate oftp
        certificate ssh
    dm
    dns
    fips
    global
    ha
        General FortiManager HA configuration steps
    interface
    locallog
        locallog disk setting
        locallog filter
        locallog fortianalyzer setting
        locallog memory setting
        locallog syslogd (syslogd2, syslogd3) setting
    log
        log alert
        log fortianalyzer
        log settings
    mail
    metadata
    ntp
    password-policy
    report
        report auto-cache
        report est-browse-time
        report group
        report setting
    route
    route6
    snmp
        snmp community
        snmp sysinfo
        snmp user
    sql
    syslog

fmupdate
    analyzer virusreport
    av-ips
        av-ips advanced-log
        av-ips fct server-override
        av-ips fgt server-override
        av-ips push-override
        av-ips push-override-to-client
        av-ips update-schedule
        av-ips web-proxy
    custom-url-list
    device-version
    disk-quota
    fct-services
    fds-setting
    multilayer
    publicnetwork
    server-access-priorities
        config private-server
    server-override-status
    service
    support-pre-fgt43
    web-spam
        web-spam fct server-override
        web-spam fgd-log
        web-spam fgd-setting
        web-spam fgt server-override
        web-spam fsa server-override
        web-spam poll-frequency
        web-spam web-proxy

execute
    add-vm-license
    backup
    bootimage
    certificate
        certificate ca
        certificate local
    chassis
    console baudrate
    date
    device
    dmserver
        dmserver delrev
        dmserver revlist
        dmserver showconfig
        dmserver showdev
        dmserver showrev
    factory-license
    fgfm reclaim-dev-tunnel
    fmpolicy
        fmpolicy check-upgrade-object
        fmpolicy copy-adom-object
        fmpolicy install-config
        fmpolicy print-adom-database
        fmpolicy print-adom-object
        fmpolicy print-adom-package
        fmpolicy print-device-database
        fmpolicy print-device-object
        fmpolicy print-prov-templates
    fmprofile
        fmprofile copy-to-device
        fmprofile export-profile
        fmprofile import-from-device
        fmprofile import-profile
        fmprofile list-profiles
    fmscript
        fmscript clean-sched
        fmscript delete
        fmscript import
        fmscript list
        fmscript run
        fmscript showlog
    fmupdate
        fmupdate {ftp | scp | tftp} import
        fmupdate {ftp | scp | tftp} export
    format
    log
        log device disk_quota
        log device permissions
        log dlp-files clear
        log import
        log ips-pkt clear
        log quarantine-files clear
    log-integrity
    lvm
    ping
    ping6
    raid
    reboot
    remove
    reset
    reset-sqllog-transfer
    restore
    shutdown
    sql-local
        sql-local rebuild-db
        sql-local remove-db
        sql-local remove-logtype
    sql-query-dataset
    sql-query-generic
    sql-report
        sql-report hcache-check
        sql-report import-lang
        sql-report list
        sql-report list-lang
        sql-report list-schedule
        sql-report run
        sql-report view
    ssh
    ssh-known-hosts
    time
    top
    traceroute
    traceroute6

diagnose
    auto-delete
    cdb check
    debug
        debug application
        debug cli
        debug console
        debug crashlog
        debug disable
        debug dpm
        debug enable
        debug info
        debug reset
        debug service
        debug sysinfo
        debug sysinfo-log
        debug sysinfo-log-backup
        debug sysinfo-log-list
        debug timestamp
        debug vminfo
    dlp-archives
    dvm
        dvm adom
        dvm capability
        dvm chassis
        dvm check-integrity
        dvm debug
        dvm device
        dvm device-tree-update
        dvm extender
        dvm group
        dvm lock
        dvm proc
        dvm supported-platforms
        dvm task
        dvm transaction-flag
    fgfm
    fmnetwork
        fmnetwork arp
        fmnetwork interface
        fmnetwork netstat
    fmupdate
    fortilogd
    fwmanager
    ha
    hardware
    log
        log device
    pm2
    report
    sniffer
    sql
    system
        system admin-session
        system export
        system flash
        system fsck
        system geoip
        system ntp
        system print
        system process
        system raid
        system route
        system route6
        system server
    test
        test application
        test connection
        test deploymanager
        test policy-check
        test search
        test sftp
    upload
        upload clear
        upload force-retry
        upload status
    vpn

get
    fmupdate analyzer
    fmupdate av-ips
    fmupdate custom-url-list
    fmupdate device-version
    fmupdate disk-quota
    fmupdate fct-services
    fmupdate fds-setting
    fmupdate multilayer
    fmupdate publicnetwork
    fmupdate server-access-priorities
    fmupdate server-override-status
    fmupdate service
    fmupdate support-pre-fgt43
    fmupdate web-spam
    system admin
    system alert-console
    system alert-event
    system alertemail
    system auto-delete
    system backup
    system certificate
    system dm
    system dns
    system fips
    system global
    system ha
    system interface
    system locallog
    system log
    system mail
    system metadata
    system ntp
    system password-policy
    system performance
    system report
    system route
    system route6
    system snmp
    system sql
    system status
    system syslog

show

Change Log

Date         Change Description
2012-11-16   Initial release.
2013-04-02   Updated for FortiManager version 5.0.2. Changed all instances of fmsystem/fasystem to system.
2013-07-19   Updated for FortiManager version 5.0.3.
2013-09-13   Updated for FortiManager version 5.0.4.
2013-11-12   Updated for FortiManager version 5.0.5.
2014-02-05   Updated for FortiManager version 5.0.6.
2014-05-14   Corrected typographic error. Added additional information for the set vdom-mirror enable command. Added note to alert-event command.
2014-07-02   Updated for FortiManager version 5.0.7.
2014-07-11   Updated config system snmp user command information.
2014-10-07   Updated for FortiManager version 5.0.8.
2014-10-22   Updated for FortiManager version 5.0.9.
2014-11-13   Minor document update.
2014-12-04   Removed the execute sql-local rebuild-device and execute sql-local remove-device commands.
2014-12-18   Removed the execute sql-local remove-log command.
2015-01-29   Updated for FortiManager version 5.0.10.

12 CLI Reference

Fortinet Technologies Inc.

Introduction

FortiManager centralized management appliances deliver the essential tools needed to effectively manage your Fortinet-based security infrastructure.

About the FortiManager system

The FortiManager system is a security-hardened appliance with simplified installation, and improved system reliability and security. You can install a second peer FortiManager system for database backups.

The FortiManager system manages communication between the managed devices and the FortiManager Web-based Manager.

The FortiManager system stores and manages all managed devices’ configurations.

It can also act as a local FortiGuard Distribution Server (FDS) for the managed devices to download virus and attack signatures, and to use the web filtering and email filtering service. This will reduce network delay and usage, compared with the managed devices’ connection to an FDS over the Internet.

FortiManager feature set

The FortiManager feature set includes the following modules:
- Device Manager
- Policy & Objects
- FortiGuard
- System Settings

FortiAnalyzer feature set

The FortiAnalyzer feature set can be enabled in FortiManager. The FortiAnalyzer feature set includes the following modules:
- FortiView
- Event Management
- Reports

Web-based Manager

You can use the FortiManager Web-based Manager to configure the managed devices and to view the device configuration, device status, system health, and logs. The FortiManager Web-based Manager supports role-based administration. Permissions and device access can be set individually for each manager account added to the FortiManager Web-based Manager.


Administrators with read and write access can view the configuration, health status, and logs, and can change the configurations of the devices assigned to them. The FortiManager Web-based Manager also allows these users to remotely upgrade device firmware, and virus and attack definitions.

Administrators with read only access can view the configuration, device status, system health, and logs of the devices assigned to them.

FortiManager system product life cycle

The FortiManager system allows you to manage devices through their entire product life cycle:

    Deployment     Complete device configuration after initial installation.
    Monitoring     Drill down device status and health.
    Maintenance    Continuous, incremental configuration and updates.
    Updates        Updates of virus definitions, attack definitions, web filtering service, email filter service, and firmware images.

FortiManager documentation

The following FortiManager product documentation is available:

- FortiManager Administration Guide
  This document describes how to set up the FortiManager system and use it to manage supported Fortinet units. It includes information on how to configure multiple Fortinet units, configuring and managing the FortiGate VPN policies, monitoring the status of the managed devices, viewing and analyzing the FortiGate logs, updating the virus and attack signatures, providing web filtering and email filter service to the licensed FortiGate units as a local FDS, firmware revision control and updating the firmware images of the managed units.

- FortiManager device QuickStart Guides
  These documents are included with your FortiManager system package. Use these documents to install and begin working with the FortiManager system and FortiManager Web-based Manager.

- FortiManager Online Help
  You can get online help from the FortiManager Web-based Manager. FortiManager online help contains detailed procedures for using the FortiManager Web-based Manager to configure and manage FortiGate units.

- FortiManager CLI Reference
  This document describes how to use the FortiManager Command Line Interface (CLI) and contains references for all FortiManager CLI commands.

- FortiManager Release Notes
  This document describes new features and enhancements in the FortiManager system for the release, and lists resolved and known issues. This document also defines supported platforms and firmware versions.


- FortiManager VM (VMware) Install Guide
  This document describes installing FortiManager VM in your VMware ESX or ESXi virtual environment.

- FortiManager VM (Microsoft Hyper-V) Install Guide
  This document describes installing FortiManager VM in your Microsoft Hyper-V Server 2008 R2 or 2012 virtual environment.


What’s New in FortiManager version 5.0

FortiManager version 5.0.10

The table below lists commands which have changed in FortiManager version 5.0.10.

config system admin profile
    Variable added: set show-checkbox-in-table
config system log settings
    Variable added: set log-file-archive-name
config system sql
    Variable removed: set auto-table-upgrade
    Variables added: set device-count-high, set event-table-partition-time, set traffic-table-partition-time, set utm-table-partition-time
config system report group
    Command and variables added.
config system report settings
    Variables added: set report-priority, set hcache-lossless
execute fmpolicy
    Commands added: check-upgrade-object, copy-adom-object, install-config, print-adom-database, print-adom-object, print-adom-package, print-prov-templates
    Commands removed: print-global-database, print-global-object, print-global-package
execute sql-report
    Variables added: list, view, hcache-check, list-schedule
diagnose cdb check update-devinfo
    Command added.
diagnose sql status rebuild-db
diagnose sql status sql_hcache_chk
    Commands added.

FortiManager version 5.0.9

The table below lists commands which have changed in FortiManager version 5.0.9.

config system global
    Command added: set ssl-protocol


FortiManager version 5.0.8

The table below lists commands which have changed in FortiManager version 5.0.8.

config system ha
    Variable added: file-quota
config system admin profile
    Variable added: change-password
config system admin user
    Variable added: change-password
config system admin setting
    Variable added: admin-https-redirect
config system log settings
    Variable added: FSA-custom-field1
diagnose debug reset
    Command added.
config system report settings
    Variable added: max-table-rows
diagnose sql config top-dev set
    Command added.
    Variables added: log-thres, max-num
execute devicelog clear
    Command removed.
config system report auto-cache
    Variables added: aggressive-schedule, drilldown-status, order
diagnose sql rebuild-report-hcache
    Command added.

FortiManager version 5.0.7

The table below lists commands which have changed in FortiManager version 5.0.7.

config system admin ldap
    Variable added: adom, connect-timeout
config system admin profile
    Variables added: type, web-filter, ips-filter, app-filter, workflow-approve
config system admin user
    Variables added: web-filter, ips-filter, app-filter
config system auto-delete
    Command renamed: regular-auto-deletion to log-auto-deletion
config system certificate
    Command added: oftp
config system global
    Variable added: task-list-size
    Variable updated: workspace-mode
    Variable removed: swapmem
config system locallog [memory | disk | fortianalyzer | syslogd | syslogd2 | syslogd3] filter
    Variable added: faz
config system locallog [syslogd | syslogd2 | syslogd3] setting
    Variables added: syslog-name
    Variables removed: server, port
config system log settings
    Variables removed: FGT-custom-field2 .. 5, FCT-custom-field2 .. 5, FML-custom-field2 .. 5, FWB-custom-field2 .. 5, FCH-custom-field2 .. 5, FAZ-custom-field2 .. 5
config system sql
    Variables removed: event-table-partition-time, event-table-partition-time-max, event-table-partition-time-min, table-partition-mode, traffic-table-partition-time, traffic-table-partition-time-max, traffic-table-partition-time-min, utm-table-partition-time, utm-table-partition-time-max, utm-table-partition-time-min
diagnose debug application
    Variables added: dmworker, curl
diagnose dvm extender
    Command added: extender
diagnose fortilogd
    Variable added: lograte
diagnose report
    Variable removed: maintain
execute remove <reports>
    Variable added: device-id
execute sql-report
    Variables added: list-lang, import-lang

FortiManager version 5.0.6

The table below lists commands which have changed in FortiManager version 5.0.6.

config system admin ldap
    Variable added: attributes
config system report setting
    Command added.
config system sql
    Variables added: rebuild-event, rebuild-event-start-time
diagnose debug application
    Variable added: ipsec
    Variable removed: ike
diagnose dvm device
    Variable added: delete
diagnose sql
    Variable added: remove query-cache
diagnose vpn tunnel
    Command added.
config system global
    Variable removed: set webservice-support-sslv3
config system global
    New variable added: webservice-proto
config fmupdate web-spam fsa server-override
    Command added.
config fmupdate device-version
    Variable added: fsa
execute fmpolicy print-global-package
    Command added.
diagnose test application fazautormd
    Command added.
execute auto-delete
    Command added.

FortiManager version 5.0.5

The table below lists commands which have changed in FortiManager version 5.0.5.

config system global
    Variables added: partial-install, search-all-adoms, faz-status, unregister-pop-up
config fmupdate web-spam fgd-setting
    Variables added: fq-cache, fq-log, fq-preload, restrict-fq-dbver
config fmupdate service
    Variable added: query-filequery
diagnose fmupdate
    Variables removed: fgd-delwfdb, fgd-delasdb, fgd-delavquerydb
config system log settings
    Variables added: FAZ-custom-field1, FAZ-custom-field2, FAZ-custom-field3, FAZ-custom-field4, FAZ-custom-field5
execute backup
    Variable added: logs-rescue

FortiManager version 5.0.4

The table below lists commands which have changed in FortiManager version 5.0.4.

config system auto-delete
    Command added.
config system global
    Variable added: log-checksum
config system log setting config rolling-regular
    Command added: set upload-mode backup
config system sql
    Command and sub-command added: set text-search-index, config ts-index-field
config system report auto-cache
    Command and variables added: set aggressive-drilldown, set drilldown-interval, set status
config system report est-browse-time
    Command and variables added: set max-num-user, set status
execute log device permissions
    Command added.
execute log import
    Command added.
execute log-integrity
    Command added.
diagnose sql auto-hcache
    Command removed.
diagnose report status
diagnose report clean
diagnose report maintain
    Commands added.
diagnose sql show log-filters
    Command added.

FortiManager version 5.0.3

The table below lists commands which have changed in FortiManager version 5.0.3.

config system admin profile
    Variables added: fgd_center, reports, logs
    Variable removed: forticonsole
config system admin setting
    Variables added: show_adom_forticonsole_button, show_adom_implicit_id_based_policy, show_schedule_script
config system admin user
    Variables added: ip_trustedhost4 to ipvtrusthost10, ipv6_trustedhost4 to ipv6_trusthost10, group, password-expire, force-password-change, subject, ca, two-factor-auth, dashboard > log-rate-type, dashboard > log-rate-topn, dashboard > log-rate-period, dashboard > res-view-type, dashboard > res-period, dashboard > res-cpu-display, num-entries
config system certificate crl
    Command added with variables: comment, crl
config system dm
    Variable added: fortiap-refresh-itvl
config system global
    Variables added: adom-rev-max-days, adom-rev-max-revisions, dh-params, lock-preempt, pre-login-banner-message
config system locallog ... filter
    Variable added: fmgws
config system log settings
    Variables added: FCH-custom-field1 to 5, FCT-custom-field1 to 5, FGT-custom-field1 to 5, FML-custom-field1 to 5, FWB-custom-field1 to 5
    Added rolling-regular command with variables: days, del-files, directory, file-size, gzip-format, hours, ip, log-format, min, password, server-type, upload, upload-hour, upload-trigger, username, when
config system report
    Command added.
config system snmp sysinfo
    Variable added: trap-cpu-high-exclude-nice-threshold
config system snmp user
    Variable keywords added to the events variable: cpu-high-exclude-nice, lic-dev-quota, lic-gbday, log-alert, log-data-rate, log-rate
config system sql
    Variables added: database-name, event-table-partition-time, event-table-partition-time-max, event-table-partition-time-min, reset, resend-device, server, table-partition-mode, traffic-table-partition-time, traffic-table-partition-time-max, traffic-table-partition-time-min, username, utm-table-partition-time, utm-table-partition-time-max, utm-table-partition-time-min
    Added custom-index command, with variables: device-type, log-type, index-field
config fmupdate service
    Variables added: query-antispam, query-antivirus, query-webfilter
config fmupdate web-spam fgd-setting
    Variables added: linkd-log, max-unrated-size, restrict-as1-dbver, restrict-as2-dbver, restrict-as4-dbver, restrict-av-dbver, restrict-wf-dbver, stat-sync-interval
execute backup
    Variables added: logs, logs-only, reports, reports-config
diagnose debug service
    Command added.
diagnose dlp-archives
    Command added.
diagnose dvm capability
    Command added.
diagnose dvm device
    Variable removed: deps
diagnose fmupdate
    Variables added: dellog, fgd-wfserver-stat, show-dev-obj
    Variable removed: fml-bandwidth
diagnose pm2
    Command added.
diagnose rtm
    Command removed.
diagnose sql
    Variable added: upload
diagnose system
    Variables added: admin-session > kill, export > fmwslog, geoip
    Variables removed: disk, logtoconsole, raid
diagnose test application
    Variable added: fazsvcd
diagnose test connection
    Command added.
get system report
    Command added.

Using the Command Line Interface

This chapter explains how to connect to the CLI and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.

CLI command syntax

This guide uses the following conventions to describe command syntax.

- Angle brackets < > indicate variables.

- Vertical bar and curly brackets {|} separate alternative, mutually exclusive required keywords.
  For example: set protocol {ftp | sftp}
  You can enter set protocol ftp or set protocol sftp.

- Square brackets [ ] indicate that a variable is optional.
  For example: show system interface [<name_str>]
  To show the settings for all interfaces, you can enter show system interface. To show the settings for the Port1 interface, you can enter show system interface port1.

- A space separates options that can be entered in any combination and must be separated by spaces.
  For example: set allowaccess {https ping}
  You can enter any of the following:
      set allowaccess ping
      set allowaccess https ping
      set allowaccess http https ping snmp ssh telnet webservice
  In most cases, to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.

- Special characters:
  - The \ is supported to escape spaces or as a line continuation character.
  - The single quotation mark ' and the double quotation mark " are supported, but must be used in pairs.
  - If there are spaces in a string, you must precede the spaces with the \ escape character or put the string in a pair of quotation marks.

Connecting to the CLI

You can use a direct console connection or SSH to connect to the FortiManager CLI.


Connecting to the FortiManager console

To connect to the FortiManager console, you need:
- a computer with an available communications port
- a console cable, provided with your FortiManager unit, to connect the FortiManager console port and a communications port on your computer
- terminal emulation software, such as HyperTerminal for Windows.

The following procedure describes how to connect to the FortiManager CLI using Windows HyperTerminal software. You can use any terminal emulation program.

To connect to the CLI:

1. Connect the FortiManager console port to the available communications port on your computer.

2. Make sure the FortiManager unit is powered on.

3. Start HyperTerminal, enter a name for the connection, and select OK.

4. Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the FortiManager console port.

5. Select OK.

6. Select the following port settings and select OK.

       COM port           COM1
       Bits per second    115200
       Data bits          8
       Parity             None
       Stop bits          1
       Flow control       None

7. Press Enter to connect to the FortiManager CLI.

A prompt similar to the following appears (shown for the FMG-400C):

FMG400C login:

8. Type a valid administrator name and press Enter.

9. Type the password for this administrator and press Enter.

A prompt similar to the following appears (shown for the FMG-400C):

FMG400C #

You have connected to the FortiManager CLI, and you can enter CLI commands.


Setting administrative access on an interface

To perform administrative functions through a FortiManager network interface, you must enable the required types of administrative access on the interface to which your management computer connects. Access to the CLI requires Secure Shell (SSH) access. If you want to use the Web-based Manager, you need HTTPS access.

To use the Web-based Manager to configure FortiManager interfaces for SSH access, see the FortiManager 5.0.10 Administration Guide.

To use the CLI to configure SSH access:

1. Connect and log into the CLI using the FortiManager console port and your terminal emulation software.

2. Use the following command to configure an interface to accept SSH connections:

       config system interface
           edit <interface_name>
               set allowaccess <access_types>
       end

   Where <interface_name> is the name of the FortiManager interface to be configured to allow administrative access, and <access_types> is a whitespace-separated list of access types to enable.

   For example, to configure port1 to accept HTTPS and SSH connections, enter:

       config system interface
           edit port1
               set allowaccess https ssh
       end

   Remember to press Enter at the end of each line in the command example. Also, type end and press Enter to commit the changes to the FortiManager configuration.

3. To confirm that you have configured SSH access correctly, enter the following command to view the access settings for the interface: get system interface <interface_name>

The CLI displays the settings, including the management access settings, for the named interface.
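As an added example (not code from the FortiManager CLI Reference or from Fortinet), the following Python script ties together the two points this chapter makes about allowaccess: the list is replaced wholesale by set allowaccess, so any change must restate every access type that should remain, and get system interface is the check that confirms what is actually enabled. The get output it parses is a constructed sample whose layout only approximates the real command's output; the interface-name pattern and the choice of http and telnet as the types to close are assumptions.

```python
"""Audit and rebuild a FortiManager interface's allowaccess list.

Added example, not from the FortiManager CLI Reference. The CLI's
`set allowaccess` takes a whitespace-separated list and replaces the whole
list, so every access type that should stay must be restated. This helper
reads the allowaccess line from `get system interface <name>` output, drops
the access types the operator wants closed, and renders the
config/edit/set/end sequence in the syntax the reference shows.
The sample output below is constructed and only approximates the real format.
"""
import re

# Access types the reference lists as valid values for `set allowaccess`.
KNOWN_ACCESS_TYPES = {"http", "https", "ping", "snmp", "ssh", "telnet", "webservice"}

# Cleartext management protocols a defender normally keeps disabled (assumption).
CLEARTEXT_TYPES = {"http", "telnet"}

# Interface names the generator accepts (assumption; matches names such as port1).
INTERFACE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Constructed sample of `get system interface port1` output (format approximated).
SAMPLE_GET_OUTPUT = """\
name                : port1
status              : up
ip                  : 192.0.2.10 255.255.255.0
allowaccess         : https ping ssh telnet http
"""


def parse_allowaccess(get_output: str) -> list[str]:
    """Return the access types on the allowaccess line, in the order shown."""
    for line in get_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "allowaccess":
            return value.split()
    raise ValueError("no allowaccess line found in get output")


def cleartext_enabled(current: list[str]) -> list[str]:
    """List the cleartext access types currently enabled (the audit finding)."""
    return [t for t in current if t in CLEARTEXT_TYPES]


def harden_allowaccess(current: list[str], remove=CLEARTEXT_TYPES, require=("ssh",)) -> list[str]:
    """Drop unwanted types and make sure the required ones are present.

    The returned list is the complete list to pass to `set allowaccess`,
    because the CLI replaces the whole list rather than merging into it.
    """
    unknown = set(current) - KNOWN_ACCESS_TYPES
    if unknown:
        raise ValueError(f"unknown access types in get output: {sorted(unknown)}")
    kept = [t for t in current if t not in remove]
    for t in require:
        if t not in kept:
            kept.append(t)
    return kept


def build_commands(interface: str, access_types: list[str]) -> str:
    """Render the command sequence the reference shows for one interface."""
    if not INTERFACE_NAME.match(interface):
        raise ValueError(f"refusing to render unexpected interface name: {interface!r}")
    if not access_types:
        raise ValueError("refusing to render an empty allowaccess list")
    return "\n".join([
        "config system interface",
        f"    edit {interface}",
        f"        set allowaccess {' '.join(access_types)}",
        "end",
    ])


if __name__ == "__main__":
    current = parse_allowaccess(SAMPLE_GET_OUTPUT)
    print("cleartext access enabled:", cleartext_enabled(current))
    print(build_commands("port1", harden_allowaccess(current)))
```

Run the rendered commands in the interface's edit shell, then re-run get system interface <interface_name> and feed its output back through parse_allowaccess to confirm that cleartext_enabled returns an empty list.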

Connecting to the FortiManager CLI using SSH

SSH provides strong secure authentication and secure communications to the FortiManager CLI from your internal network or the internet. Once the FortiManager unit is configured to accept SSH connections, you can run an SSH client on your management computer and use this client to connect to the FortiManager CLI.

A maximum of 5 SSH connections can be open at the same time.


To connect to the CLI using SSH:

1. Install and start an SSH client.

2. Connect to a FortiManager interface that is configured for SSH connections.

3. Type a valid administrator name and press Enter.

4. Type the password for this administrator and press Enter.

The FortiManager model name followed by a # is displayed.

You have connected to the FortiManager CLI, and you can enter CLI commands.

Connecting to the FortiManager CLI using the Web-based Manager

The Web-based Manager also provides a CLI console window.

To connect to the CLI using the Web-based Manager:

1. Connect to the Web-based Manager and log in.
   For information about how to do this, see the FortiManager 5.0.10 Administration Guide.

2. Go to System Settings > Dashboard.

3. Click inside the CLI Console widget. If the widget is not available, select Add Widget to add the widget to the dashboard.

CLI objects

The FortiManager CLI is based on configurable objects. The top-level objects are the basic components of FortiManager functionality. Each has its own chapter in this guide.

    fmupdate    Configures settings related to FortiGuard service updates and the FortiManager unit's built-in FDS.
    system      Configures options related to the overall operation of the FortiManager unit, such as interfaces, virtual domains, and administrators.

There is a chapter in this manual for each of these top-level objects. Each of these objects contains more specific lower level objects. For example, the system object contains objects for administrators, dns, interfaces, and so on.

CLI command branches

The FortiManager CLI consists of the following command branches:


- config branch
- get branch
- show branch
- execute branch
- diagnose branch

Examples showing how to enter command sequences within each branch are provided in the following sections.

config branch

The config commands configure objects of FortiManager functionality. Top-level objects are not configurable, they are containers for more specific lower level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of keywords that you can set to particular values. Simpler objects, such as system DNS, are a single set of keywords.

To configure an object, you use the config command to navigate to the object's command "shell". For example, to configure administrators, you enter the command:

config system admin user

The command prompt changes to show that you are in the admin shell:

(user)#

This is a table shell. You can use any of the following commands:

delete    Remove an entry from the FortiManager configuration. For example, in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.

edit      Add an entry to the FortiManager configuration or edit an existing entry. For example, in the config system admin shell:
          - type edit admin and press Enter to edit the settings for the default admin administrator account;
          - type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.

end       Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You return to the root FortiManager CLI prompt. The end command is also used to save set command changes and leave the shell.

get       List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.

purge     Remove all entries configured in the current shell. For example, in the config user local shell:
          - type get to see the list of user names added to the FortiManager configuration;
          - type purge and then y to confirm that you want to purge all the user names;
          - type get again to confirm that no user names are displayed.

show      Show changes to the default configuration as configuration commands.

If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:

edit admin_1

The FortiManager unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:

new entry 'admin_1' added

(admin_1)#

From this prompt, you can use any of the following commands:

abort     Exit an edit shell without saving the configuration.

config    In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add host definitions to an SNMP community.

end       Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. The end command is also used to save set command changes and leave the shell.

get       List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.

next      Save the changes you have made in the current shell and continue working in the shell. For example, if you want to add several new admin user accounts, enter the config system admin user shell, then:
          - type edit User1 and press Enter;
          - use the set commands to configure the values for the new admin account;
          - type next to save the configuration for User1 without leaving the config system admin user shell;
          - continue using the edit, set, and next commands to add further admin user accounts;
          - type end and press Enter to save the last configuration and leave the shell.

set       Assign values. For example, from the edit admin command shell, typing set passwd newpass changes the password of the admin administrator account to newpass.
          Note: When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.

show      Show changes to the default configuration in the form of configuration commands.

unset     Reset values to defaults. For example, from the edit admin command shell, typing unset passwd resets the password of the admin administrator account to the default of no password.

The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell you must leave the shell you are working in and enter the other shell.

The root prompt is the FortiManager host or model name followed by a #.

get branch

Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell.

To use get from the root prompt, you must include a path to a shell.

Example

When you type get in the config system admin user shell, the list of administrators is displayed.

At the (user)# prompt, type: get

The screen displays:

== [ admin ] userid: admin

== [ admin2 ] userid: admin2

== [ admin3 ] userid: admin3

Example

When you type get in the admin user shell, the configuration values for the admin administrator account are displayed.

edit admin

At the (admin)# prompt, type: get

The screen displays:

userid : admin
password : *
trusthost1 : 0.0.0.0 0.0.0.0
trusthost2 : 0.0.0.0 0.0.0.0
trusthost3 : 0.0.0.0 0.0.0.0
trusthost4 : 0.0.0.0 0.0.0.0
trusthost5 : 0.0.0.0 0.0.0.0
trusthost6 : 0.0.0.0 0.0.0.0
trusthost7 : 0.0.0.0 0.0.0.0
trusthost8 : 0.0.0.0 0.0.0.0
trusthost9 : 0.0.0.0 0.0.0.0
trusthost10 : 127.0.0.1 255.255.255.255
ipv6_trusthost1 : ::/0
ipv6_trusthost2 : ::/0
ipv6_trusthost3 : ::/0
ipv6_trusthost4 : ::/0
ipv6_trusthost5 : ::/0
ipv6_trusthost6 : ::/0
ipv6_trusthost7 : ::/0
ipv6_trusthost8 : ::/0
ipv6_trusthost9 : ::/0
ipv6_trusthost10 : ::1/128
profileid : Super_User
adom:
== [ all_adoms ] adom-name: all_adoms
policy-package:
== [ all_policy_packages ] policy-package-name: all_policy_packages
restrict-access : disable
restrict-dev-vdom:
description : (null)
user_type : local
ssh-public-key1 :
ssh-public-key2 :
ssh-public-key3 :
meta-data:
last-name : (null)
first-name : (null)
email-address : (null)
phone-number : (null)
mobile-number : (null)
pager-number : (null)
hidden : 0
dashboard-tabs:
dashboard:
== [ 6 ] moduleid: 6
== [ 1 ] moduleid: 1
== [ 2 ] moduleid: 2
== [ 3 ] moduleid: 3
== [ 4 ] moduleid: 4
== [ 5 ] moduleid: 5

Example

You want to confirm the IP address and netmask of the port1 interface from the root prompt.

At the # prompt, type: get system interface port1

The screen displays:

name : port1
status : up
ip : 10.2.115.5 255.255.0.0
allowaccess : ping https ssh snmp telnet http webservice
serviceaccess : fgtupdates webfilter-antispam webfilter antispam
speed : auto
description : (null)
alias : (null)
ipv6:
ip6-address: ::/0
ip6-allowaccess:
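As an added example, not code from the FortiManager reference, the following Python parses get output in the two forms shown above (key : value lines and == [ entry ] key: value table rows) and runs two defender-side checks over it: which trusthost entries of an admin account are still at 0.0.0.0 0.0.0.0 or ::/0, and which clear-text management protocols (telnet, http) an interface's allowaccess list admits. The sample output is constructed from the admin and port1 examples above. Reading 0.0.0.0 0.0.0.0 and ::/0 as "any source address" is this example's assumption; the page shows those values in the default admin account but does not define them.

```python
import re

# Constructed sample `get` output, modelled on the admin user and port1
# examples above; not captured from a real unit.
ADMIN_USER_GET = """\
userid : admin
password : *
trusthost1 : 0.0.0.0 0.0.0.0
trusthost2 : 0.0.0.0 0.0.0.0
trusthost3 : 0.0.0.0 0.0.0.0
trusthost10 : 127.0.0.1 255.255.255.255
ipv6_trusthost1 : ::/0
ipv6_trusthost2 : ::/0
ipv6_trusthost10 : ::1/128
profileid : Super_User
adom:
== [ all_adoms ] adom-name: all_adoms
policy-package:
== [ all_policy_packages ] policy-package-name: all_policy_packages
restrict-access : disable
user_type : local
hidden : 0
"""

PORT1_GET = """\
name : port1
status : up
ip : 10.2.115.5 255.255.0.0
allowaccess : ping https ssh snmp telnet http webservice
serviceaccess : fgtupdates webfilter-antispam webfilter antispam
speed : auto
description : (null)
alias : (null)
ipv6:
ip6-address: ::/0
ip6-allowaccess:
"""

# Table row as printed by get: "== [ entry ] key: value"
TABLE_ROW = re.compile(r"^== \[ (?P<entry>[^\]]+?) \](?: (?P<rest>.*))?$")

# Values this audit reads as "any source address" (assumption of the example:
# the page shows them in the default admin account but does not define them).
ANY_IPV4 = "0.0.0.0 0.0.0.0"
ANY_IPV6 = "::/0"
CLEARTEXT_PROTOCOLS = {"telnet", "http"}


def parse_get(text):
    """Split `get` output into plain fields and tables.

    fields: keyword -> value for "key : value" lines (value may be "").
    tables: table keyword -> {entry name -> {key: value}}; a "key:" line
    with an empty value names the table that the following "== [ ... ]"
    rows belong to (for example "adom:" followed by "== [ all_adoms ] ...").
    """
    fields, tables = {}, {}
    current_table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        row = TABLE_ROW.match(line)
        if row:
            members = {}
            if row.group("rest"):
                key, value = row.group("rest").split(":", 1)
                members[key.strip()] = value.strip()
            tables.setdefault(current_table, {})[row.group("entry").strip()] = members
            continue
        key, value = line.split(":", 1)   # first colon only; IPv6 values keep theirs
        key, value = key.strip(), value.strip()
        fields[key] = value
        if value == "":
            current_table = key
    return fields, tables


def unrestricted_trusthosts(fields):
    """Trusthost keywords of an admin account that admit logins from any address.

    Each such entry should name a management subnet instead; an account that
    keeps one at the any-source value can be reached from wherever the
    management interface's allowaccess list is exposed.
    """
    hits = []
    for key, value in fields.items():
        if key.startswith("trusthost") and value == ANY_IPV4:
            hits.append(key)
        elif key.startswith("ipv6_trusthost") and value == ANY_IPV6:
            hits.append(key)
    return hits


def cleartext_management_protocols(fields):
    """Protocols in an interface's allowaccess list that carry credentials in clear."""
    enabled = set(fields.get("allowaccess", "").split())
    return sorted(enabled & CLEARTEXT_PROTOCOLS)


if __name__ == "__main__":
    admin, tables = parse_get(ADMIN_USER_GET)
    print(admin["profileid"], tables["adom"])
    print("any-source trusthosts:", unrestricted_trusthosts(admin))
    port1, _ = parse_get(PORT1_GET)
    print("clear-text management on port1:", cleartext_management_protocols(port1))
```

Feed the parser the output of get system admin user <name> or get system interface <name> captured over SSH; the two check functions return the keywords to tighten with set trusthostN and set allowaccess.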

show branch

Use show to display the FortiManager unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.

To display the configuration of all config shells, you can use show from the root prompt.

Example

When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed.

At the (port1)# prompt, type: show

The screen displays:

config system interface
    edit "port1"
        set ip 10.2.115.5 255.255.0.0
        set allowaccess ping https ssh snmp telnet http webservice
        set serviceaccess fgtupdates webfilter-antispam webfilter antispam
    next
end

Example

You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type: show system dns

The screen displays:

config system dns
    set primary 172.39.139.53
    set secondary 172.39.139.63
end

execute branch

Use execute to run static commands, to reset the FortiManager unit to factory defaults, or to back up or restore the FortiManager configuration. The execute commands are available only from the root prompt.

Example

At the root prompt, type: execute reboot and press Enter to restart the FortiManager unit.

diagnose branch

Commands in the diagnose branch are used for debugging the operation of the FortiManager unit and to set parameters for displaying different levels of diagnostic information. The diagnose commands are not documented in this CLI Reference.

Diagnose commands are intended for advanced users only. Contact Fortinet Customer Support before using these commands.

Example command sequences

The command prompt changes for each shell.

To configure the primary and secondary DNS server addresses:

1. Starting at the root prompt, type: config system dns and press Enter. The prompt changes to (dns)#.

2. At the (dns)# prompt, type ?

The following options are displayed:

set
unset
get
show
abort
end

3. Type set ?

The following options are displayed:

primary
secondary

4. To set the primary DNS server address to 172.16.100.100, type: set primary 172.16.100.100 and press Enter.

5. To set the secondary DNS server address to 207.104.200.1, type: set secondary 207.104.200.1 and press Enter.

6. To restore the primary DNS server address to the default address, type unset primary and press Enter.

7. If you want to leave the config system dns shell without saving your changes, type abort and press Enter.

8. To save your changes and exit the dns sub-shell, type end and press Enter.

9. To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.

CLI basics

Command help

You can press the question mark (?) key to display command help.

- Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.

- Type a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option.

- Type a command followed by an option and press the question mark (?) key to display a list of additional options available for that command option combination and a description of each option.

Command tree

Type tree to display the FortiManager CLI command tree. To capture the full output, connect to your device using a terminal emulation program, such as PuTTY, and capture the output to a log file. For config commands, use the tree command to view all available variables and sub-commands.

Command completion

You can use the tab key or the question mark (?) key to complete commands.

- You can press the tab key at any prompt to scroll through the options available for that prompt.

- You can type the first characters of any command and press the tab key or the question mark (?) key to complete the command or to scroll through the options that are available at the current cursor position.

- After completing the first word of a command, you can press the space bar and then the tab key to scroll through the options available at the current cursor position.

Recalling commands

You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.

Editing commands

Use the left and right arrow keys to move the cursor back and forth in a recalled command. You can also use the Backspace and Delete keys, and the control keys, to edit the command.

Function                                    Key combination
Beginning of line                           Control+A
End of line                                 Control+E
Back one character                          Control+B
Forward one character                       Control+F
Delete current character                    Control+D
Previous command                            Control+P
Next command                                Control+N
Abort the command                           Control+C
If used at the root prompt, exit the CLI    Control+C

Line continuation

To break a long command over multiple lines, use a \ at the end of each line.

Command abbreviation

You can abbreviate commands and command options to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated to g sy st.
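An added example, not code from the FortiManager CLI, of the abbreviation and completion rules described in the two sections above: expand() matches each word of an abbreviated command against a constructed subset of the command tree and accepts it only when the prefix is unambiguous, so g sy st becomes get system status; completions() lists the candidates the tab or ? key would offer for the last word. The command subset, the exact-match-first rule and the pass-through of trailing words as arguments are assumptions of the example.

```python
# Constructed subset of the FortiManager command tree (commands named on this
# page); a leaf is an empty dict, and any words after it are arguments.
COMMAND_TREE = {
    "config": {"system": {"admin": {"group": {}, "ldap": {}, "profile": {}, "user": {}},
                          "dns": {}, "global": {}, "interface": {}}},
    "get": {"system": {"admin": {"user": {}}, "dns": {}, "interface": {}, "status": {}}},
    "show": {"system": {"admin": {"user": {}}, "dns": {}, "interface": {}}},
    "execute": {"backup": {"all-settings": {}}, "console": {"baudrate": {}},
                "reboot": {}, "restore": {"all-settings": {}}},
    "diagnose": {},
}


def _resolve(word, node):
    """Return the single keyword of `node` that `word` abbreviates, or raise."""
    if word in node:                     # exact match wins (assumption of the example)
        return word
    matches = [k for k in node if k.startswith(word)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown keyword {word!r}; expected one of {sorted(node)}")
    raise ValueError(f"ambiguous {word!r}: {', '.join(sorted(matches))}")


def expand(abbrev, tree=COMMAND_TREE):
    """Expand 'g sy st' to ['get', 'system', 'status'].

    Words are resolved left to right; once a leaf is reached the remaining
    words are arguments (e.g. the interface name in 'g sy in port1') and are
    passed through unchanged.
    """
    node, out, words = tree, [], abbrev.split()
    for i, word in enumerate(words):
        if not node:
            out.extend(words[i:])
            break
        full = _resolve(word, node)
        out.append(full)
        node = node[full]
    return out


def completions(partial, tree=COMMAND_TREE):
    """Candidates for the last word of `partial`, as tab or ? would list them."""
    words = partial.split()
    node = tree
    for word in words[:-1]:
        node = node[_resolve(word, node)]
    last = words[-1] if words else ""
    return sorted(k for k in node if k.startswith(last))


if __name__ == "__main__":
    print(expand("g sy st"))              # ['get', 'system', 'status']
    print(completions("e re"))            # ['reboot', 'restore']
    try:
        expand("e re")
    except ValueError as exc:
        print("error:", exc)
```

The ambiguity error is the point: an abbreviation that matches two keywords is rejected rather than guessed, which is what the "smallest number of non-ambiguous characters" rule above requires.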

Environment variables

The FortiManager CLI supports several environment variables.

$USERFROM     The management access type (SSH, Telnet and so on) and the IP address of the logged in administrator.

$USERNAME     The user account name of the logged in administrator.

$SerialNum    The serial number of the FortiManager unit.

Variable names are case sensitive. In the following example, when entering the variable, you can type $ followed by a tab to auto-complete the variable to ensure that you have the exact spelling and case. Continue pressing tab until the variable you want to use is displayed.

config system global
    set hostname $SerialNum
end

Encrypted password support

After you enter a clear text password using the CLI, the FortiManager unit encrypts the password and stores it in the configuration file with the prefix ENC. For example:

show system admin user user1

config system admin user
    edit "user1"
        set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f
        set profileid "Standard_User"
    next
end

It is also possible to enter an already encrypted password. For example, type: config system admin then press Enter.

Type: edit user1 then press Enter.

Type: set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f then press Enter.

Type: end then press Enter.

Entering spaces in strings

When a string value contains a space, do one of the following:

- Enclose the string in quotation marks, "Security Administrator", for example.

- Enclose the string in single quotes, 'Security Administrator', for example.

- Use a backslash ("\") preceding the space, Security\ Administrator, for example.

Entering quotation marks in strings

If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.

Entering a question mark (?) in a string

If you want to include a question mark (?) in a string, you must precede the question mark with Control+V. Entering a question mark without first entering Control+V causes the CLI to display possible command completions, terminating the string.

International characters

The CLI supports international characters in strings.

Special characters

The characters <, >, (, ), #, ’, and " are not permitted in most CLI fields, but you can use them in passwords. If you use the apostrophe (‘) or quote (") character, you must precede it with a backslash (\) character when entering it in the CLI set command.

IP address formats

You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example, you can type either:

set ip 192.168.1.1 255.255.255.0

or

set ip 192.168.1.1/24

The IP address is displayed in the configuration file in dotted decimal format.

Editing the configuration file

You can change the FortiManager configuration by backing up the configuration file to an FTP, SCP, or SFTP server. You can then make changes to the file and restore it to the FortiManager unit.

1. Use the execute backup all-settings command to back up the configuration file to a TFTP server. For example:

execute backup all-settings ftp 10.10.0.1 mybackup.cfg myid mypass

2. Edit the configuration file using a text editor.


Related commands are listed together in the configuration file. You can edit the configuration by adding, changing, or deleting the CLI commands in the configuration file.

The first line of the configuration file contains information about the firmware version and FortiManager model. Do not edit this line. If you change this information the FortiManager unit will reject the configuration file when you attempt to restore it.

3. Use the execute restore all-settings command to copy the edited configuration file back to the FortiManager unit. For example:

execute restore all-settings ftp 10.10.0.1 mybackup.cfg myid mypass

The FortiManager unit receives the configuration file and checks to make sure the firmware version and model information is correct. If it is, the FortiManager unit loads the configuration file and checks each command for errors. If the FortiManager unit finds an error, an error message is displayed after the command and the command is rejected. The FortiManager unit then restarts and loads the new configuration.
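The following Python is an added example, not a Fortinet tool, covering the editing procedure above and the IP address formats section before it. It reads a configuration file of the config/edit/set/next/end form that show produces, keeps the first (firmware and model) line apart so that it can be verified unchanged after editing, converts a slash-bit set ip value to the dotted decimal form the file uses, and reports an unbalanced or mismatched block before a restore is attempted. The header line and the configuration content are constructed for the example; the real first-line format is not shown on this page. Requiring each edit entry to close with next and each config block with end follows the show output above and is an assumption of the checker.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed sample configuration, modelled on the show output on this page.
# The first line is a placeholder: the real file starts with a firmware
# version and model line whose format this page does not show.
SAMPLE_CONFIG = """\
#PLACEHOLDER-HEADER firmware version and model line (format not shown on the page)
config system dns
    set primary 172.39.139.53
    set secondary 172.39.139.63
end
config system interface
    edit "port1"
        set ip 10.2.115.5/16
        set allowaccess ping https ssh snmp telnet http webservice
    next
end
"""

# Constructed: a hand edit that dropped the `next` closing the port1 entry.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("    next\n", "")


@dataclass
class Node:
    kind: str                                      # "root", "config" or "edit"
    name: str
    settings: dict = field(default_factory=dict)   # keyword -> list of values
    children: dict = field(default_factory=dict)   # name -> Node


# Assumption of the checker, following the show output above:
# a config block closes with end, an edit entry with next.
CLOSER = {"config": "end", "edit": "next"}


def _normalise(keyword, values):
    """Store `set ip a.b.c.d/nn` as dotted decimal, as the unit displays it."""
    if keyword == "ip" and len(values) == 1 and "/" in values[0]:
        iface = ipaddress.ip_interface(values[0])
        return [str(iface.ip), str(iface.netmask)]
    return values


def parse_config(text):
    """Parse config/edit/set/unset/next/end lines into a Node tree.

    Returns (header_line, root). Raises ValueError for an unknown keyword or
    an unbalanced or mismatched block, the kind of defect a hand edit leaves.
    """
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty configuration file")
    header, root = lines[0], Node("root", "")
    stack = [root]
    for lineno, raw in enumerate(lines[1:], start=2):
        parts = shlex.split(raw)
        if not parts:
            continue
        cur, kw, args = stack[-1], parts[0], parts[1:]
        if kw == "config":
            name = " ".join(args)
            stack.append(cur.children.setdefault(name, Node("config", name)))
        elif kw == "edit" and len(args) == 1:
            stack.append(cur.children.setdefault(args[0], Node("edit", args[0])))
        elif kw == "set" and len(args) >= 2:
            cur.settings[args[0]] = _normalise(args[0], args[1:])
        elif kw == "unset" and len(args) == 1:
            cur.settings.pop(args[0], None)          # back to the default value
        elif kw in CLOSER.values():
            if cur.kind == "root" or CLOSER[cur.kind] != kw:
                raise ValueError(f"line {lineno}: unexpected '{kw}' (open block: {cur.kind} '{cur.name}')")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw.strip()!r}")
    if len(stack) > 1:
        raise ValueError(f"unterminated {stack[-1].kind} block '{stack[-1].name}'")
    return header, root


def _quote(value):
    return f'"{value}"' if (" " in value or not value) else value


def _emit(node, depth, out):
    pad = "    " * depth
    for key, values in node.settings.items():
        out.append(f"{pad}set {key} {' '.join(_quote(v) for v in values)}")
    for child in node.children.values():
        opener = f'edit "{child.name}"' if child.kind == "edit" else f"config {child.name}"
        out.append(pad + opener)
        _emit(child, depth + 1, out)
        out.append(pad + CLOSER[child.kind])


def serialize(header, root):
    """Write the tree back in the file's own form, header line first."""
    out = [header]
    _emit(root, 0, out)
    return "\n".join(out) + "\n"


def find(root, *path):
    """find(root, "system interface", "port1") -> the port1 Node."""
    node = root
    for step in path:
        node = node.children[step]
    return node


def header_preserved(original, edited):
    """True if the firmware/model line the restore is checked against is unchanged."""
    return original.splitlines()[0] == edited.splitlines()[0]


def lint_config(text):
    """Problems to fix before execute restore; an empty list means none found."""
    try:
        parse_config(text)
    except ValueError as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    header, root = parse_config(SAMPLE_CONFIG)
    find(root, "system dns").settings["secondary"] = ["172.39.139.64"]   # the hand edit
    edited = serialize(header, root)
    print(edited)
    print("header preserved:", header_preserved(SAMPLE_CONFIG, edited))
    print("broken file:", lint_config(BROKEN_CONFIG))
```

Run lint_config() and header_preserved() over the edited file before step 3: the unit rejects a changed header line outright and reports a malformed command only after it has started loading the file, so catching both on the workstation is cheaper than finding out after the restore.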

Changing the baud rate

Using execute console baudrate, you can change the default console connection baud rate.

Changing the default baud rate is not available on all models.

Debug log levels

The following table lists available debug log levels on your FortiManager.

Level   Type          Description
0       Emergency     Emergency: the system has become unusable.
1       Alert         Alert: immediate action is required.
2       Critical      Critical: functionality is affected.
3       Error         Error: an erroneous condition exists and functionality is probably affected.
4       Warning       Warning: function might be affected.
5       Notice        Notification of normal events.
6       Information   Information: general information about system operations.
7       Debug         Debugging: detailed information useful for debugging purposes.
8       Maximum       Maximum log level.

Administrative Domains

This chapter provides information about the ADOM functionality in FortiManager.

ADOMs overview

FortiManager can manage a large number of Fortinet devices. ADOMs enable administrators to manage only those devices that are specific to their geographic location or business division. This also includes FortiGate units with multiple configured VDOMs.

If ADOMs are enabled, each administrator account is tied to an administrative domain. When a particular administrator logs in, they see only those devices or VDOMs that have been enabled for their account. The one exception is the admin administrator account which can see and maintain all administrative domains and the devices within those domains.

Administrative domains are not enabled by default, and enabling and configuring the domains can only be performed by the admin administrator.

The default and maximum number of administrative domains you can add depends on the FortiManager system model. The table below outlines these limits.

Number of ADOMs/Network Devices per FortiManager model

FortiManager Model    Administrative Domains/Network Devices
FMG-100C              30/30
FMG-200D              30/30
FMG-300D              300/300
FMG-400B              300/300
FMG-400C              300/300
FMG-1000C             800/800
FMG-1000D             1000/1000
FMG-3000B             5000/5000
FMG-3000C             5000/5000
FMG-4000D             4000/4000
FMG-4000E             4000/4000
FMG-5001A             4000/4000
FMG-VM-Base           10/10
FMG-VM-10-UG          +10/+10
FMG-VM-100-UG         +100/+100
FMG-VM-1000-UG        +1000/+1000
FMG-VM-5000-UG        +5000/+5000
FMG-VM-U-UG           +10000/+10000

Configuring ADOMs

To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign existing FortiManager administrators to ADOMs.

Enabling ADOMs moves non-global configuration items to the root ADOM. Back up the FortiManager unit configuration before enabling ADOMs.

ADOMs must be enabled before adding FortiMail, FortiWeb, and FortiCarrier devices to the FortiManager system. FortiMail and FortiWeb devices are added to their respective pre-configured ADOMs.

In FortiManager version 5.0.3 or later, FortiGate and FortiCarrier devices can no longer be grouped into the same ADOM. FortiCarrier devices should be grouped into a dedicated FortiCarrier ADOM.

Within the CLI, you can enable ADOMs and set the administrator ADOM. To configure the ADOMs, you must use the Web-based Manager.

To enable or disable ADOMs:

Enter the following CLI command:

config system global
    set adom-status {enable | disable}
end

An administrative domain has two modes: normal and advanced. Normal mode is the default device mode. In normal mode, a FortiGate unit can only be added to a single administrative domain. In advanced mode, you can assign different VDOMs from the same FortiGate to multiple administrative domains.


Enabling the advanced mode option will result in a reduced operation mode and more complicated management scenarios. It is recommended only for advanced users.

To change ADOM device modes:

Enter the following CLI command:

config system global
    set adom-mode {advanced | normal}
end

To assign an administrator to an ADOM:

Enter the following CLI command:

config system admin user
    edit <name>
        set adom <adom_name>
    next
end

where <name> is the administrator user name and <adom_name> is the ADOM name.

Concurrent ADOM Access

System administrators can enable or disable concurrent access to the same ADOM if multiple administrators are responsible for managing a single ADOM. When enabled, multiple administrators can log in to the same ADOM concurrently. When disabled, only a single administrator has read/write access to the ADOM, while all other administrators have read-only access.

Concurrent ADOM access can be enabled or disabled using the CLI.

Concurrent ADOM access is enabled by default. This can cause conflicts if two administrators attempt to make configuration changes to the same ADOM concurrently.

To enable ADOM locking and disable concurrent ADOM access:

config system global
    set workspace-mode normal
end

To disable ADOM locking and enable concurrent ADOM access:

config system global
    set workspace-mode disable
Warning: disabling workspaces may cause some logged in users to lose their unsaved data. Do you want to continue? (y/n) y
end

To enable workspace workflow mode:

config system global
    set workspace-mode workflow
end

When workflow mode is enabled, the admin will have an extra option in the admin page under profile to allow the admin to approve or reject workflow requests.

system

Use system commands to configure options related to the overall operation of the FortiManager unit.

FortiManager CLI commands and variables are case sensitive.

admin

Use the following commands to configure administration related settings.

admin group

Use this command to add, edit, and delete administrative user groups.

Syntax

config system admin group
    edit <name>
        set <member>
    end

where <name> is the name of the group you are editing, and <member> are the group members.

admin ldap

Use this command to add, edit, and delete Lightweight Directory Access Protocol (LDAP) administrative users.

Syntax

config system admin ldap
    edit <name>
        set server {name_str | ip_str}
        set cnid <string>
        set dn <string>
        set port <integer>
        set type {anonymous | regular | simple}
        set username <string>
        set password <string>
        set group <string>
        set filter <query_string>
        set attributes <filter>
        set secure {disable | ldaps | starttls}
        set ca-cert <string>
        set connect-timeout <integer>
        set adom <adom-name>
    end

Variable                                Description

<name>
    Enter the name of the LDAP server or enter a new name to create an entry.

server {name_str | ip_str}
    Enter the LDAP server domain name or IP address. Enter a new name to create a new entry.

cnid <string>
    Enter the common name identifier. Default: cn

dn <string>
    Enter the distinguished name.

port <integer>
    Enter the port number for LDAP server communication. Default: 389

type {anonymous | regular | simple}
    Set a binding type:
    - anonymous: Bind using anonymous user search
    - regular: Bind using username/password and then search
    - simple: Simple password authentication without search
    Default: simple

username <string>
    Enter a username. This variable appears only when type is set to regular.

password <string>
    Enter a password for the username above. This variable appears only when type is set to regular.

group <string>
    Enter an authorization group. The authentication user must be a member of this group (full DN) on the server.

filter <query_string>
    Enter content for group searching. For example:
    - (&(objectcategory=group)(member=*))
    - (&(objectclass=groupofnames)(member=*))
    - (&(objectclass=groupofuniquenames)(uniquemember=*))
    - (&(objectclass=posixgroup)(memberuid=*))

attributes <filter>
    Attributes used for group searching (for multiple attributes, use a comma as a separator). For example:
    - member
    - uniquemember
    - member,uniquemember

secure {disable | ldaps | starttls}
    Set the SSL connection type:
    - disable: No SSL
    - ldaps: Use LDAPS
    - starttls: Use STARTTLS

ca-cert <string>
    CA certificate name. This variable appears only when secure is set to ldaps or starttls.

connect-timeout <integer>
    Set the LDAP connection timeout (msec).

adom <adom-name>
    Set the ADOM name to link to the LDAP configuration.

Example

This example shows how to add the LDAP administrative user user1 at the IP address 206.205.204.203.

config system admin ldap
    edit user1
        set server 206.205.204.203
        set dn techdoc
        set type regular
        set username auth1
        set password auth1_pwd
        set group techdoc
    end

admin profile

Use this command to configure access profiles. In a newly-created administrative profile, no access is enabled.

Syntax

config system admin profile
    edit <profile>
        set description <text>
        set type {restricted | system}
        set web-filter {enable | disable}
        set ips-filter {enable | disable}
        set app-filter {enable | disable}
        set scope
        set system-setting {none | read | read-write}
        set adom-switch {none | read | read-write}
        set global-policy-packages {none | read | read-write}
        set global-objects
        set assignment {none | read | read-write}
        set read-passwd {none | read | read-write}
        set device-manager {none | read | read-write}
        set device-config {none | read | read-write}
        set device-op {none | read | read-write}
        set device-profile {none | read | read-write}
        set policy-objects {none | read | read-write}
        set deploy-management {none | read | read-write}
        set config-retrieve {none | read | read-write}
        set term-access {none | read | read-write}
        set adom-policy-packages {none | read | read-write}
        set adom-policy-objects
        set vpn-manager {none | read | read-write}
        set realtime-monitor {none | read | read-write}
        set consistency-check {none | read | read-write}
        set faz-management
        set log-viewer {none | read | read-write}
        set report-viewer {none | read | read-write}
        set event-management {none | read | read-write}
        set change-password {enable | disable}
        set fgd_center {none | read | read-write}
        set workflow-approve {none | read | read-write}
        set network
        set admin
        set system
        set devices
        set alerts
        set dlp
        set quar
        set net-monitor
        set vuln-mgmt
        set reports
        set logs
    end

Variable                                Description

<profile>
    Edit the access profile. Enter a new name to create a new profile. The pre-defined access profiles are Super_User, Standard_User, Restricted_User, and Package_User.

description <text>
    Enter a description for this access profile. Enclose the description in quotes if it contains spaces. The description can be up to 1023 characters.

type {restricted | system}
    Enter the admin profile type. One of:
    - restricted: Restricted admin profile
    - system: System admin profile

web-filter {enable | disable}
    Enable/disable Web Filter Profile permission for the restricted admin profile.
    Dependencies: type must be set to restricted

ips-filter {enable | disable}
    Enable/disable Application Sensor permission for the restricted admin profile.
    Dependencies: type must be set to restricted

app-filter {enable | disable}
    Enable/disable IPS Sensor permission for the restricted admin profile.
    Dependencies: type must be set to restricted

scope
    (Not Applicable) CLI command is not in use.

system-setting {none | read | read-write}
    Configure System Settings permissions for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the System Settings option in the Web-based Manager administrator profile.
    Controlled functions: System Settings tab, all the settings under System Settings
    Dependencies: type must be set to system

adom-switch {none | read | read-write}
    Configure administrative domain (ADOM) permissions for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    Controlled functions: ADOM settings in DVM, ADOM settings in All ADOMs page (under System Settings tab)
    Dependencies: If system-setting is none, the All ADOMs page is not accessible; type must be set to system

global-policy-packages {none | read | read-write}
    Configure global policy package permissions for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Global Policy Packages & Objects option in the Web-based Manager administrator profile. This is a sub-setting of policy-objects.
    Controlled functions: All operations in Global ADOM
    Dependencies: type must be set to system

assignment {none | read | read-write}
    Configure assignment permissions for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Assignment option in the Web-based Manager administrator profile. This is a sub-setting of policy-objects.
    Controlled functions: Global assignment in Global ADOM
    Dependencies: type must be set to system

read-passwd {none | read | read-write}
    Add the capability to view the authentication password in clear text to this profile.
    Dependencies: type must be set to system

device-manager {none | read | read-write}
    Enter the level of access to Device Manager settings for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Device Manager option in the Web-based Manager administrator profile.
    Controlled functions: Device Manager tab
    Dependencies: type must be set to system

device-config {none | read | read-write}
    Enter the level of access to device configuration settings for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Manage Device Configuration option in the Web-based Manager administrator profile. This is a sub-setting of device-manager.
    Controlled functions: Edit devices, all settings under Menu in Dashboard
    Dependencies: type must be set to system

device-op {none | read | read-write}
    Add the capability to add, delete, and edit devices to this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Add/Delete Devices/Groups option in the Web-based Manager administrator profile. This is a sub-setting of device-manager.
    Controlled functions: Add or delete devices or groups
    Dependencies: type must be set to system

device-profile {none | read | read-write}
    Configure device profile permissions for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the System Templates option in the Web-based Manager administrator profile. This is a sub-setting of device-manager.
    Controlled functions: Provisioning Templates
    Dependencies: type must be set to system

policy-objects {none | read | read-write}
    This command corresponds to the Policy & Objects option in the Web-based Manager administrator profile.
    Controlled functions: Policy & Objects tab
    Dependencies: type must be set to system

deploy-management {none | read | read-write}
    Enter the level of access to the deployment management configuration settings for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Install to Devices option in the Web-based Manager administrator profile. This is a sub-setting of device-manager.
    Controlled functions: Install to devices
    Dependencies: type must be set to system

49 CLI Reference

Fortinet Technologies Inc.

admin system

config-retrieve {none | read | read-write}
    Set the configuration retrieve settings for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Retrieve Configuration from Devices option in the Web-based Manager administrator profile. This is a sub-setting of device-manager.
    Controlled functions: Retrieve configuration from devices
    Dependencies: deploy-management must be set to read-write for config-retrieve to be set to read-write; type must be set to system

term-access {none | read | read-write}
    Set the terminal access permissions for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Terminal Access option in the Web-based Manager administrator profile. This is a sub-setting of device-manager.
    Controlled functions: Connect to the CLI via Telnet or SSH. This gives the holder an interactive CLI session on the managed device, so grant it with the same care as device-config read-write.
    Dependencies: Depends on the device-config option; type must be set to system

adom-policy-packages {none | read | read-write}
    Enter the level of access to ADOM policy packages for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Policy Packages & Objects option in the Web-based Manager administrator profile. This is a sub-setting of policy-objects.
    Controlled functions: All the operations in ADOMs
    Dependencies: Install and re-install depend on Install to Devices in DVM settings; type must be set to system

vpn-manager {none | read | read-write}
    Enter the level of access to VPN console configuration settings for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the VPN Manager option in the Web-based Manager administrator profile. This is a sub-setting of policy-objects.
    Controlled functions: VPN Console
    Dependencies: VPN Management must be configured as Central VPN Console at ADOM level and must be enabled in System Settings > Admin settings; type must be set to system

realtime-monitor {none | read | read-write}
    Enter the level of access to the Drill Down configuration settings for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Drill Down option in the Web-based Manager administrator profile.
    Controlled functions: Drill Down tab and all its operations
    Dependencies: faz-status must be set to enable in system global; type must be set to system

consistency-check {none | read | read-write}
    Configure Policy Check permissions for this profile. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Policy Check option in the Web-based Manager administrator profile. This is a sub-setting of policy-objects.
    Controlled functions: Policy check
    Dependencies: type must be set to system

log-viewer {none | read | read-write}
    Set the Log View permission. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Log View option in the Web-based Manager administrator profile.
    Controlled functions: Log View tab and all its operations
    Dependencies: faz-status must be set to enable in system global; type must be set to system

report-viewer {none | read | read-write}
    Set the Reports permission. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Reports option in the Web-based Manager administrator profile.
    Controlled functions: Reports tab and all its operations
    Dependencies: faz-status must be set to enable in system global; type must be set to system

event-management {none | read | read-write}
    Set the Event Management permission. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the Event Management option in the Web-based Manager administrator profile.
    Controlled functions: Event Management tab and all its operations
    Dependencies: faz-status must be set to enable in system global; type must be set to system

change-password {enable | disable}
    Enable/disable allowing administrators with this profile to change their own password.

fgd_center {none | read | read-write}
    Set the FortiGuard Center permission. Type none to hide this option from the administrator in the Web-based Manager.
    This command corresponds to the FortiGuard Center option in the Web-based Manager administrator profile.
    Controlled functions: FortiGuard tab, All the settings under FortiGuard
    Dependencies: type must be set to system

workflow-approve {none | read | read-write}
    Set the workspace workflow permission to approve workflow session requests. Type one of the following settings:
    - none: No permission.
    - read: Read permission.
    - read-write: Read-write permission.
    Dependencies: type must be set to system

adom-policy-objects
    CLI command is not in use.

global-objects, faz-management, network, admin, system, devices, alerts, dlp, quar, net-monitor, vuln-mgmt, reports, logs
    CLI command is not in use (applies to each of these variables).

admin radius

Use this command to add, edit, and delete administration RADIUS servers.

Syntax

config system admin radius
    edit <server>
        set auth-type <auth_prot_type>
        set nas-ip <ip>
        set port <integer>
        set secondary-secret <password_string>
        set secondary-server <string>
        set secret <password_string>
        set server <string>
    end

<server>
    Enter the name of the RADIUS server or enter a new name to create an entry.

auth-type <auth_prot_type>
    Enter the authentication protocol the RADIUS server will use:
    - any: use any supported authentication protocol
    - mschap2
    - chap
    - pap
    With pap the password crosses the network protected only by the RADIUS shared-secret obfuscation; chap and mschap2 use a challenge-response exchange and are the better choice when the server supports them.

nas-ip <ip>
    Enter the NAS IP address.

port <integer>
    Enter the RADIUS server port number.
    Default: 1812

secondary-secret <password_string>
    Enter the shared secret used with the RADIUS secondary-server.

secondary-server <string>
    Enter the RADIUS secondary-server DNS resolvable domain name or IP address.

secret <password_string>
    Enter the shared secret used with the RADIUS server.

server <string>
    Enter the RADIUS server DNS resolvable domain name or IP address.

Example

This example shows how to add the RADIUS server RAID1 at the IP address 206.205.204.203 and set the shared secret to R1a2D3i4U5s.

config system admin radius
    edit RAID1
        set server 206.205.204.203
        set secret R1a2D3i4U5s
    end

admin setting

Use this command to configure system administration settings, including web administration ports, timeout, and language.

Syntax

config system admin setting
    set access-banner {enable | disable}
    set admin-https-redirect {enable | disable}
    set admin_server_cert <admin_server_cert>
    set allow_register {enable | disable}
    set auto-update {enable | disable}
    set banner-message <string>
    set chassis-mgmt {enable | disable}
    set chassis-update-interval <integer>
    set demo-mode {enable | disable}
    set device_sync_status {enable | disable}
    set http_port <integer>
    set https_port <integer>
    set idle_timeout <integer>
    set install-ifpolicy-only {enable | disable}
    set mgmt-addr <string>
    set mgmt-fqdn <string>
    set offline_mode {enable | disable}
    set register_passwd <password_string>
    set show-add-multiple {enable | disable}
    set show-adom-central-nat-policies {enable | disable}
    set show-adom-devman {enable | disable}
    set show-adom-dos-policies {enable | disable}
    set show-adom-dynamic-objects {enable | disable}
    set show-adom-icap-policies {enable | disable}
    set show-adom-implicit-policy {enable | disable}
    set show-adom-implicit-id-based-policy {enable | disable}
    set show-adom-ipv6-settings {enable | disable}
    set show-adom-policy-consistency-button {enable | disable}
    set show-adom-rtmlog {enable | disable}
    set show-adom-sniffer-policies {enable | disable}
    set show-adom-taskmon-button {enable | disable}
    set show-adom-terminal-button {enable | disable}
    set show-adom-voip-policies {enable | disable}
    set show-adom-vpnman {enable | disable}
    set show-adom-web-portal {enable | disable}
    set show-checkbox-in-table {enable | disable}
    set show-device-import-export {enable | disable}
    set show-foc-settings {enable | disable}
    set show-fortimail-settings {enable | disable}
    set show-fsw-settings {enable | disable}
    set show-global-object-settings {enable | disable}
    set show-global-policy-settings {enable | disable}
    set show_automatic_script {enable | disable}
    set show_grouping_script {enable | disable}
    set show_schedule_script {enable | disable}
    set show_tcl_script {enable | disable}
    set unreg_dev_opt {add_allow_service | add_no_service | ignore}
    set webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}
end

access-banner {enable | disable}
    Enable/disable the access banner.
    Default: disable

admin-https-redirect {enable | disable}
    Enable/disable redirection of HTTP admin traffic to HTTPS. Enable it so that an administrator who connects to http_port is moved to HTTPS instead of submitting credentials in the clear.

admin_server_cert <admin_server_cert>
    Enter the name of an HTTPS server certificate to use for secure connections.
    Default: server.crt

allow_register {enable | disable}
    Enable/disable allowing unregistered devices to be registered.
    Default: disable

auto-update {enable | disable}
    Enable/disable device config auto update.

banner-message <string>
    Type the banner message. Maximum of 255 characters.
    Default: none

chassis-mgmt {enable | disable}
    Enable/disable chassis management.
    Default: disable

chassis-update-interval <integer>
    Set the chassis background update interval (4 - 1440 minutes).
    Default: 15

demo-mode {enable | disable}
    Enable/disable demo mode.
    Default: disable

device_sync_status {enable | disable}
    Enable/disable device synchronization status indication.
    Default: enable

http_port <integer>
    Enter the HTTP port number for web administration.
    Default: 80

https_port <integer>
    Enter the HTTPS port number for web administration.
    Default: 443

idle_timeout <integer>
    Enter the idle timeout value. The range is from 1 to 480 minutes.
    Default: 5

install-ifpolicy-only {enable | disable}
    Enable to allow only the interface policy to be installed.
    Default: disable

mgmt-addr <string>
    FQDN or IP address of the FortiManager used by FGFM.

mgmt-fqdn <string>
    FQDN of the FortiManager used by FGFM.

offline_mode {enable | disable}
    Enable/disable offline mode, which shuts down the protocol used to communicate with managed devices.
    Default: disable

register_passwd <password_string>
    Enter the password to use when registering a device.

show-add-multiple {enable | disable}
    Show the add multiple button.

show-adom-central-nat-policies {enable | disable}
    Show ADOM central NAT policy settings in the Web-based Manager.
    Default: disable

show-adom-devman {enable | disable}
    Enable/disable ADOM device manager tools in the Web-based Manager.
    Default: disable

show-adom-dos-policies {enable | disable}
    Enable/disable ADOM DoS policy settings in the Web-based Manager.
    Default: disable

show-adom-dynamic-objects {enable | disable}
    Enable/disable ADOM dynamic object settings in the Web-based Manager.
    Default: enable

show-adom-icap-policies {enable | disable}
    Enable/disable the ADOM ICAP policy settings in the Web-based Manager.

show-adom-implicit-policy {enable | disable}
    Enable/disable the ADOM implicit policy settings in the Web-based Manager.

show-adom-implicit-id-based-policy {enable | disable}
    Enable/disable the ADOM implicit ID based policy settings in the Web-based Manager.

show-adom-ipv6-settings {enable | disable}
    Enable/disable ADOM IPv6 settings in the Web-based Manager.
    Default: disable

show-adom-policy-consistency-button {enable | disable}
    Enable/disable the ADOM banner button Policy Consistency in the Web-based Manager.
    Default: disable

show-adom-rtmlog {enable | disable}
    Enable/disable ADOM RTM device log in the Web-based Manager.
    Default: disable

show-adom-sniffer-policies {enable | disable}
    Enable/disable ADOM sniffer policy settings in the Web-based Manager.
    Default: disable

show-adom-taskmon-button {enable | disable}
    Enable/disable the ADOM banner button Task Monitor in the Web-based Manager.
    Default: enable

show-adom-terminal-button {enable | disable}
    Enable/disable the ADOM banner button Terminal in the Web-based Manager.
    Default: enable

show-adom-voip-policies {enable | disable}
    Enable/disable ADOM VoIP policy settings in the Web-based Manager.

show-adom-vpnman {enable | disable}
    Enable/disable ADOM VPN manager in the Web-based Manager.
    Default: enable

show-adom-web-portal {enable | disable}
    Enable/disable ADOM web portal settings in the Web-based Manager.
    Default: disable

show-checkbox-in-table {enable | disable}
    Enable/disable showing checkboxes in tables in the Web-based Manager.

show-device-import-export {enable | disable}
    Enable import/export of ADOM, device, and group lists.

show-foc-settings {enable | disable}
    Enable/disable FortiCarrier settings in the Web-based Manager.
    Default: disable

show-fortimail-settings {enable | disable}
    Enable/disable FortiMail settings in the Web-based Manager.
    Default: disable

show-fsw-settings {enable | disable}
    Enable/disable FortiSwitch settings in the Web-based Manager.
    Default: disable

show-global-object-settings {enable | disable}
    Enable/disable global object settings in the Web-based Manager.
    Default: enable

show-global-policy-settings {enable | disable}
    Enable/disable global policy settings in the Web-based Manager.
    Default: enable

show_automatic_script {enable | disable}
    Enable/disable automatic scripts.

show_grouping_script {enable | disable}
    Enable/disable grouping scripts.

show_schedule_script {enable | disable}
    Enable/disable scheduled scripts.

show_tcl_script {enable | disable}
    Enable/disable TCL scripts.

unreg_dev_opt {add_allow_service | add_no_service | ignore}
    Type the action to take when an unregistered device connects to FortiManager:
    - add_allow_service: Add unregistered devices and allow service requests (default value).
    - add_no_service: Add unregistered devices and deny service requests.
    - ignore: Ignore unregistered devices.
    With the default, any device that can reach the management interface is added and served before an administrator has looked at it; on an exposed interface prefer add_no_service or ignore.

webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}
    Enter the language to be used for web administration.
    Default: auto_detect

admin tacacs

Use this command to add, edit, and delete administration TACACS+ servers.

Syntax

config system admin tacacs
    edit <name>
        set authen-type <auth_prot_type>
        set authorization {enable | disable}
        set key <password_string>
        set port <integer>
        set secondary-key <password_string>
        set secondary-server <string>
        set server <string>
        set tertiary-key <password_string>
        set tertiary-server <string>
    end

<name>
    Enter the name of the TACACS+ server or enter a new name to create an entry.

authen-type <auth_prot_type>
    Choose which authentication type to use.
    Default: auto

authorization {enable | disable}
    Enable/disable TACACS+ authorization.

key <password_string>
    Key to access the server.

port <integer>
    Port number of the TACACS+ server.

secondary-key <password_string>
    Key to access the secondary server.

secondary-server <string>
    Secondary server domain name or IP.

server <string>
    The server domain name or IP.

tertiary-key <password_string>
    Key to access the tertiary server.

tertiary-server <string>
    Tertiary server domain name or IP.

Example

This example shows how to add the TACACS+ server TAC1 at the IP address 206.205.204.203 and set the key to R1a2D3i4U5s.

config system admin tacacs
    edit TAC1
        set server 206.205.204.203
        set key R1a2D3i4U5s
    end

admin user

Use this command to add, edit, and delete administrator accounts.

Use the admin account or an account with System Settings read and write privileges to add new administrator accounts and control their permission levels. Each administrator account must include a minimum of an access profile.

The access profile list is ordered alphabetically, capitals first. If custom profiles are defined, it may change the default profile from Restricted_User. You cannot delete the admin administrator account. You cannot delete an administrator account if that user is logged on.

You can create meta-data fields for administrator accounts. These objects must be created using the FortiManager Web-based Manager. The only information you can add to the object is the value of the field (pre-determined text/numbers). For more information, see System Settings in the FortiManager 5.0.10 Administration Guide.

Syntax

config system admin user
    edit <name_str>
        set password <password_string>
        set change-password {enable | disable}
        set trusthost1 <ipv4_mask>
        set trusthost2 <ipv4_mask>
        set trusthost3 <ipv4_mask>
        ...
        set trusthost10 <ipv4_mask>
        set ipv6_trusthost1 <ipv6_mask>
        set ipv6_trusthost2 <ipv6_mask>
        set ipv6_trusthost3 <ipv6_mask>
        ...
        set ipv6_trusthost10 <ipv6_mask>
        set profileid <profile-name>
        set adom <adom_name(s)>
        set web-filter <Web Filter profile name>
        set ips-filter <IPS Sensor name>
        set app-filter <Application Sensor name>
        set policy-package {<adom name>: <policy package id> <adom policy folder name>/<package name> | all_policy_packages}
        set restrict-access {enable | disable}
        set description <string>
        set user_type {group | ldap | local | pki-auth | radius | tacacs-plus}
        set group <string>
        set ldap-server <string>
        set radius_server <string>
        set tacacs-plus-server <string>
        set ssh-public-key1 <key-type> <key-value>
        set ssh-public-key2 <key-type> <key-value>
        set ssh-public-key3 <key-type> <key-value>
        set wildcard {enable | disable}
        set radius-accprofile-override {enable | disable}
        set radius-adom-override {enable | disable}
        set radius-group-match <string>
        set password-expire <yyyy-mm-dd>
        set force-password-change {enable | disable}
        set subject <string>
        set ca <string>
        set two-factor-auth {enable | disable}
        set last-name <string>
        set first-name <string>
        set email-address <string>
        set phone-number <string>
        set mobile-number <string>
        set pager-number <string>
        config meta-data
            edit <fieldname>
                set fieldlength
                set fieldvalue <string>
                set importance
                set status
            end
        config dashboard-tabs
            edit tabid <integer>
                set name <string>
            end
        config dashboard
            edit moduleid
                set name <string>
                set column <column_position>
                set refresh-inverval <integer>
                set status {close | open}
                set tabid <integer>
                set widget-type <string>
                set log-rate-type {device | log}
                set log-rate-topn {1 | 2 | 3 | 4 | 5}
                set log-rate-period {1hour | 2min | 6hours}
                set res-view-type {history | real-time}
                set res-period {10min | day | hour}
                set res-cpu-display {average | each}
                set num-entries <integer>
                set time-period <integer>
            end
        config restrict-dev-vdom
            edit dev-vdom <string>
            end
    end

password <password_string>
    Enter a password for the administrator account. For improved security, the password should be at least 6 characters long; treat that as a floor and prefer a longer passphrase. This variable is available only if user_type is local.

change-password {enable | disable}
    Enable/disable allowing the admin user to change their own password.

trusthost1 <ipv4_mask>
trusthost2 <ipv4_mask>
trusthost3 <ipv4_mask>
...
trusthost10 <ipv4_mask>
    Optionally, type the trusted host IPv4 address and network mask from which the administrator can log in to the FortiManager system. You can specify up to ten trusted hosts.
    Setting trusted hosts for all of your administrators can enhance the security of your system.
    Defaults:
    - trusthost1: 0.0.0.0 0.0.0.0 (all hosts)
    - all others: 255.255.255.255 255.255.255.255 (no hosts)
    Because the first slot defaults to all hosts, an account with no trusthost configured accepts logins from any IPv4 address.

ipv6_trusthost1 <ipv6_mask>
ipv6_trusthost2 <ipv6_mask>
ipv6_trusthost3 <ipv6_mask>
...
ipv6_trusthost10 <ipv6_mask>
    Optionally, type the trusted host IPv6 address from which the administrator can log in to the FortiManager system. You can specify up to ten trusted hosts.
    Setting trusted hosts for all of your administrators can enhance the security of your system.
    Defaults:
    - ipv6_trusthost1: ::/0 (all hosts)
    - all others: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 (no hosts)
    Per these defaults the IPv4 and IPv6 lists are independent: restricting trusthost1 alone leaves ipv6_trusthost1 at ::/0, so set both when the unit has an IPv6 management address.

profileid <profile-name>
    Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiManager features.
    Default: Restricted_User

adom <adom_name(s)>
    Enter the name(s) of the ADOM(s) the administrator belongs to. Any configuration of ADOMs takes place via the FortiManager Web-based Manager.

web-filter <Web Filter profile name>
    Enter the Web Filter profile to associate with the restricted admin profile.
    Dependencies: The admin user must be associated with a restricted admin profile.

ips-filter <IPS Sensor name>
    Enter the IPS Sensor to associate with the restricted admin profile.
    Dependencies: The admin user must be associated with a restricted admin profile.

app-filter <Application Sensor name>
    Enter the Application Sensor to associate with the restricted admin profile.
    Dependencies: The admin user must be associated with a restricted admin profile.

policy-package {<adom name>: <policy package id> <adom policy folder name>/<package name> | all_policy_packages}
    Policy package access: limit the administrator to one policy package (by ADOM, package ID and folder/name) or allow all_policy_packages.

restrict-access {enable | disable}
    Enable/disable restricting this administrator to the devices and VDOMs listed in the restrict-dev-vdom subcommand.
    Default: disable

description <string>
    Enter a description for this administrator account. When using spaces, enclose the description in quotes.

user_type {group | ldap | local | pki-auth | radius | tacacs-plus}
    Enter local if the FortiManager system verifies the administrator's password. Enter radius, ldap or tacacs-plus if the named remote server verifies it. The remaining values are pki-auth (certificate authentication; see subject, ca and two-factor-auth) and group.
    Default: local

group <string>
    Enter the group name.

ldap-server <string>
    Enter the LDAP server name if the user type is set to ldap.

radius_server <string>
    Enter the RADIUS server name if the user type is set to radius.

tacacs-plus-server <string>
    Enter the TACACS+ server name if the user type is set to tacacs-plus.

ssh-public-key1 <key-type> <key-value>
ssh-public-key2 <key-type> <key-value>
ssh-public-key3 <key-type> <key-value>
    You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.
    - <key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key.
    - <key-value> is the public key string of the SSH client.
    Prefer ssh-rsa: DSA keys are limited to 1024 bits and current OpenSSH clients disable ssh-dss by default. Remove a key when its client host is retired, since it grants password-less access.

wildcard {enable | disable}
    Enable/disable wildcard remote authentication.

radius-accprofile-override {enable | disable}
    Enable/disable allowing the access profile to be overridden from RADIUS.

radius-adom-override {enable | disable}
    Enable/disable allowing the ADOM to be overridden from RADIUS.

radius-group-match <string>
    Only administrators that belong to this group are allowed to log in.

password-expire <yyyy-mm-dd>
    When enforcing the password policy, enter the date on which the current password will expire.

force-password-change {enable | disable}
    Enable/disable forcing a password change on next login.

subject <string>
    PKI user certificate name constraints.
    This command is available when a PKI administrator account is configured.

ca <string>
    PKI user certificate CA (CA name in local).
    This command is available when a PKI administrator account is configured.

two-factor-auth {enable | disable}
    Enable/disable two-factor authentication (certificate + password).
    This command is available when a PKI administrator account is configured.

last-name <string>
    Administrator's last name.

first-name <string>
    Administrator's first name.

email-address <string>
    Administrator's email address.

phone-number <string>
    Administrator's phone number.

mobile-number <string>
    Administrator's mobile phone number.

pager-number <string>
    Administrator's pager number.

Variable for config meta-data subcommand

This subcommand can only change the value of an existing field. To create a new meta-data field, use the config metadata command.

fieldname
    The label/name of the field. Read-only.

fieldlength
    The maximum number of characters allowed for this field. Read-only.
    Default: 50

fieldvalue <string>
    Enter a pre-determined value for the field. This is the only value that can be changed with the config meta-data subcommand.

importance
    Indicates whether the field is compulsory (required) or optional. Read-only.
    Default: optional

status
    For display only. Value cannot be changed.
    Default: enable

Variable for config dashboard-tabs subcommand

tabid <integer>
    Tab ID.

name <string>
    Tab name.

Variable for config dashboard subcommand

moduleid
    Widget ID:
    1: System Information
    2: System Resources
    3: License Information
    4: Unit Operation
    5: Alert Message Console
    6: CLI Console
    7: Log Receive Monitor
    8: Statistics
    9: Logs/Data Received

name <string>
    Widget name.

column <column_position>
    Widget's column ID.
    Default: 0

refresh-inverval <integer>
    Widget's refresh interval.
    Default: 300

status {close | open}
    Widget's opened/closed status.
    Default: open

tabid <integer>
    ID of the tab where the widget is displayed.
    Default: 0

widget-type <string>
    Widget type.

log-rate-type {device | log}
    Log receive monitor widget's statistics breakdown options.

log-rate-topn {1 | 2 | 3 | 4 | 5}
    Log receive monitor widget's number of top items to display.

log-rate-period {1hour | 2min | 6hours}
    Log receive monitor widget's data period.

res-view-type {history | real-time}
    Widget's data view type.

res-period {10min | day | hour}
    Widget's data period.

res-cpu-display {average | each}
    Widget's CPU display type.

num-entries <integer>
    Number of entries.

time-period <integer>
    Time period.

Variable for config restrict-dev-vdom subcommand

dev-vdom <string>
    Enter the device or VDOM to which the administrator is restricted.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiManager system does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply both to the Web-based Manager and to the CLI when accessed through SSH. CLI access through the console connector is not affected.

Example

Use the following commands to add a new administrator account named admin_2 with the password set to p8ssw0rd and the Super_User access profile. Because no trusted host is set, trusthost1 stays at its default of 0.0.0.0 0.0.0.0 and administrators that log in to this account will have administrator access to the FortiManager system from any IP address.

config system admin user
    edit admin_2
        set description "Backup administrator"
        set password p8ssw0rd
        set profileid Super_User
    end
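The audit a practitioner wants after reading the trusted-host defaults is the one those defaults make necessary: show output in the FortiOS style lists only non-default values (an assumption this script makes), so the account without a trusthost line is the unrestricted one, and the IPv4 and IPv6 slot-1 defaults are independent of each other. The Python below is an added example written for this edit, not FortiManager code. It parses a constructed dump of config system admin setting and config system admin user (modelled on the syntax in this section, not captured from a unit), applies the defaults stated above, answers whether a given source address would pass an account's trusted-host check, and lists unrestricted accounts together with the weaker admin settings described earlier (admin-https-redirect, allow_register, unreg_dev_opt, idle_timeout). MAX_IDLE_MINUTES and the wording of the findings are this example's own choices.

```python
"""Audit a FortiManager 'show system admin' dump for weak administrative-access
settings. Added example for this reference, not FortiManager code; the dump
below is constructed from the syntax documented here, not captured output."""
import ipaddress

# Defaults as stated in this reference: slot 1 means "all", the other slots "none".
V4_ALL, V4_NONE = "0.0.0.0 0.0.0.0", "255.255.255.255 255.255.255.255"
V6_ALL, V6_NONE = "::/0", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"
MAX_IDLE_MINUTES = 30   # assumed local policy threshold, not a FortiManager default

# Constructed sample; 'show' is assumed to print only non-default values.
SAMPLE_SHOW = """\
config system admin setting
    set admin-https-redirect disable
    set allow_register enable
    set unreg_dev_opt add_allow_service
    set idle_timeout 480
end
config system admin user
    edit "admin"
        set profileid "Super_User"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "admin_2"
        set description "Backup administrator"
        set profileid "Super_User"
    next
    edit "helpdesk"
        set profileid "Restricted_User"
        set trusthost1 255.255.255.255 255.255.255.255
        set ipv6_trusthost1 2001:db8:1::/64
    next
end
"""


def parse_show(text):
    """Parse the top-level 'setting' and 'user' tables into dicts. Nested
    subtables (meta-data, dashboard, ...) are skipped; a missing key means
    the value is at its default."""
    setting, users, section, current, depth = {}, {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:                       # which top-level table is this?
                section = line.split()[-1]
                current = setting if section == "setting" else None
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = current = None
        elif depth != 1:                         # inside a nested subtable: ignore
            continue
        elif section == "user" and line.startswith("edit "):
            current = users.setdefault(line[5:].strip().strip('"'), {})
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return {"setting": setting, "users": users}


def trusted_networks(user):
    """Source networks an account may log in from, with the slot defaults applied."""
    nets = []
    for i in range(1, 11):
        v4 = user.get(f"trusthost{i}", V4_ALL if i == 1 else V4_NONE)
        if v4 != V4_NONE:
            addr, _, mask = v4.partition(" ")
            nets.append(ipaddress.IPv4Network((addr, mask), strict=False))
        v6 = user.get(f"ipv6_trusthost{i}", V6_ALL if i == 1 else V6_NONE)
        if v6 != V6_NONE:
            nets.append(ipaddress.IPv6Network(v6, strict=False))
    return nets


def is_trusted(user, source_ip):
    """True if a login from source_ip would pass this account's trusted-host check."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in trusted_networks(user) if net.version == ip.version)


def audit(text):
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    cfg, findings = parse_show(text), []
    s = cfg["setting"]
    if s.get("admin-https-redirect") == "disable":
        findings.append("setting: HTTP admin traffic is not redirected to HTTPS")
    if s.get("allow_register", "disable") == "enable":
        findings.append("setting: unregistered devices may register themselves")
    if s.get("unreg_dev_opt", "add_allow_service") == "add_allow_service":
        findings.append("setting: unregistered devices are added and served (default)")
    if int(s.get("idle_timeout", "5")) > MAX_IDLE_MINUTES:
        findings.append(f"setting: idle_timeout above {MAX_IDLE_MINUTES} minutes")
    for name, user in cfg["users"].items():
        for net in trusted_networks(user):
            if net.prefixlen == 0:               # 0.0.0.0/0 or ::/0: slot 1 left at default
                findings.append(f"{name}: reachable from any IPv{net.version} source")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW):
        print(finding)
```

Run it as a script to print the findings for the sample, or pass the text of show system admin setting and show system admin user captured from a unit to audit(). For the sample it reports admin_2 (no trusted host at all) and also admin, whose IPv4 list is restricted but whose IPv6 slot 1 is still ::/0; helpdesk, which set the IPv4 slot to none and an IPv6 prefix, is clean.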

alert-console

Use this command to configure the alert console options. The alert console appears on the dashboard in the Web-based Manager.

Syntax

config system alert-console
    set period <integer>
    set severity-level {information | notify | warning | error | critical | alert | emergency}
end

period <integer>
    Enter the number of days to keep the alert console information on the dashboard, between 1 and 7.
    Default: 7

severity-level {information | notify | warning | error | critical | alert | emergency}
    Enter the severity level to display on the alert console on the dashboard.

Example

This example sets the alert console message display to warning for a duration of three days.

config system alert-console
    set period 3
    set severity-level warning
end

alert-event

Use alert-event commands to configure the FortiManager unit to monitor logs for log messages with certain severity levels, or for information within the logs. If such a message appears in the logs, the FortiManager unit sends an email, SNMP trap or syslog message to the predefined recipient(s). Alert event messages provide immediate notification of issues occurring on the FortiManager unit.

When configuring an alert email, you must configure at least one DNS server. The FortiManager unit uses the SMTP server name to connect to the mail server and must look up this name on your DNS server.

alert-event was removed from the Web-based Manager in version 5.0.3. This command has been kept in the CLI for customers who previously configured this function.
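The threshold logic behind num-events, event-time-period, severity-level-logs, severity-level-comp and generic-text (all listed in the syntax below) is easier to reason about in code than in prose. The Python below is an added example written for this edit, a model of the semantics described in this section rather than FortiManager's own alerting code. The rule and the log lines are constructed; the severity ordering follows the list in the syntax (information lowest, emergency highest), and clearing the window after each report is this model's own choice.

```python
"""Evaluate an alert-event rule against log lines. Added example for this
reference, modelling the threshold semantics described here; it is not
FortiManager's alerting code, and the rule and log lines are constructed."""
from datetime import datetime, timedelta

# Severity order as listed in this reference, lowest first.
LEVELS = ["information", "notify", "warning", "error", "critical", "alert", "emergency"]
COMPARE = {">=": lambda a, b: a >= b, "=": lambda a, b: a == b, "<=": lambda a, b: a <= b}

# Constructed rule keyed by the alert-event variable names documented here:
# report when five messages at error or above that mention "login" arrive
# within half an hour.
RULE = {
    "severity-level-logs": "error",
    "severity-level-comp": ">=",
    "enable-generic-text": "enable",
    "generic-text": "login",
    "num-events": 5,
    "event-time-period": 0.5,   # hours
}

# Constructed log lines in the form "<date> <time> level=<level> msg=<text>".
SAMPLE_LOGS = """\
2015-01-29 10:00:05 level=error msg=admin login failed from 203.0.113.9
2015-01-29 10:01:10 level=warning msg=admin login failed from 203.0.113.9
2015-01-29 10:02:15 level=error msg=admin login failed from 203.0.113.9
2015-01-29 10:03:20 level=critical msg=admin login failed from 203.0.113.9
2015-01-29 10:04:25 level=error msg=config changed by admin
2015-01-29 10:05:30 level=alert msg=admin login failed from 203.0.113.9
2015-01-29 10:06:35 level=error msg=admin login failed from 203.0.113.9
2015-01-29 10:40:00 level=error msg=admin login failed from 203.0.113.9
2015-01-29 10:41:00 level=error msg=admin login failed from 203.0.113.9
"""


def parse_log(text):
    """Turn each sample line into {'time': datetime, 'level': str, 'msg': str}."""
    entries = []
    for line in text.splitlines():
        date, time, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split(" ", 1))
        entries.append({"time": datetime.fromisoformat(f"{date} {time}"), **fields})
    return entries


def matches(rule, entry):
    """Severity test (severity-level-logs compared with severity-level-comp,
    skipped for no-check) and, when enabled, the generic-text substring test."""
    wanted = rule["severity-level-logs"]
    if wanted != "no-check":
        compare = COMPARE[rule["severity-level-comp"]]
        if not compare(LEVELS.index(entry["level"]), LEVELS.index(wanted)):
            return False
    if rule.get("enable-generic-text") == "enable":
        return rule["generic-text"] in entry["msg"]
    return True


def alert_times(rule, entries):
    """Timestamps at which the rule reports: the num-events-th matching entry
    inside a sliding event-time-period window. The window is cleared after a
    report so one burst yields one alert (that reset is this model's choice)."""
    window = timedelta(hours=rule["event-time-period"])
    reported, recent = [], []
    for entry in sorted(entries, key=lambda e: e["time"]):
        if not matches(rule, entry):
            continue
        recent = [t for t in recent if entry["time"] - t < window] + [entry["time"]]
        if len(recent) >= rule["num-events"]:
            reported.append(entry["time"])
            recent = []
    return reported


if __name__ == "__main__":
    for when in alert_times(RULE, parse_log(SAMPLE_LOGS)):
        print("alert at", when.isoformat(sep=" "))
```

For the sample the rule reports once, at 10:06:35: the warning line is below the error threshold, the "config changed" line fails the generic-text test, and the two failures at 10:40 and 10:41 fall outside the half-hour window, so they never reach the count of five.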

Syntax

config system alert-event
    edit <name_string>
        config alert-destination
            edit destination_id <integer>
                set type {mail | snmp | syslog}
                set from <email_address>
                set to <email_addr>
                set smtp-name <server_name>
                set snmp-name <server_name>
                set syslog-name <server_name>
            end
        set enable-generic-text {enable | disable}
        set enable-severity-filter {enable | disable}
        set event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}
        set generic-text <string>
        set num-events {1 | 5 | 10 | 50 | 100}
        set severity-filter {high | low | medium | medium-high | medium-low}
        set severity-level-comp {>= | = | <=}
        set severity-level-logs {no-check | information | notify | warning | error | critical | alert | emergency}
    end

Variable

<name_string> destination_id <integer> type {mail | snmp | syslog} from <email_address> to <email_addr> smtp-name <server_name>

Description

Enter a name for the alert event.

Enter the table sequence number, beginning at 1.

Type the alert event message method of delivery.

Default: mail

Enter the email address of the sender of the message. This is available when the type is set to mail.

Enter the recipient of the alert message. This is available when the type is set to mail.

Enter the name of the mail server. This is available when the type is set to mail.

snmp-name <server_name> syslog-name <server_name> enable-generic-text {enable | disable} enable-severity-filter {enable | disable}

Enter the snmp server name. This is available when the type is set to snmp.

Enter the syslog server name or IP address. This is available when the type is set to syslog.

Enable/disable the text alert option.

Default: disable

Enable/disable the severity filter option.

Default: disable event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 |

168}

The period of time in hours during which if the threshold number is exceeded, the event will be reported.

Enter the text the alert looks for in the log messages.

generic-text <string> num-events {1 | 5 | 10 | 50 | 100} Set the number of events that must occur in the given interval before it is reported.

severity-filter {high | low | medium | medium-high

| medium-low}

Set the alert severity indicator for the alert message the FortiManager unit sends to the recipient.

severity-level-comp {>= | = | <=} Set the severity level in relation to the log level. Log messages are monitored based on the log level. For example, alerts may be monitored if the messages are greater than, and equal to (>=) the

Warning log level.

CLI Reference

Fortinet Technologies Inc.

68

system alertemail

Variable

severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency}

Description

Set the log level the FortiManager looks for when monitoring for alert messages.

Example

In the following example, the alert message is set to send an email to the administrator when 5 warning log messages appear over the span of three hours.

    config system alert-event
        edit warning
            config alert-destination
                edit 1
                    set type mail
                    set from [email protected]
                    set to [email protected]
                    set smtp-name mail.example.com
                end
            set enable-severity-filter enable
            set event-time-period 3
            set num-events 5
            set severity-level-logs warning
            set severity-level-comp =
            set severity-filter medium
    end

alertemail

Use this command to configure alert email settings for your FortiManager unit.

All variables are required if authentication is enabled.

Syntax

    config system alertemail
        set authentication {enable | disable}
        set fromaddress <email-addr_string>
        set fromname <name_string>
        set smtppassword <password_string>
        set smtpport <port_int>
        set smtpserver {<ipv4>|<fqdn_string>}
        set smtpuser <username_string>
    end

Variable Description

authentication {enable | disable}
    Enable/disable alert email authentication.
    Default: enable

fromaddress <email-addr_string>
    The email address the alert message is from.
    This is a required variable.

fromname <name_string>
    The SMTP name associated with the email address. To enter a name that includes spaces, enclose the whole name in quotes.

smtppassword <password_string>
    Set the SMTP server password.

smtpport <port_int>
    The SMTP server port.
    Default: 25

smtpserver {<ipv4>|<fqdn_string>}
    The SMTP server address. Enter either a DNS resolvable host name or an IPv4 address.

smtpuser <username_string>
    Set the SMTP server username.

Example

Here is an example of configuring alertemail. Authentication is enabled, the alert is sent in Mr. Customer's name and from his email address, the SMTP server port is the default port (25), and the SMTP server is at IP address 192.168.10.10.

    config system alertemail
        set authentication enable
        set fromaddress [email protected]
        set fromname "Mr. Customer"
        set smtpport 25
        set smtpserver 192.168.10.10
    end

auto-delete

Use this command to configure the automatic deletion policies for logs, reports, and archived and quarantined files.

Syntax

    config system auto-delete
        config dlp-files-auto-deletion
            set status {enable | disable}
            set value <integer>
            set when {days | hours | months | weeks}
        end
        config quarantine-files-auto-deletion
            set status {enable | disable}
            set value <integer>
            set when {days | hours | months | weeks}
        end
        config log-auto-deletion
            set status {enable | disable}
            set value <integer>
            set when {days | hours | months | weeks}
        end
        config report-auto-deletion
            set status {enable | disable}
            set value <integer>
            set when {days | hours | months | weeks}
        end
    end

Variable Description

dlp-files-auto-deletion
    Automatic deletion policy for DLP archives.

quarantine-files-auto-deletion
    Automatic deletion policy for quarantined files.

log-auto-deletion
    Automatic deletion policy for device logs.

report-auto-deletion
    Automatic deletion policy for reports.

status {enable | disable}
    Enable/disable automatic deletion.

value <integer>
    Set the value integer.

when {days | hours | months | weeks}
    Auto-delete data older than <value> days, hours, months, or weeks.
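An added Python example, not part of this reference, that works out what the four auto-delete policies would remove from a constructed inventory at a given moment. The item format, the policy table and the calendar-month arithmetic are assumptions; the month handling goes slightly beyond the page by clamping a cutoff computed on the 31st to the last valid day of the target month, a case the reference does not discuss.

```python
import calendar
from datetime import datetime, timedelta


def retention_cutoff(now, value, when):
    """Return the instant before which data counts as 'older than <value> <when>'."""
    if when == "hours":
        return now - timedelta(hours=value)
    if when == "days":
        return now - timedelta(days=value)
    if when == "weeks":
        return now - timedelta(weeks=value)
    if when == "months":
        # Calendar months (assumed semantics): step back <value> months and clamp the
        # day of month, so a cutoff computed on the 31st still lands on a valid date.
        month_index = now.year * 12 + (now.month - 1) - value
        year, month0 = divmod(month_index, 12)
        last_day = calendar.monthrange(year, month0 + 1)[1]
        return now.replace(year=year, month=month0 + 1, day=min(now.day, last_day))
    raise ValueError(f"unknown unit {when!r}")


def select_for_deletion(items, policies, now):
    """items: (kind, name, timestamp); policies: kind -> (status, value, when).

    Returns the names that an enabled policy would delete at time 'now'."""
    doomed = []
    for kind, name, ts in items:
        status, value, when = policies[kind]
        if status == "enable" and ts < retention_cutoff(now, value, when):
            doomed.append(name)
    return doomed


# Constructed policies mirroring the four config sub-tables on this page.
POLICIES = {
    "log": ("enable", 3, "months"),
    "report": ("enable", 2, "weeks"),
    "quarantine": ("disable", 1, "days"),   # disabled: nothing is deleted
    "dlp": ("enable", 30, "days"),
}

# Constructed sample inventory: (kind, name, last-modified time).
ITEMS = [
    ("log", "fgt1-2014-12-30.log", datetime(2014, 12, 30, 12, 0)),
    ("log", "fgt1-2015-01-02.log", datetime(2015, 1, 2, 12, 0)),
    ("report", "weekly-2015-03-10.pdf", datetime(2015, 3, 10, 9, 0)),
    ("quarantine", "q-2014-01-01.bin", datetime(2014, 1, 1, 0, 0)),
    ("dlp", "dlp-2015-02-27.arc", datetime(2015, 2, 27, 8, 0)),
]

NOW = datetime(2015, 3, 31, 12, 0)   # constructed evaluation time (a month-end)


def run_example():
    return select_for_deletion(ITEMS, POLICIES, NOW)


if __name__ == "__main__":
    for name in run_example():
        print("would delete:", name)
```

Evaluated on 31 March, the three-month log cutoff falls on 31 December, the two-week report cutoff on 17 March and the 30-day DLP cutoff on 1 March; the quarantine file survives only because its policy is disabled.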

backup all-settings

Use this command to set or check the settings for scheduled backups.

Syntax

    config system backup all-settings
        set status {enable | disable}
        set server {<ipv4>|<fqdn_str>}
        set user <username_string>
        set directory <dir_str>
        set week_days {monday tuesday wednesday thursday friday saturday sunday}
        set time <hh:mm:ss>
        set protocol {ftp | scp | sftp}
        set passwd <password_string>
        set cert <string>
        set crptpasswd <password_string>
    end

Variable Description

status {enable | disable}
    Enable/disable scheduled backups.
    Default: disable

server {<ipv4>|<fqdn_str>}
    Enter the IPv4 address or DNS resolvable host name of the backup server.

user <username_string>
    Enter the user account name for the backup server.

directory <dir_str>
    Enter the name of the directory on the backup server in which to save the backup file.

week_days {monday tuesday wednesday thursday friday saturday sunday}
    Enter the days of the week on which to perform backups. You may enter multiple days.

time <hh:mm:ss>
    Enter the time of day to perform the backup. Time is required in the form <hh:mm:ss>.

protocol {ftp | scp | sftp}
    Enter the transfer protocol.
    Default: sftp

passwd <password_string>
    Enter the password for the backup server.

cert <string>
    SSH certificate for authentication. Only available if the protocol is set to scp.

crptpasswd <password_string>
    Optional password to protect the backup content.

Example

This example shows a configuration where the backup server is 172.20.120.11, using the admin account with no password, saving to the /usr/local/backup directory. Backups are done on Mondays at 1:00pm using ftp.

    config system backup all-settings
        set status enable
        set server 172.20.120.11
        set user admin
        set directory /usr/local/backup
        set week_days monday
        set time 13:00:00
        set protocol ftp
    end

certificate

Use the following commands to configure certificate related settings.

certificate ca

Use this command to install Certificate Authority (CA) root certificates.

When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL).

The process for obtaining and installing certificates is as follows:

1. Use the execute certificate local generate command to generate a CSR.

2. Send the CSR to a CA.

   The CA sends you the CA certificate, the signed local certificate and the CRL.

3. Use the system certificate local command to install the signed local certificate.

4. Use the system certificate ca command to install the CA certificate.

Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

    config system certificate ca
        edit <ca_name>
            set ca <cert>
            set comment <string>
    end

To view all of the information about the certificate, use the get command:

    get system certificate ca <ca_name>

Variable Description

<ca_name>
    Enter a name for the CA certificate.

ca <cert>
    Enter or retrieve the CA certificate in PEM format.

comment <string>
    Optionally, enter a descriptive comment.

certificate crl

Use this command to configure CRLs.

Syntax

    config system certificate crl
        edit <name>
            set crl <crl>
            set comment <string>
    end

Variable Description

<name>
    Enter a name for the CRL.

crl <crl>
    Enter or retrieve the CRL in PEM format.

comment <string>
    Optionally, enter a descriptive comment for this CRL.

certificate local

Use this command to install local certificates. When a CA processes your CSR, it sends you the CA certificate, the signed local certificate and the CRL.


The process for obtaining and installing certificates is as follows:

1. Use the execute certificate local generate command to generate a CSR.

2. Send the CSR to a CA.

The CA sends you the CA certificate, the signed local certificate and the CRL.

3. Use the system certificate local command to install the signed local certificate.

4. Use the system certificate ca command to install the CA certificate.

Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

    config system certificate local
        edit <cert_name>
            set password <cert_password>
            set comment <comment_text>
            set certificate <cert_PEM>
            set private-key <prkey>
            set csr <csr_PEM>
    end

To view all of the information about the certificate, use the get command:

    get system certificate local [cert_name]

Variable Description

<cert_name>
    Enter the local certificate name.

password <cert_password>
    Enter the local certificate password.

comment <comment_text>
    Enter any relevant information about the certificate.

certificate <cert_PEM>
    Enter the signed local certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit.

private-key <prkey>
    The private key in PEM format.

csr <csr_PEM>
    The CSR in PEM format.
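The certificate ca, certificate crl and certificate local commands each take one PEM block pasted from the bundle the CA returns, and the page warns that the private key and CSR should not be touched once generated on the unit. The Python script below is an added example, not Fortinet code: it splits a pasted bundle into PEM blocks, reports which set field each block belongs to, verifies that the base64 decodes and that the outer DER length matches the bytes present (a paste that lost its last lines fails that check), and flags private-key blocks so a helper script never echoes them into a ticket or log. The DER stand-ins, the sample bundle and the TARGETS map are constructed assumptions.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Which 'set' field on this page each PEM label feeds (assumed mapping). Private-key
# labels are flagged as secret so the caller can avoid printing or logging them.
TARGETS = {
    "CERTIFICATE": ("set certificate (certificate local) or set ca (certificate ca)", False),
    "X509 CRL": ("set crl (certificate crl)", False),
    "CERTIFICATE REQUEST": ("set csr (certificate local)", False),
    "PRIVATE KEY": ("set private-key (certificate local)", True),
    "RSA PRIVATE KEY": ("set private-key (certificate local)", True),
}


def der_length_ok(der):
    """True if the outer DER SEQUENCE header's declared length matches the bytes present.

    A paste that lost its last lines may still decode as base64 but fails this check."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        content_len, header_len = first, 2
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        content_len = int.from_bytes(der[2:2 + n], "big")
        header_len = 2 + n
    return header_len + content_len == len(der)


def classify_bundle(text):
    """Split a pasted bundle into PEM blocks; return (label, status, target, is_secret) per block."""
    results = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        target, secret = TARGETS.get(label, ("unknown label; do not install", False))
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            results.append((label, "bad-base64", target, secret))
            continue
        status = "ok" if der_length_ok(der) else "der-length-mismatch"
        results.append((label, status, target, secret))
    return results


def make_pem(label, der):
    """Wrap DER bytes as a PEM block (helper used only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed DER stand-ins, not real certificates: a minimal SEQUENCE { INTEGER 1 }
# and a longer SEQUENCE that exercises the long-form length encoding.
TOY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
LONG_DER = bytes([0x30, 0x81, 200]) + b"\x05\x00" * 100

SAMPLE_BUNDLE = (
    make_pem("CERTIFICATE", TOY_DER)
    + make_pem("X509 CRL", LONG_DER)
    + make_pem("CERTIFICATE", TOY_DER[:-1])          # truncated paste
    + "-----BEGIN CERTIFICATE REQUEST-----\nnot*base64\n-----END CERTIFICATE REQUEST-----\n"
    + make_pem("RSA PRIVATE KEY", TOY_DER)
)


def run_example():
    return [(label, status) for label, status, _, _ in classify_bundle(SAMPLE_BUNDLE)]


if __name__ == "__main__":
    for label, status, target, secret in classify_bundle(SAMPLE_BUNDLE):
        print(f"{label:24} {status:20} -> {target}{'  [SECRET]' if secret else ''}")
```

The length check only proves the block is a complete DER SEQUENCE, not that it is a valid certificate; telling a CA certificate from the signed local certificate still needs an X.509 parser, which this example deliberately leaves out.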

certificate oftp

Use this command to install OFTP certificates and keys.

Syntax

    config system certificate oftp
        set certificate <certificate>
        set comment <string>
        set custom {enable | disable}
        set private-key <key>
    end

Variable Description

certificate <certificate>
    PEM format certificate.

comment <string>
    OFTP certificate comment.

custom {enable | disable}
    Enable/disable custom certificates.

private-key <key>
    PEM format private key.

certificate ssh

Use this command to install SSH certificates and keys.

The process for obtaining and installing certificates is as follows:

1. Use the execute certificate local generate command to generate a CSR.

2. Send the CSR to a CA.

The CA sends you the CA certificate, the signed local certificate and the CRL.

3. Use the system certificate local command to install the signed local certificate.

4. Use the system certificate ca command to install the CA certificate.

5. Use the system certificate ssh command to install the SSH certificate.

Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax

    config system certificate ssh
        edit <name>
            set comment <comment_text>
            set certificate <certificate>
            set private-key <key>
    end

To view all of the information about the certificate, use the get command:

    get system certificate ssh [cert_name]

Variable Description

<name>
    Enter the SSH certificate name.

comment <comment_text>
    Enter any relevant information about the certificate.

certificate <certificate>
    Enter the signed SSH certificate in PEM format.

You should not modify the following variable if you generated the CSR on this unit.

private-key <key>
    The private key in PEM format.

dm

Use this command to configure Deployment Manager (DM) settings.

Syntax

    config system dm
        set concurrent-install-limit <installs_int>
        set concurrent-install-script-limit <scripts_int>
        set discover-timeout <integer>
        set dpm-logsize <kbytes_int>
        set fgfm-sock-timeout <sec_int>
        set fgfm_keepalive_itvl <sec_int>
        set force-remote-diff {enable | disable}
        set max-revs <revs_int>
        set nr-retry <retries_int>
        set retry {enable | disable}
        set retry-intvl <sec_int>
        set rollback-allow-reboot {enable | disable}
        set script-logsize <integer>
        set verify-install {enable | disable}
        set fortiap-refresh-itvl <integer>
    end

Variable Description

concurrent-install-limit <installs_int>
    The maximum number of concurrent installs. The range can be from 5 to 100.
    Default: 60

concurrent-install-script-limit <scripts_int>
    The maximum number of concurrent install scripts. The range can be from 5 to 100.
    Default: 60

discover-timeout <integer>
    Check connection timeout when discovering a device (3-15).

dpm-logsize <kbytes_int>
    The maximum DPM log size per device in kB. The range can be from 1 to 10000 kB.
    Default: 10000

fgfm-sock-timeout <sec_int>
    The maximum FortiManager/FortiGate communication socket idle time. The interval can be from 90 to 1800 seconds.
    Default: 900

fgfm_keepalive_itvl <sec_int>
    The interval at which the FortiManager unit sends a keepalive signal to a FortiGate unit to keep the FortiManager/FortiGate communication protocol active. The interval can be from 30 to 600 seconds.
    Default: 300

force-remote-diff {enable | disable}
    Enable to always use remote diff when installing.
    Default: disable

max-revs <revs_int>
    The maximum number of revisions saved. Valid numbers are from 1 to 250.
    Default: 100

nr-retry <retries_int>
    The number of times the FortiManager unit will retry.
    Default: 1

retry {enable | disable}
    Enable/disable configuration installation retries.
    Default: enable

retry-intvl <sec_int>
    The interval, in seconds, between attempting another configuration installation following a failed attempt.
    Default: 15

rollback-allow-reboot {enable | disable}
    Enable to allow a FortiGate unit to reboot when installing a script or configuration.
    Default: disable

script-logsize <integer>
    Enter the maximum script log size per device (1-10000 kB).

verify-install {enable | disable}
    Enable to verify the install against the remote configuration.
    Default: enable

fortiap-refresh-itvl <integer>
    Set the auto refresh FortiAP status interval, from 1-1440 minutes.

Example

This example shows how to set up configuration installations. It shows how to set 5 attempts to install a configuration on a FortiGate device, waiting 30 seconds between attempts.

    config system dm
        set retry enable
        set nr-retry 5
        set retry-intvl 30
    end

dns

Use this command to set the DNS server addresses. Several FortiManager functions, including sending alert email, use DNS.

Syntax

    config system dns
        set primary <ipv4_address>
        set secondary <ipv4_address>
    end

Variable Description

primary <ipv4_address>
    Enter the primary DNS server IPv4 address.

secondary <ipv4_address>
    Enter the secondary DNS server IPv4 address.

Example

This example shows how to set the primary FortiManager DNS server IP address to 172.20.120.99 and the secondary FortiManager DNS server IP address to 192.168.1.199.

    config system dns
        set primary 172.20.120.99
        set secondary 192.168.1.199
    end

fips

Use this command to set the Federal Information Processing Standards (FIPS) status. FIPS mode is an enhanced security option for some FortiManager models. Installation of FIPS firmware is required only if the unit was not ordered with this firmware pre-installed.

Syntax

    config system fips
        set status {enable | disable}
        set fortitrng {enable | disable | dynamic}
        set re-seed-interval <integer>
    end

Variable Description

status {enable | disable}
    Enable/disable the FIPS-CC mode of operation.
    Default: enable

fortitrng {enable | disable | dynamic}
    Configure support for the FortiTRNG entropy token:
    - enable: The token must be present during boot up and reseeding. If the token is not present, the boot up or reseeding is interrupted until the token is inserted.
    - disable: The current entropy implementation is used to seed the Random Number Generator (RNG).
    - dynamic: The token is used to seed or reseed the RNG if it is present. If the token is not present, the boot process is not blocked and the old entropy implementation is used.
    Default: disable

re-seed-interval <integer>
    The amount of time, in minutes, between RNG reseeding.
    Default: 1440


global

Use this command to configure global settings that affect miscellaneous FortiManager features.

Syntax

    config system global
        set admin-https-pki-required {disable | enable}
        set admin-lockout-duration <integer>
        set admin-lockout-threshold <integer>
        set admin-maintainer {disable | enable}
        set admintimeout <integer>
        set adom-mode {advanced | normal}
        set adom-rev-auto-delete {by-days | by-revisions | disable}
        set adom-rev-max-days <integer>
        set adom-rev-max-revisions <integer>
        set adom-status {enable | disable}
        set clt-cert-req {disable | enable}
        set console-output {more | standard}
        set daylightsavetime {enable | disable}
        set default-disk-quota <integer>
        set dh-params < >
        set faz-status {enable | disable}
        set enc-algorithm {default | high | low}
        set hostname <string>
        set language {english | japanese | simch | trach}
        set ldapconntimeout <integer>
        set lcdpin <integer>
        set lock-preempt {enable | disable}
        set log-checksum {md5 | md5-auth | none}
        set max-concurrent-users <integer>
        set max-running-reports <integer>
        set partial-install {enable | disable}
        set unregister-pop-up {enable | disable}
        set pre-login-banner {disable | enable}
        set pre-login-banner-message <string>
        set remoteauthtimeout <integer>
        set search-all-adoms {enable | disable}
        set ssl-low-encryption {enable | disable}
        set ssl-protocol {tlsv1 | sslv3}
        set swapmem {enable | disable}
        set task-list-size <integer>
        set timezone <timezone_int>
        set vdom-mirror {enable | disable}
        set webservice-proto {tlsv1 | sslv3 | sslv2}
        set workspace-mode {disabled | normal | workflow}
    end

Variable Description

admin-https-pki-required {disable | enable}
    Enable/disable the HTTPS login page when PKI is enabled.

admin-lockout-duration <integer>
    Set the lockout duration (seconds) for FortiManager administration.
    Default: 60

admin-lockout-threshold <integer>
    Set the lockout threshold for FortiManager administration (1 to 10).
    Default: 3

admin-maintainer {disable | enable}
    Enable/disable the special user maintainer account.

admintimeout <integer>
    Set the administrator idle timeout (in minutes).
    Default: 5

adom-mode {advanced | normal}
    Set the ADOM mode.

adom-rev-auto-delete {by-days | by-revisions | disable}
    Auto delete features for old ADOM revisions.

adom-rev-max-days <integer>
    The maximum number of days to keep old ADOM revisions.

adom-rev-max-revisions <integer>
    The maximum number of ADOM revisions to keep.

adom-status {enable | disable}
    Enable/disable administrative domains (ADOMs).
    Default: disable

clt-cert-req {disable | enable}
    Enable/disable requiring a client certificate for Web-based Manager login.

console-output {more | standard}
    Select how the output is displayed on the console. Type more to pause the output at each full screen until a key is pressed. Type standard for continuous output without pauses.
    Default: standard

daylightsavetime {enable | disable}
    Enable/disable daylight saving time. If you enable daylight saving time, the FortiManager unit automatically adjusts the system time when daylight saving time begins or ends.
    Default: enable

default-disk-quota <integer>
    Default disk quota (MB) for a registered device.

faz-status {enable | disable}
    Enable/disable FortiAnalyzer status.
    Note: This command is not available on the FMG-100C.

enc-algorithm {default | high | low}
    Set SSL communication encryption algorithms.
    Default: default

hostname <string>
    FortiManager host name.

language {english | japanese | simch | trach}
    Web-based Manager language. Type one of the following:
    - english: English
    - japanese: Japanese
    - simch: Simplified Chinese
    - trach: Traditional Chinese
    Default: English

ldapconntimeout <integer>
    LDAP connection timeout (in milliseconds).
    Default: 60000

lcdpin <integer>
    Set the 6-digit PIN administrators must enter to use the LCD panel.

lock-preempt {enable | disable}
    Enable/disable the ADOM lock override.

log-checksum {md5 | md5-auth | none}
    Record the log file hash value, timestamp, and authentication code at transmission or rolling. Select one of the following:
    - md5: Record the log file's MD5 hash value only
    - md5-auth: Record the log file's MD5 hash value and authentication code
    - none: Do not record the log file checksum

max-concurrent-users <integer>
    Maximum number of concurrent administrators.
    Default: 20

max-running-reports <integer>
    Maximum number of running reports (Min: 1, Max: 10).

partial-install {enable | disable}
    Enable/disable partial install (install only some objects). Use this command to enable pushing individual objects of the policy package down to all FortiGates in the Policy Package. Once enabled, in the Web-based Manager you can right-click an object and choose to install it.

unregister-pop-up {enable | disable}
    Enable/disable unregistered device popup messages in the Web-based Manager.

pre-login-banner {disable | enable}
    Enable/disable the pre-login banner.

pre-login-banner-message <string>
    Set the pre-login banner message.

remoteauthtimeout <integer>
    Remote authentication (RADIUS/LDAP) timeout (in seconds).
    Default: 10

search-all-adoms {enable | disable}
    Enable/disable searching all ADOMs for where-used queries.

ssl-low-encryption {enable | disable}
    Enable/disable low-grade (40-bit) encryption.
    Default: enable

ssl-protocol {tlsv1 | sslv3}
    Set the SSL protocols.
    - tlsv1: Enable TLSv1
    - sslv3: Enable SSLv3

swapmem {enable | disable}
    Enable/disable virtual memory.

task-list-size <integer>
    Set the maximum number of completed tasks to keep. The default task list size is 2000.

timezone <timezone_int>
    The time zone for the FortiManager unit. See the Time zones table below for the integer values.
    Default: (GMT-8) Pacific Time (US & Canada)

vdom-mirror {enable | disable}
    Enable/disable VDOM mirror. Once enabled in the CLI, you can select to enable VDOM Mirror when editing a virtual domain in the System > Virtual Domain device tab in Device Manager. You can then add devices and VDOMs to the list so they may be mirrored. An icon is displayed in the Mirror column of this page to indicate that the VDOM is being mirrored to another device/VDOM. When changes are made to the master device's VDOM database, a copy is applied to the mirror device's VDOM database. A revision is created and then installed to the devices.
    Default: disabled
    Note: VDOM mirror is intended to be used by MSSP or enterprise companies who need to provide a backup VDOM for their customers.

webservice-proto {tlsv1 | sslv3 | sslv2}
    WebService connection using one of the following protocols:
    - tlsv1: TLSv1 protocol
    - sslv3: SSLv3 protocol
    - sslv2: SSLv2 protocol

workspace-mode {disabled | normal | workflow}
    Enable/disable Workspace and Workflow (ADOM locking). Select one of the following options:
    - disabled: Workspace is disabled.
    - normal: Workspace lock mode enabled.
    - workflow: Workspace workflow mode enabled.

Example

The following command turns on daylight saving time, sets the FortiManager unit name to FMG3k, and chooses the Eastern time zone for US & Canada.

    config system global
        set daylightsavetime enable
        set hostname FMG3k
        set timezone 12
    end
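The admin-lockout-threshold and admin-lockout-duration settings in the global table define a small state machine per administrator account. The Python model below is an added example, not FortiManager code: it replays a constructed login sequence against the page's defaults (threshold 3, duration 60 seconds) and records an audit entry for every attempt, which is the event a monitoring rule would key on. How the real unit resets its failure counter, and that a correct password is refused while the lockout is active, are assumptions the page does not state.

```python
class AdminLockout:
    """Model of admin-lockout-threshold / admin-lockout-duration.

    Assumptions not stated on the page: the failure counter is per account, resets on a
    successful login, and a correct password during the lockout window is still refused."""

    def __init__(self, threshold=3, duration=60):
        self.threshold = threshold      # admin-lockout-threshold (1 to 10, default 3)
        self.duration = duration        # admin-lockout-duration in seconds (default 60)
        self.failures = {}              # account -> consecutive failed attempts
        self.locked_until = {}          # account -> time (seconds) the lockout expires
        self.audit = []                 # (time, account, outcome) records for detection

    def attempt(self, account, now, password_ok):
        """Process one login attempt at time 'now' (seconds) and return its outcome."""
        expiry = self.locked_until.get(account)
        if expiry is not None:
            if now < expiry:
                return self._record(now, account, "locked-out")
            del self.locked_until[account]          # lockout expired; count afresh
            self.failures[account] = 0
        if password_ok:
            self.failures[account] = 0
            return self._record(now, account, "success")
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = now + self.duration
            self.failures[account] = 0
            return self._record(now, account, "locked")
        return self._record(now, account, "failed")

    def seconds_remaining(self, account, now):
        """Seconds of lockout left for the account at time 'now' (0 when not locked)."""
        return max(0, self.locked_until.get(account, now) - now)

    def _record(self, now, account, outcome):
        self.audit.append((now, account, outcome))
        return outcome


def run_example():
    """Replay a constructed sequence against the page's defaults (threshold 3, duration 60 s)."""
    guard = AdminLockout(threshold=3, duration=60)
    attempts = [
        (0, "admin", False),
        (5, "admin", False),
        (10, "admin", False),   # third failure: account locked until t=70
        (20, "admin", True),    # right password, but still inside the lockout window
        (75, "admin", True),    # lockout has expired, login succeeds
    ]
    return [guard.attempt(account, t, ok) for t, account, ok in attempts]


def lockout_remaining_example():
    """Three quick failures at t=0,1,2 lock the account until t=62."""
    guard = AdminLockout()
    for t in (0, 1, 2):
        guard.attempt("admin", t, False)
    return guard.seconds_remaining("admin", 30), guard.seconds_remaining("admin", 100)


if __name__ == "__main__":
    print(run_example())   # ['failed', 'failed', 'locked', 'locked-out', 'success']
    print(lockout_remaining_example())   # (32, 0)
```

A run of "locked" entries for one account from many sources, or a "locked-out" entry that arrives with a valid credential, is the audit pattern worth forwarding from the model's audit list to whatever collects the unit's logs.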

Time zones

Integer  Time zone
00       (GMT-12:00) Eniwetak, Kwajalein
01       (GMT-11:00) Midway Island, Samoa
02       (GMT-10:00) Hawaii
03       (GMT-9:00) Alaska
04       (GMT-8:00) Pacific Time (US & Canada)
05       (GMT-7:00) Arizona
06       (GMT-7:00) Mountain Time (US & Canada)
07       (GMT-6:00) Central America
08       (GMT-6:00) Central Time (US & Canada)
09       (GMT-6:00) Mexico City
10       (GMT-6:00) Saskatchewan
11       (GMT-5:00) Bogota, Lima, Quito
12       (GMT-5:00) Eastern Time (US & Canada)
13       (GMT-5:00) Indiana (East)
14       (GMT-4:00) Atlantic Time (Canada)
15       (GMT-4:00) La Paz
16       (GMT-4:00) Santiago
17       (GMT-3:30) Newfoundland
18       (GMT-3:00) Brasilia
19       (GMT-3:00) Buenos Aires, Georgetown
20       (GMT-3:00) Nuuk (Greenland)
21       (GMT-2:00) Mid-Atlantic
22       (GMT-1:00) Azores
23       (GMT-1:00) Cape Verde Is
24       (GMT) Casablanca, Monrovia
25       (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London
26       (GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
27       (GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
28       (GMT+1:00) Brussels, Copenhagen, Madrid, Paris
29       (GMT+1:00) Sarajevo, Skopje, Sofija, Vilnius, Warsaw, Zagreb
30       (GMT+1:00) West Central Africa
31       (GMT+2:00) Athens, Istanbul, Minsk
32       (GMT+2:00) Bucharest
33       (GMT+2:00) Cairo
34       (GMT+2:00) Harare, Pretoria
35       (GMT+2:00) Helsinki, Riga, Tallinn
36       (GMT+2:00) Jerusalem
37       (GMT+3:00) Baghdad
38       (GMT+3:00) Kuwait, Riyadh
39       (GMT+3:00) Moscow, St. Petersburg, Volgograd
40       (GMT+3:00) Nairobi
41       (GMT+3:30) Tehran
42       (GMT+4:00) Abu Dhabi, Muscat
43       (GMT+4:00) Baku
44       (GMT+4:30) Kabul
45       (GMT+5:00) Ekaterinburg
46       (GMT+5:00) Islamabad, Karachi, Tashkent
47       (GMT+5:30) Calcutta, Chennai, Mumbai, New Delhi
48       (GMT+5:45) Kathmandu
49       (GMT+6:00) Almaty, Novosibirsk
50       (GMT+6:00) Astana, Dhaka
51       (GMT+6:00) Sri Jayawardenapura
52       (GMT+6:30) Rangoon
53       (GMT+7:00) Bangkok, Hanoi, Jakarta
54       (GMT+7:00) Krasnoyarsk
55       (GMT+8:00) Beijing, ChongQing, HongKong, Urumqi
56       (GMT+8:00) Irkutsk, Ulaanbaatar
57       (GMT+8:00) Kuala Lumpur, Singapore
58       (GMT+8:00) Perth
59       (GMT+8:00) Taipei
60       (GMT+9:00) Osaka, Sapporo, Tokyo, Seoul
61       (GMT+9:00) Yakutsk
62       (GMT+9:30) Adelaide
63       (GMT+9:30) Darwin
64       (GMT+10:00) Brisbane
65       (GMT+10:00) Canberra, Melbourne, Sydney
66       (GMT+10:00) Guam, Port Moresby
67       (GMT+10:00) Hobart
68       (GMT+10:00) Vladivostok
69       (GMT+11:00) Magadan
70       (GMT+11:00) Solomon Is., New Caledonia
71       (GMT+12:00) Auckland, Wellington
72       (GMT+12:00) Fiji, Kamchatka, Marshall Is
73       (GMT+13:00) Nuku'alofa
74       (GMT-4:30) Caracas
75       (GMT+1:00) Namibia
76       (GMT-5:00) Brazil-Acre
77       (GMT-4:00) Brazil-West
78       (GMT-3:00) Brazil-East
79       (GMT-2:00) Brazil-DeNoronha

ha

Use the config system ha command to enable and configure FortiManager high availability (HA). FortiManager HA provides a solution for a key requirement of critical enterprise management and networking components: enhanced reliability.

A FortiManager HA cluster consists of up to five FortiManager units of the same FortiManager model. One of the FortiManager units in the cluster operates as a primary or master unit and the other one to four units operate as backup units. All of the units are visible on the network. The primary unit and the backup units can be at the same location. FortiManager HA also supports geographic redundancy, so the primary unit and backup units can be in different locations attached to different networks as long as communication is possible between them (for example over the Internet, over a WAN, or through a private network).

Administrators connect to the primary unit Web-based Manager or CLI to perform FortiManager operations. The primary unit also interacts with managed FortiGate devices and FortiSwitch devices. Managed devices connect with the primary unit for configuration backup and restore. If FortiManager is being used to distribute firmware updates and FortiGuard updates to managed devices, the managed devices can connect to the primary unit or one of the backup units.

If the primary FortiManager unit fails, you must manually configure one of the backup units to become the primary unit. The new primary unit will have the same IP addresses as it did when it was the backup unit. For the managed devices to automatically start using the new primary unit, you should add all of the FortiManager units in the cluster to the managed devices.

To configure a cluster, use the config system ha command to set the HA operation mode (mode) to ha and set the local IP1 (local-ip1), peer IP1 (peer-ip1) and the first synchronization interface (also called synchronization port) (synchport1) of both FortiManager units in the cluster. The local IP1 IP address of both FortiManager units must match the peer IP1 IP address of the other FortiManager unit. Both units should also have the same first synchronization interface.

Syntax

    config system ha
        set clusterid <cluster_ID_int>
        set file-quota <integer>
        set hb-interval <time_interval_int>
        set hb-lost-threshold <lost_heartbeats_int>
        set mode {master | slave | standalone}
        set password <password_string>
        config peer
            edit <peer_id_int>
                set ip <ipv4_address>
                set serial-number <peer_serial_str>
                set status <peer_status>
            end
    end

Variable Description

clusterid <cluster_ID_int>
    A number between 0 and 64 that identifies the HA cluster. All members of the HA cluster must have the same clusterid. If you have more than one FortiManager HA cluster on the same network, each HA cluster must have a different group ID.

file-quota <integer>
    Set the file quota in MB (2048 to 20480).

hb-interval <time_interval_int>
    The time in seconds that a cluster unit waits between sending heartbeat packets. The heartbeat interval is also the amount of time that a cluster unit waits before expecting to receive a heartbeat packet from the other cluster unit. The default heartbeat interval is 5 seconds. The heartbeat interval range is 1 to 255 seconds.

hb-lost-threshold <lost_heartbeats_int>
    The number of heartbeat intervals that one of the cluster units waits to receive HA heartbeat packets from other cluster units before assuming that the other cluster units have failed. The default failover threshold is 3. The failover threshold range is 1 to 255.

    In most cases you do not have to change the heartbeat interval or failover threshold. With the default settings, if a unit fails, the failure is detected after 3 x 5 seconds, giving a failure detection time of 15 seconds. If the failure detection time is too short, the HA cluster may detect a failure when none has occurred. For example, if the primary unit is very busy it may not respond to HA heartbeat packets in time. In this situation, the backup unit may assume that the primary unit has failed when the primary unit is actually just busy. Increase the failure detection time to prevent the backup unit from detecting a failure when none has occurred.

    If the failure detection time is too long, administrators will be delayed in learning that the cluster has failed. In most cases, a relatively long failure detection time will not have a major effect on operations. But if the failure detection time is too long for your network conditions, then you can reduce the heartbeat interval or failover threshold.

mode {master | slave | standalone}
    Type master to configure the FortiManager unit to be the primary unit in a cluster. Type slave to configure the FortiManager unit to be a backup unit in a cluster. Type standalone to stop operating in HA mode.

password <password_string>
    A group password for the HA cluster. All members of the HA cluster must have the same group password. The maximum password length is 19 characters. If you have more than one FortiManager HA cluster on the same network, each HA cluster must have a different password.


Variables for config peer subcommand:

Variable: peer
Description: Add peers to the HA configuration of the FortiManager unit. You add all of the backup units as peers to the primary unit (up to four). For each backup unit you add the primary unit as its peer.

Variable: <peer_id_int>
Description: Add a peer and add the peer's IP address and serial number.

Variable: ip <ipv4_address>
Description: Enter the IPv4 address of the peer FortiManager unit.

Variable: serial-number <peer_serial_str>
Description: Enter the serial number of the peer FortiManager unit.

Variable: status <peer_status>
Description: Enter the status of the peer FortiManager unit.

General FortiManager HA configuration steps

The following steps assume that you are starting with four FortiManager units running the same firmware build and set to the factory default configuration. The primary unit and the first backup unit are connected to the same network. The second and third backup units are connected to a remote network and communicate with the primary unit over the Internet.

1. Enter the following command to configure the primary unit for HA operation.

    config system ha
        set mode master
        set password <password_str>
        set clusterid 10
        config peer
            edit 1
                set ip <peer_ip_ipv4>
                set serial-number <peer_serial_str>
            next
            edit 2
                set ip <peer_ip_ipv4>
                set serial-number <peer_serial_str>
            next
            edit 3
                set ip <peer_ip_ipv4>
                set serial-number <peer_serial_str>
            next
        end
    end

This command configures the FortiManager unit to operate as the primary unit, adds a password, sets the clusterid to 10, and accepts defaults for the other HA settings. This command also adds the three backup units to the primary unit as peers.

2. Enter the following command to configure the backup units for HA operation.

    config system ha
        set mode slave
        set password <password_str>
        set clusterid 10
        config peer
            edit 1
                set ip <peer_ip_ipv4>
                set serial-number <peer_serial_str>
            next
        end
    end

This command configures the FortiManager unit to operate as a backup unit, adds the same password and clusterid as the primary unit, and accepts defaults for the other HA settings. This command also adds the primary unit to the backup unit as a peer.

3. Repeat step 2 to configure each backup unit.
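The three steps above can be generated and checked programmatically. The following is an added example, not Fortinet's code: it encodes the constraints the reference states (clusterid 0 to 64, group password of at most 19 characters, up to four backup units, the primary lists every backup as a peer, each backup lists only the primary) and emits the CLI text for every unit. The unit addresses and serial numbers are constructed.

```python
"""Generate the FortiManager HA configuration from a list of units.

Added example, not Fortinet's code. Unit addresses and serial numbers
below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Unit:
    ip: str
    serial: str


MAX_BACKUPS = 4
MAX_PASSWORD_LEN = 19


def failure_detection_time(hb_interval=5, hb_lost_threshold=3):
    """Seconds before a silent peer is declared failed (interval x threshold).

    Both values have a documented range of 1 to 255; the defaults give 15 s.
    """
    if not 1 <= hb_interval <= 255:
        raise ValueError("hb-interval must be 1-255 seconds")
    if not 1 <= hb_lost_threshold <= 255:
        raise ValueError("hb-lost-threshold must be 1-255")
    return hb_interval * hb_lost_threshold


def _peer_lines(peers):
    """Render the `config peer` subcommand, one `edit` entry per peer."""
    lines = ["    config peer"]
    for idx, peer in enumerate(peers, start=1):
        lines += [
            f"        edit {idx}",
            f"            set ip {peer.ip}",
            f"            set serial-number {peer.serial}",
            "        next",
        ]
    lines.append("    end")
    return lines


def ha_config(mode, password, clusterid, peers):
    """CLI text for one unit; `mode` is master (primary) or slave (backup)."""
    if mode not in ("master", "slave"):
        raise ValueError("mode must be master or slave")
    if not 0 <= clusterid <= 64:
        raise ValueError("clusterid must be 0-64")
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("HA password is limited to 19 characters")
    lines = [
        "config system ha",
        f"    set mode {mode}",
        f"    set password {password}",
        f"    set clusterid {clusterid}",
        *_peer_lines(peers),
        "end",
    ]
    return "\n".join(lines) + "\n"


def cluster_configs(primary, backups, password, clusterid):
    """Return {serial: cli_text} for the primary and every backup unit."""
    if not 1 <= len(backups) <= MAX_BACKUPS:
        raise ValueError("a cluster has 1 to 4 backup units")
    serials = [primary.serial] + [b.serial for b in backups]
    if len(set(serials)) != len(serials):
        raise ValueError("serial numbers must be unique")
    configs = {primary.serial: ha_config("master", password, clusterid, backups)}
    for backup in backups:
        # Each backup unit knows only the primary unit as its peer.
        configs[backup.serial] = ha_config("slave", password, clusterid, [primary])
    return configs


# Constructed sample cluster: one primary, three backups (as in the steps).
PRIMARY = Unit("192.0.2.10", "FMG-PRIMARY-0001")
BACKUPS = [
    Unit("192.0.2.11", "FMG-BACKUP-0001"),
    Unit("198.51.100.21", "FMG-BACKUP-0002"),
    Unit("198.51.100.22", "FMG-BACKUP-0003"),
]

if __name__ == "__main__":
    for serial, text in cluster_configs(PRIMARY, BACKUPS, "ha-secret", 10).items():
        print(f"# {serial}\n{text}")
```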

interface

Use this command to edit the configuration of a FortiManager network interface.

Syntax

    config system interface
        edit <port_str>
            set status {up | down}
            set ip <ipv4_mask>
            set allowaccess {http https ping snmp ssh telnet webservice}
            set serviceaccess {fclupdates fgtupdates webfilterantispam}
            set speed {1000full 100full 100half 10full 10half auto}
            set description <string>
            set alias <string>
            config ipv6
                set ip6-address <IPv6 prefix>
                set ip6-allowaccess {http https ping snmp ssh telnet webservice}
            end
        end

Variable: <port_str>
Description: <port_str> can be set to a port number such as port1, port2, port3, or port4. Different FortiManager models have different numbers of ports.

Variable: status {up | down}
Description: Start or stop the interface. If the interface is stopped it does not accept or send packets. If you stop a physical interface, VLAN interfaces associated with it also stop.
Default: up

Variable: ip <ipv4_mask>
Description: Enter the interface IPv4 address and netmask. The IPv4 address cannot be on the same subnet as any other interface.

Variable: allowaccess {http https ping snmp ssh telnet webservice}
Description: Enter the types of management access permitted on this interface. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required.

Variable: serviceaccess {fclupdates fgtupdates webfilterantispam}
Description: Enter the types of service access permitted on this interface. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required.

Variable: speed {1000full 100full 100half 10full 10half auto}
Description: Enter the speed and duplexing the network port uses. Enter auto to automatically negotiate the fastest common speed.
Default: auto

Variable: description <string>
Description: Enter a description of the interface.

Variable: alias <string>
Description: Enter an alias for the interface.

Variable: ipv6
Description: Configure the interface IPv6 settings (config ipv6 subcommand).

Variable: ip6-address <IPv6 prefix>
Description: IPv6 address/prefix of the interface.

Variable: ip6-allowaccess {http https ping snmp ssh telnet webservice}
Description: Allow management access to the interface.

Example

This example shows how to set the FortiManager port1 interface IP address and network mask to 192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.

    config system interface
        edit port1
            set allowaccess ping https ssh
            set ip 192.168.110.26 255.255.255.0
            set status up
        end
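Two of the rules above (only the listed allowaccess protocols are exposed, and no two interfaces share a subnet) are easy to audit from the saved configuration. The following is an added example, not Fortinet's code: it parses the config/edit/set/next/end layout shown in this reference, flags cleartext management protocols (telnet, http) on interfaces that are up, and reports overlapping IPv4 subnets. The configuration text is constructed.

```python
"""Parse `config system interface` text and audit management access.

Added example, not Fortinet's code. SAMPLE_CONFIG is constructed.
"""
import ipaddress

CLEARTEXT_PROTOCOLS = {"telnet", "http"}

# Constructed sample: port2 allows cleartext protocols, port3 is down,
# port4 sits on port2's subnet (which the reference forbids).
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set ip 192.168.110.26 255.255.255.0
        set allowaccess ping https ssh
        set status up
    next
    edit port2
        set ip 10.0.0.5 255.255.255.0
        set allowaccess ping https ssh telnet http
    next
    edit port3
        set ip 172.16.0.5 255.255.255.0
        set allowaccess https telnet
        set status down
    next
    edit port4
        set ip 10.0.0.200 255.255.255.0
        set allowaccess https
    next
end
"""


def parse_interfaces(text):
    """Return {port: {setting: [values]}} for each `edit` entry in the block."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
        elif line.startswith("set ") and current is not None:
            tokens = line.split()
            interfaces[current][tokens[1]] = tokens[2:]
        elif line in ("next", "end"):
            current = None
    return interfaces


def cleartext_management(text):
    """(port, protocol) pairs where telnet or http is allowed on a live port."""
    findings = []
    for port, settings in parse_interfaces(text).items():
        if settings.get("status", ["up"]) != ["up"]:  # status defaults to up
            continue
        for proto in settings.get("allowaccess", []):
            if proto in CLEARTEXT_PROTOCOLS:
                findings.append((port, proto))
    return findings


def overlapping_subnets(text):
    """Pairs of ports whose IPv4 subnets overlap."""
    networks = {}
    for port, settings in parse_interfaces(text).items():
        ip = settings.get("ip")
        if ip and len(ip) == 2:
            # ipaddress accepts a dotted netmask after the slash.
            networks[port] = ipaddress.ip_network(f"{ip[0]}/{ip[1]}", strict=False)
    ports = sorted(networks)
    return [(a, b) for i, a in enumerate(ports) for b in ports[i + 1:]
            if networks[a].overlaps(networks[b])]


if __name__ == "__main__":
    print("cleartext management:", cleartext_management(SAMPLE_CONFIG))
    print("overlapping subnets:", overlapping_subnets(SAMPLE_CONFIG))
```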

locallog

Use the following commands to configure local log settings.

locallog disk setting

Use this command to configure the disk settings for uploading log files, including configuring the severity of log levels.

status must be enabled to view diskfull, max-log-file-size and upload variables.

upload must be enabled to view/set other upload* variables.


Syntax

    config system locallog disk setting
        set status {enable | disable}
        set severity {alert | critical | debug | emergency | error | information | notification | warning}
        set max-log-file-size <size_int>
        set roll-schedule {none | daily | weekly}
        set roll-day <string>
        set roll-time <hh:mm>
        set diskfull {nolog | overwrite}
        set log-disk-full-percentage <integer>
        set upload {disable | enable}
        set uploadip <ipv4_address>
        set server-type {FAZ | FTP | SCP | SFTP}
        set uploadport <port_int>
        set uploaduser <user_str>
        set uploadpass <password_string>
        set uploaddir <dir_str>
        set uploadtype <event>
        set uploadzip {disable | enable}
        set uploadsched {disable | enable}
        set upload-time <hh:mm>
        set upload-delete-files {disable | enable}
    end

Variable: status {enable | disable}
Description: Enter enable to begin logging.
Default: disable

Variable: severity {alert | critical | debug | emergency | error | information | notification | warning}
Description: Select the logging severity level. The FortiManager unit logs all messages at and above the logging severity level you select. For example, if you select critical, the unit logs critical, alert and emergency level messages.
Default: alert

The logging levels in descending order are:
- emergency: The unit is unusable.
- alert: Immediate action is required.
- critical: Functionality is affected.
- error: Functionality is probably affected.
- warning: Functionality might be affected.
- notification: Information about normal events.
- information: General information about unit operations.
- debug: Information used for diagnosis or debugging.


Variable: max-log-file-size <size_int>
Description: Enter the size at which the log is rolled. The range is from 1 to 1024 megabytes.
Default: 100

Variable: roll-schedule {none | daily | weekly}
Description: Enter the period for the scheduled rolling of a log file. If roll-schedule is none, the log rolls when max-log-file-size is reached.
Default: none

Variable: roll-day <string>
Description: Enter the day for the scheduled rolling of a log file.

Variable: roll-time <hh:mm>
Description: Enter the time for the scheduled rolling of a log file.

Variable: diskfull {nolog | overwrite}
Description: Enter the action to take when the disk is full:
- nolog: stop logging
- overwrite: overwrite the oldest log entries
Default: overwrite

Variable: log-disk-full-percentage <integer>
Description: Enter the percentage at which the log disk will be considered full (50-90%).

Variable: upload {disable | enable}
Description: Enable to permit uploading of logs.
Default: disable

Variable: uploadip <ipv4_address>
Description: Enter the IPv4 address of the destination server.
Default: 0.0.0.0

Variable: server-type {FAZ | FTP | SCP | SFTP}
Description: Enter the type of server to use to store the logs.

Variable: uploadport <port_int>
Description: Enter the port to use when communicating with the destination server.
Default: 21

Variable: uploaduser <user_str>
Description: Enter the user account on the destination server.

Variable: uploadpass <password_string>
Description: Enter the password of the user account on the destination server.

Variable: uploaddir <dir_str>
Description: Enter the destination directory on the remote server.

Variable: uploadtype <event>
Description: Enter event to upload the event log files.
Default: event

Variable: uploadzip {disable | enable}
Description: Enable to compress uploaded log files.
Default: disable

Variable: uploadsched {disable | enable}
Description: Enable to schedule log uploads.

Variable: upload-time <hh:mm>
Description: Enter the time at which a scheduled upload runs.

Variable: upload-delete-files {disable | enable}
Description: Enable to delete log files after uploading.
Default: enable


Example

In this example, the logs are uploaded to an upload server and are not deleted after they are uploaded.

    config system locallog disk setting
        set status enable
        set severity information
        set max-log-file-size 1000
        set roll-schedule daily
        set upload enable
        set uploadip 10.10.10.1
        set uploadport 443
        set uploaduser myname2
        set uploadpass 12345
        set uploadtype event
        set uploadzip enable
        set uploadsched enable
        set upload-time 06:45
        set upload-delete-files disable
    end

locallog filter

Use this command to configure filters for local logs. All keywords are visible only when event is enabled.

Syntax

    config system locallog {memory | disk | fortianalyzer | syslogd | syslogd2 | syslogd3} filter
        set devcfg {disable | enable}
        set dm {disable | enable}
        set dvm {disable | enable}
        set epmgr {disable | enable}
        set event {disable | enable}
        set faz {disable | enable}
        set fgd {disable | enable}
        set fgfm {disable | enable}
        set fips {disable | enable}
        set fmgws {disable | enable}
        set fmlmgr {disable | enable}
        set fmwmgr {disable | enable}
        set glbcfg {disable | enable}
        set ha {disable | enable}
        set iolog {disable | enable}
        set logd {disable | enable}
        set lrmgr {disable | enable}
        set objcfg {disable | enable}
        set rev {disable | enable}
        set rtmon {disable | enable}
        set scfw {disable | enable}
        set scply {disable | enable}
        set scrmgr {disable | enable}
        set scvpn {disable | enable}
        set system {disable | enable}
        set webport {disable | enable}
    end

Variable: devcfg {disable | enable}
Description: Enable to log device configuration messages.

Variable: dm {disable | enable}
Description: Enable to log deployment manager messages.
Default: disable

Variable: dvm {disable | enable}
Description: Enable to log device manager messages.
Default: disable

Variable: epmgr {disable | enable}
Description: Enable to log endpoint manager messages.
Default: disable

Variable: event {disable | enable}
Description: Enable to configure log filter messages.
Default: disable

Variable: faz {disable | enable}
Description: Enable to log FortiAnalyzer messages.
Default: disable

Variable: fgd {disable | enable}
Description: Enable to log FortiGuard service messages.
Default: disable

Variable: fgfm {disable | enable}
Description: Enable to log FortiGate/FortiManager communication protocol messages.
Default: disable

Variable: fips {disable | enable}
Description: Enable to log FIPS messages.
Default: disable

Variable: fmgws {disable | enable}
Description: Enable to log web service messages.
Default: disable

Variable: fmlmgr {disable | enable}
Description: Enable to log FortiMail manager messages.
Default: disable

Variable: fmwmgr {disable | enable}
Description: Enable to log firmware manager messages.
Default: disable

Variable: glbcfg {disable | enable}
Description: Enable to log global database messages.
Default: disable

Variable: ha {disable | enable}
Description: Enable to log high availability activity messages.
Default: disable

Variable: iolog {disable | enable}
Description: Enable to log input/output activity messages.
Default: disable

Variable: logd {disable | enable}
Description: Enable to log logd messages.
Default: disable

Variable: lrmgr {disable | enable}
Description: Enable to log log and report manager messages.
Default: disable

Variable: objcfg {disable | enable}
Description: Enable to log object configuration messages.
Default: disable

Variable: rev {disable | enable}
Description: Enable to log revision history messages.
Default: disable

Variable: rtmon {disable | enable}
Description: Enable to log real-time monitor messages.
Default: disable

Variable: scfw {disable | enable}
Description: Enable to log firewall objects messages.
Default: disable

Variable: scply {disable | enable}
Description: Enable to log policy console messages.
Default: disable

Variable: scrmgr {disable | enable}
Description: Enable to log script manager messages.
Default: disable

Variable: scvpn {disable | enable}
Description: Enable to log VPN console messages.
Default: disable

Variable: system {disable | enable}
Description: Enable to log system manager messages.
Default: disable

Variable: webport {disable | enable}
Description: Enable to log web portal messages.
Default: disable

Example

In this example, the local log filters are log and report manager, and system settings. Events in these areas of the FortiManager unit will be logged.

    config system locallog filter
        set event enable
        set lrmgr enable
        set system enable
    end

locallog fortianalyzer setting

Use this command to enable or disable, and select the severity threshold of, remote logging to the FortiAnalyzer unit entered in system log fortianalyzer.

The severity threshold required to forward a log message to the FortiAnalyzer unit is separate from event, syslog, and local logging severity thresholds.

Syntax

    config system locallog fortianalyzer setting
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set status {disable | enable}
    end

Variable: severity {emergency | alert | critical | error | warning | notification | information | debug}
Description: Enter the severity threshold that a log message must meet or exceed to be logged to the unit.
Default: alert

Variable: status {disable | enable}
Description: Enable/disable remote logging to the FortiAnalyzer unit.
Default: disable

Example

You might enable remote logging to the configured FortiAnalyzer unit. Events at the information level and higher, which is everything except debug level events, would be sent to the FortiAnalyzer unit.

    config system locallog fortianalyzer setting
        set status enable
        set severity information
    end

locallog memory setting

Use this command to configure memory settings for local logging purposes.

Syntax

    config system locallog memory setting
        set diskfull {nolog | overwrite}
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set status {disable | enable}
    end

Variable: diskfull {nolog | overwrite}
Description: Enter the action to take when the disk is full:
- nolog: Stop logging when the disk is full
- overwrite: Overwrite the oldest log entries

Variable: severity {emergency | alert | critical | error | warning | notification | information | debug}
Description: Enter the severity level to log.
Default: alert

Variable: status {disable | enable}
Description: Enable/disable the memory buffer log.
Default: disable


Example

This example shows how to enable logging to memory for all events at the notification level and above. At this level of logging, only information and debug events will not be logged.

    config system locallog memory setting
        set severity notification
        set status enable
    end

locallog syslogd (syslogd2, syslogd3) setting

Use this command to configure the settings for logging to a syslog server. You can configure up to three syslog servers: syslogd, syslogd2 and syslogd3.

Syntax

    config system locallog {syslogd | syslogd2 | syslogd3} setting
        set csv {disable | enable}
        set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set status {enable | disable}
        set syslog-name <string>
    end

Variable: csv {disable | enable}
Description: Enable to produce the log in comma separated value (CSV) format. If you do not enable CSV format the FortiManager unit produces space separated log files.
Default: disable


Variable: facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
Description: Enter the facility type. facility identifies the source of the log message to syslog. Change facility to distinguish log messages from different FortiManager units so you can determine the source of the log messages. Available facility types are:
- alert: log alert
- audit: log audit
- auth: security/authorization messages
- authpriv: security/authorization messages (private)
- clock: clock daemon
- cron: cron daemon performing scheduled commands
- daemon: system daemons running background system processes
- ftp: File Transfer Protocol (FTP) daemon
- kernel: kernel messages
- local0 to local7: reserved for local use
- lpr: line printer subsystem
- mail: email system
- news: network news subsystem
- ntp: Network Time Protocol (NTP) daemon
- syslog: messages generated internally by the syslog daemon
Default: local7

Variable: severity {emergency | alert | critical | error | warning | notification | information | debug}
Description: Select the logging severity level. The FortiManager unit logs all messages at and above the logging severity level you select. For example, if you select critical, the unit logs critical, alert and emergency level messages. The logging levels in descending order are:
- emergency: The unit is unusable.
- alert: Immediate action is required.
- critical: Functionality is affected.
- error: Functionality is probably affected.
- warning: Functionality might be affected.
- notification: Information about normal events.
- information: General information about unit operations.
- debug: Information used for diagnosis or debugging.

Variable: status {enable | disable}
Description: Enter enable to begin logging.

Variable: syslog-name <string>
Description: Enter the remote syslog server name.


Example

In this example, the logs are uploaded to a syslog server at IP address 10.10.10.8. The FortiManager unit is identified as facility local0.

    config system locallog syslogd setting
        set facility local0
        set status enable
        set severity information
    end
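On the collector side, the facility chosen above and the severity threshold are both carried in the syslog PRI value. The following is an added example, not Fortinet's code: it decodes PRI into the facility and severity names used in this reference (the numbering is the standard syslog one from RFC 3164/5424, and FortiManager's severity order, emergency first and debug last, matches it), applies the "at and above" threshold rule, and groups lines by originating unit when each unit has been given its own facility. The sample lines and the facility-to-unit mapping are constructed.

```python
"""Decode and filter syslog PRI values from FortiManager locallog syslogd.

Added example, not Fortinet's code. Sample lines are constructed.
"""
import re

# Standard syslog facility numbers 0..23 (RFC 3164 / RFC 5424).
FACILITIES = [
    "kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "clock", "authpriv", "ftp", "ntp", "audit", "alert", "cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity numbers 0..7, in the reference's descending order.
SEVERITIES = [
    "emergency", "alert", "critical", "error", "warning",
    "notification", "information", "debug",
]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, as the syslog header carries it."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Return (facility, severity) names for a PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def passes_threshold(severity, threshold):
    """True when a message at `severity` is logged under `threshold`.

    The reference logs messages "at and above" the configured level, so a
    lower or equal severity number passes (critical passes under a
    threshold of error; debug does not pass under information).
    """
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def demux(lines, facility_to_unit, threshold="information"):
    """Group messages by originating unit (via facility), dropping those
    below the threshold; returns {unit: [(severity, message), ...]}."""
    grouped = {}
    for line in lines:
        match = PRI_RE.match(line)
        if not match:
            continue
        facility, severity = decode_pri(int(match.group(1)))
        if not passes_threshold(severity, threshold):
            continue
        unit = facility_to_unit.get(facility, "unknown")
        grouped.setdefault(unit, []).append((severity, match.group(2)))
    return grouped


# Constructed sample: two FortiManager units, each on its own facility.
UNIT_BY_FACILITY = {"local0": "fmg-site-a", "local2": "fmg-site-b"}
SAMPLE_LINES = [
    "<134>date=2015-01-29 time=08:00:01 msg=admin login from 192.0.2.50",
    "<131>date=2015-01-29 time=08:00:05 msg=install failed on device",
    "<150>date=2015-01-29 time=08:00:09 msg=HA heartbeat received",
    "<151>date=2015-01-29 time=08:00:10 msg=debug trace",
]

if __name__ == "__main__":
    for unit, msgs in demux(SAMPLE_LINES, UNIT_BY_FACILITY).items():
        print(unit, msgs)
```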

log

Use the following commands to configure log settings.

log alert

Use this command to configure log based alert settings.

Syntax

    config system log alert
        set max-alert-count <integer>
    end

Variable: max-alert-count <integer>
Description: The alert count range, between 100 and 1000.

log fortianalyzer

Use this command to configure a connection with the FortiAnalyzer unit which will be used as the FortiManager’s remote log server. You must configure the FortiAnalyzer unit to accept web service connections.

Syntax

    config system log fortianalyzer
        set status {disable | enable}
        set ip <ipv4>
        set secure_connection {disable | enable}
        set localid <string>
        set psk <password_string>
        set username <username_string>
        set passwd <password_string>
        set auto_install {enable | disable}
    end


Variable: status {disable | enable}
Description: Enable/disable the connection to the FortiAnalyzer unit.
Default: disable

Variable: ip <ipv4>
Description: Enter the IP address of the FortiAnalyzer unit.

Variable: secure_connection {disable | enable}
Description: Enable/disable a secure connection with the FortiAnalyzer unit.

Variable: localid <string>
Description: Enter the local ID.

Variable: psk <password_string>
Description: Enter the preshared key used with the FortiAnalyzer unit.

Variable: username <username_string>
Description: Enter the FortiAnalyzer administrator login that the FortiManager unit will use to administer the FortiAnalyzer unit.

Variable: passwd <password_string>
Description: Enter the FortiAnalyzer administrator password for the account specified in username.

Variable: auto_install {enable | disable}
Description: Enable to automatically update the FortiAnalyzer settings as they are changed on the FortiManager unit.
Default: disable

Example

You can configure a secure tunnel for logs and other communications with the FortiAnalyzer unit.

    config system log fortianalyzer
        set status enable
        set ip 192.168.1.100
        set username admin
        set passwd wert5W34bNg
    end

log settings

Use this command to configure settings for logs.

Syntax

    config system log settings
        set FCH-custom-field1 <string>
        set FCT-custom-field1 <string>
        set FGT-custom-field1 <string>
        set FML-custom-field1 <string>
        set FWB-custom-field1 <string>
        set FAZ-custom-field1 <string>
        set FSA-custom-field1 <string>
        set log-file-archive-name {basic | extended}
        config rolling-regular
            set days {fri | mon | sat | sun | thu | tue | wed}
            set del-files {disable | enable}
            set directory <string>
            set file-size <integer>
            set gzip-format {disable | enable}
            set hour <integer>
            set ip <ipv4_address>
            set ip2 <ipv4_address>
            set ip3 <ipv4_address>
            set log-format {csv | native | text}
            set min <integer>
            set password <string>
            set password2 <string>
            set password3 <string>
            set server-type {ftp | scp | sftp}
            set upload {disable | enable}
            set upload-hour <integer>
            set upload-mode backup
            set upload-trigger {on-roll | on-schedule}
            set username <string>
            set username2 <string>
            set username3 <string>
            set when {daily | none | weekly}
        end
    end

Variable: FCH-custom-field1 <string>, FCT-custom-field1 <string>, FGT-custom-field1 <string>, FML-custom-field1 <string>, FWB-custom-field1 <string>, FAZ-custom-field1 <string>, FSA-custom-field1 <string>
Description: Enter a name of the custom log field to index.

Variable: log-file-archive-name {basic | extended}
Description: Log file name format for archiving, such as backup, upload or download.
- basic: Basic format for log archive file name, e.g. FGT20C0000000001.tlog.1417797247.log.
- extended: Extended format for log archive file name, e.g. FGT20C0000000001.2014-12-05-08:34:58.tlog.1417797247.log.


Variables for config rolling-regular subcommand:

Variable: days {fri | mon | sat | sun | thu | tue | wed}
Description: Log files rolling schedule (days of the week). When when is set to weekly, you can configure days, hour, and min values.

Variable: del-files {disable | enable}
Description: Enable/disable log file deletion after uploading.

Variable: directory <string>
Description: The upload server directory.

Variable: file-size <integer>
Description: Roll log files when they reach this size (MB).

Variable: gzip-format {disable | enable}
Description: Enable/disable compression of uploaded log files.

Variable: hour <integer>
Description: Log files rolling schedule (hour).

Variable: ip <ipv4_address>, ip2 <ipv4_address>, ip3 <ipv4_address>
Description: Upload server IP addresses. Configure up to three servers.

Variable: log-format {csv | native | text}
Description: Format of uploaded log files.

Variable: min <integer>
Description: Log files rolling schedule (minutes).

Variable: password <string>, password2 <string>, password3 <string>
Description: Upload server login passwords.

Variable: server-type {ftp | scp | sftp}
Description: Upload server type.

Variable: upload {disable | enable}
Description: Enable/disable log file uploads.

Variable: upload-hour <integer>
Description: Log files upload schedule (hour).

Variable: upload-mode backup
Description: Configure upload mode with multiple servers. Servers are attempted and used one after the other upon failure to connect.

Variable: upload-trigger {on-roll | on-schedule}
Description: Event triggering log files upload:
- on-roll: Upload log files after they are rolled.
- on-schedule: Upload log files daily.

Variable: username <string>, username2 <string>, username3 <string>
Description: Upload server login usernames.

Variable: when {daily | none | weekly}
Description: Roll log files periodically.


mail

Use this command to configure mail servers on your FortiManager unit.

Syntax

    config system mail
        edit <server>
            set auth {enable | disable}
            set passwd <password_string>
            set port <port>
            set user <string>
        end

Variable: <server>
Description: Enter the name of the mail server.

Variable: auth {enable | disable}
Description: Enable/disable authentication.

Variable: passwd <password_string>
Description: Enter the SMTP account password value.

Variable: port <port>
Description: Enter the SMTP server port.

Variable: user <string>
Description: Enter the SMTP account user name.

metadata

Use this command to add additional information fields to the administrator accounts of your FortiManager unit.

This command creates the metadata fields. Use config system admin user to add data to the metadata fields.

Syntax

    config system metadata admins
        edit <fieldname>
            set field_length {20 | 50 | 255}
            set importance {optional | required}
            set status {enable | disable}
        end


Variable: <fieldname>
Description: Enter the name of the field.

Variable: field_length {20 | 50 | 255}
Description: Select the maximum number of characters allowed in this field: 20, 50, or 255.
Default: 50

Variable: importance {optional | required}
Description: Select if this field is required or optional when entering standard information.
Default: optional

Variable: status {enable | disable}
Description: Enable/disable the metadata.
Default: disable

ntp

Use this command to configure automatic time setting using a network time protocol (NTP) server.

Syntax

    config system ntp
        set status {enable | disable}
        set sync_interval <min_str>
        config ntpserver
            edit <id>
                set ntpv3 {disable | enable}
                set server {<ipv4> | <fqdn_str>}
                set authentication {disable | enable}
                set key <password_string>
                set key-id <integer>
            end
        end

Variable: status {enable | disable}
Description: Enable/disable NTP time setting.
Default: disable

Variable: sync_interval <min_str>
Description: Enter how often, in minutes, the FortiManager unit synchronizes its time with the NTP server.
Default: 60

Variables for config ntpserver subcommand:

Variable: ntpv3 {disable | enable}
Description: Enable/disable NTPv3.
Default: disable

Variable: server {<ipv4> | <fqdn_str>}
Description: Enter the IP address or fully qualified domain name of the NTP server.

Variable: authentication {disable | enable}
Description: Enable/disable MD5 authentication.
Default: disable

Variable: key <password_string>
Description: The authentication key.

Variable: key-id <integer>
Description: The key ID for authentication.
Default: 0

password-policy

Use this command to configure access password policies.

Syntax

    config system password-policy
        set status {disable | enable}
        set minimum-length <integer>
        set must-contain <lower-case-letter | non-alphanumeric | number | upper-case-letter>
        set change-4-characters {disable | enable}
        set expire <integer>
    end

Variable: status {disable | enable}
Description: Enable/disable the password policy.
Default: enable

Variable: minimum-length <integer>
Description: Set the password's minimum length. Must contain between 8 and 256 characters.
Default: 8

Variable: must-contain <lower-case-letter | non-alphanumeric | number | upper-case-letter>
Description: Characters that a password must contain.
- lower-case-letter: the password must contain at least one lower case letter
- non-alphanumeric: the password must contain at least one non-alphanumeric character
- number: the password must contain at least one number
- upper-case-letter: the password must contain at least one upper case letter

Variable: change-4-characters {disable | enable}
Description: Enable/disable changing at least 4 characters for a new password.
Default: disable

Variable: expire <integer>
Description: Set the number of days after which admin users' passwords will expire; 0 means never.
Default: 0
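The policy settings above can be checked against a candidate password before it is set. The following is an added example, not Fortinet's code: it applies minimum-length (8 to 256), the must-contain classes, change-4-characters and expire (0 = never). The reference does not say how FortiManager counts "changed characters"; here that is taken as the number of differing positions plus any length difference, which is an assumption, and the policy values are constructed.

```python
"""Check a candidate password against `config system password-policy`.

Added example, not Fortinet's code. The change-4-characters metric is an
assumption (see changed_characters); the STRICT policy is constructed.
"""
from dataclasses import dataclass, field

CLASS_CHECKS = {
    "lower-case-letter": lambda s: any(c.islower() for c in s),
    "upper-case-letter": lambda s: any(c.isupper() for c in s),
    "number": lambda s: any(c.isdigit() for c in s),
    "non-alphanumeric": lambda s: any(not c.isalnum() for c in s),
}


@dataclass
class PasswordPolicy:
    status: bool = True            # Default: enable
    minimum_length: int = 8        # Default: 8, documented range 8-256
    must_contain: frozenset = field(default_factory=frozenset)
    change_4_characters: bool = False  # Default: disable
    expire: int = 0                # days; 0 means never

    def __post_init__(self):
        if not 8 <= self.minimum_length <= 256:
            raise ValueError("minimum-length must be between 8 and 256")
        unknown = set(self.must_contain) - set(CLASS_CHECKS)
        if unknown:
            raise ValueError(f"unknown must-contain class: {sorted(unknown)}")
        if self.expire < 0:
            raise ValueError("expire must be 0 or a positive number of days")


def changed_characters(old, new):
    """Assumed metric: differing positions plus the length difference."""
    common = min(len(old), len(new))
    diffs = sum(1 for a, b in zip(old[:common], new[:common]) if a != b)
    return diffs + abs(len(old) - len(new))


def violations(policy, new_password, old_password=None):
    """Return the policy rules the new password breaks (empty list = ok)."""
    if not policy.status:
        return []
    found = []
    if len(new_password) < policy.minimum_length:
        found.append(f"minimum-length {policy.minimum_length}")
    for cls in sorted(policy.must_contain):
        if not CLASS_CHECKS[cls](new_password):
            found.append(f"must-contain {cls}")
    if (policy.change_4_characters and old_password is not None
            and changed_characters(old_password, new_password) < 4):
        found.append("change-4-characters")
    return found


def is_expired(policy, days_since_change):
    """True once the password is `expire` days old or older (never when 0)."""
    return policy.expire > 0 and days_since_change >= policy.expire


# Constructed policy: every character class required, 4-character change on.
STRICT = PasswordPolicy(
    minimum_length=10,
    must_contain=frozenset(CLASS_CHECKS),
    change_4_characters=True,
    expire=90,
)

if __name__ == "__main__":
    for candidate in ("password", "Passw0rd!#", "Xy7!Zq9#Lm"):
        print(candidate, violations(STRICT, candidate, old_password="Passw0rd!!"))
```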

report

Use the following command to configure report related settings.

report auto-cache

Use this command to view or configure report auto-cache settings.

Syntax

    config system report auto-cache
        set aggressive-drilldown {enable | disable}
        set aggressive-schedule {enable | disable}
        set drilldown-interval <integer>
        set drilldown-status {enable | disable}
        set order {latest-first | oldest-first}
        set status {enable | disable}
    end

Variable: aggressive-drilldown {enable | disable}
Description: Enable/disable the aggressive drill-down auto-cache.

Variable: aggressive-schedule {enable | disable}
Description: Enable/disable auto-cache on scheduled reports aggressively.

Variable: drilldown-interval <integer>
Description: The time interval in hours for drill-down auto-cache.

Variable: drilldown-status {enable | disable}
Description: Enable/disable drill-down auto-cache.

Variable: order {latest-first | oldest-first}
Description: The order in which SQL log tables are processed:
- latest-first: The latest SQL log table is processed first.
- oldest-first: The oldest SQL log table is processed first.

Variable: status {enable | disable}
Description: Enable/disable the SQL report auto-cache.

report est-browse-time

Use this command to view or configure report settings.


Syntax

    config system report est-browse-time
        set max-num-user <integer>
        set status {enable | disable}
    end

Variable: max-num-user <integer>
Description: Set the maximum number of users to estimate browse time.

Variable: status {enable | disable}
Description: Enable/disable estimating browse time.

report group

Use these commands to configure report grouping.

Syntax

    config system report group
        edit <group-id>
            set adom <ADOM name>
            set case-insensitive {enable | disable}
            set report-like <string>
            config chart-alternative
                edit <chart-name>
                    set chart-replace <string>
                next
            end
            config group-by
                edit <variable-name>
                    set var-expression <string>
                next
            end
        next
    end

Variable: <group-id>
Description: Enter the report group ID or enter a new name to create a new entry.

Variable: adom <ADOM name>
Description: Enter the ADOM name.

Variable: case-insensitive {enable | disable}
Description: Enable/disable case insensitive match.
- disable: Disable the case insensitive match.
- enable: Enable the case insensitive match.

Variable: report-like <string>
Description: Enter the report name string.


Variables for config group-by subcommand:

Variable: <var-name>
Description: Enter the variable name or enter a new name to create a new entry.

Variable: var-expression <string>
Description: Enter the variable expression.

report setting

Use these commands to view or configure report settings.

Syntax

    config system report setting
        set hcache-lossless {enable | disable}
        set max-table-rows <integer>
        set report-priority {low | normal}
        set week-start {mon | sun}
    end

Variable: hcache-lossless {enable | disable}
Description: Enable/disable hcache lossless.
- disable: Use ready-with-loss hcaches.
- enable: Do not use ready-with-loss hcaches.

Variable: max-table-rows <integer>
Description: Set the maximum number of rows that can be generated in a single table.
Range: 10000 to 100000

Variable: report-priority {low | normal}
Description: Priority of SQL report.
- low: Low
- normal: Normal

Variable: week-start {mon | sun}
Description: Set the day that the week starts on, either Sunday or Monday.

Use the show command to display the current configuration if it has been changed from its default value:

    show system report setting

route

Use this command to view or configure static routing table entries on your FortiManager unit.

Syntax

    config system route
        edit <seq_int>
            set device <port_str>
            set dst <dst_ipv4mask>
            set gateway <ipv4_address>
        end

Variable: <seq_int>
Description: Enter an unused routing sequence number to create a new route. Enter an existing route number to edit that route.

Variable: device <port_str>
Description: Enter the port used for this route.

Variable: dst <dst_ipv4mask>
Description: Enter the IP address and mask for the destination network.

Variable: gateway <ipv4_address>
Description: Enter the default gateway IP address for this network.

route6

Use this command to view or configure static IPv6 routing table entries on your FortiManager unit.

Syntax

config system route6 edit <seq_int> set device <string> set dst <ipv6_address> end set gateway <ipv6_address>

CLI Reference

Fortinet Technologies Inc.

108

system

Variable

<seq_int> device <string> dst <ipv6_address> gateway <ipv6_address> snmp

Description

Enter an unused routing sequence number to create a new route.

Enter an existing route number to edit that route.

Enter the port used for this route.

Enter the IP address and mask for the destination network.

Enter the default gateway IP address for this network.

snmp

Use the following commands to configure SNMP related settings.

snmp community

Use this command to configure SNMP communities on your FortiManager unit.

You add SNMP communities so that SNMP managers, typically applications running on computers to monitor SNMP status information, can connect to the FortiManager unit (the SNMP agent) to view system information and receive SNMP traps. SNMP traps are triggered when system events happen such as when there is a system restart, or when the log disk is almost full.

You can add up to three SNMP communities, and each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiManager unit for a different set of events.

Hosts are the SNMP managers that make up this SNMP community. Host information includes the IP address and interface that connects it to the FortiManager unit.

For more information on SNMP traps and variables, see the Fortinet Document Library.

Part of configuring an SNMP manager is to list it as a host in a community on the FortiManager unit that it will be monitoring. Otherwise that SNMP manager will not receive any traps or events from the FortiManager unit, and will be unable to query the FortiManager unit as well.

Syntax

config system snmp community
    edit <index_number>
        set events <events_list>
        set name <community_name>
        set query-v1-port <port_number>
        set query-v1-status {enable | disable}
        set query-v2c-port <port_number>
        set query-v2c-status {enable | disable}
        set status {enable | disable}
        set trap-v1-rport <port_number>
        set trap-v1-status {enable | disable}
        set trap-v2c-rport <port_number>
        set trap-v2c-status {enable | disable}
        config hosts
            edit <host_number>
                set interface <if_name>
                set ip <ipv4_address>
            end
    end

<index_number>
    Enter the index number of the community in the SNMP communities table. Enter an unused index number to create a new SNMP community.
events <events_list>
    Enable the events for which the FortiManager unit should send traps to the SNMP managers in this community. The raid_changed event is only available for devices which support RAID.
    - cpu-high-exclude-nice: CPU usage exclude NICE threshold.
    - cpu_high: CPU usage too high.
    - disk_low: Disk usage too high.
    - ha_switch: HA switch.
    - intf_ip_chg: Interface IP address changed.
    - lic-dev-quota: High licensed device quota detected.
    - lic-gbday: High licensed log GB/day detected.
    - log-alert: Log base alert message.
    - log-data-rate: High incoming log data rate detected.
    - log-rate: High incoming log rate detected.
    - mem_low: Available memory is low.
    - raid_changed: RAID status changed.
    - sys_reboot: System reboot.
    Default: All events enabled
name <community_name>
    Enter the name of the SNMP community. Names can be used to distinguish between the roles of the hosts in the groups. For example the Logging and Reporting group would be interested in the disk_low events, but likely not the other events.
    The name is included in SNMPv2c trap packets to the SNMP manager, and is also present in query packets from the SNMP manager.
query-v1-port <port_number>
    Enter the SNMPv1 query port number used when SNMP managers query the FortiManager unit.
    Default: 161
query-v1-status {enable | disable}
    Enable/disable SNMPv1 queries for this SNMP community.
    Default: enable
query-v2c-port <port_number>
    Enter the SNMPv2c query port number used when SNMP managers query the FortiManager unit. SNMPv2c queries will include the name of the community.
    Default: 161
query-v2c-status {enable | disable}
    Enable/disable SNMPv2c queries for this SNMP community.
    Default: enable
status {enable | disable}
    Enable/disable this SNMP community.
    Default: enable
trap-v1-rport <port_number>
    Enter the SNMPv1 remote port number used for sending traps to the SNMP managers.
    Default: 162
trap-v1-status {enable | disable}
    Enable/disable SNMPv1 traps for this SNMP community.
    Default: enable
trap-v2c-rport <port_number>
    Enter the SNMPv2c remote port number used for sending traps to the SNMP managers.
    Default: 162
trap-v2c-status {enable | disable}
    Enable/disable SNMPv2c traps for this SNMP community. SNMPv2c traps sent out to SNMP managers include the community name.
    Default: enable

Host variable

<host_number>
    Enter the index number of the host in the table. Enter an unused index number to create a new host.
interface <if_name>
    Enter the name of the FortiManager unit interface that connects to the SNMP manager.
ip <ipv4_address>
    Enter the IPv4 address of the SNMP manager.
    Default: 0.0.0.0

Example

This example shows how to add a new SNMP community named SNMP_Com1. The default configuration can be used in most cases with only a few modifications. In the example below the community is added, given a name, and then because this community is for an SNMP manager that is SNMPv1 compatible, all v2c functionality is disabled. After the community is configured the SNMP manager, or host, is added. The SNMP manager IP address is 192.168.20.34 and it connects to the FortiManager unit internal interface.

config system snmp community
    edit 1
        set name SNMP_Com1
        set query-v2c-status disable
        set trap-v2c-status disable
        config hosts
            edit 1
                set interface internal
                set ip 192.168.10.34
            end
    end

snmp sysinfo

Use this command to enable the FortiManager SNMP agent and to enter basic system information used by the SNMP agent. Enter information about the FortiManager unit to identify it. When your SNMP manager receives traps from the FortiManager unit, you will know which unit sent the information. Some SNMP traps indicate high CPU usage, log full, or low memory.

For more information on SNMP traps and variables, see the Fortinet Document Library.

Syntax

config system snmp sysinfo
    set contact-info <info_str>
    set description <description>
    set engine-id <string>
    set location <location>
    set status {enable | disable}
    set trap-high-cpu-threshold <percentage>
    set trap-low-memory-threshold <percentage>
    set trap-cpu-high-exclude-nice-threshold <percentage>
end

contact-info <info_str>
    Add the contact information for the person responsible for this FortiManager unit. The contact information can be up to 35 characters long.
description <description>
    Add a name or description of the FortiManager unit. The description can be up to 35 characters long.
engine-id <string>
    Local SNMP engine ID string (maximum 24 characters).
location <location>
    Describe the physical location of the FortiManager unit. The system location description can be up to 35 characters long.
status {enable | disable}
    Enable/disable the FortiManager SNMP agent.
    Default: disable
trap-high-cpu-threshold <percentage>
    CPU usage percentage at which the trap is sent.
    Default: 80
trap-low-memory-threshold <percentage>
    Memory usage percentage at which the trap is sent.
    Default: 80
trap-cpu-high-exclude-nice-threshold <percentage>
    CPU usage percentage, excluding nice time, at which the trap is sent.

Example

This example shows how to enable the FortiManager SNMP agent and add basic SNMP information.

config system snmp sysinfo
    set status enable
    set contact-info 'System Admin ext 245'
    set description 'Internal network unit'
    set location 'Server Room A121'
end
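The following is an added example, not FortiManager code, showing how the three threshold variables above translate into a decision to raise the cpu_high, cpu-high-exclude-nice and mem_low traps. It assumes Linux-style /proc/stat and /proc/meminfo counters (constructed inline), that "excluding nice" means time spent in niced processes is not counted as busy, that a trap fires when usage reaches the threshold (>=), and it takes 80 as the exclude-nice default because this page gives none. The appliance's own sampling rules are not documented here.

```python
"""Threshold evaluation for the cpu_high, cpu-high-exclude-nice and mem_low
SNMP traps. Added example; the counter layout and the >= comparison are
assumptions, not FortiManager behaviour stated on this page."""

# Constructed /proc/stat "cpu" lines from two samples taken some seconds
# apart. Columns: user nice system idle iowait irq softirq steal.
SAMPLE_BEFORE = "cpu  1000 500 300 8000 100 0 0 0"
SAMPLE_AFTER = "cpu  1900 1400 600 8300 100 0 0 0"

# Constructed /proc/meminfo excerpt (values in kB).
MEMINFO = """MemTotal:       8000000 kB
MemFree:         300000 kB
Buffers:         100000 kB
Cached:         1100000 kB
"""


def parse_cpu_line(line):
    fields = line.split()
    if fields[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line")
    return [int(v) for v in fields[1:]]


def cpu_usage_percent(before, after, exclude_nice=False):
    """Busy share of the jiffies elapsed between two /proc/stat samples."""
    delta = [a - b for a, b in zip(parse_cpu_line(after), parse_cpu_line(before))]
    total = sum(delta)
    idle = delta[3] + delta[4]          # idle + iowait
    busy = total - idle
    if exclude_nice:
        busy -= delta[1]                # niced work is not counted as load
    return 100.0 * busy / total


def parse_meminfo(text):
    values = {}
    for line in text.splitlines():
        if ":" in line:
            key, rest = line.split(":", 1)
            values[key.strip()] = int(rest.split()[0])
    return values


def memory_usage_percent(meminfo_text):
    """Used memory excluding buffers and page cache, as a share of MemTotal."""
    m = parse_meminfo(meminfo_text)
    used = m["MemTotal"] - m["MemFree"] - m["Buffers"] - m["Cached"]
    return 100.0 * used / m["MemTotal"]


def evaluate_traps(before, after, meminfo_text,
                   trap_high_cpu_threshold=80,
                   trap_cpu_high_exclude_nice_threshold=80,
                   trap_low_memory_threshold=80):
    """Map each SNMP event name to whether its trap would fire (defaults 80%)."""
    return {
        "cpu_high": cpu_usage_percent(before, after) >= trap_high_cpu_threshold,
        "cpu-high-exclude-nice": cpu_usage_percent(before, after, exclude_nice=True)
        >= trap_cpu_high_exclude_nice_threshold,
        "mem_low": memory_usage_percent(meminfo_text) >= trap_low_memory_threshold,
    }


if __name__ == "__main__":
    for event, fired in evaluate_traps(SAMPLE_BEFORE, SAMPLE_AFTER, MEMINFO).items():
        print("%-22s %s" % (event, "TRAP" if fired else "ok"))
```

With the constructed samples the interval is 87.5% busy overall but only 50% once the niced work is discounted, so at the default 80% cpu_high fires while cpu-high-exclude-nice does not; memory sits at 81.25% and triggers mem_low. The gap between the two CPU figures is the reason a separate exclude-nice threshold exists: batch jobs run at low priority inflate raw CPU usage without indicating a starved system.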

snmp user

Use this command to configure SNMPv3 users on your FortiManager unit. To use SNMPv3, you will first need to enable the FortiManager SNMP agent. For more information, see snmp sysinfo. There should be a corresponding configuration on the SNMP server in order to query or receive traps from FortiManager.

For more information on SNMP traps and variables, see the Fortinet Document Library.

Syntax

config system snmp user
    edit <name>
        set auth-proto {md5 | sha}
        set auth-pwd <password_string>
        set events <events_list>
        set notify-hosts <ipv4_address>
        set priv-proto {aes | des}
        set priv-pwd <password_string>
        set queries {enable | disable}
        set query-port <port_number>
        set security-level <level>
    end
end

<name>
    Enter a SNMPv3 user name to add, edit, or delete.
auth-proto {md5 | sha}
    Authentication protocol. The security level must be set to auth-no-priv or auth-priv to use this variable. Select one of the following:
    - md5: HMAC-MD5-96 authentication protocol
    - sha: HMAC-SHA-96 authentication protocol
auth-pwd <password_string>
    Password for the authentication protocol. The security level must be set to auth-no-priv or auth-priv to use this variable.
events <events_list>
    Enable the events for which the FortiManager unit should send traps to the SNMPv3 managers in this community. The raid_changed event is only available for devices which support RAID.
    - cpu-high-exclude-nice: CPU usage exclude nice threshold.
    - cpu_high: The CPU usage is too high.
    - disk_low: The log disk is getting close to being full.
    - ha_switch: A new unit has become the HA master.
    - intf_ip_chg: An interface IP address has changed.
    - lic-dev-quota: High licensed device quota detected.
    - lic-gbday: High licensed log GB/Day detected.
    - log-alert: Log base alert message.
    - log-data-rate: High incoming log data rate detected.
    - log-rate: High incoming log rate detected.
    - mem_low: The available memory is low.
    - raid_changed: RAID status changed.
    - sys_reboot: The FortiManager unit has rebooted.
    Default: All events enabled.
notify-hosts <ipv4_address>
    Hosts to send notifications (traps) to.
priv-proto {aes | des}
    Privacy (encryption) protocol. The security level must be set to auth-no-priv or auth-priv to use this variable. Select one of the following:
    - aes: CFB128-AES-128 symmetric encryption protocol
    - des: CBC-DES symmetric encryption protocol
priv-pwd <password_string>
    Password for the privacy (encryption) protocol. The security level must be set to auth-no-priv or auth-priv to use this variable.
queries {enable | disable}
    Enable/disable queries for this user.
    Default: enable
query-port <port_number>
    SNMPv3 query port.
    Default: 161
security-level <level>
    Security level for message authentication and encryption.
    - auth-no-priv: Message with authentication but no privacy (encryption).
    - auth-priv: Message with authentication and privacy (encryption).
    - no-auth-no-priv: Message with no authentication and no privacy (encryption).
    Default: no-auth-no-priv
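What an SNMPv3 manager does with the auth-pwd and priv-pwd configured above is key localization as defined in RFC 3414 (USM). The example below is added here and is not FortiManager code: the password is stretched into a key (Ku) and then bound to the agent's engine ID (Kul), so the same password yields a different key for every agent and the engine-id set under snmp sysinfo must be what the manager sees. auth-proto md5/sha select the hash; the engine ID is passed as hex, and the sample password and engine ID are the RFC's own test vectors. How the appliance encodes its engine-id string on the wire is not stated on this page.

```python
"""RFC 3414 password-to-key and key localization (Appendix A.2).
Added example, not FortiManager code; function names are this example's own."""
import hashlib

HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}
ONE_MEBIBYTE = 1048576


def password_to_key(password, proto):
    """Ku = H(password repeated out to exactly 1 MiB), RFC 3414 A.2.1 / A.2.2."""
    if not password:
        raise ValueError("empty password")
    if proto not in HASHES:
        raise ValueError("auth-proto must be md5 or sha")
    reps, rem = divmod(ONE_MEBIBYTE, len(password))
    return HASHES[proto](password * reps + password[:rem]).digest()


def localize_key(ku, engine_id, proto):
    """Kul = H(Ku || engineID || Ku): the key bound to one agent's engine ID."""
    return HASHES[proto](ku + engine_id + ku).digest()


def localized_key(password, engine_id_hex, proto):
    """Convenience wrapper: text password and hex engine ID in, hex key out."""
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_key(password.encode("utf-8"), proto)
    return localize_key(ku, engine_id, proto).hex()


if __name__ == "__main__":
    # RFC 3414 A.3 vectors: password "maplesyrup", engine ID 0x00...02 (12 bytes)
    for proto in ("md5", "sha"):
        print(proto, localized_key("maplesyrup", "000000000000000000000002", proto))
```

Two practical consequences follow from the derivation: a manager configured with the wrong engine ID derives a different Kul and every authenticated request fails, which is the first thing to check when an SNMPv3 user "does not work"; and because the default security-level is no-auth-no-priv, a user that is never switched to auth-priv (with sha and aes, which are the stronger choices of the options listed) sends its queries and traps without any of this protection.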

sql

Configure Structured Query Language (SQL) settings.

Syntax

config system sql
    set database-name <string>
    set database-type <postgres>
    set device-count-high {disable | enable}
    set event-table-partition-time <integer>
    set logtype {none | app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan}
    set password <password_string>
    set prompt-sql-upgrade {enable | disable}
    set rebuild-event {enable | disable}
    set rebuild-event-start-time <hh:mm> <yyyy/mm/dd>
    set resend-device < >
    set reset {enable | disable}
    set server <string>
    set start-time <hh>:<mm> <yyyy>/<mm>/<dd>
    set status {disable | local | remote}
    set text-search-index {disable | enable}
    set traffic-table-partition-time <integer>
    set username <string>
    set utm-table-partition-time <integer>
    config custom-index
        edit <id>
            set device-type {FortiCache | FortiGate | FortiMail | FortiSandbox | FortiWeb}
            set index-field <Field-Name>
            set log-type <Log-Type>
        end
    config ts-index-field
        edit <category>
            set <value> <string>
        end
end

database-name <string>
    Database name. Command only available when status is set to remote.
database-type <postgres>
    Database type. Command only available when status is set to local or remote.
device-count-high {disable | enable}
    Must set to enable if the count of registered devices is greater than 8000.
    - disable: Set to disable if device count is less than 8000.
    - enable: Set to enable if device count is equal to or greater than 8000.
event-table-partition-time <integer>
    Maximum SQL database table partitioning time range in minutes (0 for unlimited) for event logs. SQL database table partitioning time range between 0 and 525600 minutes.
logtype {none | app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan}
    Log type. Command only available when status is set to local or remote.
password <password_string>
    The password that the Fortinet unit will use to authenticate with the remote database. Command only available when status is set to remote.
prompt-sql-upgrade {enable | disable}
    Enable/disable prompt to convert log database into SQL database at start time in GUI.
rebuild-event {enable | disable}
    Enable/disable a rebuild event during SQL database rebuilding.
rebuild-event-start-time <hh:mm> <yyyy/mm/dd>
    The rebuild event starting date and time.
reset {enable | disable}
    This command is hidden.
server <string>
    Set the database IP address or hostname.
start-time <hh>:<mm> <yyyy>/<mm>/<dd>
    Start date and time <hh:mm yyyy/mm/dd>. Command only available when status is set to local or remote.
status {disable | local | remote}
    SQL database status.
text-search-index {disable | enable}
    Disable or enable the text search index.
traffic-table-partition-time <integer>
    Maximum SQL database table partitioning time range in minutes (0 for unlimited) for traffic logs. SQL database table partitioning time range between 0 and 525600 minutes.
username <string>
    User name for logging in to the remote database.
utm-table-partition-time <integer>
    Maximum SQL database table partitioning time range in minutes (0 for unlimited) for UTM logs. SQL database table partitioning time range between 0 and 525600 minutes.

Variables for config custom-index subcommand:

device-type {FortiCache | FortiGate | FortiMail | FortiSandbox | FortiWeb}
    Set the device type. Select one of the following:
    - FortiCache
    - FortiGate
    - FortiMail
    - FortiSandbox
    - FortiWeb
index-field <Field-Name>
    Type a valid field name. Select one of the available field names. The available options for index-field depend on the device-type entry.
log-type <Log-Type>
    Type the log type. The available options for log-type depend on the device-type entry. Select one of the available log types.
    - FortiCache: N/A
    - FortiGate: app-ctrl, content, dlp, emailfilter, event, netscan, traffic, virus, voip, webfilter
    - FortiMail: emailfilter, event, history, virus
    - FortiSandbox: N/A
    - FortiWeb: attack, event, traffic

Variables for config ts-index-field subcommand:

<category>
    Category of the text search index fields. The following is the list of categories and their default fields. Select one of the following:
    - FGT-app-ctrl: user, group, srcip, dstip, dstport, service, app, action, status, hostname
    - FGT-attack: severity, srcip, proto, user, attackname
    - FGT-content: from, to, subject, action, srcip, dstip, hostname, status
    - FGT-dlp: user, srcip, service, action, file
    - FGT-emailfilter: user, srcip, from, to, subject
    - FGT-event: subtype, ui, action, msg
    - FGT-traffic: user, srcip, dstip, service, app, utmaction, utmevent
    - FGT-virus: service, srcip, file, virus, user
    - FGT-voip: action, user, src, dst, from, to
    - FGT-webfilter: user, srcip, status, catdesc
    - FGT-netscan: user, dstip, vuln, severity, os
    - FML-emailfilter: client_name, dst_ip, from, to, subject
    - FML-event: subtype, msg
    - FML-history: classifier, disposition, from, to, client_name, direction, domain, virus
    - FML-virus: src, msg, from, to
    - FWB-attack: http_host, http_url, src, dst, msg, action
    - FWB-event: ui, action, msg
    - FWB-traffic: src, dst, service, http_method, msg
<value> <string>
    Fields of the text search filter. Select one or more field names separated with a comma. The available field names depend on the category selected.

syslog

Use this command to configure syslog servers.

Syntax

config system syslog
    edit <name>
        set ip <string>
        set port <integer>
    end
end

ip <string>
    Syslog server IP address or hostname.
port <integer>
    Syslog server port.

fmupdate

Use fmupdate to configure settings related to FortiGuard service updates and the FortiManager unit’s built-in FDS.

CLI commands and variables are case sensitive.

analyzer virusreport

Use this command to enable or disable notification of virus detection to FortiGuard.

Syntax

config fmupdate analyzer virusreport
    set status {enable | disable}
end

status {enable | disable}
    Enable/disable sending virus detection notification to FortiGuard.
    Default: enable

Example

This example enables virus detection notifications to FortiGuard.

config fmupdate analyzer virusreport
    set status enable
end

av-ips

Use the following commands to configure antivirus and IPS related settings.

av-ips advanced-log

Use this command to enable logging of FortiGuard antivirus and IPS update packages received by the FortiManager unit’s built-in FDS from the external FDS.

Syntax

config fmupdate av-ips advanced-log
    set log-fortigate {enable | disable}
    set log-server {enable | disable}
end

log-fortigate {enable | disable}
    Enable/disable logging of FortiGuard antivirus and IPS service updates of FortiGate devices.
    Default: disable
log-server {enable | disable}
    Enable/disable logging of update packages received by the built-in FDS server.
    Default: disable

Example

You could enable logging of FortiGuard antivirus updates to FortiClient installations and update packages downloaded by the built-in FDS from the FDS.

config fmupdate av-ips advanced-log
    set log-forticlient enable
    set log-server enable
end

av-ips fct server-override

Use this command to override the default IP address and port that the built-in FDS contacts when requesting FortiGuard antivirus updates for FortiClient from the FDS.

Syntax

config fmupdate av-ips fct server-override
    set status {enable | disable}
    config servlist
        edit <id>
            set ip <ipv4_address>
            set port <integer>
        end
end

status {enable | disable}
    Enable/disable the override.
    Default: disable

Variable for config servlist subcommand:

<id>
    Override server ID (1-10).
ip <ipv4_address>
    Enter the IPv4 address of the override server.
    Default: 0.0.0.0
port <integer>
    Enter the port number to use when contacting the FDS.
    Default: 443

Example

You could configure the FortiManager unit’s built-in FDS to use a specific FDS server and a different port when retrieving FortiGuard antivirus updates for FortiClient from the FDS.

config fmupdate av-ips fct server-override
    set status enable
    config servlist
        edit 1
            set ip 192.168.25.152
            set port 80
        end
end

av-ips fgt server-override

Use this command to override the default IP address and port that the built-in FDS contacts when requesting FortiGuard antivirus and IPS updates for FortiGate units from the FDS.

Syntax

config fmupdate av-ips fgt server-override
    set status {enable | disable}
    config servlist
        edit <id>
            set ip <ipv4_address>
            set port <integer>
        end
end

status {enable | disable}
    Enable/disable the override.
    Default: disable

Variable for config servlist subcommand:

<id>
    Override server ID (1-10).
ip <ipv4_address>
    Enter the IPv4 address of the override server.
    Default: 0.0.0.0
port <integer>
    Enter the port number to use when contacting the FDS.
    Default: 443

Example

You could configure the FortiManager unit’s built-in FDS to use a specific FDS server and a different port when retrieving FortiGuard antivirus and IPS updates for FortiGate units from the FDS.

config fmupdate av-ips fgt server-override
    set status enable
    config servlist
        edit 1
            set ip 172.27.152.144
            set port 8890
        end
end

av-ips push-override

Use this command to enable or disable push updates, and to override the default IP address and port to which the FDS sends FortiGuard antivirus and IPS push messages.

This is useful if push notifications must be sent to an IP address and/or port other than the FortiManager unit, such as the external or virtual IP address of a NAT device that forwards traffic to the FortiManager unit.

Syntax

config fmupdate av-ips push-override
    set ip <ipv4_address>
    set port <recipientport_int>
    set status {enable | disable}
end

ip <ipv4_address>
    Enter the external or virtual IP address of the NAT device that will forward push messages to the FortiManager unit.
    Default: 0.0.0.0
port <recipientport_int>
    Enter the receiving port number on the NAT device.
    Default: 9443
status {enable | disable}
    Enable/disable the push updates.
    Default: disable

Example

You could enable the FortiManager unit’s built-in FDS to receive push messages.

If there is a NAT device or firewall between the FortiManager unit and the FDS, you could also notify the FDS to send push messages to the external IP address of the NAT device, instead of the FortiManager unit’s private network IP address.

config fmupdate av-ips push-override
    set status enable
    set ip 172.16.124.135
    set port 9000
end

You would then configure port forwarding on the NAT device, forwarding push messages received on User Datagram Protocol (UDP) port 9000 to the FortiManager unit on UDP port 9443.

av-ips push-override-to-client

Use this command to enable or disable push updates, and to override the default IP address and port to which the FDS sends FortiGuard antivirus and IPS push messages.

This command is useful if push notifications must be sent to an IP address and/or port other than the FortiManager unit, such as the external or virtual IP address of a NAT device that forwards traffic to the FortiManager unit.

Syntax

config fmupdate av-ips push-override-to-client
    set status {enable | disable}
    config announce-ip
        edit <id>
            set ip <ipv4_address>
            set port <recipientport_int>
        end
end

status {enable | disable}
    Enable/disable push updates.
    Default: disable
<announce-ip>
    Config the IP information of the device.

Variable for config announce-ip subcommand:

<id>
    Edit the announce IP ID number.
ip <ipv4_address>
    Enter the announce IPv4 address.
    Default: 0.0.0.0
port <recipientport_int>
    Enter the announce IP port.
    Default: 9443

av-ips update-schedule

Use this command to configure the built-in FDS to retrieve FortiGuard antivirus and IPS updates at a specified day and time.

Syntax

config fmupdate av-ips update-schedule
    set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
    set frequency {every | daily | weekly}
    set status {enable | disable}
    set time <hh:mm>
end

day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
    Enter the day of the week when the update will begin. This option only appears when the frequency is weekly.
frequency {every | daily | weekly}
    Configure the frequency of the updates.
    Default: every
status {enable | disable}
    Enable/disable regularly scheduled updates.
    Default: enable
time <hh:mm>
    Configure the time or interval when the update will begin. For example, if you want to schedule an update every day at 6:00 PM, enter 18:00.
    The time period format is the 24-hour clock: hh=0-23, mm=0-59. If the minute is 60, the updates will begin at a random minute within the hour.
    If the frequency is every, the time is interpreted as an hour and minute interval, rather than a time of day.
    Default: 01:60

Example

You could schedule the built-in FDS to request the latest FortiGuard antivirus and IPS updates every five hours, at a random minute within the hour.

config fmupdate av-ips update-schedule
    set status enable
    set frequency every
    set time 05:60
end
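The time and frequency rules above are easy to misread, so here is an added example (not FortiManager code) that applies them: parse_time() enforces the documented hh:mm rules (hh 0-23, mm 0-59, mm=60 meaning a random minute) and next_run() shows that the same time string is a time of day for daily and weekly but an interval for every. The jitter source (pick_minute), the ISO string wrapper next_run_iso() and the reading of "05:60" as five hours plus a random number of minutes are this example's own; how the appliance draws its random minute is not stated on this page.

```python
"""Worked interpretation of update-schedule time/frequency semantics.
Added example; the jitter model is an assumption, not documented behaviour."""
from datetime import datetime, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def parse_time(text):
    """Return (hour, minute); minute is None when mm is 60 (random minute)."""
    hh, mm = text.split(":")
    hour, minute = int(hh), int(mm)
    if not 0 <= hour <= 23:
        raise ValueError("hh must be 0-23: %s" % text)
    if not 0 <= minute <= 60:
        raise ValueError("mm must be 0-59, or 60 for a random minute: %s" % text)
    return hour, (None if minute == 60 else minute)


def next_run(frequency, time_text, now, day=None, pick_minute=lambda: 0):
    """First moment after `now` at which the built-in FDS would start an update."""
    hour, minute = parse_time(time_text)
    if minute is None:
        minute = pick_minute()  # random minute within the hour (injected here)
    if frequency == "every":
        # Interval semantics: wait hh hours and mm minutes from now.
        return now + timedelta(hours=hour, minutes=minute)
    candidate = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if frequency == "daily":
        return candidate if candidate > now else candidate + timedelta(days=1)
    if frequency == "weekly":
        if day not in DAYS:
            raise ValueError("day must be a weekday name when frequency is weekly")
        candidate += timedelta(days=(DAYS.index(day) - now.weekday()) % 7)
        return candidate if candidate > now else candidate + timedelta(days=7)
    raise ValueError("frequency must be every, daily or weekly: %s" % frequency)


def next_run_iso(frequency, time_text, now_iso, day=None, random_minute=0):
    """String wrapper with a fixed jitter minute, for reproducible output."""
    now = datetime.strptime(now_iso, "%Y-%m-%d %H:%M")
    run = next_run(frequency, time_text, now, day, pick_minute=lambda: random_minute)
    return run.strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    # The manual's example: frequency every, time 05:60 (five hours, random minute)
    print(next_run_iso("every", "05:60", "2015-01-29 19:00", random_minute=17))
```

Note the asymmetry the code makes visible: "18:00" with frequency daily means six in the evening, while "18:00" with frequency every would mean an 18-hour gap between update checks, and the default "01:60" is an hourly poll at a jittered minute, not a one o'clock run.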

av-ips web-proxy

Use this command to configure a web proxy if FortiGuard antivirus and IPS updates must be retrieved through a web proxy.

Syntax

config fmupdate av-ips web-proxy
    set ip <proxy_ipv4>
    set mode {proxy | tunnel}
    set password <password_string>
    set port <port_int>
    set status {enable | disable}
    set username <username_string>
end

ip <proxy_ipv4>
    Enter the IP address of the web proxy.
    Default: 0.0.0.0
mode {proxy | tunnel}
    Enter the web proxy mode.
password <password_string>
    If the web proxy requires authentication, enter the password for the user name.
port <port_int>
    Enter the port number of the web proxy.
    Default: 80
status {enable | disable}
    Enable/disable connections through the web proxy.
    Default: disable
username <username_string>
    If the web proxy requires authentication, enter the user name.

Example

You could enable a connection through a non-transparent web proxy on an alternate port.

config fmupdate av-ips web-proxy
    set status enable
    set mode proxy
    set ip 10.10.30.1
    set port 8890
    set username avipsupdater
    set password cvhk3rf3u9jvsYU
end

custom-url-list

Use this command to configure the URL database for rating and filtering. You can select to use the FortiGuard URL database, a custom URL database, or both. When selecting to use a custom URL database, use the fmupdate {ftp | scp | tftp} import command to import the custom URL list. When FortiManager performs the URL rating, it will check the custom URL first. If a match is found, the custom rating is returned. If there is no match, then FortiManager will check the FortiGuard database.

Syntax

config fmupdate custom-url-list
    set db_selection {both | custom-url | fortiguard-db}
end

db_selection {both | custom-url | fortiguard-db}
    Manage the FortiGuard URL database.
    - both: Support both custom URL database and the FortiGuard database
    - custom-url: Customer imported URL list
    - fortiguard-db: FortiGuard database
    Default setting: both
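The lookup order just described, custom list first and FortiGuard only on a miss, is what makes a custom entry an override rather than a supplement. The following added example (not FortiManager code) models that order together with the three db_selection values; the two databases, the category names and the match-on-hostname rule are constructed for illustration and are not taken from this manual.

```python
"""Custom-first URL rating lookup with db_selection modes.
Added example; databases and the hostname-matching rule are constructed."""

# Constructed custom URL list (what an imported list might carry) and a
# constructed stand-in for the FortiGuard database. Where both know a host,
# the custom entry is expected to win.
CUSTOM_URLS = {
    "intranet.example.test": "Business",
    "blocked.example.test": "Malicious",
}
FORTIGUARD_DB = {
    "intranet.example.test": "Unrated",
    "news.example.test": "News and Media",
    "blocked.example.test": "Information Technology",
}

DB_SELECTIONS = ("both", "custom-url", "fortiguard-db")


def host_of(url):
    """Hostname of a URL: scheme, userinfo, port and path stripped, lowercased."""
    rest = url.split("://", 1)[-1]
    host = rest.split("/", 1)[0].split("@")[-1].split(":")[0]
    return host.lower()


def rate_url(url, db_selection="both", custom=CUSTOM_URLS, fortiguard=FORTIGUARD_DB):
    """Return (rating, source) following the custom-first lookup order.

    source is "custom", "fortiguard" or None when neither database matched."""
    if db_selection not in DB_SELECTIONS:
        raise ValueError("db_selection must be one of %s" % (DB_SELECTIONS,))
    host = host_of(url)
    if db_selection in ("both", "custom-url") and host in custom:
        return custom[host], "custom"
    if db_selection in ("both", "fortiguard-db") and host in fortiguard:
        return fortiguard[host], "fortiguard"
    return None, None


if __name__ == "__main__":
    for mode in DB_SELECTIONS:
        print(mode, rate_url("http://blocked.example.test/download", mode))
```

Running the block shows the same URL rated Malicious under both and custom-url but Information Technology under fortiguard-db: switching db_selection away from the default silently discards every custom override, which is worth checking before relying on the custom list for blocking.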

device-version

Use this command to configure the correct firmware version of the device or devices that are connected or will be connecting to the FortiManager unit. You should verify what firmware version is currently running on the device before using this command.

Syntax

config fmupdate device-version
    set faz <firmware_version>
    set fct <firmware_version>
    set fgt <firmware_version>
    set fml <firmware_version>
    set fsa <firmware_version>
    set fsw <firmware_version>
end

faz <firmware_version>
    Enter the correct firmware version that is currently running on FortiAnalyzer units. Select one of the following:
    - 3.0: Support version 3.0
    - 4.0: Support version 4.0
    - 5.0: Support version 5.0
    - 6.0: Support version greater than 5.0
fct <firmware_version>
    Enter the firmware version that is currently running for FortiClient agents. Select one of the following:
    - 3.0: Support version 3.0
    - 4.0: Support version 4.0
    - 5.0: Support version 5.0
    - 6.0: Support version greater than 5.0
fgt <firmware_version>
    Enter the firmware version that is currently running for FortiGate units. Select one of the following:
    - 3.0: Support version 3.0
    - 4.0: Support version 4.0
    - 5.0: Support version 5.0
    - 6.0: Support version greater than 5.0
fml <firmware_version>
    Enter the firmware version that is currently running for FortiMail units. Select one of the following:
    - 3.0: Support version 3.0
    - 4.0: Support version 4.0
    - 5.0: Support version 5.0
    - 6.0: Support version greater than 5.0
fsa <firmware_version>
    Enter the firmware version that is currently running on FortiSandbox units. Select one of the following:
    - 1.0: Support version 1.0. (FortiSandbox)
    - 2.0: Support version greater than 1.0.
fsw <firmware_version>
    Enter the firmware version that is currently running on FortiSwitch units. Select one of the following:
    - 3.0: Support version 3.0
    - 4.0: Support version 4.0
    - 5.0: Support version 5.0
    - 6.0: Support version greater than 5.0

Example

In the following example, the FortiGate units, including FortiClient agents, are configured with the firmware version 5.0.

config fmupdate device-version
    set faz 4.0
    set fct 5.0
    set fgt 5.0
end

disk-quota

Use this command to configure the disk space available for use by the Upgrade Manager.

If the Upgrade Manager disk space is full or if there is insufficient space to save an update package to disk, the package will not download and an alert will be sent to notify you.

Syntax

config fmupdate disk-quota
    set value <size_int>
end

Use value to set the size of the Upgrade Manager disk quota in megabytes (MB). The default size is 10 gigabytes (GB). If you set the disk-quota smaller than the size of an update package, the update package will not download and you will get a disk full alert.

fct-services

Use this command to configure the built-in FDS to provide FortiGuard services to FortiClient installations.

Syntax

config fmupdate fct-services
    set status {enable | disable}
    set port <port_int>
end

status {enable | disable}
    Enable/disable built-in FDS service to FortiClient installations.
    Default: enable
port <port_int>
    Enter the port number on which the built-in FDS should provide updates to FortiClient installations.
    Default: 80

Example

You could configure the built-in FDS to accommodate older versions of FortiClient installations by providing service on their required port.

config fmupdate fct-services
    set status enable
    set port 80
end

fds-setting

Use this command to set FDS settings.

Syntax

config fmupdate fds-setting
    set fds-pull-interval <integer>
    set max-av-ips-version <integer>
end

fds-pull-interval <integer>
    Time interval at which FortiManager may pull updates from FDS (1 - 120 minutes).
max-av-ips-version <integer>
    The maximum number of AV/IPS full version downloadable packages (1-1000).

multilayer

Use this command to set multilayer mode configuration.

Syntax

config fmupdate multilayer
    set webspam-rating {disable | enable}
end

Variable Description

webspam-rating {disable | enable} Enable/disable URL/antispam rating service. Default: enable


publicnetwork

Use this command to enable access to the public FDS. If this function is disabled, the service packages, updates, and license upgrades must be imported manually.

Syntax

config fmupdate publicnetwork
    set status {disable | enable}
end

Variable Description

status {disable | enable} Enable/disable the public network. Default: enable

Example

The following example shows how to enable the public network.

config fmupdate publicnetwork
    set status enable
end

server-access-priorities

Use this command to configure how a FortiGate unit may download antivirus updates and request web filtering services from multiple FortiManager units and private FDS servers.

By default, the FortiGate unit receives updates from the FortiManager unit if the FortiGate unit is managed by the FortiManager unit and the FortiGate unit was configured to receive updates from the FortiManager unit.

Syntax

config fmupdate server-access-priorities
    set access-public {disable | enable}
    set av-ips {disable | enable}
    set web-spam {disable | enable}
end

Variable Description

access-public {disable | enable} Disable to prevent FortiManager default connectivity to public FDS and FortiGuard servers. Default: enable

av-ips {disable | enable} Enable to allow the FortiGate unit to get antivirus updates from other FortiManager units or private FDS servers. Default: disable

web-spam {disable | enable} Enable/disable private server in web-spam.

config private-server

Use this command to configure multiple FortiManager units and private servers.

Syntax

config fmupdate server-access-priorities
    config private-server
        edit <id>
            set ip <ipv4_address>
            set time_zone <integer>
        end
end

Variable Description

<id> Enter a number to identify the FortiManager unit or private server (1 to 10).

ip <ipv4_address> Enter the IPv4 address of the FortiManager unit or private server.

time_zone <integer> Enter the correct time zone of the private server. Using -24 indicates that the server is using the local time zone.

Example

The following example configures access to public FDS servers and allows FortiGate units to receive antivirus updates from other FortiManager units and private FDS servers. This example also configures three private servers.

config fmupdate server-access-priorities
    set access-public enable
    set av-ips enable
    config private-server
        edit 1
            set ip 172.16.130.252
        next
        edit 2
            set ip 172.31.145.201
        next
        edit 3
            set ip 172.27.122.99
        end
end
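When the private-server table is maintained from an inventory rather than typed by hand, it is worth generating the stanza above from data and validating it first, since the device only accepts ids 1 to 10 and IPv4 addresses. The following is an added example (not Fortinet's code) that renders the server-access-priorities stanza, including the three-server example above; the -24..24 bound it applies to time_zone is an assumption, the reference only documents -24 as the "local time zone" sentinel.

```python
import ipaddress

# Added example, not Fortinet's code: render the "config fmupdate
# server-access-priorities" stanza from Python data, applying the limits the
# reference states (id 1 to 10, IPv4 address, -24 = server's local time zone).
# The -24..24 bound on time_zone is an assumption; the page gives only the sentinel.

MAX_PRIVATE_SERVERS = 10
LOCAL_TZ = -24  # documented sentinel meaning "use the server's local time zone"


def private_server_entry(server_id, ip, time_zone=LOCAL_TZ):
    """Return the CLI lines (unindented) for one private-server table entry."""
    server_id = int(server_id)
    if not 1 <= server_id <= MAX_PRIVATE_SERVERS:
        raise ValueError(f"private-server id must be 1..{MAX_PRIVATE_SERVERS}, got {server_id}")
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but a valid IPv4 literal
    time_zone = int(time_zone)
    if not -24 <= time_zone <= 24:  # assumed range, not from the reference
        raise ValueError(f"time_zone out of assumed range -24..24: {time_zone}")
    lines = [f"edit {server_id}", f"    set ip {addr}"]
    if time_zone != LOCAL_TZ:  # the sentinel is the default, so only emit an explicit offset
        lines.append(f"    set time_zone {time_zone}")
    lines.append("next")
    return lines


def server_access_priorities(servers, access_public=True, av_ips=True, web_spam=None):
    """Render the whole stanza; `servers` is an iterable of (id, ip[, time_zone]) tuples.

    web_spam=None leaves that setting untouched (the stanza omits the line),
    matching the reference's own example, which sets only access-public and av-ips.
    """
    def onoff(flag):
        return "enable" if flag else "disable"

    out = [
        "config fmupdate server-access-priorities",
        f"    set access-public {onoff(access_public)}",
        f"    set av-ips {onoff(av_ips)}",
    ]
    if web_spam is not None:
        out.append(f"    set web-spam {onoff(web_spam)}")
    out.append("    config private-server")
    seen = set()
    for entry in servers:
        sid = int(entry[0])
        if sid in seen:
            raise ValueError(f"duplicate private-server id {sid}")
        seen.add(sid)
        out.extend("        " + line for line in private_server_entry(*entry))
    out.extend(["    end", "end"])
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample: the three private servers from the reference's example.
    print(server_access_priorities([(1, "172.16.130.252"),
                                    (2, "172.31.145.201"),
                                    (3, "172.27.122.99")]))
```

The generator emits `next` after every entry and closes the table with `end`, which the CLI accepts equally; the reference's example simply uses `end` on the last entry.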

server-override-status

Syntax

config fmupdate server-override-status
    set mode {loose | strict}
end

Variable Description

mode {loose | strict} Set the server override mode.
• loose: allow access to other servers
• strict: access the override server only
Default: loose

service

Use this command to enable or disable the services provided by the built-in FDS.

Syntax

config fmupdate service
    set avips {enable | disable}
    set query-antispam {disable | enable}
    set query-antivirus {disable | enable}
    set query-filequery {disable | enable}
    set query-webfilter {disable | enable}
    set use-cert {BIOS | FortiGuard}
end

Variable Description

avips {enable | disable} Enable the built-in FDS to provide FortiGuard antivirus and IPS updates. Default: disable

query-antispam {disable | enable} Enable/disable antispam service.

query-antivirus {disable | enable} Enable/disable antivirus service.

query-filequery {disable | enable} Enable/disable file query service.

query-webfilter {disable | enable} Enable/disable web filter service.

use-cert {BIOS | FortiGuard} Choose the local certificate.
• BIOS: Use the default certificate in BIOS.
• FortiGuard: Use the default certificate as FortiGuard.
Default: BIOS

Example

config fmupdate service
    set avips enable
end

support-pre-fgt43

Use this command to support FortiMail 4.2 devices for FortiGuard Center updates.

Syntax

config fmupdate support-pre-fgt43
    set status {enable | disable}
end

Variable Description

status {enable | disable} Enable/disable update support. Default: disable

web-spam

Use the following commands to configure FortiGuard antispam related settings.

web-spam fct server-override

Use this command to override the default IP address and port that the built-in FDS contacts when requesting FortiGuard antispam updates for FortiClient from the FDS.

Syntax

config fmupdate web-spam fct server-override
    set status {enable | disable}
    config servlist
        edit <id>
            set ip <ipv4_address>
            set port <port_int>
        end
end

Variable Description

status {enable | disable} Enable/disable the override. Default: disable

Variables for the config servlist subcommand:

Variable Description

<id> Override server ID (1-10).

ip <ipv4_address> Enter the IPv4 address of the override server. Default: 0.0.0.0

port <port_int> Enter the port number to use when contacting the FDS. Default: 443

web-spam fgd-log

Use this command to configure the FortiGuard web-spam log settings.

Syntax

config fmupdate web-spam fgd-log
    set spamlog {all | disable | nospam}
    set status {disable | enable}
    set urllog {all | disable | miss}
end

Variable Description

spamlog {all | disable | nospam} Configure the antispam log settings.
• all: Log all spam lookups.
• disable: Disable the spam log.
• nospam: Log non-spam events.

status {disable | enable} Enable/disable the FortiGuard server event log status.

urllog {all | disable | miss} Configure the web filter log setting.
• all: Log all URL lookups.
• disable: Disable the URL log.
• miss: Log URL rating misses.

web-spam fgd-setting

Use this command to configure FortiGuard run parameters.

Syntax

config fmupdate web-spam fgd-setting
    set as-cache <integer>
    set as-log {all | disable | nospam}
    set as-preload {disable | enable}
    set av-cache <integer>
    set av-log {all | disable | novirus}
    set av-preload {disable | enable}
    set eventlog-query {disable | enable}
    set fq-cache <integer>
    set fq-log {all | disable | nofilequery}
    set fq-preload {disable | enable}
    set linkd-log {disable | enable}
    set max-log-quota <integer>
    set max-unrated-size <integer>
    set restrict-as1-dbver <string>
    set restrict-as2-dbver <string>
    set restrict-as4-dbver <string>
    set restrict-av-dbver <string>
    set restrict-fq-dbver <string>
    set restrict-wf-dbver <string>
    set stat-log-interval <integer>
    set stat-sync-interval <integer>
    set update-interval <integer>
    set update-log {disable | enable}
    set wf-cache <integer>
    set wf-log {all | disable | nourl}
    set wf-preload {disable | enable}
end

Variable Description

as-cache <integer> Set the antispam service maximum memory usage (100 to 2800MB).

as-log {all | disable | nospam} Antispam log setting. Select one of the following:
• all: Log all spam lookups.
• disable: Disable the spam log.
• nospam: Log non-spam events.

as-preload {disable | enable} Enable/disable preloading the antispam database into memory.

av-cache <integer> Set the web filter service maximum memory usage (100 to 500MB).

av-log {all | disable | novirus} Antivirus log setting. Select one of the following:
• all: Log all virus lookups.
• disable: Disable the virus log.
• novirus: Log non-virus events.

av-preload {disable | enable} Enable/disable preloading the antivirus database into memory.

eventlog-query {disable | enable} Enable/disable recording queries to the event log in addition to the fgd-log.

fq-cache <integer> Set the file query service maximum memory usage (100 to 500MB).

fq-log {all | disable | nofilequery} File query log setting. Select one of the following:
• all: Log all file queries.
• disable: Disable the file query log.
• nofilequery: Log non-file-query events.

fq-preload {disable | enable} Enable/disable preloading the file query database into memory.

linkd-log {disable | enable} Enable/disable the linkd log.

max-log-quota <integer> Maximum log quota setting (100-20480MB).

max-unrated-size <integer> Maximum number of unrated sites in memory, from 10 to 5120K. The default is 500K.

restrict-as1-dbver <string> Restrict the system update to the indicated antispam(1) database version.

restrict-as2-dbver <string> Restrict the system update to the indicated antispam(2) database version.

restrict-as4-dbver <string> Restrict the system update to the indicated antispam(4) database version.

restrict-av-dbver <string> Restrict the system update to the indicated antivirus database version.

restrict-fq-dbver <string> Restrict the system update to the indicated file query database version.

restrict-wf-dbver <string> Restrict the system update to the indicated web filter database version.

stat-log-interval <integer> Statistic log interval setting (1-1440 minutes).

stat-sync-interval <integer> Synchronization interval for statistics of unrated sites, from 1 to 60 minutes.

update-interval <integer> Set the FortiGuard database update wait time if there are not enough delta files (2 to 24 hours).

update-log {disable | enable} Enable/disable the update log.

wf-cache <integer> Set the web filter service maximum memory usage (100 to 2800MB).

wf-log {all | disable | nourl} Web filter log setting. Select one of the following:
• all: Log all URL lookups.
• disable: Disable the URL log.
• nourl: Log non-URL events.

wf-preload {disable | enable} Enable/disable preloading the web filter database into memory.

web-spam fgt server-override

Use this command to override the default IP address and port that the built-in FDS contacts when requesting FortiGuard spam updates for FortiGate from the FDS.

Syntax

config fmupdate web-spam fgt server-override
    set status {enable | disable}
    config servlist
        edit <id>
            set ip <ipv4_address>
            set port <port_int>
        end
end

Variable Description

status {enable | disable} Enable/disable the override. Default: disable

Variables for the config servlist subcommand:

Variable Description

<id> Override server ID (1-10).

ip <ipv4_address> Enter the IP address of the override server. Default: 0.0.0.0

port <port_int> Enter the port number to use when contacting the FDS. Default: 443

web-spam fsa server-override

Use this command to override the default IP address and port that the built-in FDS contacts when requesting FortiGuard spam updates for FortiSandbox from the FDS.

Syntax

config fmupdate web-spam fsa server-override
    set status {enable | disable}
    config servlist
        edit <id>
            set ip <ipv4_address>
            set port <port_int>
        end
end

Variable Description

status {enable | disable} Enable/disable the override. Default: disable

Variables for the config servlist subcommand:

Variable Description

<id> Override server ID (1-10).

ip <ipv4_address> Enter the IPv4 address of the override server. Default: 0.0.0.0

port <port_int> Enter the port number to use when contacting the FDS. Default: 443


web-spam poll-frequency

Use this command to configure the web-spam poll frequency.

Syntax

config fmupdate web-spam poll-frequency
    set time <hh:mm>
end

Variable Description

time <hh:mm> Enter the poll frequency time interval.

web-spam web-proxy

Use this command to configure the web-spam web-proxy.

Syntax

config fmupdate web-spam web-proxy
    set ip <ipv4_address>
    set mode {proxy | tunnel}
    set password <password_string>
    set port <integer>
    set status {disable | enable}
    set username <string>
end

Variable Description

ip <ipv4_address> Enter the IPv4 address of the web proxy. Default: 0.0.0.0

mode {proxy | tunnel} Enter the web proxy mode. Select one of the following:
• proxy: HTTP proxy.
• tunnel: HTTP tunnel.

password <password_string> If the web proxy requires authentication, enter the password for the user name.

port <integer> Enter the port number of the web proxy. Default: 80

status {disable | enable} Enable/disable connections through the web proxy. Default: disable

username <string> If the web proxy requires authentication, enter the user name.


execute

The execute commands perform immediate operations on your device. You can:

• Back up and restore the system settings, or reset the unit to factory settings.
• Set the unit date and time.
• Use ping to diagnose network problems.
• View the processes running on the FortiManager unit.
• Start and stop the FortiManager unit.
• Reset or shut down the FortiManager unit.

CLI commands and variables are case sensitive.

add-vm-license

Add a VM license to the FortiManager VM.

Syntax

execute add-vm-license <vm license>

This command is only available on FortiManager VM models.

backup

Use this command to backup the configuration or database to a file.

When you back up the unit settings from the vdom_admin account, the backup file contains global settings and the settings for each VDOM. When you back up the unit settings from a regular administrator account, the backup file contains the global settings and only the settings for the VDOM to which the administrator belongs.

Syntax

execute backup all-settings {ftp | scp | sftp} <ip> <string> <username> <password_string> <ssh-cert> <crptpasswd>
execute backup logs <device name(s)> {ftp | scp | sftp} <ip> <username> <password_string> <directory>
execute backup logs-only <device name(s)> {ftp | scp | sftp} <ip> <username> <password_string> <directory>
execute backup logs-rescue <device serial number(s)> {ftp | scp | sftp} <ip> <username> <password_string> <directory>
execute backup reports <report schedule name(s)> {ftp | scp | sftp} <ip> <username> <password_string> <directory>
execute backup reports-config <adom name(s)> {ftp | scp | sftp} <ip> <username> <password_string> <directory>

Variable Description

all-settings Back up all settings to a file on a server.

logs Back up the device logs to a specified server.

logs-only Back up device logs only to a specified server.

logs-rescue Use this hidden command to back up logs regardless of the DVM database, for emergency reasons. This command scans folders under /Storage/Logs/ for possible device logs to back up.

reports Back up the reports to a specified server.

reports-config Back up the reports configuration to a specified server.

<device name(s)> Enter the device name(s) separated by a comma, or enter all for all devices.

<device serial number(s)> Enter the device serial number(s) separated by a comma, or enter all for all devices.

<report schedule name(s)> Enter the report schedule name(s) separated by a comma, or enter all for all report schedules.

<adom name(s)> Enter the ADOM name(s) separated by a comma, or enter all for all ADOMs.

{ftp | scp | sftp} Enter the server type.

<ip> Enter the server IP address.

<string> Enter the path and file name for the backup.

<username> Enter the username to use to log on to the backup server.

<password_string> Enter the password for the username on the backup server.

<ssh-cert> Enter the SSH certificate for the server. This option is only available for backup operations to SCP servers.

<crptpasswd> Optional password to protect the backup content. Use any for no password.

<directory> Enter the path on the backup server to which the file will be backed up.


Example

This example shows how to back up the system settings to a file named fmg.cfg on a server at IP address 192.168.1.23, using the admin username and a password of 123456.

execute backup all-settings ftp 192.168.1.23 fmg.cfg admin 123456

Starting backup all settings...

Starting transfer the backup file to FTP server...
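The example above sends the configuration archive over FTP with no content password, which is the weakest combination the syntax allows: the server login and the whole archive travel in cleartext, and whoever can read the file on the server gets the complete configuration. The following added example (not Fortinet's code) composes the all-settings command from the positional syntax and reports those two choices so a review can catch them before the job is scheduled. It assumes that the <ssh-cert> slot is used only with scp, as the reference states, and that <crptpasswd> may be left off when it would be any, as in the reference's own FTP example; IP addresses and credentials are constructed placeholders.

```python
from dataclasses import dataclass

# Added example, not Fortinet's code: compose an "execute backup all-settings"
# line from the positional syntax in the reference and report the two settings
# a reviewer would flag: FTP transport and an unprotected (crptpasswd = any) archive.
# Assumptions: the <ssh-cert> slot is emitted only for scp, because the reference
# says it is available only for SCP; <crptpasswd> is omitted when it would be "any",
# as in the reference's own FTP example.

TRANSPORTS = ("ftp", "scp", "sftp")


@dataclass
class BackupPlan:
    transport: str
    server_ip: str
    path: str                    # <string>: path and file name for the backup
    username: str
    password: str                # <password_string>: login on the backup server
    ssh_cert: str = ""           # <ssh-cert>: SCP only
    crypt_password: str = "any"  # <crptpasswd>: "any" = no password on the content


def audit_backup_plan(plan):
    """Return a list of findings; an empty list means nothing to object to."""
    findings = []
    if plan.transport == "ftp":
        findings.append("ftp: server login and the backup file travel in cleartext; use scp or sftp")
    if plan.crypt_password == "any":
        findings.append("crptpasswd=any: backup content is not password-protected on the server")
    return findings


def build_backup_command(plan):
    """Return the CLI line for the plan; the caller decides what to do with findings."""
    if plan.transport not in TRANSPORTS:
        raise ValueError(f"transport must be one of {TRANSPORTS}, got {plan.transport!r}")
    parts = ["execute", "backup", "all-settings", plan.transport, plan.server_ip,
             plan.path, plan.username, plan.password]
    if plan.transport == "scp" and plan.ssh_cert:
        parts.append(plan.ssh_cert)
    if plan.crypt_password != "any":
        parts.append(plan.crypt_password)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.0/24 is reserved for documentation.
    weak = BackupPlan("ftp", "192.0.2.10", "fmg.cfg", "backupuser", "REPLACE_ME")
    better = BackupPlan("sftp", "192.0.2.10", "backups/fmg.cfg", "backupuser", "REPLACE_ME",
                        crypt_password="REPLACE_ME_TOO")
    for plan in (weak, better):
        print(build_backup_command(plan))
        for finding in audit_backup_plan(plan):
            print("  finding:", finding)
```

Keeping the audit separate from the command builder lets a scheduler refuse a plan with findings, or log them, without changing how the command itself is assembled.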

bootimage

Use this command to set the boot image partition.

Syntax

execute bootimage <primary | secondary>

This command is only available on hardware models.

certificate

Use these commands to manage certificates.

certificate ca

Use these commands to list CA certificates, and to import or export CA certificates.

Syntax

To list the CA certificates installed on your device:

execute certificate ca list

To export or import CA certificates:

execute certificate ca {export | import} <cert_name> <tftp_ip>

Variable Description

export Export a CA certificate to a TFTP server.

import Import a CA certificate from a TFTP server.

list Generate a list of CA certificates on your device.

<cert_name> Name of the certificate.

<tftp_ip> IP address of the TFTP server.

certificate local

Use these commands to list local certificates, and to import or export local certificates.

Syntax

To list the local certificates installed on your device:

execute certificate local list

To export or import local certificates:

execute certificate local {export | import} <cert_name> <tftp_ip>

Variable Description

export Export CA certificate to TFTP server.

import Import CA certificate from a TFTP server.

list Generate a list of CA certificates on your device.

<cert_name> Name of the certificate.

<tftp_ip> IP address of the TFTP server.

certificate local generate

Use this command to generate a certificate request.

Syntax

execute certificate local generate <certificate-name_str> <number> <subject> [<optional_information>]

Variable Description

<certificate-name_str> Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters and _. Other special characters and spaces are not allowed.

<number> Enter 512, 1024, 1536, or 2048 for the size, in bits, of the encryption key.


<subject> Enter one of the following pieces of information to identify the FortiManager unit being certified:
• the FortiManager unit IP address
• the fully qualified domain name of the FortiManager unit
• an email address that identifies the FortiManager unit
An IP address or domain name is preferable to an email address.

[<optional_information>] Enter optional_information as required to further identify the unit. See Optional information variables for the list of optional information variables. You must enter the optional variables in the order that they are listed in the table. To enter any optional variable you must enter all of the variables that come before it in the list. For example, to enter the organization_name_str, you must first enter the country_code_str, state_name_str, and city_name_str. While entering optional variables, you can type ? for help on the next required variable.

Optional information variables

Variable Description

<country_code_str> Enter the two-character country code.

<state_name_str> Enter the name of the state or province where the FortiManager unit is located.

<city_name_str> Enter the name of the city, or town, where the person or organization certifying the FortiManager unit resides.

<organization-name_str> Enter the name of the organization that is requesting the certificate for the FortiManager unit.

<organization-unit_name_str> Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiManager unit.

<email_address_str> Enter a contact email address for the FortiManager unit.

<ca_server_url> Enter the URL of the CA (SCEP) certificate server that allows auto-signing of the request.

<challenge_password> Enter the challenge password for the SCEP certificate server.
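Because the optional variables are positional, a request that supplies the organization but skips the city is rejected by the device, and a name with a stray character fails only after the other arguments have been typed. The following added example (not Fortinet's code) assembles the argument list for execute certificate local generate and enforces those rules up front: the allowed key sizes, the name character set, and the no-gaps ordering of the optional variables. Since the reference's text has lost one of the permitted special characters for the name, the validator accepts only letters, digits and underscore (an assumption, stricter than the device). It also flags key sizes below 2048 bits, which the command accepts but which fall under the minimum current TLS guidance expects; all sample values are constructed.

```python
import re

# Added example, not Fortinet's code: assemble the positional arguments for
# "execute certificate local generate" from a dict and enforce the rules the
# reference states: the allowed key sizes, the name character set, and the rule
# that the optional subject variables are positional and must be entered in the
# listed order with no gaps. The reference's list of permitted special characters
# in the name is partly lost on the page, so this validator accepts only letters,
# digits and underscore (an assumption; the device may accept one more character).

KEY_SIZES = (512, 1024, 1536, 2048)
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")
OPTIONAL_ORDER = (
    "country_code_str", "state_name_str", "city_name_str",
    "organization-name_str", "organization-unit_name_str",
    "email_address_str", "ca_server_url", "challenge_password",
)


def is_weak_key(bits):
    """512-, 1024- and 1536-bit RSA keys are accepted by the command but are below
    the 2048-bit minimum current TLS guidance expects; flag them for review."""
    return bits < 2048


def build_generate_args(name, key_bits, subject, optional=None):
    """Return the argument list for the command, or raise ValueError."""
    if not NAME_RE.match(name):
        raise ValueError(f"certificate name {name!r} has characters outside [A-Za-z0-9_]")
    if key_bits not in KEY_SIZES:
        raise ValueError(f"key size must be one of {KEY_SIZES}, got {key_bits}")
    if not subject:
        raise ValueError("subject (IP, FQDN or email) is required")
    optional = dict(optional or {})
    unknown = set(optional) - set(OPTIONAL_ORDER)
    if unknown:
        raise ValueError(f"unknown optional variables: {sorted(unknown)}")
    args = ["execute", "certificate", "local", "generate", name, str(key_bits), subject]
    first_missing = None  # once a variable is absent, nothing after it may be given
    for key in OPTIONAL_ORDER:
        value = optional.get(key)
        if value:
            if first_missing is not None:
                raise ValueError(f"{key} given but {first_missing} is missing; "
                                 "optional variables are positional and must be entered in order")
            args.append(str(value))
        elif first_missing is None:
            first_missing = key
    return args


if __name__ == "__main__":
    # Constructed sample values (example.com is reserved for documentation).
    args = build_generate_args("fmg_mgmt", 2048, "fmg.example.com",
                               {"country_code_str": "CA", "state_name_str": "BC",
                                "city_name_str": "Burnaby", "organization-name_str": "Example"})
    print(" ".join(args))
    print("weak key:", is_weak_key(2048))
```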

chassis

Use this command to replace a chassis device password on your device.

Syntax

execute chassis replace <pw>

Variable Description

<pw> Replace the chassis password.

This command is only available on devices that support chassis management.

console baudrate

Use this command to get or set the console baudrate.

Syntax

execute console baudrate [9600 | 19200 | 38400 | 57600 | 115200]

If you do not specify a baudrate, the command returns the current baudrate.

Setting the baudrate will disconnect your console session.

Example

Get the baudrate:

execute console baudrate

The response is displayed:

current baud rate is: 115200

Set the baudrate to 9600:

execute console baudrate 9600

date

Get or set the system date.

Syntax

execute date [<date_str>]

date_str has the form mm/dd/yyyy, where

• mm is the month and can be 01 to 12
• dd is the day of the month and can be 01 to 31
• yyyy is the year and can be 2001 to 2100

If you do not specify a date, the command returns the current system date.

Dates entered are validated: mm and dd require 2 digits, and yyyy requires 4 digits. Entering fewer digits results in an error.

Example

This example sets the date to 17 September 2014: execute date 09/17/2014
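When execute date is driven from a script, the digit-count rule above is the one that bites: 9/17/2014 is rejected by the device even though it is an unambiguous date. The following added example (not Fortinet's code) applies the documented format and range checks locally before the command is sent, so a malformed value fails in the script rather than on the device; it follows the reference literally, including the 01 to 31 day range for every month.

```python
import re

# Added example, not Fortinet's code: a pre-flight check for scripted
# "execute date" calls that applies the validation the reference describes
# (mm/dd/yyyy with exactly 2, 2 and 4 digits, and the stated ranges) before
# the command is sent, so a malformed date fails locally instead of on the device.

DATE_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{4})$")


def validate_fmg_date(date_str):
    """Return (mm, dd, yyyy) as ints, or raise ValueError with the reason."""
    m = DATE_RE.match(date_str)
    if not m:
        raise ValueError(f"{date_str!r}: date_str must be mm/dd/yyyy with 2, 2 and 4 digits")
    mm, dd, yyyy = (int(g) for g in m.groups())
    if not 1 <= mm <= 12:
        raise ValueError(f"mm must be 01 to 12, got {mm:02d}")
    if not 1 <= dd <= 31:
        raise ValueError(f"dd must be 01 to 31, got {dd:02d}")
    if not 2001 <= yyyy <= 2100:
        raise ValueError(f"yyyy must be 2001 to 2100, got {yyyy}")
    return mm, dd, yyyy


def date_command(date_str=None):
    """Bare 'execute date' queries the clock; with a validated date_str it sets it."""
    if date_str is None:
        return "execute date"
    validate_fmg_date(date_str)
    return f"execute date {date_str}"


if __name__ == "__main__":
    print(date_command())
    print(date_command("09/17/2014"))
```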

device

Use this command to change a device password or serial number when changing devices due to a hardware issue.

Syntax

execute device replace pw <name> <pw>
execute device replace sn <devname> <serialnum>

Variable Description

<name> The name of the device.

<pw> The device password.

<devname> The name of the device.

<serialnum> The new serial number.

Example

execute device replace pw FGT600C2805030002

This operation will clear the password of the device.

Do you want to continue? (y/n)y

dmserver

Use these commands to manage devices and revisions.

dmserver delrev

Use this command to delete configuration revisions. The device name will be kept.

Syntax

execute dmserver delrev <device_name> <startrev> <endrev>

Variable Description

<device_name> The name of the device.

<startrev> The starting configuration revision number that you want to delete.

<endrev> The ending configuration revision number that you want to delete.

dmserver revlist

Use this command to show a list of revisions for a device.

Syntax

execute dmserver revlist <devicename>

Variable Description

<devicename> The name of the device.

dmserver showconfig

Use this command to show a specific configuration type and revision. You cannot use this command with read-only permission.

Syntax

execute dmserver showconfig <devicename>

Variable Description

<devicename> The name of the device.

dmserver showdev

Use this command to show a list of available devices. For each listed device, this command lists the device ID, device name, and serial number.

Syntax

execute dmserver showdev

dmserver showrev

Use this command to display a device’s configuration revision. You cannot use this command with read-only permission.


Syntax

execute dmserver showrev <devicename> <revision>

Variable Description

<devicename> The name of the device.

<revision> The configuration revision you want to display.

factory-license

Use this command to enter a factory license key. This command is hidden.

Syntax

execute factory-license <key>

Variable Description

<key> Enter the factory license key.

fgfm reclaim-dev-tunnel

Use this command to reclaim a management tunnel. The device name is optional.

Syntax

execute fgfm reclaim-dev-tunnel <devicename>

Variable Description

<devicename> Enter the device name.

fmpolicy

Use these commands to perform policy and object related actions.

fmpolicy check-upgrade-object

Use this command to check/upgrade objects by syntax.


Syntax

execute fmpolicy check-upgrade-object <action> {checking | fixing} <mode> <issue>
execute fmpolicy check-upgrade-object dump-log
execute fmpolicy check-upgrade-object upload-log <ftpserver> <port> <path> <username> <passwd>

Variable Description

<action> Select the auto-upgrade action. The following options are available:
• manual: Run auto-upgrade manually.
• dump-log: Dump a detailed log (size 8 K) on the console.
• upload-log: Upload a detailed log (size 8 K) to a remote FTP server.

{checking | fixing} Select the action to take. The following options are available:
• checking: Only check for target issues.
• fixing: Check for and then fix target issues.

<mode> Enter the mode. The following options are available:
• basic: Only check/fix basic known cases.
• auto: Only check/fix auto syntax based cases.
• misc: Only check/fix misc known cases.
• all: Check/fix all basic, auto, and misc cases.

<issue> Enter the ID or UUID, or enter all to fix all issues.

<ftpserver> Enter the FTP server IP address. This option is available when action is upload-log.

<port> Enter the FTP server port. This option is available when action is upload-log.

<path> Enter the FTP server destination path. This option is available when action is upload-log.

<username> Enter the FTP server username. This option is available when action is upload-log.

<passwd> Enter the FTP server password. This option is available when action is upload-log.


fmpolicy copy-adom-object

Use this command to set the policy to copy an ADOM level object.

Syntax

execute fmpolicy copy-adom-object <adom> <category> <name> <devname> <vdom>

Variable Description

<adom> Enter the name of the ADOM.

<category> Enter the name of the category in the ADOM.

<name> Enter the name of the object.

<devname> Enter the name of the device.

<vdom> Enter the name of the VDOM.

fmpolicy install-config

Use this command to print the configuration for an ADOM.

Syntax

execute fmpolicy install-config <adom> <devname> <revname>

Variable Description

<adom> Enter the name of the ADOM.

<devname> Enter the device name.

<revname> Enter the install revision name.


fmpolicy print-adom-database

Use this command to print the ADOM database configuration.

Syntax

execute fmpolicy print-adom-database <adom> <output>

Variable Description

<adom> Enter the name of the ADOM or Global.

<output> Enter the output file name.

fmpolicy print-adom-object

Use this command to print the ADOM object database.

Syntax

execute fmpolicy print-adom-object <adom> <category name> {<object name> | all | list}

<output>

Variable Description

<adom> Enter the name of the ADOM or Global.

<category name> Enter the category name.

{<object name> | all | list} Show object by name. Enter all to show all objects, or enter list to get all objects.

<output> Enter the output file name.

fmpolicy print-adom-package

Use this command to print the ADOM policy package database.

Syntax

execute fmpolicy print-adom-package <adom> <package name> <category name> {<object name> | all | list} <output>

Variable Description

<adom> Enter the name of the ADOM or Global.

<package name> Enter the package name.

<category name> Enter the category name.

{<object name> | all | list} Show object by name. Enter all to show all objects, or enter list to get all objects.

<output> Enter the output file name.


fmpolicy print-device-database

Use this command to print the device database configuration for an ADOM.

Syntax

execute fmpolicy print-device-database <adom> <devname> <output>

Variable Description

<adom> Enter the name of the ADOM.

<devname> Enter the device name.

<output> Enter the output filename.

fmpolicy print-device-object

Use this command to print the device objects.

Syntax

execute fmpolicy print-device-object <devname> <vdom> <category> {<object name> | all | list} <output>

Variable Description

<devname> Enter the name of the device.

<vdom> Enter the name of the VDOM.

<category> Enter the category of the ADOM.

{<object name> | all | list} Show object by name. Enter all to show all objects, or enter list to get all objects.

<output> Output file name.

fmpolicy print-prov-templates

Use this command to print provisioning templates.

Syntax

execute fmpolicy print-prov-templates <adom> <package name> <category name> {<object name> | all | list} <output>

Variable Description

<adom> Enter the name of the ADOM.

<package name> Enter the template name.

<category name> Enter the category name.

{<object name> | all | list} Show object by name. Enter all to show all objects, or enter list to get all objects.

<output> Enter the output name.

fmprofile

Use these commands to perform profile related actions.

fmprofile copy-to-device

Use this command to copy profile settings from a profile to a device.

Syntax

execute fmprofile copy-to-device <adom> <profile-id> <devname>

Variable Description

<adom> Enter the name of the ADOM.

<profile-id> Enter the profile ID.

<devname> Enter the device ID.

fmprofile export-profile

Use this command to export profile configurations.

Syntax

execute fmprofile export-profile <adom> <profile-id> <output>

Variable Description

<adom> Enter the name of the ADOM.

<profile-id> Enter the profile ID.

<output> Enter the output file name.

fmprofile import-from-device

Use this command to import profile settings from a device to a profile.

Syntax

execute fmprofile import-from-device <adom> <devname> <profile-id>

Variable Description

<adom> Enter the name of the ADOM.

<devname> Enter the device ID.

<profile-id> Enter the profile ID.

fmprofile import-profile

Use this command to import profile configurations.

Syntax

execute fmprofile import-profile <adom> <profile-id> <filename>

Variable Description

<adom> Enter the name of the ADOM.

<profile-id> Enter the profile ID.

<filename> Enter the full path to the input file containing the CLI configuration.

fmprofile list-profiles

Use this command to list all profiles in an ADOM.

Syntax

execute fmprofile list-profiles <adom>

Variable Description

<adom> Enter the name of the ADOM.

fmscript

Use these commands to perform script related actions.

fmscript clean-sched

Clean the script schedule table for all non-exist devices.

Syntax

execute fmscript clean-sched

fmscript delete

Delete a script from FortiManager.

Syntax

execute fmscript delete <scriptid>

Variable Description

<scriptid> The name of the script to delete.

fmscript import

Import a script from an FTP server to FortiManager.

Syntax

execute fmscript import <ftpserver_ipv4> <filename> <username> <password> <scriptname> <scripttype> <comment> <adom_name> <os_type> <os_version> <platform> <devicename> <buildno> <hostname> <serialno>

Variable Description

<ftpserver_ipv4> The IP address of the FTP server.

<filename> The filename of the script to be imported to the system.

<username> The user name used to access the FTP server.

<password> The password used to access the FTP server.

<scriptname> The name of the script to import.

<scripttype> The type of script, as one of CLI or TCL.

<comment> A comment about the script being imported, such as a brief description.

<adom_name> Name of the administrative domain.

<os_type> The operating system type, such as FortiOS. Options include any, FortiOS, and others.

<os_version> The operating system version. Options include any, 400, and 500.

<platform> The hardware platform this script can be run on. Options include any, or the model of the device, such as FortiGate 60C.

<devicename> The device name to run this script on. Options include any, or the specific device name as it is displayed on the FortiManager system.

<buildno> The specific build number this script can be run on. Options include any, or the three-digit build number. Build numbers can be found in the firmware name for the device.

<hostname> The host name of the device this script can be run on. Options include any, or the specific host name.

<serialno> The serial number of the device this script can be run on. Options include any, or the specific serial number of the device, such as FGT60C3G28033042.

fmscript list

List the scripts on the FortiManager device.

Syntax

execute fmscript list

Example

This is sample output of the execute fmscript list command.

FMG400C # execute fmscript list
scriptid=8,name=new account profile,type=CLI
scriptid=7,name=import_script,type=CLI
scriptid=6,name=group1,type=CLIGROUP
scriptid=5,name=basic_test,type=CLI
scriptid=3,name=interface info,type=CLI
scriptid=1,name=xml_script1,type=CLI
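The listing above is the kind of inventory worth reconciling against change records, because any script held on the manager can later be pushed to managed devices with execute fmscript run. The following parser is an added example, not Fortinet code or output: it reads the execute fmscript list output shown above (embedded here as a constructed string) into records, selects scripts by type, and flags any script that is not in an expected inventory. The inventory set and the function names are this example's own assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed copy of the sample output above, one record per line after the prompt.
SAMPLE_OUTPUT = """\
FMG400C # execute fmscript list
scriptid=8,name=new account profile,type=CLI
scriptid=7,name=import_script,type=CLI
scriptid=6,name=group1,type=CLIGROUP
scriptid=5,name=basic_test,type=CLI
scriptid=3,name=interface info,type=CLI
scriptid=1,name=xml_script1,type=CLI
"""

# Each record is "scriptid=<int>,name=<text>,type=<word>". The name may contain
# spaces (or commas), so it is matched greedily up to the final ",type=" token.
RECORD_RE = re.compile(r"^scriptid=(\d+),name=(.*),type=(\S+)$")

# Assumed change-control inventory of (id, name) pairs an administrator expects to see.
EXPECTED_INVENTORY: Set[Tuple[int, str]] = {
    (8, "new account profile"),
    (7, "import_script"),
    (6, "group1"),
    (5, "basic_test"),
    (3, "interface info"),
}


def parse_script_list(output: str) -> List[Dict[str, object]]:
    """Parse 'execute fmscript list' output into a list of {'id', 'name', 'type'} records."""
    records: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue  # prompt line, blank line, or anything that is not a record
        records.append({"id": int(m.group(1)), "name": m.group(2), "type": m.group(3)})
    return records


def scripts_by_type(records: List[Dict[str, object]], script_type: str) -> List[Dict[str, object]]:
    """Select records of one script type, e.g. 'CLI', 'TCL' or 'CLIGROUP'."""
    return [r for r in records if r["type"] == script_type]


def unexpected_scripts(records: List[Dict[str, object]],
                       inventory: Set[Tuple[int, str]]) -> List[Dict[str, object]]:
    """Return scripts present on the manager that the inventory does not account for."""
    return [r for r in records if (r["id"], r["name"]) not in inventory]


if __name__ == "__main__":
    recs = parse_script_list(SAMPLE_OUTPUT)
    for r in unexpected_scripts(recs, EXPECTED_INVENTORY):
        print("unrecorded script: id=%d name=%r type=%s" % (r["id"], r["name"], r["type"]))
```

Run against the sample, the parser yields six records and reports xml_script1 as the one script the inventory does not list; group scripts (type CLIGROUP) can be pulled out separately since they are the ones that fan out to several devices at once.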


fmscript run

Run a script on a device, the device's object database, or on the global database. Only CLI scripts can be run on databases, and they must contain only complete commands. Any scripts that use shortened CLI commands will generate errors.

When a script is run on the database, the device will be updated with any configuration changes the next time the configuration is uploaded from the FortiManager system to the device.

Syntax

execute fmscript run <scriptid_int> <run_on> <devname> <adomname>

Variable Description

<scriptid_int> The ID number of the script to run.

<run_on> Select where to run the script:

• device: on the device

• group: on a group

• devicedb: on the device's object database

• globaldb: on the global database

<devname> Enter the device name to run the script on. This is required if device or devicedb was chosen for where to run the script.

<adomname> Name of the administrative domain.

fmscript showlog

Display the log of scripts that have run on the selected device.

Syntax

execute fmscript showlog <devicename>

Variable Description

<devicename> The name of a managed FortiGate device.

Example

This example shows the output of execute fmscript showlog Dev3, which displays the output from a CLI script called xml_script1 that was run on the object database.

execute fmscript showlog Dev3
Starting log
config firewall address edit 33 set subnet 33.33.33.33 255.255.255.0
config firewall address edit 33
Running script(xml_script1) on DB success
cdb_find_entry_by_canon,52:parent=1,category=2,key=(null)

fmupdate

Use these commands to import and export packages.

fmupdate {ftp | scp | tftp} import

You can import packages using FTP, SCP, or TFTP servers. You can also use this command to import a list of custom URLs. Use the custom-url-list command to configure the URL database that FortiManager will use for rating queries.

Syntax

execute fmupdate {ftp | scp | tftp} import <type> <remote_file> <ip> <port> <remote_path> <user> <password_string>

Variable Description

{ftp | scp | tftp} Select ftp, scp, or tftp as the file transfer protocol to use.

<type> Select the type of file to export or import. Options include: av-ips, fct-av, url, spam, file-query, license-fgt, license-fct, custom-url, and domp.

<remote_file> Update manager package file name on the server or host.

<ip> Enter the FQDN or the IP address of the server.

<port> Enter the port to connect to on the remote SCP host.

<remote_path> Enter the name of the directory of the file to download from the FTP server or SCP host. If the directory name has spaces, enclose it in quotes.

<user> Enter the user name to log into the FTP server or SCP host.

<password_string> Enter the password to log into the FTP server or SCP host.

fmupdate {ftp | scp | tftp} export

You can export packages using FTP, SCP, or TFTP servers.

Syntax

execute fmupdate {ftp | scp | tftp} export <type> <remote_file> <ip> <port> <remote_path> <user> <password>

Variable Description

{ftp | scp | tftp} Select ftp, scp, or tftp as the file transfer protocol to use.

<type> Select the type of file to export or import. Options include: url, spam, license-package, license-info-in-xml, custom-url, and domp.

<remote_file> Update manager package file name on the server or host.

<ip> Enter the FQDN or the IPv4 address of the server.

<port> Enter the port to connect to on the remote SCP host.

<remote_path> Enter the name of the directory of the file to download from the FTP server or SCP host. If the directory name has spaces, enclose it in quotes.

<user> Enter the user name to log into the FTP server or SCP host.

<password> Enter the password to log into the FTP server or SCP host.

format

Format the hard disk on the FortiManager system.

Syntax

execute format {disk | disk-ext4 | disk_partition_2 | disk_partition_2-ext4 | disk_partition_3 | disk_partition_3-ext4 | disk_partition_4 | disk_partition_4-ext4} <RAID level>

When you run this command, you will be prompted to confirm the request.

Executing this command will erase all device settings/images, VPN & Update Manager databases, and log data on the FortiManager system's hard drive. The FortiManager device's IP address and routing information will be preserved.

Variable Description

<disk | disk-ext4> Select to format the hard disk, or to format the hard disk with the ext4 file system.

<disk_partition_2> Format hard disk partition 2 (static).

<disk_partition_2-ext4> Format hard disk partition 2 (static) with the ext4 file system.

<disk_partition_3> Format hard disk partition 3 (dynamic).

<disk_partition_3-ext4> Format hard disk partition 3 (dynamic) with the ext4 file system.

<disk_partition_4> Format hard disk partition 4 (misc).

<disk_partition_4-ext4> Format hard disk partition 4 (misc) with the ext4 file system.

<RAID level> Enter the RAID level to be set on the device. This option is only available on FortiManager models that support RAID. Press the Enter key to show the available RAID levels.

log

Use these commands to manage device logs.

log device disk_quota

Set the log device disk quota.

Syntax

execute log device disk_quota <device_id> <value>

Variable Description

<device_id> Enter the log device ID number, or All for all devices.

<value> Enter the disk quota value, in MB.

log device permissions

Set or view the log device permissions.

Syntax

execute log device permissions <device_id> <permission> {enable | disable}

Variable Description

<device_id> Enter the log device ID number, or All for all devices.

<permission> Select one of the following:

• all: All permissions

• logs: Log permission

• content: Content permission

• quar: Quarantine permission

• ips: IPS permission

{enable | disable} Enable or disable the selected permission.

log dlp-files clear

Delete log DLP files.

Syntax

execute log dlp-files clear <string> <string>

Variable Description

<string> Enter the device name.

<string> Enter the device archive type. Select one of: all, email, im, ftp, http, or mms.

log import

Use this command to import log files from another device and replace the device ID on the imported logs.

Syntax

execute log import <service> <ipv4_address> <user-name> <password_string> <file-name> <device-id>

Variable Description

<service> Enter the transfer protocol. Select one of: ftp, sftp, scp, or tftp.

<ipv4_address> Enter the server IPv4 address.

<user-name> Enter the username.

<password_string> Enter the password, or - for no password. The <password> field is not required when <service> is tftp.

<file-name> The file name (e.g. dir/fgt.alog.log) or directory name (e.g. dir/subdir/).

<device-id> Replace the device ID on imported logs. Enter the device serial number of one of your log devices. For example, FG100A2104400006.

log ips-pkt clear

Delete IPS packet files.

Syntax

execute log ips-pkt clear <string>

Variable Description

<string> Enter the device name.

log quarantine-files clear

Delete log quarantine files.

Syntax

execute log quarantine-files clear <string>

Variable Description

<string> Enter the device name.

log-integrity

Query the log file's MD5 checksum and timestamp.

Syntax

execute log-integrity <device name> <string>

Variable Description

<device name> Enter the name of the log device. Example: FWF40C3911000061

<string> The log file name.
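The checksum and timestamp that log-integrity reports are only useful as evidence if they were recorded before a file could have been changed and kept where the log writer cannot touch them. As an added example (not Fortinet code, and not the implementation behind execute log-integrity), the following Python captures the same two facts for a log file, then re-checks the file after a line has been appended, showing how the comparison detects the change. The sample log lines, the file name and the function names are constructed for this example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample log content. The file name follows the dir/fgt.alog.log
# pattern used by the log import command above; it is not a real device's log.
SAMPLE_LOG = (
    "date=2015-01-29 time=10:01:02 devname=FGT-example logid=0100032001 type=event\n"
    "date=2015-01-29 time=10:01:05 devname=FGT-example logid=0000000013 type=traffic\n"
)


def file_digest(path: str, algorithm: str = "md5") -> str:
    """Hex digest of a file, read in chunks so large log archives are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def record_integrity(path: str, algorithm: str = "md5") -> dict:
    """Capture what log-integrity reports for a file (checksum, timestamp) plus its size."""
    st = os.stat(path)
    return {
        "file": os.path.basename(path),
        "algorithm": algorithm,
        "checksum": file_digest(path, algorithm),
        "size": st.st_size,
        "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
    }


def verify_integrity(path: str, expected: dict) -> tuple:
    """Re-hash the file and compare it with a stored record. Returns (ok, reasons)."""
    reasons = []
    if file_digest(path, expected["algorithm"]) != expected["checksum"]:
        reasons.append("checksum mismatch")
    if os.stat(path).st_size != expected["size"]:
        reasons.append("size changed")
    return (not reasons, reasons)


def demo(algorithm: str = "md5") -> tuple:
    """Write the sample log, record it, append a line, and re-verify.

    Returns (ok_before, ok_after, reasons_after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fgt.alog.log")
        with open(path, "w") as f:
            f.write(SAMPLE_LOG)
        rec = record_integrity(path, algorithm)
        ok_before, _ = verify_integrity(path, rec)
        # Simulate a change made after the record was taken: one appended line.
        with open(path, "a") as f:
            f.write("date=2015-01-29 time=10:02:00 devname=FGT-example logid=0100032001 type=event\n")
        ok_after, reasons = verify_integrity(path, rec)
        return ok_before, ok_after, reasons


if __name__ == "__main__":
    print(demo())
```

MD5 is what the command reports, but it is no longer collision-resistant; the same code with algorithm="sha256" gives a digest an adversary cannot match with a crafted file. Either way the record only proves anything if it is stored off the log device (or signed) at the time it is taken, which is why the timestamp is captured alongside the checksum.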


lvm

With Logical Volume Manager (LVM), a FortiManager VM device can have up to twelve log disks in total added to an instance. More space can be added by adding another disk and running the LVM extend command.

This command is only available on FortiManager VM models.

Syntax

execute lvm extend [arg...]
execute lvm info
execute lvm start

Variable Description

extend Extend the LVM logical volume.

[arg...] Argument list (0 to 11).

info Get system LVM information.

start Start using LVM.

Example

View LVM information:

execute lvm info
disk01 In use 80.0(GB)
disk02 Not present
disk03 Not present
disk04 Not present
disk05 Not present
disk06 Not present
disk07 Not present
disk08 Not present
disk09 Not present
disk10 Not present
disk11 Not present
disk12 Not present

ping

Send an ICMP echo request (ping) to test the network connection between the FortiManager system and another network device.

Syntax

execute ping {<ipv4_address> | <hostname>}

Variable Description

<ipv4_address> IPv4 address of the network device to contact.

<hostname> DNS-resolvable hostname of the network device to contact.

Example

This example shows how to ping a host with the IP address 192.168.1.23:

execute ping 192.168.1.23

ping6

Send an ICMP echo request (ping) to test the network connection between the FortiManager system and another network device.

Syntax

execute ping6 {<ipv6_address> | <hostname>}

Variable Description

<ipv6_address> IPv6 address of the network device to contact.

<hostname> DNS-resolvable hostname of the network device to contact.

Example

This example shows how to ping a host with the IPv6 address 8001:0DB8:AC10:FE01:0:0:0:0:

execute ping6 8001:0DB8:AC10:FE01:0:0:0:0

raid

Use these commands to add a hard disk to, or delete a hard disk from, the RAID array.

Syntax

execute raid add-disk <disk index>
execute raid delete-disk <disk index>

These commands are only available on FortiManager models that support RAID.

reboot

Restart the FortiManager system. This command will disconnect all sessions on the FortiManager system.

Syntax

execute reboot

Example

execute reboot

The system will be rebooted.

Do you want to continue? (y/n)

remove

Use this command to remove all reports for a specific device from the FortiManager system.

Syntax

execute remove <reports> <device-id>

Variable Description

<reports> Remove all reports.

<device-id> Enter the device identifier.

Example

execute remove reports FGT60C3G00000002

This operation will ERASE ALL reports that include FGT60C3G00000002!

Do you want to continue? (y/n)y

All reports that include FGT60C3G00000002 were removed.

reset

Use this command to reset the FortiManager unit to factory defaults. This command will disconnect all sessions and restart the FortiManager unit.

Syntax

execute reset all-settings

Example

execute reset all-settings

This operation will reset all settings to factory defaults

Do you want to continue? (y/n)

reset-sqllog-transfer

Use this command to resend SQL logs to the database.

Syntax

execute reset-sqllog-transfer <enter>

restore

Use these commands to:

• restore the configuration or database from a file

• change the FortiManager unit image

This command will disconnect all sessions and restart the FortiManager unit.

Syntax

execute restore all-settings {ftp | scp | sftp} <ip> <string> <username> <password_string> <ssh-cert> <crptpassword_string> [option1+option2+...]
execute restore image {ftp | tftp} <ip> <filepath> <username> <password_string>
execute restore logs <device name(s)> {ftp | scp | sftp} <ip> <username> <password_string> <directory>
execute restore logs-only <device name(s)> {ftp | scp | sftp} <ip> <username> <password_string> <directory>
execute restore reports <report schedule name(s)> {ftp | scp | sftp} <ip> <username> <password_string> <directory>
execute restore reports-config <adom name(s)> {ftp | scp | sftp} <ip> <username> <password_string> <directory>

Variable Description

all-settings Restore all FortiManager settings from a file on a server. The new settings replace the existing settings, including administrator accounts and passwords.

image Upload a firmware image from a TFTP server to the FortiManager unit. The FortiManager unit reboots, loading the new firmware.

logs Restore the device logs.

logs-only Restore only the device logs.

reports Restore device reports.

reports-config Restore the reports configuration.

{ftp | tftp} Enter the type of server to retrieve the image from.

{ftp | scp | sftp} Enter the type of server.

<device name(s)> Enter the device name(s) separated by a comma, or enter all for all devices.

<report schedule name(s)> Enter the report schedule name(s) separated by a comma, or enter all for all report schedules.

<adom name(s)> Enter the ADOM name(s) separated by a comma, or enter all for all ADOMs.

<filepath> The file to get from the server. You can enter a path with the filename, if required.

<ip> IP address of the server to get the file from.

<string> The file to get from the server. You can enter a path with the filename, if required.

<username> The username to log on to the server. This option is not available for restore operations from TFTP servers.

<password_string> The password for the username on the server. This option is not available for restore operations from TFTP servers.

<ssh-cert> The SSH certificate for the server. This option is only available for restore operations from SCP servers.

<crptpassword_string> Optional password to protect backup content. Use any for no password.

<directory> Enter the directory.

[option1+option2+...] Select whether to keep IP, routing, and HA info on the original unit.

<remote_path> The path to the file/image on the TFTP server. If the path includes spaces, enclose the path in quotes.

Example

This example shows how to upload a configuration file from an FTP server to the FortiManager unit. The name of the configuration file on the FTP server is backupconfig. The IP address of the FTP server is 192.168.1.23. The user is admin with a password of mypassword. The configuration file is located in the /usr/local/backups/ directory on the FTP server.

execute restore all-settings 192.168.1.23 /usr/local/backups/backupconfig admin mypassword

shutdown

Shut down the FortiManager system. This command will disconnect all sessions.

Syntax

execute shutdown

Example

execute shutdown

The system will be halted.

Do you want to continue? (y/n)

sql-local

Use these commands to remove the SQL database and logs from the FortiManager system and to rebuild the database and devices.

When rebuilding the SQL database, new logs will not be available until the rebuild is complete. The time required to rebuild the database is dependent on the size of the database. Please plan a maintenance window to complete the database rebuild. You can use the diagnose sql status rebuild-db command to display the SQL log database rebuild status.

sql-local rebuild-db

Syntax

execute sql-local <rebuild-db>

Variable Description

<rebuild-db> Rebuild the entire local SQL database.

sql-local remove-db

Syntax

execute sql-local <remove-db>

Variable Description

<remove-db> Remove the entire local SQL database.

sql-local remove-logtype

Syntax

execute sql-local <remove-logtype> <log type>

Variable Description

<remove-logtype> Remove all log entries of the designated log type.

<log type> Enter the log type from the available log types. Example: app-ctrl

Example

execute sql-local remove-logtype app-ctrl

All SQL logs with log type 'app-ctrl' will be erased!

Do you want to continue? (y/n)

sql-query-dataset

Use this command to execute a SQL dataset against the system.

Syntax

execute sql-query-dataset <adom> <dataset-name> <device/group name> <faz/dev> <start-time> <end-time>

Variable Description

<adom> Enter the ADOM name.

<dataset-name> Enter the dataset name.

<device/group name> Enter the name of the device or device group.

<faz/dev> Enter the name of the FortiAnalyzer.

<start-time> Enter the log start time.

<end-time> Enter the log end time.

Example

execute sql-query-dataset Top-App-By-Bandwidth

sql-query-generic

Use this command to execute a SQL statement against the system.

Syntax

execute sql-query-generic <string>

Variable Description

<string> Enter the SQL statement to run.

sql-report

Use these commands to import and display language translation files, and to run a SQL report once against the FortiManager system.

sql-report hcache-check

Use this command to check the report hcache.

Syntax

execute sql-report hcache-check <adom> <report-name> <start-time> <end-time>

Variable Description

<adom> The ADOM name to run the report in.

<report-name> Enter the report name.

<start-time> Enter the start date and time of the report schedule in the format HH:MM yyyy/mm/dd.

<end-time> Enter the end date and time of the report schedule in the format HH:MM yyyy/mm/dd.

sql-report import-lang

Use this command to import a user-defined language translation file.

Syntax

execute sql-report import-lang <name> <service> <ip> <argument 1> <argument 2> <argument 3>

Variable Description

<name> Enter the new language name under which to import the new language translation file.

<service> Transfer protocol. Type one of the following:

• ftp: FTP

• sftp: SFTP

• scp: SCP

• tftp: TFTP

<ip> Server IP address.

<argument 1> For FTP, SFTP, or SCP, enter a user name. For TFTP, enter a file name.

<argument 2> For FTP, SFTP, or SCP, enter a password or '-'. For TFTP, press <enter>.

<argument 3> Enter a filename and press <enter>.

sql-report list

Use this command to list recently generated reports.

Syntax

execute sql-report list <adom> <days-range> <layout-name>

Variable Description

<adom> The name of the ADOM.

<days-range> Enter the number of days. Range: 1 to 99

<layout-name> Select one of the available SQL report layout names.

sql-report list-lang

Use this command to display all supported language translation files.

Syntax

execute sql-report list-lang

sql-report list-schedule

Use this command to list all report schedules.

Syntax

execute sql-report list-schedule <adom>

Variable

<adom>

Description

The name of the ADOM.

sql-report run

Use this command to run a report once.

Syntax

execute sql-report run <adom> <schedule-name> <num-threads>

Variable Description

<adom> The ADOM name to run the report in.

<schedule-name> Select one of the available report schedule names.

<num-threads> Select the number of threads.

sql-report view

Use this command to view report data.

Syntax

execute sql-report view <data-type> <adom> <report-name>

Variable Description

<data-type> Enter the data type to view. For example "report-data".

<adom> Enter the name of the ADOM.

<report-name> Enter the name of the report to view.

ssh

Use this command to establish an SSH session with another system.

Syntax

execute ssh <destination> <username>

Variable Description

<destination> Enter the IP address or fully qualified, DNS-resolvable hostname of the system you are connecting to.

<username> Enter the user name to use to log on to the remote system.

To leave the SSH session, type exit.

To confirm that you are connected to or disconnected from the SSH session, verify that the command prompt has changed.

ssh-known-hosts

Use these commands to remove all known SSH hosts, or a single known host. Once a host has been removed, its stored host key is no longer available to check against on the next execute ssh connection to it, so verify that connection's host key by another means.

Syntax

execute ssh-known-hosts remove-all
execute ssh-known-hosts remove-host <host/ip>

Variable Description

<host/ip> Enter the hostname or IP address of the SSH host to remove.

time

Get or set the system time.

Syntax

execute time [<time_str>]

time_str has the form hh:mm:ss, where

• hh is the hour and can be 00 to 23

• mm is the minutes and can be 00 to 59

• ss is the seconds and can be 00 to 59

All parts of the time are required. Single digits are allowed for each of hh, mm, and ss.

If you do not specify a time, the command returns the current system time.

execute time <enter>
current time is: 12:54:22

Example

This example sets the system time to 15:31:03:

execute time 15:31:03
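A validator for the time_str rules above, as an added example (not Fortinet code): it accepts one- or two-digit parts, requires all three parts, enforces the hh/mm/ss ranges, and normalizes the value to the two-digit form. The function names are this example's own.

```python
import re

# hh:mm:ss where each part is one or two digits; all three parts are required.
TIME_STR_RE = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})$")

# Inclusive upper bounds from the rules above: hh 00-23, mm 00-59, ss 00-59.
LIMITS = (("hh", 23), ("mm", 59), ("ss", 59))


def parse_time_str(time_str: str) -> tuple:
    """Return (hh, mm, ss) as ints, or raise ValueError naming the violated rule."""
    m = TIME_STR_RE.match(time_str.strip())
    if m is None:
        raise ValueError("time_str must have the form hh:mm:ss with all three parts")
    parts = tuple(int(p) for p in m.groups())
    for (name, limit), value in zip(LIMITS, parts):
        if value > limit:
            raise ValueError("%s must be 00 to %02d, got %d" % (name, limit, value))
    return parts


def normalize_time_str(time_str: str) -> str:
    """Canonical two-digit form, e.g. '9:5:7' becomes '09:05:07'."""
    return "%02d:%02d:%02d" % parse_time_str(time_str)


def is_valid_time_str(time_str: str) -> bool:
    """True when time_str satisfies every rule, False otherwise."""
    try:
        parse_time_str(time_str)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("15:31:03", "9:5:7", "24:00:00", "12:54"):
        print(candidate, "->", normalize_time_str(candidate) if is_valid_time_str(candidate) else "rejected")
```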

top

Use this command to view the processes running on the FortiManager system.

Syntax

execute top

execute top help menu

Command Description

Z,B Global: 'Z' change color mappings; 'B' disable/enable bold.

l,t,m Toggle Summaries: 'l' load average; 't' task/cpu statistics; 'm' memory information.

1,I Toggle SMP view: '1' single/separate states; 'I' Irix/Solaris mode.

f,o Fields/Columns: 'f' add or remove; 'o' change display order.

F or O Select sort field.

<,> Move sort field: '<' next column left; '>' next column right.

R,H Toggle: 'R' normal/reverse sort; 'H' show threads.

c,i,S Toggle: 'c' command name/line; 'i' idle tasks; 'S' cumulative time.

x,y Toggle highlights: 'x' sort field; 'y' running tasks.

z,b Toggle: 'z' color/mono; 'b' bold/reverse (only if 'x' or 'y').

u Show specific user only.

n or # Set maximum tasks displayed.

k,r Manipulate tasks: 'k' kill; 'r' renice.

d or s Set update interval.

W Write configuration file.

q Quit.

Example

The execute top command displays the following information:

top_bin - 12:50:25 up 1:48, 0 users, load average: 0.00, 0.02, 0.05
Tasks: 168 total, 1 running, 167 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 6108960k total, 923440k used, 5185520k free, 24716k buffers
Swap: 2076536k total, 0k used, 2076536k free, 306136k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5566 root 20 0 187m 159m 4432 S 0 2.7 0:04.63 dmserver
13492 root 20 0 2072 956 708 R 0 0.0 0:00.01 top_bin
1 root 20 0 186m 159m 5016 S 0 2.7 0:11.77 initXXXXXXXXXXX
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
4 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:0
5 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/1
8 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/1:0
9 root 20 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
10 root 20 0 0 0 0 S 0 0.0 0:00.18 kworker/0:1
11 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/2
12 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/2:0
13 root 20 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/2
14 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/3

traceroute

Test the connection between the FortiManager system and another network device, and display information about the network hops between the device and the FortiManager system.

Syntax

execute traceroute <host>

Variable Description

<host> IPv4 address or hostname of the network device.

Example

This example shows how to trace the route to a host with the IP address 172.18.4.95:

execute traceroute 172.18.4.95
traceroute to 172.18.4.95 (172.18.4.95), 32 hops max, 72 byte packets
1 172.18.4.95 0 ms 0 ms 0 ms
2 172.18.4.95 0 ms 0 ms 0 ms

traceroute6

Test the connection between the FortiManager system and another network device, and display information about the network hops between the device and the FortiManager system.

Syntax

execute traceroute6 <host>

Variable Description

<host> IPv6 address or hostname of the network device.

Example

This example shows how to trace the route to a host with the IPv6 address 8001:0DB8:AC10:FE01:0:0:0:0:

execute traceroute6 8001:0DB8:AC10:FE01:0:0:0:0

diagnose

The diagnose commands display diagnostic information that helps you to troubleshoot problems.

CLI commands and variables are case sensitive.

auto-delete

Use this command to diagnose the automatic deletion of DLP files, log files, quarantine files, and report files.

Syntax

diagnose auto-delete dlp-files {delete-now | list}
diagnose auto-delete log-files {delete-now | list}
diagnose auto-delete quar-files {delete-now | list}
diagnose auto-delete report-files {delete-now | list}

Variable Description

dlp-files {delete-now | list} Delete DLP files right now according to the system automatic deletion policy, or list DLP files. Select one of the following:

• delete-now: Delete files right now according to the system automatic deletion policy.

• list: List files according to the system automatic deletion policy.

log-files {delete-now | list} Delete log files right now according to the system automatic deletion policy, or list log files. Select one of the following:

• delete-now: Delete files right now according to the system automatic deletion policy.

• list: List files according to the system automatic deletion policy.

quar-files {delete-now | list} Delete quarantine files right now according to the system automatic deletion policy, or list quarantine files. Select one of the following:

• delete-now: Delete files right now according to the system automatic deletion policy.

• list: List files according to the system automatic deletion policy.

report-files {delete-now | list} Delete report files right now according to the system automatic deletion policy, or list report files. Select one of the following:

• delete-now: Delete files right now according to the system automatic deletion policy.

• list: List files according to the system automatic deletion policy.

cdb check

Use this command to check the object configuration database integrity and the global policy assignment table, and to repair the configuration database.

Syntax

diagnose cdb check objcfg-integrity
diagnose cdb check policy-assignment
diagnose cdb check update-devinfo <item> <new-value> [0 | 1] [model-name]

Variable Description

objcfg-integrity Check object configuration database integrity.

policy-assignment Check the global policy assignment table.

update-devinfo Update device information by directly changing the database.

<item> Device information item.

<new-value> New value for the item. By default, a summary is dumped only.

[0 | 1] 0: Default; only update items whose value is empty (0). 1: Always update.

[model-name] Only update devices with this model name. By default, all models are updated.

Example

# diagnose cdb check policy-assignment
Checking global policy assignment ... correct

debug

Use the following commands to debug the FortiManager:

debug application

Use this command to set the debug levels for applications.

Syntax

diagnose debug application alertmail <integer>
diagnose debug application curl <integer>
diagnose debug application ddmd <integer> [deviceName]
diagnose debug application depmanager <integer>
diagnose debug application dmworker <integer>
diagnose debug application dmapi <integer>
diagnose debug application fazcfgd <integer>
diagnose debug application fazsvcd <integer>
diagnose debug application fgdsvr <integer>
diagnose debug application fgdupd <integer>
diagnose debug application fgfmsd <integer> [deviceName]
diagnose debug application fnbam <integer>
diagnose debug application fortilogd <integer>
diagnose debug application FortiManagerws <integer>
diagnose debug application gui <integer>
diagnose debug application ha <integer>
diagnose debug application ipsec <integer>
diagnose debug application localmod <integer>
diagnose debug application logd <integer>
diagnose debug application logfiled <integer>
diagnose debug application lrm <integer>
diagnose debug application ntpd <integer>
diagnose debug application oftpd <integer> [IP/deviceSerial/deviceName]
diagnose debug application ptmgr <integer>
diagnose debug application ptsessionmgr <integer>
diagnose debug application securityconsole <integer>
diagnose debug application snmpd <integer>
diagnose debug application sql_dashboard_rpt <integer>
diagnose debug application sql-integration <integer>
diagnose debug application sqlplugind <integer>
diagnose debug application sqlrptcached <integer>
diagnose debug application srchd <integer>
diagnose debug application ssh <integer>
diagnose debug application sshd <integer>
diagnose debug application storaged <integer>
diagnose debug application uploadd <integer>

Variable                                        Description                                                               Default
alertmail <integer>                             Set the debug level of the alert email daemon.                            0
curl <integer>                                  Set the debug level of the curl daemon. Use this CLI command to enable    0
                                                debug for monitoring progress when performing a backup/restore of a
                                                large database via FTP.
ddmd <integer> [deviceName]                     Set the debug level of the dynamic data monitor. Enter a device name      0
                                                to only show messages related to that device.
depmanager <integer>                            Set the debug level of the deployment manager.                            0
dmworker <integer>                              Set the debug level of the deployment manager worker.                     0
dmapi <integer>                                 Set the debug level of the dmapi.                                         0
fazcfgd <integer>                               Set the debug level of the fazcfgd daemon.                                0
fazsvcd <integer>                               Set the debug level of the fazsvcd daemon.                                0
fgdsvr <integer>                                Set the debug level of the FortiGuard query daemon.                       0
fgdupd <integer>                                Set the debug level of the FortiGuard update daemon.                      0
fgfmsd <integer> [deviceName]                   Set the debug level of the FGFM daemon. Enter a device name to only       0
                                                show messages related to that device.
fnbam <integer>                                 Set the debug level of the Fortinet authentication module.                0
fortilogd <integer>                             Set the debug level of the fortilogd daemon.                              0
FortiManagerws <integer>                        Set the debug level of the Web Service.                                   0
gui <integer>                                   Set the debug level of the Web-based Manager.                             0
ha <integer>                                    Set the debug level of the high availability daemon.                      0
ipsec <integer>                                 Set the debug level of the IPsec daemon.                                  0
localmod <integer>                              Set the debug level of the localmod daemon.                               0
logd <integer>                                  Set the debug level of the log daemon.                                    0
logfiled <integer>                              Set the debug level of the logfiled daemon.                               0
lrm <integer>                                   Set the debug level of the Log and Report Manager.                        0
ntpd <integer>                                  Set the debug level of the NTP daemon.                                    0
oftpd <integer> [IP/deviceSerial/deviceName]    Set the debug level of the oftpd daemon. Enter an IP address, device      0
                                                serial number, or device name to only show messages related to that
                                                device or IP address.
ptmgr <integer>                                 Set the debug level of the Portal Manager.                                0
ptsessionmgr <integer>                          Set the debug level of the Portal Session Manager.                        0
securityconsole <integer>                       Set the debug level of the security console daemon.                       0
snmpd <integer>                                 Set the debug level of the SNMP daemon from 0-8.                          0
sql_dashboard_rpt <integer>                     Set the debug level of the SQL dashboard report daemon.                   0
sql-integration <integer>                       Set the debug level of SQL applications.                                  0
sqlplugind <integer>                            Set the debug level of the SQL plugin daemon.                             0
sqlrptcached <integer>                          Set the debug level of the SQL report caching daemon.                     0
srchd <integer>                                 Set the debug level of the SRCHD.                                         0
ssh <integer>                                   Set the debug level of SSH protocol transactions.                         0
sshd <integer>                                  Set the debug level of the SSH daemon.                                    0
storaged <integer>                              Set the debug level of communication with Java clients.                   0
uploadd <integer>                               Set the debug level of the upload daemon.                                 0

Example

This example shows how to set the debug level to 7 for the upload daemon:

diagnose debug application uploadd 7

debug cli

Use this command to set the debug level of CLI.

Syntax

diagnose debug cli <integer>


Variable        Description                                     Default
<integer>       Set the debug level of the CLI from 0-8.        3

Example

This example shows how to set the CLI debug level to 5:

diagnose debug cli 5

debug console

Use this command to enable or disable console debugging.

Syntax

diagnose debug console {enable | disable}

Variable                 Description
{enable | disable}       Enable/disable console debugging.

debug crashlog

Use this command to manage crash logs.

Syntax

diagnose debug crashlog clear
diagnose debug crashlog read

Variable      Description
clear         Delete backtrace and core files.
read          Show the crash logs. This command is hidden.

debug disable

Use this command to disable debug.

Syntax

diagnose debug disable


debug dpm

Use this command to manage the deployment manager.

Syntax

diagnose debug dpm comm-trace {enable | disable | status}
diagnose debug dpm conf-trace {enable | disable | status}
diagnose debug dpm probe-device <ip>

Variable                                    Description
comm-trace {enable | disable | status}      Enable a DPM to FortiGate communication trace. Type one of the following:
                                              enable: Enable communication trace.
                                              disable: Disable communication trace.
                                              status: Get the status of the setting.
conf-trace {enable | disable | status}      Enable a DPM to FortiGate configuration trace. Type one of the following:
                                              enable: Enable configuration trace.
                                              disable: Disable configuration trace.
                                              status: Get the status of the setting.
probe-device <ip>                           Check device status.

Example

This example shows how to enable a communication trace between the DPM and a FortiGate:

diagnose debug dpm comm-trace enable

debug enable

Use this command to enable debug.

Syntax

diagnose debug enable

debug info

Use this command to show active debug level settings.

Syntax

diagnose debug info

Example

Here is an example of the output from diagnose debug info:

General
cli debug level: 3
console debug output: enable
debug timestamps: disable
terminal session debug output: disable

Application
ddmd debug filter: disable
fgfmsd debug filter: disable
oftpd debug filter: disable

debug reset

Use this command to reset the debug level settings. All debug settings will be reset.

Syntax

diagnose debug reset

debug service

Use this command to debug services.

Syntax

diagnose debug service cdb <integer>
diagnose debug service cmdb <integer>
diagnose debug service dvmcmd <integer>
diagnose debug service dvmdb <integer>
diagnose debug service fazconf <integer>
diagnose debug service main <integer>
diagnose debug service sys <integer>
diagnose debug service task <integer>

Variable               Description
cdb <integer>          Debug the CDB daemon service. Enter the debug level.
cmdb <integer>         Debug the CMDB daemon service. Enter the debug level.
dvmcmd <integer>       Debug the DVMCMD daemon service. Enter the debug level.
dvmdb <integer>        Debug the DVMDB daemon service. Enter the debug level.
fazconf <integer>      Debug the NCMDB daemon service. Enter the debug level.
main <integer>         Debug the Main daemon service. Enter the debug level.
sys <integer>          Debug the SYS daemon service. Enter the debug level.
task <integer>         Debug the Task daemon service. Enter the debug level.

debug sysinfo

Use this command to show system information.

Syntax

diagnose debug sysinfo

Example

Here is an example of the output from diagnose debug sysinfo:

=== file system information ===
Filesystem           1K-blocks      Used Available Use% Mounted on
none                   1471952         0   1471952   0% /dev/shm
none                     65536        24     65512   0% /tmp
/dev/sda1               516040     75360    440680  15% /data
/dev/mdvg/mdlv        82561712  47014896  35546816  57% /var
/dev/mdvg/mdlv        82561712  47014896  35546816  57% /drive0
/dev/mdvg/mdlv        82561712  47014896  35546816  57% /Storage
/dev/loop0                9911      1122      8277  12% /var/dm/tcl-root

=== /tmp system information ===
drwxrwxrwx 2 root root 40 Sep 30 09:24 FortiManagerWS
srwxrwxrwx 1 root root  0 Sep 30 09:23 alertd.req
srw-rw-rw- 1 root root  0 Sep 30 09:23 alertmail.sock
srw-rw-rw- 1 root root  0 Sep 30 09:23 alertmail_workflow.sock
-rw-rw-rw- 1 root root  4 Sep 30 09:22 cmdb_lock
srwxrwxrwx 1 root root  0 Sep 30 09:22 cmdbsocket
-rw-r--r-- 1 root root 52 Sep 30 09:23 crontab
-rw-r--r-- 1 root root  0 Sep 30 09:23 crontab.lock
srw-rw-rw- 1 root root  0 Sep 30 09:24 ddmclt.sock
-rw-rw-rw- 1 root root  4 Sep 30 09:24 django.pid
srw-rw-rw- 1 root root  0 Sep 30 09:23 dmserver.sock
-rw-rw-rw- 1 root root  0 Sep 30 09:22 dvm_sync_init
-rw-rw-rw- 1 root root  8 Sep 30 09:23 dvm_timestamp
drwx------ 2 root root 40 Sep 30 09:23 dynamic
srwxrwxrwx 1 root root  0 Sep 30 09:23 faz_svc
srwxrwxrwx 1 root root  0 Sep 30 09:24 fcgi.sock
srwxrwxrwx 1 root root  0 Sep 30 09:23 fmgd.domain
srwxrwxrwx 1 root root  0 Sep 30 09:24 httpcli.msg
srw-rw-rw- 1 root root  0 Sep 30 09:24 hwmond.req
srwxrwxrwx 1 root root  0 Sep 30 09:23 log_stat.svr
srwxrwxrwx 1 root root  0 Sep 30 09:23 reliable_logging_path
srwxrwxrwx 1 root root  0 Sep 30 09:23 sql_plugin
srwxrwxrwx 1 root root  0 Sep 30 09:23 sql_report
-----wx--- 1 root root  0 Sep 30 09:37 sqlrpt.lck
srw-rw-rw- 1 root root  0 Sep 30 09:24 srchd.sock
srwxrwxrwx 1 root root  0 Sep 30 09:42 upm_forticlient.sock

=== resource use information ===
Program uses most memory: [gui control], pid 491, size 203m
Program uses most cpu: [/bin/cmdbsvr], pid 220, percent 0%

=== db locks information ===

debug sysinfo-log

Use this command to generate a system information log file every two minutes.

Syntax

diagnose debug sysinfo-log {on | off}

debug sysinfo-log-backup

Use this command to backup all system information log files to an FTP server.

Syntax

diagnose debug sysinfo-log-backup <ip> <string> <username> <password>

Variable        Description
<ip>            Enter the FTP server IP address.
<string>        Enter the path or filename to save to on the FTP server.
<username>      Enter the user name for the FTP server.
<password>      Enter the password for the FTP server.

debug sysinfo-log-list

Use this command to show system information elogs.

Syntax

diagnose debug sysinfo-log-list <integer>

Variable        Description
<integer>       Display the last n elogs. Default: 10.

debug timestamp

Use this command to enable or disable debug timestamp.


Syntax

diagnose debug timestamp {enable | disable}

debug vminfo

Use this command to show VM license information.

Syntax

diagnose debug vminfo

This command is only available on FortiManager VM models.

Example

Here is an example of the output from diagnose debug vminfo:

ValidLicense Type: 5000UG

Table size:

Maximum dev: 6120

dlp-archives

Use this command to manage the DLP archives.

Syntax

diagnose dlp-archives quar-cache list-all-process
diagnose dlp-archives quar-cache kill-process <pid>
diagnose dlp-archives rebuild-quar-db
diagnose dlp-archives statistics {show | flush}
diagnose dlp-archives status

Variable                            Description
quar-cache list-all-process         List all processes that are using the quarantine cache.
quar-cache kill-process <pid>       Kill a process that is using the quarantine cache.
rebuild-quar-db                     Rebuild the quarantine cache database.
statistics {show | flush}           Display or flush the quarantined and DLP archived file statistics. Select one of the following:
                                      flush: Flush quarantined and DLP archived file statistics.
                                      show: Display quarantined and DLP archived file statistics.
status                              Running status.

dvm

Use the following commands for DVM related settings:

dvm adom

Use this command to list ADOMs.

Syntax

diagnose dvm adom list

Variable      Description
list          List ADOMs, state, product, OS version (OSVER), major release (MR), name, mode, and VPN management.

dvm capability

Use this command to set the DVM capability.

Syntax

diagnose dvm capability set {all | standard}
diagnose dvm capability show

Variable                   Description
set {all | standard}       Set the capability to all or standard.
show                       Show what the capability is set to.

dvm chassis

Use this command to list chassis.


Syntax

diagnose dvm chassis list

Variable      Description
list          List chassis.

dvm check-integrity

Use this command to check the DVM database integrity.

Syntax

diagnose dvm check-integrity

Example

Here is an example of the output from diagnose dvm check-integrity:

[1/11] Checking object memberships ... correct

[2/11] Checking device nodes ... correct

[3/11] Checking device vdoms ... correct

[4/11] Checking device ADOM memberships ... correct

[5/11] Checking devices being deleted ... correct

[6/11] Checking devices not supported ... correct

[7/11] Checking devices state ... correct

[8/11] Checking groups ... correct

[9/11] Checking group membership ... correct

[10/11] Checking device locks ... correct

[11/11] Checking task database ... correct

dvm debug

Use this command to enable or disable debug channels.

Syntax

diagnose dvm debug {enable | disable} <channel> <channel> ... <channel>

dvm device

Use this command to list devices or objects referencing a device.

Syntax

diagnose dvm device dynobj <device>
diagnose dvm device list <device> <vdom>
diagnose dvm device delete <adom> <device>

Variable                       Description
dynobj <device>                List dynamic objects on this device.
list <device> <vdom>           List devices. Optionally, enter a device or VDOM name.
delete <adom> <device>         Delete devices.

Example

Here is an example of the output from diagnose dvm device dynobj <device>:

=== VDOM root ===

Dynamic interface

Dynamic firewall address
    name: SSLVPN_TUNNEL_ADDR1
    name: all

Dynamic firewall address6

Dynamic firewall vip

Dynamic firewall vip6

Dynamic firewall vip46

Dynamic firewall vip64

Dynamic firewall ippool

Dynamic firewall ippool6

Dynamic certificate local

Dynamic vpn tunnel

dvm device-tree-update

Use this command to enable or disable device tree automatic updates.

Syntax

diagnose dvm device-tree-update {enable | disable}

dvm extender

Use these commands to list FortiExtender devices and synchronize data by JSON.

Syntax

diagnose dvm extender list
diagnose dvm extender sync-extender-data
diagnose dvm extender get-extender-modem-ip <device> <id>

Variable                                   Description
list                                       List FortiExtender devices.
sync-extender-data                         Synchronize FortiExtender data by JSON.
get-extender-modem-ip <device> <id>        Get the FortiExtender modem IP address by JSON.
    <device>                               Enter the device name.
    <id>                                   Enter the FortiExtender ID.

dvm group

Use this command to list groups.

Syntax

diagnose dvm group list

dvm lock

Use this command to print the DVM lock states.

Syntax

diagnose dvm lock

Example

Here is an example of the output from diagnose dvm lock:

DVM lock state = unlocked

Global database pending read: unlocked

Global database pending write: unlocked

Global database reserved read: unlocked

Global database reserved write: unlocked

Global database shared read: unlocked

Global database shared write: unlocked

dvm proc

Use this command to list DVM processes.

Syntax

diagnose dvm proc list

Example

This example shows the output from diagnose dvm proc list:

dvmcmd group id=3632
dvmcmd process 3632 is running
control process is healthy.
dvmcore is running normally.

dvm supported-platforms

Use this command to list supported platforms and firmware versions.

Syntax

diagnose dvm supported-platforms list detail

Variable      Description
list          List supported platforms.
detail        Show detail with syntax support.

dvm task

Use this command to repair or reset the task database.

Syntax

diagnose dvm task list <adom> <type>
diagnose dvm task repair
diagnose dvm task reset

Variable                   Description
list <adom> <type>         List task database information.
repair                     Repair the task database while preserving existing data where possible. The FortiManager will reboot after the repairs.
reset                      Reset the task database to its factory default state. All existing tasks and the task history will be erased. The FortiManager will reboot after the reset.

Example

This example shows the output for diagnose dvm task root all:

ADOM: root

ID Source Description User Status Start Time

--------------------------------------------

112 device_manager adddevtitle admin done Wed Jan 23 15:39:24 2013

113 device_manager deldevtitle admin done Wed Jan 23 15:51:10 2013

114 device_manager adddevtitle admin done Wed Jan 23 15:52:19 2013

115 import_dev_objs Import Device Objs/Policy admin done Wed Jan 23 15:52:55 2013

116 import_dev_objs Import Device Objs/Policy admin done Wed Jan 23 15:53:04 2013

117 import_dev_objs Import Device Objs/Policy admin done Wed Jan 23 15:53:08 2013

118 import_dev_objs Import Device Objs/Policy admin done Wed Jan 23 15:53:13 2013

132 device_manager adddeldevtitle admin done Thu Jan 24 17:55:17 2013

133 device_manager adddeldevtitle admin done Thu Jan 31 18:34:25 2013

134 device_manager adddeldevtitle admin done Mon Mar 25 16:26:35 2013


135 device_manager upddevtitle admin done Tue Mar 26 09:15:20 2013

136 device_manager deldevtitle admin done Tue Mar 26 09:16:48 2013

137 device_manager adddeldevtitle admin done Tue Mar 26 09:18:32 2013

138 device_manager deldevtitle admin done Tue Mar 26 09:22:49 2013

139 device_manager adddeldevtitle admin done Tue Mar 26 09:23:48 2013

140 device_manager deldevtitle admin done Tue Mar 26 09:30:20 2013

141 device_manager adddeldevtitle admin done Tue Mar 26 09:33:34 2013

142 device_manager deldevtitle admin done Tue Mar 26 09:35:06 2013

143 device_manager adddeldevtitle admin done Tue Mar 26 09:38:41 2013

144 device_manager adddeldevtitle admin done Tue Mar 26 09:59:18 2013

145 device_manager deldevtitle admin done Tue Mar 26 10:08:16 2013

146 device_manager deldevtitle admin done Tue Mar 26 10:08:26 2013

147 device_manager adddevtitle admin done Tue Mar 26 14:40:54 2013

148 import_dev_objs Import Device Objs/Policy admin done Tue Mar 26 14:42:05 2013
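The task table above is the audit trail of who added, deleted or imported devices and when. The following parser is an added example, not part of the manual or of any Fortinet tool; it turns the diagnose dvm task output into records so the history can be filtered by user, source and time window. The sample text is constructed in the shape of the output shown above.

```python
import re
from collections import Counter
from datetime import datetime
from typing import List, NamedTuple

# Constructed sample in the shape of the diagnose dvm task output above.
SAMPLE_TASK_OUTPUT = """\
ADOM: root
ID Source Description User Status Start Time
--------------------------------------------
112 device_manager adddevtitle admin done Wed Jan 23 15:39:24 2013
113 device_manager deldevtitle admin done Wed Jan 23 15:51:10 2013
115 import_dev_objs Import Device Objs/Policy admin done Wed Jan 23 15:52:55 2013
132 device_manager adddeldevtitle admin done Thu Jan 24 17:55:17 2013
"""


class Task(NamedTuple):
    adom: str
    task_id: int
    source: str
    description: str  # free text, may contain spaces ("Import Device Objs/Policy")
    user: str
    status: str
    start: datetime


# The description column is free text, so the row is anchored on the fixed-format
# timestamp at the end and on the single-word user and status columns before it.
ROW_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<source>\S+)\s+(?P<desc>.+?)\s+(?P<user>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<start>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})$"
)


def parse_task_output(text: str) -> List[Task]:
    """Parse one or more 'ADOM: name' sections followed by task rows."""
    tasks = []
    adom = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or line.startswith("ID "):
            continue  # blank, separator or column-header line
        if line.startswith("ADOM:"):
            adom = line.split(":", 1)[1].strip()
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unparsed task row: %r" % line)
        tasks.append(Task(
            adom=adom,
            task_id=int(m.group("id")),
            source=m.group("source"),
            description=m.group("desc"),
            user=m.group("user"),
            status=m.group("status"),
            start=datetime.strptime(m.group("start"), "%a %b %d %H:%M:%S %Y"),
        ))
    return tasks


def tasks_by_user_and_source(tasks: List[Task]) -> Counter:
    """How many tasks each (user, source) pair produced: a quick view of which
    administrator account drove device changes."""
    return Counter((t.user, t.source) for t in tasks)


def tasks_between(tasks: List[Task], start: datetime, end: datetime) -> List[Task]:
    """Tasks whose start time lies in [start, end], for scoping a time window."""
    return [t for t in tasks if start <= t.start <= end]


if __name__ == "__main__":
    parsed = parse_task_output(SAMPLE_TASK_OUTPUT)
    for task in parsed:
        print(task.task_id, task.user, task.source, task.description, task.start.isoformat())
    print(tasks_by_user_and_source(parsed))
```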

dvm transaction-flag

Use this command to edit or display DVM transaction flags.

Syntax

diagnose dvm transaction-flag {abort | debug | none}

fgfm

Use this command to get installation session, object, and session lists.

Syntax

diagnose fgfm install-session
diagnose fgfm object-list
diagnose fgfm session-list <device ID>

Variable                     Description
install-session              Get installation session lists.
object-list                  Get object lists.
session-list <device ID>     Get session lists.

fmnetwork

Use the following commands for network related settings.

fmnetwork arp

Use this command to manage ARP.


Syntax

diagnose fmnetwork arp del <intf-name> <IP>
diagnose fmnetwork arp list

Variable                  Description
del <intf-name> <IP>      Delete an ARP entry.
list                      List ARP entries.

Example

This example shows the output for diagnose fmnetwork arp list:

index=2 ifname=port1 10.2.115.20 00:09:0f:ed:bc:f3 state=00000002 use=2954 confirm=2954 update=2508 ref=3
index=1 ifname=lo 0.0.0.0 00:00:00:00:00:00 state=00000040 use=172515 confirm=835387 update=2096758 ref=2
index=2 ifname=port1 10.2.115.36 00:0c:29:ce:81:98 state=00000004 use=2978 confirm=2978 update=23 ref=2
index=2 ifname=port1 10.2.115.37 00:0c:29:8f:a2:8e state=00000002 use=2658 confirm=2658 update=2508 ref=3
index=2 ifname=port1 10.2.117.138 00:09:0f:77:05:28 state=00000002 use=2996 confirm=2996 update=2510 ref=3
index=2 ifname=port1 10.2.0.250 00:09:0f:48:91:b7 state=00000002 use=706 confirm=0 update=553 ref=19
index=2 ifname=port1 10.2.66.95 00:09:0f:09:00:00 state=00000002 use=2828 confirm=2828 update=2483 ref=3
index=2 ifname=port1 10.2.118.24 state=00000020 use=2701 confirm=2094709 update=2401 ref=2
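The ARP listing above is a useful baseline for the management network: each record carries key=value fields plus two bare tokens (IP and MAC), and the last record shows the edge case of an entry with no hardware address. The parser below is an added example, not part of the manual or of any Fortinet tool; it splits the output on the index= marker so it also copes with output that has been run together onto one line, and reports entries without a MAC and MACs claimed by more than one IP. The sample text is constructed from the shape shown above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the diagnose fmnetwork arp list output above,
# deliberately run together on one line as a terminal copy-paste often is. The last
# record has no hardware address, as in the manual's example.
SAMPLE_ARP_OUTPUT = (
    "index=2 ifname=port1 10.2.115.20 00:09:0f:ed:bc:f3 state=00000002 use=2954 confirm=2954 update=2508 ref=3 "
    "index=1 ifname=lo 0.0.0.0 00:00:00:00:00:00 state=00000040 use=172515 confirm=835387 update=2096758 ref=2 "
    "index=2 ifname=port1 10.2.115.36 00:0c:29:ce:81:98 state=00000004 use=2978 confirm=2978 update=23 ref=2 "
    "index=2 ifname=port1 10.2.118.24 state=00000020 use=2701 confirm=2094709 update=2401 ref=2"
)

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class ArpEntry:
    index: int
    ifname: str
    ip: str
    mac: Optional[str]  # None when the record carries no hardware address
    state: int          # printed as a hex bitmask, e.g. 00000002
    use: int
    confirm: int
    update: int
    ref: int


def parse_arp_entry(chunk: str) -> ArpEntry:
    """Parse one 'index=... ref=N' record. key=value tokens are taken by name; the
    bare tokens are the IP address and, when present, the MAC address."""
    fields = {}
    ip = mac = None
    for tok in chunk.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif IPV4_RE.match(tok):
            ip = tok
        elif MAC_RE.match(tok):
            mac = tok
        else:
            raise ValueError("unexpected token %r in ARP record" % tok)
    if ip is None:
        raise ValueError("ARP record without IP address: %r" % chunk)
    return ArpEntry(
        index=int(fields["index"]),
        ifname=fields["ifname"],
        ip=ip,
        mac=mac,
        state=int(fields["state"], 16),
        use=int(fields["use"]),
        confirm=int(fields["confirm"]),
        update=int(fields["update"]),
        ref=int(fields["ref"]),
    )


def parse_arp_output(text: str) -> List[ArpEntry]:
    """Split on the 'index=' marker rather than on newlines, so both one-record-per-
    line output and output run together on a single line parse the same way."""
    chunks = re.split(r"\s+(?=index=)", text.strip())
    return [parse_arp_entry(c) for c in chunks if c]


def entries_without_mac(entries: List[ArpEntry]) -> List[str]:
    """IPs whose neighbour entry has no hardware address (unresolved or stale)."""
    return [e.ip for e in entries if e.mac is None]


def ips_per_mac(entries: List[ArpEntry]) -> Dict[Tuple[str, str], List[str]]:
    """Map (interface, MAC) to the IPs claiming it. Several IPs behind one MAC on a
    management interface is worth a second look when reviewing a baseline."""
    result: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        if e.mac is not None:
            result.setdefault((e.ifname, e.mac), []).append(e.ip)
    return result


if __name__ == "__main__":
    parsed = parse_arp_output(SAMPLE_ARP_OUTPUT)
    for entry in parsed:
        print(entry)
    print("entries without MAC:", entries_without_mac(parsed))
```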

fmnetwork interface

Use this command to view interface information.

Syntax

diagnose fmnetwork interface detail <portX>
diagnose fmnetwork interface list <portX>

Variable             Description
detail <portX>       View a specific interface's details.
list <portX>         List all interface details.

Example

Here is an example of the output from diagnose fmnetwork interface list port1:

port1     Link encap:Ethernet  HWaddr D4:AE:52:86:F4:52
          inet addr:10.2.60.101  Bcast:10.2.255.255  Mask:255.255.0.0
          inet6 addr: fe80::d6ae:52ff:fe86:f452/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26988508 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38322005 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4165017288 (3.8 GiB)  TX bytes:54518196952 (50.7 GiB)
          Interrupt:28 Memory:d6000000-d6012800

fmnetwork netstat

Use this command to view network statistics.

Syntax

diagnose fmnetwork netstat list [-r]
diagnose fmnetwork netstat tcp [-r]
diagnose fmnetwork netstat udp [-r]

Variable       Description
list [-r]      List all connections, or use -r to list only resolved IP addresses.
tcp [-r]       List all TCP connections, or use -r to list only resolved IP addresses.
udp [-r]       List all UDP connections, or use -r to list only resolved IP addresses.

Example

Here is an example of the output from diagnose fmnetwork netstat tcp -r:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 FMG-VM:9090             *:*                     LISTEN
tcp        0      0 *:6020                  *:*                     LISTEN
tcp        0      0 *:8900                  *:*                     LISTEN
tcp        0      0 *:8901                  *:*                     LISTEN
tcp        0      0 *:8080                  *:*                     LISTEN
tcp        0      0 *:22                    *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:8890                  *:*                     LISTEN
tcp        0      0 *:8891                  *:*                     LISTEN
tcp        0      0 *:541                   *:*                     LISTEN
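The netstat listing above is the appliance's exposed listening surface, so it is worth turning into a checklist rather than reading by eye. The parser below is an added example, not part of the manual or of any Fortinet tool; it reads the six-column table (with -r, the local port may be a resolved service name such as telnet, and the host a resolved name such as FMG-VM) and reports wildcard-bound listeners that are not on a reviewer's allow-list. The allow-list of expected ports is an assumption for this example only. The sample text is constructed from the shape shown above.

```python
from typing import List, NamedTuple, Tuple

# Constructed sample in the shape of the diagnose fmnetwork netstat tcp -r output above.
SAMPLE_NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 FMG-VM:9090             *:*                     LISTEN
tcp        0      0 *:6020                  *:*                     LISTEN
tcp        0      0 *:8900                  *:*                     LISTEN
tcp        0      0 *:8901                  *:*                     LISTEN
tcp        0      0 *:8080                  *:*                     LISTEN
tcp        0      0 *:22                    *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:8890                  *:*                     LISTEN
tcp        0      0 *:8891                  *:*                     LISTEN
tcp        0      0 *:541                   *:*                     LISTEN
"""


class Socket(NamedTuple):
    proto: str
    recv_q: int
    send_q: int
    local_host: str   # '*' for all interfaces, or a resolved host name with -r
    local_port: str   # a port number, or a service name when -r resolved it
    remote: str
    state: str


def _split_addr(addr: str) -> Tuple[str, str]:
    # Addresses are host:port; rpartition keeps a host that itself contains ':'.
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text: str) -> List[Socket]:
    """Parse the table. The banner and the column header are skipped; every other
    non-empty line must carry the six columns named in the header."""
    sockets = []
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0] in ("Active", "Proto"):
            continue
        if len(cols) != 6:
            raise ValueError("unexpected netstat line: %r" % line)
        host, port = _split_addr(cols[3])
        sockets.append(Socket(cols[0], int(cols[1]), int(cols[2]), host, port, cols[4], cols[5]))
    return sockets


def listening_sockets(sockets: List[Socket]) -> List[Socket]:
    return [s for s in sockets if s.state == "LISTEN"]


# Assumption for this example: the reviewer's allow-list of ports that are expected
# to listen on all interfaces (SSH, and 541 for the FortiGate-to-FortiManager FGFM
# channel). Anything else bound to '*' is reported for follow-up.
EXPECTED_WILDCARD_LISTENERS = {"22", "541"}


def unexpected_wildcard_listeners(sockets: List[Socket]) -> List[str]:
    """Ports or service names listening on every interface that are not on the
    allow-list. Sockets bound to a specific host name are not reported."""
    return sorted(
        s.local_port
        for s in listening_sockets(sockets)
        if s.local_host == "*" and s.local_port not in EXPECTED_WILDCARD_LISTENERS
    )


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT_OUTPUT)
    print("listening:", [(s.local_host, s.local_port) for s in listening_sockets(parsed)])
    print("review:", unexpected_wildcard_listeners(parsed))
```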

fmupdate

Use this command to diagnose update services.

Syntax

diagnose fmupdate add-device <serial> <ip> <firmware> <build>
diagnose fmupdate deldevice {fct | fds | fgd | fgc} <serialnum> <uid>
diagnose fmupdate dellog
diagnose fmupdate fct-configure
diagnose fmupdate fct-dbcontract
diagnose fmupdate fct-delserverlist
diagnose fmupdate fct-getobject
diagnose fmupdate fct-serverlist
diagnose fmupdate fct-update-status
diagnose fmupdate fct-updatenow
diagnose fmupdate fds-configure
diagnose fmupdate fds-dbcontract
diagnose fmupdate fds-delserverlist
diagnose fmupdate fds-dump-breg
diagnose fmupdate fds-dump-srul
diagnose fmupdate fds-get-downstream-device <serialnum>
diagnose fmupdate fds-getobject
diagnose fmupdate fds-serverlist
diagnose fmupdate fds-service-info
diagnose fmupdate fds-update-status
diagnose fmupdate fds-updatenow
diagnose fmupdate fgc-configure
diagnose fmupdate fgc-delserverlist
diagnose fmupdate fgc-serverlist
diagnose fmupdate fgc-update-status
diagnose fmupdate fgd-bandwidth {1h | 6h | 12h | 24h | 7d | 30d}
diagnose fmupdate fgd-configure
diagnose fmupdate fgd-dbcontract
diagnose fmupdate fgd-dbver {wf | as | av-query}
diagnose fmupdate fgd-delserverlist
diagnose fmupdate fgd-get-downstream-device
diagnose fmupdate fgd-serverlist
diagnose fmupdate fgd-service-info
diagnose fmupdate fgd-test-client <ip> <serialnum> <string>
diagnose fmupdate fgd-update-status
diagnose fmupdate fgd-updatenow
diagnose fmupdate fgd-url-rating <serialnum> <version> <url>
diagnose fmupdate fgd-wfas-clear-log
diagnose fmupdate fgd-wfas-log {name | ip} <string>
diagnose fmupdate fgd-wfas-rate {wf | av | as_ip | as_url | as_hash}
diagnose fmupdate fgd-wfdevice-stat {10m | 30m | 1h | 6h | 12h | 24h | 7d} <serialnum>
diagnose fmupdate fgd-wfserver-stat {top10sites | top10devices} {10m | 30m | 1h | 6h | 12h | 24h | 7d}
diagnose fmupdate fgt-del-statistics
diagnose fmupdate fgt-del-um-db
diagnose fmupdate fmg-statistic-info
diagnose fmupdate fortitoken {seriallist | add | del} {add | del | required}
diagnose fmupdate getdevice {fct | fds | fgd | fgc} <serialnum>
diagnose fmupdate service-restart {fds | fct | fgd | fgc}
diagnose fmupdate show-bandwidth {fct | fgt | fml | faz} <serialnum>
diagnose fmupdate show-dev-obj <serialnum>
diagnose fmupdate view-linkd-log {fct | fds | fgd | fgc}
diagnose fmupdate vm-license

Variable                                                    Description
add-device <serial> <ip> <firmware> <build>                 Add an unregistered device. The build number is optional.
deldevice {fct | fds | fgd | fgc} <serialnum> <uid>         Delete a device. The UID applies only to FortiClient devices.
dellog                                                      Delete the log for FDS and FortiGuard update events.
fct-configure                                               Dump the FortiClient running configuration.
fct-dbcontract                                              Dump the FortiClient subscriber contract.
fct-delserverlist                                           Dump the FortiClient server list file fdni.dat.
fct-getobject                                               Get the version of all FortiClient objects.
fct-serverlist                                              Dump the FortiClient server list.
fct-update-status                                           Display the FortiClient update status.
fct-updatenow                                               Update the FortiClient antivirus/IPS immediately.
fds-configure                                               Dump the FDS running configuration.
fds-dbcontract                                              Dump the FDS subscriber contract.
fds-delserverlist                                           Delete the FDS server list file fdni.dat.
fds-dump-breg                                               Dump the FDS beta serial numbers.
fds-dump-srul                                               Dump the FDS select filtering rules.
fds-get-downstream-device <serialnum>                       Get information on all downstream FortiGate antivirus/IPS devices.
                                                            Optionally, enter the device serial number.
fds-getobject                                               Get the version of all FortiGate objects.
fds-serverlist                                              Dump the FDS server list.
fds-service-info                                            Display FDS service information.
fds-update-status                                           Display the FDS update status.
fds-updatenow                                               Update the FortiGate antivirus/IPS immediately.
fgc-configure                                               Dump the FGC running configuration.
fgc-delserverlist                                           Delete the FGC server list file fdni.dat.
fgc-serverlist                                              Dump the FGC server list.
fgc-update-status                                           Display the FGC update status.
fgd-bandwidth {1h | 6h | 12h | 24h | 7d | 30d}              Display the download bandwidth.
fgd-configure                                               Dump the FortiGuard running configuration.
fgd-dbcontract                                              Dump the FortiGuard subscriber contract.
fgd-dbver {wf | as | av-query}                              Get the version of the database. Optionally, enter the database type.
fgd-delserverlist                                           Delete the FortiGuard server list file fdni.dat.
fgd-get-downstream-device                                   Get information on all downstream FortiGate web filter and antispam devices.
fgd-serverlist                                              Dump the FortiGuard server list.
fgd-service-info                                            Display FortiGuard service information.
fgd-test-client <ip> <serialnum> <string>                   Execute the FortiGuard test client. Optionally, enter the hostname or IP
                                                            address of the FGD server, the serial number of the device, and the
                                                            number of queries per second or the URL.
fgd-update-status                                           Display the FortiGuard update status.
fgd-updatenow                                               Update the FortiGate web filter / antispam immediately.
fgd-url-rating <serialnum> <version> <url>                  Rate URLs within the FortiManager database using the FortiGate serial
                                                            number. Optionally, enter the category version and URL.
fgd-wfas-clear-log                                          Clear the FortiGuard service log file.
fgd-wfas-log {name | ip} <string>                           View the FortiGuard service log file. Optionally, enter the device filter
                                                            type, and the device name or IP address.
fgd-wfas-rate {wf | av | as_ip | as_url | as_hash}          Get the web filter / antispam rating speed. Optionally, enter the server type.
fgd-wfdevice-stat {10m | 30m | 1h | 6h | 12h | 24h | 7d}    Display web filter device statistics. Optionally, enter a specific device's
    <serialnum>                                             serial number.
fgd-wfserver-stat {top10sites | top10devices}               Display web filter server statistics for the top 10 sites or devices.
    {10m | 30m | 1h | 6h | 12h | 24h | 7d}                  Optionally, enter the time span to cover.
fgt-del-statistics                                          Remove all statistics (antivirus / IPS and web filter / antispam). This
                                                            command requires a reboot.
fgt-del-um-db                                               Remove the UM and UM-GUI databases. This command requires a reboot.
                                                            Note: um.db is a sqlite3 database that the update manager uses internally.
                                                            It stores AV/IPS package information for downloaded packages. This command
                                                            removes the database file; the packages themselves are not removed. After
                                                            the reboot, the database is recreated. Use this command if you suspect the
                                                            database file is corrupted.
fmg-statistic-info                                          Display statistic information for FortiManager and Java Client.
fortitoken {seriallist | add | del} {add | del | required}  FortiToken related operations.
getdevice {fct | fds | fgd | fgc} <serialnum>               Get device information. Optionally, enter a serial number.
service-restart {fds | fct | fgd | fgc}                     Restart the linkd service.
show-bandwidth {fct | fgt | fml | faz} <serialnum>          Display download bandwidth. Optionally, enter a serial number.
show-dev-obj <serialnum>                                    Display the object versions of a device. Optionally, enter a serial number.
view-linkd-log {fct | fds | fgd | fgc}                      View the linkd log file.
vm-license                                                  Dump the FortiGate VM license.

Example

To view antispam server statistics for the past seven days, enter the following:

diagnose fmupdate fgd-asserver_stat 7d

The command returns information like this:

Server Statistics

Total Spam Look-ups: 47

Total # Spam: 21(45%)

Total # Non-spam:26(55%)

Estimated bandwidth usage:17MB

fortilogd

Use this command to view FortiLog daemon information.

Syntax

diagnose fortilogd msgrate
diagnose fortilogd msgrate-device
diagnose fortilogd msgrate-total
diagnose fortilogd msgrate-type
diagnose fortilogd msgstat <flush>
diagnose fortilogd lograte
diagnose fortilogd status

Variable               Description
msgrate                Display the log message rate.
msgrate-device         Display the log message rate per device.
msgrate-total          Display the log message rate totals.
msgrate-type           Display the log message rate per type.
msgstat                Display the log message status.
    <flush>            Reset the log message status.
lograte                Display the log rate.
status                 Running status.

Example

This example shows the output for diagnose fortilogd status:

fortilogd is starting
config socket OK
cmdb socket OK
cmdb register log.device OK
cmdb register log.settings OK
log socket OK
reliable log socket OK

fwmanager

Use this command to manage firmware.

Syntax

diagnose fwmanager cancel-devsched <string> <firmware_version> <release_type> <build_num> <date_time>
diagnose fwmanager cancel-grpsched <string> <firmware_version> <release_type> <build_num> <date_time>
diagnose fwmanager delete-all
diagnose fwmanager delete-imported-images
diagnose fwmanager delete-offical-images
diagnose fwmanager delete-serverlist
diagnose fwmanager fwm-log
diagnose fwmanager getall-schedule
diagnose fwmanager getdev-schedule <string>
diagnose fwmanager getgrp-schedule <string>
diagnose fwmanager imported-imagelist
diagnose fwmanager official-imagelist
diagnose fwmanager reset-schedule-database
diagnose fwmanager set-devsched <string> <firmware_version> <release_type> <build_num> <date_time>
diagnose fwmanager set-grpsched <string> <firmware_version> <release_type> <build_num> <date_time>

Variable                                              Description
cancel-devsched <string> <firmware_version>           Cancel an upgrade schedule for a device. For special branches, the release
    <release_type> <build_num> <date_time>            type is the branch point. The build number for official releases is always
                                                      -1; for special releases it is the build number.
                                                      The date and time format is: YYYY/MM/DD_hh:mm:ss
cancel-grpsched <string> <firmware_version>           Cancel an upgrade schedule for a group. For special branches, the release
    <release_type> <build_num> <date_time>            type is the branch point. The build number for official releases is always
                                                      -1; for special releases it is the build number.
                                                      The date and time format is: YYYY/MM/DD_hh:mm:ss
delete-all                                            Remove everything in the firmware manager folder. This command requires a reboot.
delete-imported-images                                Remove all imported images. This command requires a reboot.
delete-offical-images                                 Remove all official images. This command requires a reboot.
delete-serverlist                                     Remove the server list file (fdni.dat). This command requires a reboot.
fwm-log                                               View the firmware manager log file.
getall-schedule                                       Display all upgrade schedules recorded.
getdev-schedule <string>                              Get scheduled upgrades for the device.
getgrp-schedule <string>                              Get scheduled upgrades for this group.
imported-imagelist                                    Get the imported firmware image list.
official-imagelist                                    Get the official firmware image list.
reset-schedule-database                               Clean up and initialize the schedule database and restart the server.
set-devsched <string> <firmware_version>              Create an upgrade schedule for a device.
    <release_type> <build_num> <date_time>
set-grpsched <string> <firmware_version>              Create an upgrade schedule for a group.
    <release_type> <build_num> <date_time>

ha

Use this command to manage high availability.


Syntax

diagnose ha debug-sync {on | off}
diagnose ha dump-datalog
diagnose ha force-resync
diagnose ha stats

Variable                  Description

debug-sync {on | off}     Turn synchronized data debug on or off.
dump-datalog              Dump the HA data log.
force-resync              Force re-synchronization.
stats                     Get HA statistics.

Example

To turn on debug synchronization, enter the following:

diagnose ha debug-sync on

hardware

Use this command to view hardware information.

Syntax

diagnose hardware info

Example

This example shows the output for diagnose hardware info:

### CPU info
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 45
model name      : Intel(R) Xeon(R) CPU E5-2420 0 @ 1.90GHz
stepping        : 7
cpu MHz         : 1899.992
cache size      : 15360 KB
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx lm constant_tsc up rep_good pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 popcnt aes xsave avx hypervisor lahf_lm xsaveopt
bogomips        : 3799.98
clflush size    : 64
cache_alignment : 64
address sizes   : 42 bits physical, 48 bits virtual
power management:

### Memory info

MemTotal: 2060172 kB

MemFree: 359316 kB

Buffers: 140056 kB

Cached: 668136 kB

SwapCached: 0 kB

Active: 1034340 kB

Inactive: 431328 kB

Active(anon): 693372 kB

Inactive(anon): 17144 kB

Active(file): 340968 kB

Inactive(file): 414184 kB

Unevictable: 76660 kB

Mlocked: 76136 kB

SwapTotal: 2076536 kB

SwapFree: 2076536 kB

Dirty: 72 kB

Writeback: 0 kB

AnonPages: 734132 kB

Mapped: 79244 kB

Shmem: 39060 kB

Slab: 101752 kB

SReclaimable: 87052 kB

SUnreclaim: 14700 kB

KernelStack: 1928 kB

PageTables: 30772 kB

NFS_Unstable: 0 kB

Bounce: 0 kB

WritebackTmp: 0 kB

CommitLimit: 3106620 kB

Committed_AS: 6981052 kB

VmallocTotal: 34359738367 kB

VmallocUsed: 2736 kB

VmallocChunk: 34359727840 kB

DirectMap4k: 4032 kB

DirectMap2M: 2093056 kB

### Disk info
major minor #blocks name

7 0 10240 loop0

3 0 2099200 hda

3 64 41943040 hdb

22 64 41943040 hdd

8 16 41943040 sdb

8 0 2099200 sda

8 1 524288 sda1

8 32 41943040 sdc

253 0 83877888 dm-0

### RAID info

N/A

### System time
local time: Tue Oct 21 14:54:43 2014

UTC time: Tue Oct 21 21:54:43 2014


log

Use these commands to view and manage device logging.

log device

Use this command to manage device logging.

Syntax

diagnose log device

Example

This example shows the output for diagnose log device:

Device Name        Device ID              Used Space(logs/database/quar/content/IPS)  Allocated Space  % Used
FK3K8A3407600133   FK3K8A3407600133       0MB(0 / 0 / 0 / 0 / 0 )                     1000MB           0.00%
FOC-32bit          FGVM01EW12000001       0MB(0 / 0 / 0 / 0 / 0 )                     1000MB           0.00%
b147-37            FGVM02EW12000001       0MB(0 / 0 / 0 / 0 / 0 )                     1000MB           0.00%
FWF-60CM-Gen4      FW60CM3G11004076       0MB(0 / 0 / 0 / 0 / 0 )                     1000MB           0.00%
FG200B3911601438   FG200B3911601438       0MB(0 / 0 / 0 / 0 / 0 )                     1000MB           0.00%
FortiGate-VM64     FGVM04QX10091530       0MB(0 / 0 / 0 / 0 / 0 )                     1000MB           0.00%
FW60CM3G10003021   FW60CM3G10003021       0MB(0 / 0 / 0 / 0 / 0 )                     1000MB           0.00%
m-fwf60cm          FW60CM1738042MDL       0MB(0 / 0 / 0 / 0 / 0 )                     1000MB           0.00%
FW60CM3G11000082   FW60CM3G11000082       0MB(0 / 0 / 0 / 0 / 0 )                     1000MB           0.00%
fgtha-m-95         FGHA002041334518_CID   0MB(0 / 0 / 0 / 0 / 0 )                     1000MB           0.00%

pm2

Use this command to print from and check the integrity of the policy manager database.

Syntax

diagnose pm2 check-integrity {all adom device global ips}
diagnose pm2 print <log-type>

Variable                                       Description

check-integrity {all adom device global ips}   Check policy manager database integrity. Multiple database categories can be checked at once.
print <log-type>                               Print policy manager database log messages.

report

Use these commands to clean up and check the status of the SQL report queue.


Syntax

diagnose report clean
diagnose report status {pending | running}

Variable                       Description

clean                          Clean up the SQL report queue.
status {pending | running}     Check status information on the pending and running reports list.

sniffer

Use this command to perform a packet trace on one or more network interfaces.

Packet capture, also known as sniffing, records some or all of the packets seen by a network interface. By recording packets, you can trace connection states to the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to detect.

FortiManager units have a built-in sniffer. Packet capture on FortiManager units is similar to that of FortiGate units.

Packet capture is displayed on the CLI, which you may be able to save to a file for later analysis, depending on your CLI client.

Packet capture output is printed to your CLI display until you stop it by pressing Control + C, or until it reaches the number of packets that you have specified to capture.

Packet capture can be very resource intensive. To minimize the performance impact on your FortiManager unit, use packet capture only during periods of minimal traffic, with a serial console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.

Syntax

diagnose sniffer packet <interface_name> <filter_str> <verbose> <count>

Variable / Description

<interface_name>
        Type the name of a network interface whose packets you want to capture, such as port1, or type any to capture packets on all network interfaces.

<filter_str>
        Type either none to capture all packets, or type a filter that specifies which protocols and port numbers you do or do not want to capture, such as 'tcp port 25'. Surround the filter string in quotes.

        The filter uses the following syntax:

        '[[src|dst] host {<host1_fqdn> | <host1_ipv4>}] [and|or] [[src|dst] host {<host2_fqdn> | <host2_ipv4>}] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port1_int>] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port2_int>]'

        To display only the traffic between two hosts, specify the IP addresses of both hosts. To display only forward or only reply packets, indicate which host is the source, and which is the destination.

        For example, to display UDP port 1812 traffic between 1.example.com and either 2.example.com or 3.example.com, you would enter:

        'udp and port 1812 and src host 1.example.com and dst \( 2.example.com or 3.example.com \)'

<verbose>
        Type one of the following numbers indicating the depth of packet headers and payloads to capture:
        1: header only
        2: IP header and payload
        3: Ethernet header and payload
        For troubleshooting purposes, Fortinet Technical Support may request the most verbose level (3).
        Default: 1

<count>
        Type the number of packets to capture before stopping. If you do not specify a number, the command will continue to capture packets until you press Control + C.

Example 1

The following example captures the first three packets’ worth of traffic, of any port number or protocol and between any source and destination (a filter of none), that passes through the network interface named port1. The capture uses a low level of verbosity (indicated by 1).

Commands that you would type follow the FortiManager# prompt; the lines after it are responses from the Fortinet unit.

FortiManager# diag sniffer packet port1 none 1 3

interfaces=[port1] filters=[none]

0.918957 192.168.0.1.36701 -> 192.168.0.2.22: ack 2598697710

0.919024 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697710 ack 2587945850


0.919061 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697826 ack 2587945850

If you are familiar with the TCP protocol, you may notice that the packets are from the middle of a TCP connection.

Because port 22 is used, which is the standard port number for SSH, the packets might be from an SSH session.

Example 2

The following example captures traffic on TCP port 80 (typically HTTP) between two hosts, 192.168.0.1 and 192.168.0.2. The capture uses a low level of verbosity (indicated by 1). Because the filter does not specify either host as the source or destination in the IP header (src or dst), the sniffer captures both forward and reply traffic.

A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Control + C. The sniffer then confirms that five packets were seen by that network interface.

Note that in this filter syntax, as in tcpdump, and binds more tightly than or, so 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' also matches all traffic involving 192.168.0.2. To capture only port 80 traffic between the two hosts, use 'host 192.168.0.1 and host 192.168.0.2 and tcp port 80'.

Commands that you would type follow the FortiManager# prompt; the lines after it are responses from the Fortinet unit.

FortiManager# diag sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' 1

192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590

192.168.0.1.80 -> 192.168.0.2.3625: syn 3291168205 ack 2057246591

192.168.0.2.3625 -> 192.168.0.1.80: ack 3291168206

192.168.0.2.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206

192.168.0.1.80 -> 192.168.0.2.3625: ack 2057247265

5 packets received by filter

0 packets dropped by kernel

Example 3

The following example captures all TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of its source or destination IP address. The capture uses a high level of verbosity (indicated by 3).

A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Control + C.

Verbose output can be very long. As a result, the output shown below is truncated after only one packet.

Commands that you would type follow the FortiManager # prompt; the lines after it are responses from the Fortinet unit.

FortiManager # diag sniffer packet port1 'tcp port 443' 3

interfaces=[port1] filters=[tcp port 443]

10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898

0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.

0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....

0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........

0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............

0x0040 86bb 0000 0000 0103 0303 ..........

Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain text file using your CLI client. Saving the output provides several advantages. Packets can arrive more rapidly than you may be able to read them in the buffer of your CLI display, and many protocols transfer data using encoding other than US-ASCII. It is usually preferable to analyze the output by loading it into a network protocol analyzer application such as Wireshark ( http://www.wireshark.org/ ).

For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output. Methods may vary. See the documentation for your CLI client.


Requirements

- terminal emulation software such as PuTTY
- a plain text editor such as Notepad
- a Perl interpreter
- network protocol analyzer software such as Wireshark

To view packet capture output using PuTTY and Wireshark:

1. On your management computer, start PuTTY.

2. Use PuTTY to connect to the Fortinet appliance using either a local serial console, SSH, or Telnet connection.

3. Type the packet capture command, such as diag sniffer packet port1 'tcp port 541' 3 100, but do not press Enter yet.

4. In the upper left corner of the window, click the PuTTY icon to open its drop-down menu, then select Change Settings.

A dialog appears where you can configure PuTTY to save output to a plain text file.

5. In the Category tree on the left, go to Session > Logging.

6. In Session logging, select Printable output.

7. In Log file name, click the Browse button, then choose a directory path and file name such as C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. (You do not need to save it with the .log file extension.)

8. Click Apply.

9. Press Enter to send the CLI command to the unit, beginning packet capture.

10. If you have not specified a number of packets to capture, when you have captured all packets that you want to analyze, press Control + C to stop the capture.

11. Close the PuTTY window.

12. Open the packet capture file using a plain text editor such as Notepad.

13. Delete the first and last lines, which look like this:

=~=~=~=~=~=~=~=~= PuTTY log 2015-01-28.07.25 11:34:40 =~=~=~=~=~=~=~=~=

Fortinet-2000 #

These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you do not delete them, they could interfere with the script in the next step.

14. Convert the plain text file to a format recognizable by your network protocol analyzer application.

You can convert the plain text file to a format (.pcap) recognizable by Wireshark (formerly called Ethereal) using the fgt2eth.pl Perl script. To download fgt2eth.pl, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.

The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and requires that you first install a Perl module compatible with your operating system.

To use fgt2eth.pl, open a command prompt, then enter a command such as the following:

fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap

where:
- fgt2eth.pl is the name of the conversion script; include the path relative to the current directory, which is indicated by the command prompt
- packet_capture.txt is the name of the packet capture's output file; include the directory path relative to your current directory
- packet_capture.pcap is the name of the conversion script's output file; include the directory path relative to your current directory where you want the converted output to be saved

Methods to open a command prompt vary by operating system. On Windows XP, go to Start > Run and enter cmd. On Windows 7, click the Start (Windows logo) menu to open it, then enter cmd.

15. Open the converted file in your network protocol analyzer application. For further instructions, see the documentation for that application.

For additional information on packet capture, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.

sql

Use these commands to diagnose the SQL database.

Syntax

diagnose sql config debug-filter [{set | test} <string>]
diagnose sql config deferred-index-timespan [set <value>]
diagnose sql config top-dev set {log-thres | num-max} <integer>
diagnose sql gui-rpt-shm {list-all | clear} <num>
diagnose sql process list [full]
diagnose sql process kill <pid>
diagnose sql rebuild-report-hcache <start-time> <end-time>
diagnose sql remove hcache <device-id>
diagnose sql remove query-cache
diagnose sql remove tmp-table
diagnose sql show {db-size | hcache-size | log-stfile}
diagnose sql show log-filters
diagnose sql status rebuild-db
diagnose sql status run_sql_rpt
diagnose sql status sql_hcache_chk
diagnose sql status sqlplugind
diagnose sql status sqlreportd
diagnose sql upload <host> <directory> <username> <password>


Variable / Description

config debug-filter [{set | test} <string>]
        Set or test the sqlplugin debug filter.

config deferred-index-timespan [set <value>]
        Set the timespan for the deferred index.

config top-dev set {log-thres | num-max} <integer>
        Set the SQL plugin top devices settings:
        log-thres: log threshold of top devices.
        num-max: maximum number of top devices. Select a number between 0 and 1000.

gui-rpt-shm {list-all | clear} <num>
        List or clear all asynchronous GUI report shared memory slot information.

process list [full]
        List running query processes.

process kill <pid>
        Kill a running query.

rebuild-report-hcache <start-time> <end-time>
        Rebuild hcache for report. Enter the start time and end time in the format "yyyy-mm-dd hh:mm:ss".

remove hcache <device-id>
        Remove hcache.

remove query-cache
        Remove SQL query cache for log search.

remove tmp-table
        Remove temporary tables.

show {db-size | hcache-size | log-stfile}
        Show the database size, the hcache size, or the log status file.

show log-filters
        Show log view search filters.

status rebuild-db
        Show the SQL log database rebuild status.

status run_sql_rpt
        Show the run_sql_rpt status.

status sql_hcache_chk
        Show the report hcache status.

status sqlplugind
        Show the sqlplugind daemon status.

status sqlreportd
        Show the sqlreportd daemon status.

upload <host> <directory> <username> <password>
        Upload sqlplugind messages or pgsvr logs via FTP. FTP carries the credentials and the uploaded logs in cleartext, and the password is typed on the command line, so use a dedicated upload account and a server on a trusted management network.

system

Use the following commands for system related settings.


system admin-session

Use this command to view login session information.

Syntax

diagnose system admin-session kill <sid>
diagnose system admin-session list
diagnose system admin-session status

Variable        Description

kill <sid>      Kill a current session.
list            List login sessions.
status          Show the current session.

Example

Here is an example of the output from diagnose system admin-session status:

session_id: 31521 (seq: 4)
username: admin
admin template: admin
from: jsconsole(10.2.0.250)
profile: Super_User (type 3)
adom: root
session length: 198 (seconds)

system disk

Use this command to view disk diagnostic information.

Syntax

diagnose system disk attributes
diagnose system disk disable
diagnose system disk enable
diagnose system disk health
diagnose system disk info
diagnose system disk errors

Variable        Description

attributes      Show vendor specific SMART attributes.
disable         Disable SMART support.
enable          Enable SMART support.
health          Show the SMART health status.
info            Show the SMART information.
errors          Show the SMART error logs.

Example

This is an example of the output from diagnose system disk health:

Disk 1: SMART overall-health self-assessment test result: PASSED

Disk 2: SMART overall-health self-assessment test result: PASSED

Disk 3: SMART overall-health self-assessment test result: PASSED

Disk 4: SMART overall-health self-assessment test result: PASSED

system export

Use this command to export logs.

Syntax

diagnose system export crashlog <ftp server> <user> <password> [remote path] [filename]
diagnose system export dminstallog <devid> <server> <user> <password> [remote path] [filename]
diagnose system export fmwslog <sftp | ftp> <type> <ftp server> <username> <password> <directory> <filename>
diagnose system export umlog {ftp | sftp} <type> <server> <user> <password> [remote path] [filename]
diagnose system export upgradelog <ftp server>

Variable / Description

crashlog <ftp server> <user> <password> [remote path] [filename]
        Export the crash log.

dminstallog <devid> <server> <user> <password> [remote path] [filename]
        Export the deployment manager install log.

fmwslog <sftp | ftp> <type> <ftp server> <username> <password> <directory> <filename>
        Export web service log files.

umlog {ftp | sftp} <type> <server> <user> <password> [remote path] [filename]
        Export the update manager and firmware manager log files. The type options are: fdslinkd, fctlinkd, fgdlinkd, usvr, update, service, misc, umad, and fwmlinkd.

upgradelog <ftp server>
        Export the upgrade error log.

system flash

Use this command to diagnose the flash memory.

Syntax

diagnose system flash list


Example

Here is an example of the output from diagnose system flash list:

ImageName  Version                          TotalSize(KB)  Used(KB)  Use%  BootImage  RunningImage
primary    FM-3KC-4.01-FW-build8308-200212  63461          29699     47%   No         No
secondary  FM-3KC-5.00-FW-build0254-131025  63461          41812     66%   Yes        Yes

system fsck

Use this command to check and repair the filesystem.

Syntax

diagnose system fsck harddisk

Variable

harddisk

Description

Check and repair the file system, then reboot the system.


system geoip

Use these commands to obtain geoip information. FortiManager uses a MaxMind GeoLite database of mappings between geographic regions and all public IP addresses that are known to originate from them.

Syntax

diagnose system geoip dump
diagnose system geoip info
diagnose system geoip ip <ipv4_address>

Example

This example shows the output for diagnose system geoip info:

Version: 1.019

Date: Fri Oct 4 16:56:02 2013

Copyright: Copyright (c) 2011 MaxMind Inc. All Rights Reserved.

This example shows the output for diagnose system geoip ip 223.255.254.0:

223.255.254.0 : SG - Singapore

system ntp

Use this command to list NTP server information.

Syntax

diagnose system ntp status


Example

This example shows the output for diagnose system ntp status:

server ntp1.fortinet.net (208.91.112.50) -- Clock is synchronized
server-version=4, stratum=11
reference time is d5049d6a.4c80f64e -- UTC Mon Apr 1 23:57:30 2013
clock offset is 0.052517 msec, root delay is 0 msec
root dispersion is 752 msec, peer dispersion is 4 msec

system print

Use this command to print server information.

Syntax

diagnose system print certificate
diagnose system print cpuinfo
diagnose system print df
diagnose system print hosts
diagnose system print interface <interface>
diagnose system print loadavg
diagnose system print netstat
diagnose system print partitions
diagnose system print route
diagnose system print rtcache
diagnose system print slabinfo
diagnose system print sockets
diagnose system print uptime

Variable

certificate cpuinfo df hosts interface <interface> loadavg netstat partitions route rtcache

Description

Print the IPsec certificate.

Print the CPU information.

Print the file system disk space usage.

Print the static table lookup for host names.

Print the information of the interface

Print the average load of the system.

Print the network statistics.

Print the partition information of the system.

Print the main route list.

Print the contents of the routing cache.


Variable

slabinfo sockets uptime

Description

Print the slab allocator statistics.

Print the currently used socket ports.

Print how long the system has been running.

Example

Here is an example of the output from diagnose system print df:

Filesystem  1K-blocks  Used  Available  Use%  Mounted on
none  65536  0  65536  0%  /dev/shm
none  65536  20  65516  1%  /tmp

/dev/sda1 47595 28965 16173 65% /data

/dev/sdb3 9803784 723128 8582652 8% /var

/dev/sdb2 61927420 224212 58557480 1% /var/static

/dev/sdb4 9803784 132164 9173616 2% /var/misc

/dev/sdb4 9803784 132164 9173616 2% /drive0

/dev/sdb4 9803784 132164 9173616 2% /Storage

/dev/loop0 9911 1043 8356 12% /var/dm/tcl-root

system process

Use this command to view and kill processes.

Syntax

diagnose system process kill <signal> <pid>
diagnose system process killall <module>
diagnose system process list

Variable

kill <signal> <pid> killall <module> list

Description

Kill a process.

Kill all the related processes.

List all processes.

system raid

Use this command to view RAID information.

Syntax

diagnose system raid alarms
diagnose system raid hwinfo
diagnose system raid status


Variable

alarms hwinfo status

Description

Show RAID alarm logs.

Show RAID controller hardware information.

Show RAID status. This command displays the following information:

RAID level, RAID status, RAID size, and hard disk information.

Example

Here is an example of the output from diagnose system raid status:

RAID Level: Raid-1

RAID Status: OK

RAID Size: 1953GB

Disk 1: OK Used 1953GB

Disk 2: Unavailable Not-Used 0GB

Disk 3: Unavailable Not-Used 0GB

Disk 4: Unavailable Not-Used 0GB

system route

Use this command to diagnose routes.

Syntax

diagnose system route list

Example

Here is an example of the output from diagnose system route list:

Destination Gateway Genmask Flags Metric Ref Use Iface

10.2.0.0 0.0.0.0 255.255.0.0 U 0 0 0 port1

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 svr_fgfm

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 svr_fgfm

0.0.0.0 10.2.115.20 0.0.0.0 UG 1 0 0 port1

system route6

Use this command to diagnose IPv6 routes.

Syntax

diagnose system route6 list

Example

Here is an example of the output from diagnose system route6 list:

Destination  Gateway  Intf   Metric  Priority
fe80::/64    ::       port1  131080  256
fe80::/64    ::       port2  131080  256
fe80::/64    ::       port3  131080  256
fe80::/64    ::       port4  131080  256

system server

Use this command to start the FortiManager server.

Syntax

diagnose system server start

test

Use the following commands to test the FortiManager.

test application

Use this command to test applications. Leave the integer value blank to see the available options for each command.

Syntax

diagnose test application fazcfgd <integer>
diagnose test application fazsvcg <integer>
diagnose test application fortilogd <integer>
diagnose test application logfiled <integer>
diagnose test application oftpd <integer>
diagnose test application snmpd <integer>
diagnose test application sqllogd <integer>
diagnose test application sqlrptcached <integer>
diagnose test application fazautormd <integer>

Variable

fazcfgd <integer> fazsvcg <integer> fortilogd <integer> logfiled <integer> oftpd <integer> snmpd <integer> sqllogd <integer> sqlrptcached <integer> fazautormd <integer>

Description

Test the FortiAnalyzer config daemon.

Test the FortiAnalyzer service daemon.

Test the FortiAnalyzer fortilogd daemon.

Test the FortiAnalyzer log file daemon.

Test the FortiAnalyzer oftpd daemon.

Test the SNMP daemon.

Test the FortiAnalyzer sqllog daemon.

Test the FortiAnalyzer sqlrptcache daemon.

Test the FortiAnalyzer autodelete daemon.


test connection

Use this command to test connections.

Syntax

diagnose test connection mailserver <server-name> <account> diagnose test connection syslogserver <server-name>

Variable

mailserver <server-name> <account> syslogserver <server-name>

Description

Test the connection to the mail server.

Test the connection to the syslog server.

test deploymanager

Use this command to test the deployment manager.

Syntax

diagnose test deploymanager getcheckin <devid> diagnose test deploymanager reloadconf <devid>

Variable

getcheckin <devid> reloadconf <devid>

Description

Get configuration check-in information from the FortiGate.

Reload configuration from the FortiGate.

test policy-check

Use this command to list or flush policy check sessions.

Syntax

diagnose test policy-check flush diagnose test policy-check list

Variable

flush list

Description

Flush all policy check sessions.

List all policy check sessions.


test search

Use this command to test the search daemon.

Syntax

diagnose test search flush diagnose test search list

Variable

flush list

Description

Flush all search sessions.

List all search sessions.

test sftp

Use this command to test the secure file transfer protocol (SFTP).

Syntax

diagnose test sftp auth <sftp server> <username> <password> <directory>

Variable

auth <sftp server> <username> <password> <directory>

Description

Test authentication to the SFTP server used for the scheduled backup.

The directory variable is the directory on the SFTP server where you want to put the file. The default directory is "/".

upload

Use these commands to clear, retry, and check the status of upload requests.

upload clear

Use this command to clear the upload request.

Syntax

diagnose upload clear all diagnose upload clear failed

Variable

all

Description

Clear all upload requests.


Variable

failed

Description

Clear the failed upload requests.

upload force-retry

Use this command to retry the last failed upload request.

Syntax

diagnose upload force-retry

Example

Here is an example of the output from diagnose upload force-retry:

Force retry command has been issued.

upload status

Use this command to get the running status.

Syntax

diagnose upload status

vpn

Use this command to flush SAD entries and list tunnel information.

Syntax

diagnose vpn tunnel flush-SAD diagnose vpn tunnel list

Variable

flush-SAD list

Description

Flush the SAD entries.

List tunnel information.


get

The get command displays all settings, even if they are still in their default state.

Although not explicitly shown in this section, for all config commands, there are related get and show commands that display that part of the configuration. Get and show commands use the same syntax as their related config command, unless otherwise specified.

CLI commands and variables are case sensitive.

Unlike the show command, get requires that the object or table whose settings you want to display are specified, unless the command is being used from within an object or table.

For example, at the root prompt, this command would be valid:

get system status

and this command would not:

get

fmupdate analyzer

Use this command to view forward virus report to FDS setting.

Syntax

get fmupdate analyzer virusreport

fmupdate av-ips

Use these commands to view AV/IPS update settings.

Syntax

get fmupdate av-ips advanced-log get fmupdate av-ips fct server-override get fmupdate av-ips fgt server-override get fmupdate av-ips push-override get fmupdate av-ips push-override-to-client get fmupdate av-ips update-schedule get fmupdate av-ips web-proxy


Example

This example shows the output for get fmupdate av-ips web-proxy:

ip       : 0.0.0.0
mode     : proxy
password : *
port     : 80
status   : disable
username : (null)

fmupdate custom-url-list

Use this command to view the custom URL database.

Syntax

get fmupdate custom-url-list

fmupdate device-version

Use this command to view device version objects.

Syntax

get fmupdate device-version

Example

This example shows the output for get fmupdate device-version: faz : 4.0 5.0

fct : 5.0

fgt : 3.0 4.0 5.0

fml : 3.0 4.0

fsa : 1.0

fsw :

fmupdate disk-quota

Use this command to view the disk quota for the update manager.

Syntax

get fmupdate disk-quota

fmupdate fct-services

Use this command to view FortiClient update services configuration.

Syntax

get fmupdate fct-services

Example

This example shows the output for get fmupdate fct-services:

status : enable
port : 80

fmupdate fds-setting

Use this command to view FDS parameters.

Syntax

get fmupdate fds-setting

Example

This example shows the output for get fmupdate fds-setting:

fds-pull-interval : 10
max-av-ips-version : 20

fmupdate multilayer

Use this command to view multilayer mode configuration.

Syntax

get fmupdate multilayer

fmupdate publicnetwork

Use this command to view public network configuration.

Syntax

get fmupdate publicnetwork

fmupdate server-access-priorities

Use this command to view server access priorities.

Syntax

get fmupdate server-access-priorities

Example

This example shows the output for get fmupdate server-access-priorities:

access-public : disable
av-ips : disable
private-server:
web-spam : enable

fmupdate server-override-status

Use this command to view server override status configuration.

Syntax

get fmupdate server-override-status

fmupdate service

Use this command to view update manager service configuration.

Syntax

get fmupdate service

Example

This example shows the output for get fmupdate service:

avips : disable
query-antispam : disable
query-antivirus : disable
query-filequery : disable
query-webfilter : disable
use-cert : BIOS

fmupdate support-pre-fgt43

Use this command to view support for pre-fgt43 configuration.

Syntax

get fmupdate support-pre-fgt43

fmupdate web-spam

Use these commands to view web spam configuration.

Syntax

get fmupdate web-spam fct server-override
get fmupdate web-spam fgd-log
get fmupdate web-spam fgd-setting
get fmupdate web-spam fgt server-override
get fmupdate web-spam poll-frequency
get fmupdate web-spam web-proxy

Example

This example shows the output for get fmupdate web-spam web-proxy:

ip : 0.0.0.0
mode : proxy
password : *
port : 80
status : disable
username : (null)

system admin

Use these commands to view admin configuration.

Syntax

get system admin group <group name>
get system admin ldap <server entry name>
get system admin profile <profile ID>
get system admin radius <server entry name>
get system admin setting
get system admin tacacs <server entry name>
get system admin user <username>

Example

This example shows the output for get system admin setting:

access-banner : disable
admin-https-redirect: enable
admin_server_cert : server.crt
allow_register : disable
auto-update : disable
banner-message : (null)
chassis-mgmt : enable
chassis-update-interval: 15
demo-mode : disable
device_sync_status : enable
http_port : 80
https_port : 443
idle_timeout : 480
install-ifpolicy-only: enable
mgmt-addr : (null)
mgmt-fqdn : (null)
offline_mode : disable
register_passwd : *
show-add-multiple : enable
show-adom-central-nat-policies: disable
show-adom-devman : enable
show-adom-dos-policies: disable
show-adom-dynamic-objects: enable
show-adom-icap-policies: disable
show-adom-implicit-policy: disable
show-adom-ipv6-settings: enable
show-adom-policy-consistency-button: disable
show-adom-rtmlog : disable
show-adom-sniffer-policies: disable
show-adom-taskmon-button: disable
show-adom-terminal-button: disable
show-adom-voip-policies: disable
show-adom-vpnman : enable
show-adom-web-portal: enable
show-device-import-export: enable
show-foc-settings : disable
show-fortimail-settings: disable
show-fsw-settings : disable
show-global-object-settings: enable
show-global-policy-settings: enable
show_automatic_script: disable
show_grouping_script: disable
show_schedule_script: disable
show_tcl_script : disable
unreg_dev_opt : add_allow_service
webadmin_language : auto_detect

system alert-console

Use this command to view alert console information.

Syntax

get system alert-console

system alert-event

Use this command to view alert event information.

Syntax

get system alert-event <alert name>

system alertemail

Use this command to view alert email configuration.

Syntax

get system alertemail

Example

This example shows the output for get system alertemail:

authentication : enable
fromaddress : (null)
fromname : (null)
smtppassword : *
smtpport : 25
smtpserver : (null)
smtpuser : (null)

system auto-delete

Use this command to view automatic deletion policies for logs, reports, archived and quarantined files.

Syntax

get system auto-delete

system backup

Use the following commands to view backups:

Syntax

get system backup all-settings
get system backup status

Example

This example shows the output for get system backup status:

All-Settings Backup

Last Backup: Tue Jan 15 16:55:35 2013

Next Backup: N/A

system certificate

Use these commands to view certificate configuration.

Syntax

get system certificate ca <certificate name>
get system certificate crl <crl name>
get system certificate local <certificate name>
get system certificate oftp <certificate name>
get system certificate ssh <certificate name>

system dm

Use this command to view device manager information on your device.

Syntax

get system dm

Example

This example shows the output for get system dm:

concurrent-install-limit: 60
concurrent-install-script-limit: 60
discover-timeout : 6
dpm-logsize : 10000
fgfm-sock-timeout : 360
fgfm_keepalive_itvl : 120
force-remote-diff : disable
max-revs : 100
nr-retry : 1
retry : enable
retry-intvl : 15
rollback-allow-reboot: disable
script-logsize : 100
verify-install : enable

system dns

Use this command to view DNS configuration.

Syntax

get system dns

system fips

Use this command to view FIPS configuration.

Syntax

get system fips

system global

Use this command to view global configuration.

Syntax

get system global

Example

This example shows the output for get system global:

admin-https-pki-required: disable
admin-lockout-duration: 60
admin-lockout-threshold: 3
admin-maintainer : enable
admintimeout : 5
adom-mode : normal
adom-rev-auto-delete: disable
adom-status : enable
auto-register-device: enable
clt-cert-req : disable
console-output : standard
daylightsavetime : enable
default-disk-quota : 1000
enc-algorithm : low
faz-status : enable
hostname : FMG-VM64-HV
language : english
ldapconntimeout : 60000
log-checksum : none
max-concurrent-users: 20
max-running-reports : 1
partial-install : disable
pre-login-banner : disable
remoteauthtimeout : 10
search-all-adoms : disable
ssl-low-encryption : enable
ssl-protocol : tlsv1 sslv3
task-list-size : 2000
timezone : (GMT-8:00) Pacific Time (US & Canada).
unregister-pop-up : enable
vdom-mirror : disable
webservice-proto : tlsv1
workspace-mode : disabled

system ha

Use this command to view HA configuration.

Syntax

get system ha

Example

This example shows the output for get system ha:

clusterid : 1
hb-interval : 5
hb-lost-threshold : 3
mode : standalone
password : *
peer:

system interface

Use this command to view interface configuration.

Syntax

get system interface

Example

This example shows the output for get system interface:

== [ port1 ] name: port1 status: up ip: 10.2.115.82 255.255.0.0 speed: auto

== [ port2 ] name: port2 status: up ip: 0.0.0.0 0.0.0.0 speed: auto

== [ port3 ] name: port3 status: up ip: 0.0.0.0 0.0.0.0 speed: auto

== [ port4 ] name: port4 status: up ip: 1.1.1.1 255.255.255.255 speed: auto

This example shows the output for get system interface port1:

name : port1
status : up
ip : 172.16.81.70 255.255.255.0
allowaccess : ping https ssh snmp telnet http
speed : auto
description : (null)
alias : (null)
ipv6:
ip6-address: ::/0
ip6-allowaccess:
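The get output shown for system global and for system interface port1 is a flat list of key : value lines, which makes it easy to audit from a script. The following is an added example, not Fortinet code: it parses that output format and flags the settings a reviewer would look at first (sslv3 in ssl-protocol, ssl-low-encryption, a low enc-algorithm, and telnet or http in an interface's allowaccess list). The sample inputs are constructed from the values printed on this page; the function names and the audit rules are this example's own.

```python
"""Parse FortiManager 'get' output (key : value lines) and flag weak settings."""
import re
from typing import Dict, List

# One output line, e.g. "ssl-protocol : tlsv1 sslv3" or a bare "ipv6:" header.
_LINE = re.compile(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$")

# Constructed sample: a subset of the 'get system global' values shown in this reference.
SAMPLE_GLOBAL = """\
admin-lockout-threshold: 3
enc-algorithm : low
ssl-low-encryption : enable
ssl-protocol : tlsv1 sslv3
timezone : (GMT-8:00) Pacific Time (US & Canada).
"""

# Constructed sample: a subset of the 'get system interface port1' values shown above.
SAMPLE_PORT1 = """\
name : port1
ip : 172.16.81.70 255.255.255.0
allowaccess : ping https ssh snmp telnet http
ipv6:
ip6-address: ::/0
"""


def parse_get_output(text: str) -> Dict[str, str]:
    """Map setting -> value. Keys never contain a colon, so splitting on the
    first colon keeps values such as '(GMT-8:00) ...' and '::/0' intact."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_system_global(settings: Dict[str, str]) -> List[str]:
    """Flag the transport-security settings an auditor would want tightened."""
    findings = []
    if "sslv3" in settings.get("ssl-protocol", "").split():
        findings.append("ssl-protocol allows sslv3")
    if settings.get("ssl-low-encryption") == "enable":
        findings.append("ssl-low-encryption is enabled")
    if settings.get("enc-algorithm") == "low":
        findings.append("enc-algorithm is low")
    return findings


def audit_interface(settings: Dict[str, str]) -> List[str]:
    """Flag cleartext management protocols in an interface's allowaccess list."""
    allowed = set(settings.get("allowaccess", "").split())
    name = settings.get("name", "?")
    return [f"{name} allows cleartext admin access: {p}"
            for p in sorted(allowed & {"telnet", "http"})]
```

Run audit_system_global(parse_get_output(SAMPLE_GLOBAL)) and audit_interface(parse_get_output(SAMPLE_PORT1)) against the page's own sample output to see all five findings; feed the same functions the captured output of a real unit to audit it.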

system locallog

Use these commands to view local log configuration.

Syntax

get system locallog disk filter
get system locallog disk setting
get system locallog fortianalyzer filter
get system locallog fortianalyzer setting
get system locallog memory filter
get system locallog memory setting
get system locallog [syslogd | syslogd2 | syslogd3] filter
get system locallog [syslogd | syslogd2 | syslogd3] setting

Example

This example shows the output for get system locallog disk setting:

status : enable
severity : debug
upload : disable
server-type : FTP
max-log-file-size : 100
roll-schedule : none
diskfull : overwrite
log-disk-full-percentage: 80

system log

Use these commands to view log configuration.

Syntax

get system log alert
get system log fortianalyzer
get system log settings

Example

This example shows the output for get system log settings:

FAZ-custom-field1 : (null)

FCH-custom-field1 : (null)

FCT-custom-field1 : (null)

FGT-custom-field1 : (null)

FML-custom-field1 : (null)

FWB-custom-field1 : (null)

rolling-regular:

system mail

Use this command to view alert email configuration.

Syntax

get system mail <server name>

system metadata

Use this command to view metadata configuration.

Syntax

get system metadata <admin name>

system ntp

Use this command to view NTP configuration.

Syntax

get system ntp

system password-policy

Use this command to view the password policy setting on your device.

Syntax

get system password-policy

Example

This example shows the output for get system password-policy:

status : enable
minimum-length : 11
must-contain : upper-case-letter lower-case-letter number non-alphanumeric
change-4-characters : disable
expire : 30

system performance

Use this command to view performance statistics on your device.

Syntax

get system performance

Example

This example shows the output for get system performance:

CPU:

Used: 2.2%

Used(Excluded NICE): 1.6%

CPU_num: 1.

CPU[0] usage: 4.72%

Usage: %user %nice %sys %idle %iowait %irq %softirq

1.18 1.77 0.79 95.28 0.98 0.00 0.00

Memory:

Total: 4,136,736 KB

Used: 608,908 KB 14.7%

Hard Disk:

Total: 61,923,324 KB

Used: 2,965,900 KB 4.8%

Flash Disk:

Total: 253,871 KB

Used: 46,426 KB 18.3%

system report

Use this command to view report configuration.

Syntax

get system report auto-cache
get system report est-browse-time
get system report setting

Example

This example shows the output for get system report auto-cache:

aggressive-drilldown: disable
drilldown-interval : 168
status : enable

system route

Use this command to view IPv4 routing table configuration.

Syntax

get system route <entry number>

system route6

Use this command to view IPv6 routing table configuration.

Syntax

get system route6 <entry number>

system snmp

Use these commands to view SNMP configuration.

Syntax

get system snmp community <community ID>
get system snmp sysinfo
get system snmp user <SNMP user name>

Example

This example shows the output for get system snmp sysinfo:

contact_info : (null)
description : (null)
engine-id : (null)
location : (null)
status : disable
trap-cpu-high-exclude-nice-threshold: 80
trap-high-cpu-threshold: 80
trap-low-memory-threshold: 80

system sql

Use this command to view SQL configuration.

Syntax

get system sql

Example

This example shows the output for get system sql:

custom-index:
prompt-sql-upgrade : enable
status : local
text-search-index : disable
ts-index-field:

== [ FGT-app-ctrl ] category: FGT-app-ctrl value: user,group,srcip,dstip,dstport,service,app,action,status,hostname

== [ FGT-attack ] category: FGT-attack value: severity,srcip,dstip,status,user,attackname

== [ FGT-content ] category: FGT-content value: from,to,subject,action,srcip,dstip,hostname,status

== [ FGT-dlp ] category: FGT-dlp value: user,srcip,service,action,file

== [ FGT-emailfilter ] category: FGT-emailfilter value: user,srcip,from,to,subject

== [ FGT-event ] category: FGT-event value: subtype,ui,action,msg

== [ FGT-traffic ] category: FGT-traffic value: user,srcip,dstip,service,app,utmaction,utmevent

== [ FGT-virus ] category: FGT-virus value: service,srcip,dstip,service,status,file,virus,user

== [ FGT-voip ] category: FGT-voip value: action,user,src,dst,from,to

== [ FGT-webfilter ] category: FGT-webfilter value: user,srcip,dstip,service,status,catdesc,hostname

== [ FGT-netscan ] category: FGT-netscan value: user,dstip,vuln,severity,os

== [ FML-emailfilter ] category: FML-emailfilter value: client_name,dst_ip,from,to,subject

== [ FML-event ] category: FML-event value: subtype,msg

== [ FML-history ] category: FML-history value: classifier,disposition,from,to,client_name,direction,domain,virus

== [ FML-virus ] category: FML-virus value: src,msg,from,to

== [ FWB-attack ] category: FWB-attack value: http_host,http_url,src,dst,msg,action

== [ FWB-event ] category: FWB-event value: ui,action,msg

== [ FWB-traffic ] category: FWB-traffic value: src,dst,service,http_method,msg

auto-table-upgrade : disable
database-type : postgres
logtype : app-ctrl attack content dlp emailfilter event generic history traffic virus voip webfilter netscan
rebuild-event : enable
rebuild-event-start-time: 00:00 1992/01/01
start-time : 23:49 2014/03/14

system status

Use this command to view the status of your device.

Syntax

get system status

Example

This example shows the output for get system status:

Platform Type : FMG-VM64-HV

Platform Full Name : FortiManager-VM64-HV

Version : v5.0.0-build0345 141020

Serial Number : FMG-VM0A11000XXX

BIOS version : 04000002

Hostname : FMG-VM64-HV

Max Number of Admin Domains : 1120

Max Number of Device Groups : 1120

Admin Domain Configuration : Enabled

HA Mode : Stand Alone

Branch Point : 345

Release Version Information : Interim

Current Time : Tue Oct 21 14:40:13 PDT 2014

Daylight Time Saving : Yes

Time Zone : (GMT-8:00) Pacific Time (US & Canada).

64-bit Applications : Yes

Disk Usage : Free 31.16GB, Total 78.74GB

License Status : Valid

system syslog

Use this command to view syslog information.

Syntax

get system syslog <syslog server name>

show

The show commands display a part of your Fortinet unit’s configuration in the form of commands that are required to achieve that configuration from the firmware’s default state.

Although not explicitly shown in this section, for all config commands, there are related show commands that display that part of the configuration. The show commands use the same syntax as their related config command.

CLI commands and variables are case sensitive.

Unlike the get command, show does not display settings that are assumed to remain in their default state.

Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
