FortiAnalyzer CLI Reference
FortiAnalyzer™ Version 4.0.0
CLI Reference
6 May 2009
05-400-82624-20090506
© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type.
Dispose of Used Batteries According to the Instructions.
Contents
What’s new  7
Introduction  9
  Registering your Fortinet product  9
  Customer service and technical support  9
  Fortinet documentation  9
  Conventions  10
Using the CLI  15
  Connecting to the CLI  15
  Command syntax  18
  CLI basics  24
Administrative domains (ADOMs)  29
  About administrative domains (ADOMs)  29
  Configuring ADOMs  32
  Accessing ADOMs as the admin administrator  34
  Assigning administrators to an ADOM  35
system  37
  global  38
  interface  40
  ip-alias  42
  dns  42
  accprofile  43
  radius  45
  ldap  46
  authgrp  47
  console  48
  route  49
  raid  50
  admin  51
  snmp  53
  syslog  56
  mail  57
  event  58
  alert-console  62
  auto-delete  63
  fortiguard  65
report  67
  language  68
  output  69
  filter  71
  layout  73
  schedule  79
nas  83
  group  83
  nfs  83
  protocol  84
  share  85
  user  85
log  87
  device  88
  device-group  92
  unregistered  93
  settings  95
  aggregation  104
  forwarding  105
vm  107
  sensor  108
  scan-profile  111
  host-asset  113
  asset-group  115
  map-config  117
  schedule  120
  business-risk  122
gui  127
  console  128
execute  129
  reboot  130
  shutdown  130
  reload  130
  restore  131
  backup  134
  import logs  137
  import-lang  138
  formatlogdisk  139
  factoryreset  139
  ping  139
  ping-options  140
  disconnect  141
  set-time  141
  set-date  142
  traceroute  142
  vm  143
  update-vm  144
  content-files  144
  quarantine_files  144
  ips-pkt  145
  admin-cert  146
  column-settings  147
Index  149
FortiAnalyzer Version 4.0.0 CLI Reference, 05-400-82624-20090506, http://docs.fortinet.com/ • Feedback
What’s new
All commands and keywords containing rvs were replaced with vm. This includes ADOMs as well.
The table below lists commands which have changed since the previous release, FortiAnalyzer 3.0 MR7.
Command: config vm sensor, config vm scan-profile, config vm host-asset, config vm asset-group, config vm map-config, config vm schedule, config vm business-risk, execute vm, execute update-vm
Change: The keywords that concern rvs were replaced with vm. Vulnerability Management replaced RVS in FortiAnalyzer 4.0.

Command: config global
Change: Replaced the following commands within global:
• config rvs upgrade
• execute rvs modules-list
• execute rvs update-now
• execute rvs update-statuslist-list
• execute rvs update-refresh

Command: config adom, config adom devices, config adom virtual-domains, config adom email-domain
Change: Removed the following commands within each adom:
• config rvs jobs
• execute rvs jobs
• execute rvs stop-job
• execute rvs report-list
• execute rvs report-clear
• execute rvs report-delete

Command: config system interface
  set fdp
Change: Removed the options keyword and added fdp.

Command: config system accprofile
  set vuln-mgmt
  set net-monitor
Change: Removed the following keywords:
• vulnerability_scan
• network_summaries
• ip_alias
Added the vuln-mgmt and net-monitor keywords.

Command: config system radius
  edit <radius_name>
  set auth-prot
  set port
Change: Removed the specified_proto and radius-port keywords. Added the auth-prot and port keywords.

Command: config system ldap
  edit <ldap_name>
  set secure
  set ca-cert
Change: Removed the secure and ca-cert keywords.

Command: config system raid
Change: New for 4.0. RAID levels can now be configured using this command.

Command: config system event
  set severity-level-dlp-logs {no check | information | notify | warning | error | critical | alert | emergency}
  set severity-level-dlp-comp {>= | = | <=}
Change: Added the severity-level-dlp-logs and severity-level-dlp-comp keywords. These keywords were added to reflect the new Data Leak Prevention logs.

Command: config system auto-delete
Change: New for 4.0. This command automatically removes reports, content archives and local logs at a specified time.

Command: config system fortiguard
Change: New for 4.0. This command can configure scheduled updates of vulnerabilities.

Command: config vm
Change: New for 4.0. This command configures sensors that are available from the Vulnerability Management feature.

Command: execute rvs
Change: Removed. This command was removed because the RVS feature was replaced with Vulnerability Management.

Command: execute traffic
Change: Removed.

Command: execute vm
Change: New command. This command runs or stops scheduled updates of vulnerabilities and runs or stops map config, including listing all reports.

Command: execute update-vm
Change: New command. Updates vulnerabilities from the FortiGuard network.

Command: execute import logs
Change: Revised. Previously, the command importlog was used; it has been renamed in 4.0 to import logs.

Command: execute restore config-secure {ftp | sftp | scp | tftp} <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>
Change: Added the following keywords:
• <arg_1>
• <arg_2>
• <arg_3>
• <arg_4>
These keywords are available when restoring backups, firmware, or logs and reports from an FTP, SFTP, SCP, or TFTP server. They are available for image, config, config-secure, https-cert, and vm. Added the commands config-secure and vm.

Command: execute backup config-secure {ftp | sftp | scp | tftp} <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>
Change: Added the following keywords:
• <arg_1>
• <arg_2>
• <arg_3>
• <arg_4>
These keywords are available when backing up configurations, firmware, or logs and reports from an FTP, SFTP, SCP, or TFTP server. They are available for image, config, config-secure, and https-cert. The command config-secure was also added.

Command: execute ips-pkt
Change: New command. This command deletes files from a specified device.

Command: execute column-settings
Change: New command. This command clones an administrator’s settings so that those settings can be used as the basis of another administrator’s settings.
Introduction
FortiAnalyzer units are network appliances that provide integrated log collection, analysis
tools and data storage. Detailed log reports provide historical as well as current analysis of
network traffic, such as email, FTP and web browsing activity, to help identify security
issues and reduce network misuse and abuse.
This document describes how to use the FortiAnalyzer Command Line Interface (CLI).
This section describes:
• Registering your Fortinet product
• Customer service and technical support
• Fortinet documentation
• Conventions
Note: Diagnose commands are also available from the FortiAnalyzer CLI. These
commands are used for gathering detailed information useful to Fortinet technical support
for debugging. Because diagnose commands are not a part of normal product use,
diagnose commands are not covered in this document. Contact Fortinet technical support
before using diagnose commands.
Registering your Fortinet product
Before you begin, take a moment to register your Fortinet product at the Fortinet Technical
Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Center article Registration Frequently
Asked Questions.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet
products install quickly, configure easily, and operate reliably in your network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Center article What does
Fortinet Technical Support require in order to best assist the customer?
Fortinet documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Center.
Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD
shipped with your Fortinet product. The documents on this CD are current at shipping
time. For current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.
Fortinet Knowledge Center
The Fortinet Knowledge Center provides additional Fortinet technical documentation,
such as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary,
and more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this or any Fortinet technical
document to techdoc@fortinet.com.
Conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
CLI constraints
CLI constraints, such as <address_ipv4>, indicate which data types or string patterns
are acceptable input for a given parameter or variable value.
This guide uses some conventions to indicate command syntax.
Indentation
Indentation indicates required context. Some commands are valid only from within the
context of another command.
For example, if the syntax is:
config system admin
    edit admin_1
you must be within the interactive command config system admin when entering the
command edit admin_1.
Angle brackets < >
Angle brackets < > indicate input type.
• <xxx_int> indicates an integer
• <xxx_str> indicates a text string
• <xxx_ipv4> indicates a text string in IPv4 address format
For example, if the syntax is:
execute restore config <filename_str>
you could enter:
execute restore config myfile.bak
Curly brackets containing vertical bars { | }
Curly brackets containing vertical bars { | } indicate mutually exclusive options.
For example, if the syntax is:
set ntpsync {enable | disable}
you might enter:
set ntpsync enable
or:
set ntpsync disable
but not:
set ntpsync enable disable
Notes, Tips and Cautions
Fortinet technical documentation uses the following guidance and styles for notes, tips
and cautions.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Note: Also presents useful information, but usually focused on an alternative, optional
method, such as a shortcut, to perform a step.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation
Convention: Button, menu, text box, field, or check box label
Example: From Minimum log level, select Notification.
Convention: CLI input
Example:
config system dns
    set primary <address_ipv4>
end
Convention: CLI output
Example:
FGT-602803030703 # get system settings
comments : (null)
opmode : nat
Convention: Emphasis
Example: HTTP connections are not secure and can be intercepted by a third party.
Convention: File content
Example:
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
Convention: Hyperlink
Example: Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Convention: Keyboard entry
Example: Type a name for the remote VPN peer or client, such as Central_Office_1.
Convention: Navigation
Example: Go to VPN > IPSEC > Auto Key (IKE).
Convention: Publication
Example: For details, see the FortiGate Administration Guide.
Using the CLI
This section explains how to connect to the CLI and describes the basics of using the CLI.
You can use CLI commands to view all system information and to change all system
configuration settings.
This section describes:
• Connecting to the CLI
• Command syntax
• CLI basics
Connecting to the CLI
The CLI is accessed using either a console or network connection. Connecting to the
console or network connection varies by FortiAnalyzer model. For example, a
FortiAnalyzer-2000 unit connects using a RJ-45 to DB-9 cable, but a FortiAnalyzer-2000A
unit connects using a null-modem cable. See your FortiAnalyzer install guide to verify
which cable is correct for your FortiAnalyzer model.
This topic contains the following:
• Connecting to the console
• Configuring network CLI access (SSH or Telnet)
• Connecting to the CLI using SSH
• Connecting to the CLI using Telnet
Connecting to the console
When connecting to the console, you need:
• a computer with an available serial (communications) port
• a null modem cable or RJ-45 to DB-9 cable (whichever is correct for your FortiAnalyzer model)
• terminal emulation software, such as HyperTerminal for Windows
See your FortiAnalyzer install guide to verify which cable is correct for your FortiAnalyzer
model.
The following procedure describes a console connection using terminal emulator
Windows HyperTerminal; steps may vary with other terminal emulators.
To connect to the console of a FortiAnalyzer unit
1 Connect the FortiAnalyzer unit’s console port to the communications port on your
management computer using the null modem or RJ-45 to DB-9 cable.
2 Verify that the FortiAnalyzer unit is powered on.
3 On your management computer, start HyperTerminal.
4 Cancel any dialogs requesting phone or modem information such as area codes or
tone dialing.
5 On Connection Description, enter a Name for the connection, and select OK.
6 Cancel any dialogs requesting phone or modem information such as area codes or
tone dialing.
7 On Connect To, from Connect using, select the communications port where you
connected the FortiAnalyzer unit.
This is usually COM1 for DB-9 cable connections, and TCP/IP for RJ-45 cable
connections.
8 Select OK.
9 Select the following Port settings and select OK.
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
10 Press Enter to connect to the FortiAnalyzer CLI.
A prompt appears.
11 Type a valid administrator name and press Enter.
12 Type the password for this administrator and press Enter.
You can now enter CLI commands.
Note: If too many incorrect login or password attempts occur in a row, you will be
disconnected. You must reconnect to attempt the login again.
Configuring network CLI access (SSH or Telnet)
Caution: Telnet is not a secure access method. SSH should be used to access the
FortiAnalyzer CLI from the Internet or any other unprotected network.
You can access the CLI over the network using SSH or Telnet. Network CLI access may
be configured using either the CLI or the web-based manager.
• To configure CLI access using the web-based manager, see the “Configuring” chapter in the FortiAnalyzer Administration Guide.
• To configure CLI access using the CLI, use the following procedure.
To use the CLI to configure SSH or Telnet access
1 Establish a console or network connection to the CLI.
2 Log in.
3 Enter the command to configure an interface to accept SSH and / or Telnet
administrative connections.
For example, to allow both SSH and Telnet on port1:
config system interface
    edit port1
        set allowaccess ssh telnet
end
Note: Press Enter at the end of each command. Type end and press Enter to save the
changes to the FortiAnalyzer configuration.
4 To confirm the configuration, enter the command to view the access settings for the
interface.
get system interface
The CLI displays the settings, including the management access settings, for the
interface.
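The caution above is easy to lose track of once several interfaces have been configured. Added here as an example, not code from the FortiAnalyzer CLI Reference or from Fortinet: a small Python audit that parses the config system interface section of a saved configuration dump and reports every interface whose allowaccess still includes Telnet or HTTP, together with the CLI lines that would restrict that interface to the remaining protocols. The nested config/edit/set/next/end dump layout, the sample configuration, and the unset keyword used when no protocol remains are assumptions.

```python
"""Audit management access (allowaccess) in a FortiAnalyzer config dump.

Assumption: the dump uses the nested config / edit / set / next / end
layout; the sample below is constructed for this example.
"""
import re

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh telnet
    next
    edit "port2"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess http ssh
    next
    edit "port3"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess https ssh
    next
    edit "port4"
        set ip 0.0.0.0 0.0.0.0
    next
end
"""

# Protocols that carry administrator credentials in cleartext.
CLEARTEXT_PROTOCOLS = {"telnet", "http"}


def parse_interfaces(config_text):
    """Return {interface_name: [allowaccess protocols]} for every interface
    in the config system interface section (empty list if none is set)."""
    interfaces = {}
    current = None
    in_section = False
    for raw_line in config_text.splitlines():
        line = raw_line.strip()
        if line == "config system interface":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":          # end of the section we care about
            break
        match = re.match(r'^edit\s+"?([^"\s]+)"?$', line)
        if match:                  # start of one interface table entry
            current = match.group(1)
            interfaces[current] = []
            continue
        if line == "next":         # close the current table entry
            current = None
            continue
        if current is not None and line.startswith("set allowaccess "):
            interfaces[current] = line.split()[2:]
    return interfaces


def remediation_cli(name, protocols):
    """CLI lines that keep only the non-cleartext protocols on an interface.
    'unset allowaccess' is an assumed way to clear the field entirely."""
    kept = [p for p in protocols if p not in CLEARTEXT_PROTOCOLS]
    setting = "set allowaccess " + " ".join(kept) if kept else "unset allowaccess"
    return ["config system interface", f"edit {name}", setting, "end"]


def audit_allowaccess(config_text):
    """List interfaces exposing cleartext management protocols, with fixes."""
    findings = []
    for name, protocols in parse_interfaces(config_text).items():
        cleartext = sorted(CLEARTEXT_PROTOCOLS.intersection(protocols))
        if cleartext:
            findings.append({
                "interface": name,
                "cleartext": cleartext,
                "fix": remediation_cli(name, protocols),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_allowaccess(SAMPLE_CONFIG):
        print(f"{finding['interface']}: cleartext management access via "
              f"{', '.join(finding['cleartext'])}")
        print("    " + "\n    ".join(finding["fix"]))
```

Feed it the output of a configuration backup or of show system interface; interfaces without any allowaccess line are reported as clean because nothing is exposed on them.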
Connecting to the CLI using SSH
After configuring the FortiAnalyzer unit to accept SSH connections, you can use an SSH
client on your management computer to connect to the FortiAnalyzer CLI.
Secure Shell (SSH) provides both secure authentication and secure communications to
the FortiAnalyzer CLI from your internal network or the Internet.
To connect to the CLI using SSH
1 Start an SSH client.
2 Connect to a FortiAnalyzer interface that is configured for SSH connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
The FortiAnalyzer model name followed by a # is displayed:
FortiAnalyzer-400 #
You can now enter CLI commands.
Note: FortiAnalyzer units support 3DES and Blowfish encryption algorithms for SSH.
If four incorrect login or password attempts occur in a row, you will be disconnected.
Reconnect to attempt the login again.
Connecting to the CLI using Telnet
Caution: Telnet is not a secure access method. SSH should be used to access the
FortiAnalyzer CLI from the Internet or any other unprotected network.
After configuring the FortiAnalyzer unit to accept Telnet connections, you can use a Telnet
client on your management computer to connect to the FortiAnalyzer CLI.
To connect to the CLI using Telnet
1 Start a Telnet client.
2 Connect to a FortiAnalyzer interface that is configured for Telnet connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
The FortiAnalyzer model name followed by a # is displayed:
FortiAnalyzer-400 #
You can now enter CLI commands.
Note: If three incorrect login or password attempts occur in a row, you will be disconnected.
You must reconnect to attempt the login again.
Command syntax
The FortiAnalyzer CLI syntax consists of configuration data and the commands that affect
or use that data.
Typical command structures include:
<command> <general-object> <specific-object>
<sub-command> <table>
<sub-command> <field> <value>
This topic includes the following:
• Objects
• Command branches
Objects
Objects categorize components of FortiAnalyzer configuration data.
The hierarchy of categories is:
1 top-level objects
2 low-level objects
3 tables (if present)
4 fields
Top-level objects represent the most generic areas of FortiAnalyzer configuration.
Table 1: Top-level CLI objects
system: Includes configuration of FortiAnalyzer unit ports and other basic settings.
report: Includes the configuration of reports, report schedules, and the language of the report.
nas: Includes the configuration of user access to the FortiAnalyzer hard disk over the network.
log: Includes the configuration of log connections, device connections and configuring report profiles.
backup: Includes the configuration of scheduled backups of configuration files.
vm: Includes the configuration of vulnerabilities, such as sensors, schedules, and business-risk.
gui: Includes configuration of the Dashboard’s CLI console.
Each of these top-level objects contains more specific, lower-level objects. The lowest-level
objects contain either configurable fields or tables.
Tables are sets of similar data sets within an object. They are usually user-created data
such as administrator accounts or report settings. They also contain fields, similar to
standard objects, but not all low-level objects contain tables. For example, the system
global object contains only fields.
Fields are the most atomic type of configuration data. They contain no other objects or
tables. Fields can be set to a value, such as an IP address, a list of protocols, or a user
name.
Command branches
Command branches define all of a command’s possible object parameters, as well as the
sub-commands available when using an interactive command such as config.
Some commands require object parameters; others require tables or fields.
When using a command which requires object parameters, you must specify all objects
down to the most specific. For example, config system admin is a valid command,
but config system is not valid, because it is not specific enough: it does not specify
which object within system.
Command branches include:
• config branch
• get branch
• show branch
• execute branch
• diagnose branch
config branch
The config command configures lowest-level objects.
To configure an object using config, first specify an object, from its most general
container to the specific lowest-level object, which contains either tables or fields. For
example, to configure administrators, enter:
config system admin
config changes the command prompt to reflect the object which you are currently
configuring:
(admin)#
config is an interactive command: further sub-commands are available from within
config. From an object’s prompt within config, two types of sub-commands might
become available:
• commands affecting fields
• commands affecting tables
Table 2: Commands for tables
delete <table>
  Remove a table from the current object.
  For example, in config system admin, you could delete an administrator account named
  newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its
  fields, such as newadmin’s name and email-address.
  delete is only available within objects containing tables.
edit <table>
  Create or edit a table in the current object.
  For example, in config system admin:
  • edit the settings for the default admin administrator account by typing edit admin.
  • add a new administrator account with the name newadmin and edit newadmin’s settings by
    typing edit newadmin.
  edit is an interactive sub-command: further sub-commands are available from within edit.
  edit changes the prompt to reflect the table you are currently editing.
  edit is only available within objects containing tables.
end
  Save the changes to the current object and exit the config command. This returns you to
  the root FortiAnalyzer CLI prompt.
get
  List the configuration of the current object or table.
  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.
purge
  Remove all tables in the current object.
  For example, in config forensic user, you could type get to see the list of user names,
  then type purge and then y to confirm that you want to delete all users.
  purge is only available for objects containing tables.
  Caution: Back up the FortiAnalyzer unit before performing a purge. purge cannot be undone.
  To restore purged tables, the configuration must be restored from backup.
  Caution: Do not purge system interface or system admin tables. purge does not provide
  default tables. This can result in being unable to connect or log in, requiring the
  FortiAnalyzer unit to be formatted and restored.
rename <table> to <table>
  Rename a table.
  For example, in config system admin, you could rename admin3 to fwadmin by typing
  rename admin3 to fwadmin.
  rename is only available within objects containing tables.
show
  Display changes to the default configuration. Changes are listed in the form of
  configuration commands.
Example of table commands
From within the system admin object, you might enter:
edit admin_1
The CLI acknowledges the new table, and changes the command prompt to show that you
are now within the admin_1 table:
new entry 'admin_1' added
(admin_1)#
Table 3: Commands for fields
abort
  Exit the edit and/or config commands without saving the fields.
end
  Save the changes made to the current table or object fields, and exit the config command.
  (To exit without saving, use abort instead.)
get
  List the configuration of the current object or table.
  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.
next
  Save the changes you have made in the current table’s fields, and exit the edit command
  to the object prompt. (To save and exit completely to the root prompt, use end instead.)
  next is useful when you want to create or edit several tables in the same object, without
  leaving and re-entering the config command each time.
  next is only available from a table prompt; it is not available from an object prompt.
set <field> <value>
  Set a field’s value.
  For example, in config system admin, after typing edit admin, you could type
  set passwd newpass to change the password of the admin administrator to newpass.
  Note: When using set to change a field containing a space-delimited list, type the whole
  new list. For example, set <field> <new-value> replaces the list with <new-value> rather
  than appending <new-value> to the list.
show
  Display changes to the default configuration. Changes are listed in the form of
  configuration commands.
unset <field>
  Reset the table or object’s fields to default values.
  For example, in config system admin, after typing edit admin, typing unset passwd
  resets the password of the admin administrator account to the default (in this case, no
  password).
Example of field commands
From within the admin_1 table, you enter:
set passwd my1stExamplePassword
This assigns the value my1stExamplePassword to the passwd field. You can then enter
the next command to save the changes and edit the next administrator’s table.
get branch
The get command displays all settings for the specified object or table.
To display settings for an object or table, you can:
• first use config to navigate to a lowest-level object, then type get
• first use config to navigate to a lowest-level object, edit a table, then type get
• from the root prompt, type get and then the full object (or table) path, such as
  get forensic user forensicuser1
Example
When you type get in config system interface, information about all of the
interfaces is displayed.
At the (interface)# prompt, type:
get
The screen displays:
== [ port1 ]
name: port1
status: up
speed: auto
ip: 192.168.1.99 255.255.255.0
lockout: enable
mtu-override: disable
== [ port2 ]
name: port2
status: up
speed: auto
ip: 192.168.2.99 255.255.255.0
lockout: enable
mtu-override: enable
== [ port3 ]
name: port3
status: up
speed: auto
ip: 192.168.3.99 255.255.255.0
lockout: enable
mtu-override: disable
Example
When you type get in config system interface port1, the configuration values for
the port1 interface are displayed.
edit port1
At the (port1)# prompt, type:
get
The screen displays:
name         : port1
status       : up
speed        : auto
fdp          : disable
ip           : 192.168.1.99 255.255.255.0
allowaccess  : ping https ssh http
lockout      : enable
mtu-override : disable
show branch
The show command displays only changes to the default FortiAnalyzer unit configuration.
Changes are displayed in the format of equivalent commands.
To display changes to the default configuration for an object or table, you can:
• first use config to navigate to a lowest-level object, then type show
• first use config to navigate to a lowest-level object, edit a table, then type show
• from the root, object or table prompt, type show and then the full object (or table) path,
  such as show forensic user forensicuser1
Example
When you type show in config system interface port1, the changes to the
default internal interface port1 are displayed.
At the (port1)# prompt, type:
show
The screen displays:
config system interface
edit "port1"
set speed auto
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh http
next
end
Example
While you are working in system interface, you want to see the system global
configuration.
At the (interface)# prompt, type:
show system global
The screen displays:
config system global
set admintimeout 480
set hostname "FortiAnalyzer-400B"
set ntpserver "10.10.10.1"
set ntpsync enable
set syncinterval 60
set timezone 04
end
execute branch
The execute command runs one-off operational commands rather than configuring objects.
The execute commands are available only from the root prompt.
execute commands can be used, for example, to reset the FortiAnalyzer unit to factory
defaults, or to back up or restore FortiAnalyzer configuration files.
Example
You want to reboot the FortiAnalyzer unit.
At the root prompt, type:
execute reboot
diagnose branch
Caution: Diagnose commands are intended for advanced users only. Contact Fortinet
technical support before using these commands.
The diagnose command is used for debugging the operation of the FortiAnalyzer unit
and to set parameters for displaying different levels of diagnostic information. The
diagnose commands are not documented in this document.
CLI basics
There are several basic features and characteristics of the CLI environment that provide
support and ease of use for many CLI tasks. For example, the command help provides
additional information for you whenever you need it and is accessible by typing Shift + (?).
Command help
To display help during command entry, press the question mark (?) key:
• Press the question mark (?) key at the command prompt to display a list of the commands
  available and a description of each command.
• Type a command followed by a space and press the question mark (?) key to display a list
  of available options (such as objects or tables) for that command, and to display a
  description of each option.
• Type a command followed by an option (such as objects or tables) and press the question
  mark (?) key to display a list of additional options available for that command option
  sequence, and to display a description of each option.
Command completion
To auto-complete commands, press the tab key or the question mark (?) key:
• Press the tab key at any prompt to scroll through the options available for that prompt.
• Type the first characters of any command and press the tab key or the question mark (?)
  key to complete the command, or to scroll through the options that are available at the
  current cursor position.
• After completing the first word of a command, press the space bar and then the tab key to
  scroll through the options available at the current cursor position.
Recalling commands
To recall previously entered commands, press the Up or Down arrow keys to scroll
through commands previously entered that session.
Editing commands
Typed commands can be edited before they are entered.
To edit a command, press the left and right arrow keys to move the cursor; then press the
backspace or delete key to delete characters, or type to add characters. You can also use
the control key combinations listed in Table 4.
Table 4: Control keys for editing commands
Function                                  Key combination
Beginning of line                         CTRL+A
End of line                               CTRL+E
Back one character                        CTRL+B
Forward one character                     CTRL+F
Delete current character                  CTRL+D
Previous command                          CTRL+P
Next command                              CTRL+N
Abort the command                         CTRL+C
If used at the root prompt, exit the CLI  CTRL+C
Line continuation
To wrap a long command over multiple lines, use a backslash (\) at the end of each line.
Command abbreviation
You can abbreviate commands and command options to the smallest number of
non-ambiguous characters. For example, the command get system status can be
abbreviated to g sy st.
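As an added illustration of the abbreviation rule above (example code, neither part of this reference nor of the FortiAnalyzer product): a resolver that expands each word of an abbreviated command to the single option it is a prefix of, and names the candidates when a prefix is ambiguous. The command tree is a small constructed subset of commands shown in this reference; the real tree is much larger, and words past the last known keyword (table names, values) are passed through unchanged.

```python
# Added example (not Fortinet code): resolve abbreviated CLI commands.
# Each word may be shortened to the smallest prefix that matches exactly one
# option at that position, as described under "Command abbreviation".

# Constructed subset of the command tree, built from commands shown in this
# reference; the real tree is much larger (assumption).
COMMAND_TREE = {
    "config": {
        "system": {"global": {}, "interface": {}, "ip-alias": {}, "admin": {}},
        "report": {"output": {}, "schedule": {}},
        "log": {"device": {}},
    },
    "get": {"system": {"status": {}, "interface": {}, "global": {}}},
    "show": {"system": {"global": {}, "admin": {}}},
    "execute": {"reboot": {}, "restore": {}, "reload": {}, "backup": {}},
}


def expand(abbrev, tree=COMMAND_TREE):
    """Expand an abbreviated command such as 'g sy st' to 'get system status'.

    Raises ValueError when a word matches no option or more than one option.
    Words beyond the known tree (table names, values) are kept as typed.
    """
    node = tree
    out = []
    for word in abbrev.split():
        if not node:
            # Past the last known keyword: this is an argument, keep as typed.
            out.append(word)
            continue
        if word in node:
            chosen = word  # an exact keyword wins over longer options it prefixes
        else:
            matches = sorted(k for k in node if k.startswith(word))
            if not matches:
                raise ValueError(
                    f"unknown word {word!r} after {' '.join(out) or 'the prompt'}")
            if len(matches) > 1:
                raise ValueError(
                    f"ambiguous word {word!r}: could be {', '.join(matches)}")
            chosen = matches[0]
        out.append(chosen)
        node = node[chosen]
    return " ".join(out)


if __name__ == "__main__":
    for attempt in ("g sy st", "c sy in", "sh sy ad user1", "e re", "c sy i"):
        try:
            print(f"{attempt!r:18} -> {expand(attempt)}")
        except ValueError as err:
            print(f"{attempt!r:18} -> error: {err}")
```

Run as a script it expands the first three attempts and reports "e re" (reboot, restore or reload) and "c sy i" (interface or ip-alias) as ambiguous, which is the same decision the CLI has to make before it accepts a shortened command.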
Environment variables
The FortiAnalyzer CLI supports the following environment variables.
$USERFROM    The management access type (SSH, Telnet and so on) and the IP address of the
             logged-in administrator.
$USERNAME    The user account name of the logged-in administrator.
$SerialNum   The serial number of the FortiAnalyzer unit.
For example, the unit host name can be set to the serial number.
config system global
set hostname $SerialNum
end
Variable names are case sensitive.
Encrypted password support
After you enter a clear text password using the CLI, the FortiAnalyzer unit encrypts the
password and stores it in the configuration file with the prefix ENC. For example:
show system admin user1
lists the administrator user1’s password as follows:
config system admin
edit "user1"
set password ENC XXNFKpSV3oIVk
next
end
It is also possible to enter an already encrypted password. For example, type:
config system admin
and press Enter.
Type:
edit user1
and press Enter.
Type:
set password ENC XXNFKpSV3oIVk
and press Enter.
Type:
end
and press Enter.
Entering spaces in strings
To enter a string value that contains a space, do one of the following:
• Enclose the string in quotation marks: "Security Administrator".
• Enclose the string in single quotes: 'Security Administrator'.
• Precede the space with a backslash (\): Security\ Administrator.
Entering quotation marks in strings
To include a quotation mark, single quote or apostrophe in a string, precede the character
with a backslash (\) character. To include a backslash, enter two backslashes.
Entering a question mark in a string
To include a question mark in a string, press CTRL+V then press the question mark (?)
key.
International characters
The CLI supports accented characters, such as é, in strings.
Special characters
The characters <, >, (, ), #, ’, and ” are not permitted in most CLI fields. The exception is
when entering a password.
IP address formats
You can enter an IP address and subnet using either dotted-decimal or slash-bit (CIDR)
format. For example you can type either:
set ip 192.168.1.1 255.255.255.0
or
set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.
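The quoting, escaping and address rules from the preceding sections, collected into one helper as an added example (not Fortinet code and not part of this reference). It assumes the double-quoted form for strings containing a space (one of the three forms the text allows), rejects the characters the text lists as not permitted unless the field is a password, rejects a question mark because the text says it can only be typed interactively with CTRL+V, and uses Python's ipaddress module to convert slash-bit (CIDR) notation to the dotted-decimal form the configuration file displays.

```python
# Added example (not Fortinet code): render field values in the forms this
# reference says the CLI accepts. The rules come from "Entering spaces in
# strings", "Entering quotation marks in strings", "Special characters" and
# "IP address formats"; everything else here is an assumption.
import ipaddress

# Characters the text lists as not permitted in most fields (passwords excepted).
FORBIDDEN = set("<>()#'\"")


def cli_string(value, password=False):
    """Return value escaped for a set command.

    Backslashes are doubled and quotes are backslash-escaped; a value that
    contains a space is wrapped in double quotes. Forbidden characters are
    rejected unless the field is a password, and '?' is always rejected
    because it can only be entered interactively (CTRL+V, then ?).
    """
    if "?" in value:
        raise ValueError("'?' must be entered interactively with CTRL+V")
    if not password:
        bad = sorted(FORBIDDEN & set(value))
        if bad:
            raise ValueError(f"characters not permitted in this field: {bad}")
    escaped = (value.replace("\\", "\\\\")
                    .replace('"', '\\"')
                    .replace("'", "\\'"))
    return f'"{escaped}"' if " " in escaped else escaped


def cli_ip(value):
    """Normalise '1.2.3.4/24' or '1.2.3.4 255.255.255.0' to the dotted-decimal
    'address netmask' form shown in the configuration file."""
    parts = value.split()
    if len(parts) == 2:
        value = f"{parts[0]}/{parts[1]}"  # ipaddress accepts a dotted netmask here
    elif len(parts) != 1:
        raise ValueError(f"bad address: {value!r}")
    iface = ipaddress.IPv4Interface(value)
    return f"{iface.ip} {iface.netmask}"


def set_line(field, value, password=False):
    """Build one 'set <field> <value>' line; the ip field is normalised."""
    rendered = cli_ip(value) if field == "ip" else cli_string(value, password)
    return f"set {field} {rendered}"


if __name__ == "__main__":
    print(set_line("name", "Security Administrator"))
    print(set_line("ip", "192.168.1.1/24"))
    print(set_line("password", 'pa"ss w0rd', password=True))
```

Generating lines this way, rather than pasting raw values into a template, is what keeps an untrusted value (a description, a user name) from breaking out of the field when a configuration file is assembled on an external host.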
Editing the configuration file on an external host
Caution: The first line(s) of the configuration file (preceded by a # character) contains
information about the firmware version and FortiAnalyzer model. Do not edit this line. If you
change this information, the FortiAnalyzer unit will reject the configuration file when you
attempt to restore it.
You can edit the FortiAnalyzer configuration on an external host by first backing up the
configuration file to a TFTP server. Then edit the configuration file and restore it to the
FortiAnalyzer unit.
1 Use execute backup config to back up the configuration file to a TFTP server.
2 Edit the configuration file using a plain text editor.
3 Use the execute restore config command to copy the edited configuration file
back to the FortiAnalyzer unit.
The FortiAnalyzer unit receives the configuration file and checks that the firmware
version and model information is correct. If it is, the FortiAnalyzer unit loads the
configuration file and checks each command for errors. If the FortiAnalyzer unit finds
an error, an error message is displayed after the command and the command is
rejected. Then the FortiAnalyzer unit restarts and loads the new configuration.
Setting screen paging
The CLI can be configured to pause to display each page-full of text. This is convenient for
viewing lengthy command output, such as show log report.
When the display pauses, the bottom line of the console displays --More--. You can
then either:
• Press the spacebar to continue.
• Type Q to end the display. One more line of output is displayed, followed by the
  command prompt.
To configure the CLI display to pause when the screen is full:
config system console
set output more
end
Changing the baud rate
To change the default console connection baud rate, use config system console and
set baudrate.
For example:
config system console
set baudrate 38400
end
Valid baudrate values are:
• 9600
• 19200
• 38400
• 57600
• 115200
Administrative domains (ADOMs)
Administrative domains (ADOMs) enable the admin administrator to constrain other
FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device
list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict
access to only data from a specific FortiGate VDOM.
This section contains the following topics:
• About administrative domains (ADOMs)
• Configuring ADOMs
• Accessing ADOMs as the admin administrator
• Assigning administrators to an ADOM
About administrative domains (ADOMs)
Enabling ADOMs alters the structure and available functionality of the web-based
manager and CLI according to whether you are logging in as the admin administrator,
and, if you are not logging in as the admin administrator, the administrator account’s
assigned access profile.
Table 1: Characteristics of the CLI and web-based manager when ADOMs are enabled
                                                   admin administrator account   Other administrators
Access to config global                            Yes                           No
Access to config adom devices (can create ADOMs)   Yes                           No
Can create administrator accounts                  Yes                           No
Can enter all ADOMs                                Yes                           No
Table 2: Command locations when ADOMs are enabled

Within Global Configuration (config global):
config system global
config system interface
config system ip-alias
config system dns
config system accprofile
config system radius
config system ldap
config system authgrp
config system console
config system route
config system raid
config system admin
config system snmp
config system syslog
config system mail
config system event
config system alert_console
config system auto-delete
config system fortiguard
config report language
config report output
config report filter
config report layout
config report schedule
config nas protocol
config nas user
config nas group
config nas share
config nas nfs
config log device (devices assigned to an ADOM other than root cannot be deleted)
config log device-group
config log unregistered
config log settings
config log aggregation
config log forwarding
config backup schedule
config vm sensor
config vm scan-profile
config vm host-asset
config vm asset-group
config vm map-config
config vm schedule
config vm business-risk
config gui console
execute reboot
execute shutdown
execute reload
execute restore
execute backup
execute import
execute import-lang
execute formatlogdisk
execute factoryreset
execute ping
execute ping-options
execute disconnect
execute set-time
execute set-date
execute traceroute
execute vm
execute update-vm
execute content-files
execute quarantine_files
execute ips-pkt
execute admin-cert
execute column-settings
execute run (arg)

Within each ADOM:
config system ip-alias
config system ldap
config system mail
config report output
config report filter
config report layout
config report schedule
config adom devices (only available when logged in as admin administrator)
config adom virtual-domains (only available when logged in as admin administrator)
config adom email-domains (only available when logged in as admin administrator)
config log device-group
execute content_files
execute quarantine_files
execute ips-pkt
execute column-settings
• If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands
  appear, allowing unrestricted access and ADOM configuration.
• config global contains settings used by the FortiAnalyzer unit itself and settings
  shared by ADOMs, such as the device list, RAID, and administrator accounts. It does not
  include ADOM-specific settings or data, such as logs and reports. When configuring other
  administrator accounts, an additional option appears allowing you to restrict other
  administrators to an ADOM.
• config adom allows you to configure or access ADOMs. You can add a device to one or
  more ADOMs. If you enter an ADOM, a Main Menu item appears in the menu, enabling you to
  return to the top level menu area, Administrative Domain Configuration.
• If ADOMs are enabled and you log in as any other administrator, you enter the ADOM
  assigned to your account. A subset of the typical menus or CLI commands appear, allowing
  access only to logs, reports, quarantine files, content archives, IP aliases, and LDAP
  queries specific to your ADOM. You cannot access Global Configuration, or enter other
  ADOMs.
By default, administrator accounts other than the admin account are assigned to the
root ADOM, which includes all devices in the device list. By creating ADOMs that
contain a subset of devices in the device list, and assigning them to administrator
accounts, you can restrict other administrator accounts to a subset of the FortiAnalyzer
unit’s total devices or VDOMs.
The admin administrator account cannot be restricted to an ADOM. Other administrators
are restricted to their ADOM, and cannot configure ADOMs or Global Configuration.
The maximum number of ADOMs varies by FortiAnalyzer model.
FortiAnalyzer Model         Number of Administrative Domains
FortiAnalyzer-400           10
FortiAnalyzer-800/800B      50
FortiAnalyzer-2000/2000A    100
FortiAnalyzer-4000/4000A    250
Note: ADOMs are not available on the FortiAnalyzer-100 or FortiAnalyzer-100A/100B.
The admin administrator can further restrict other administrators’ access to specific
configuration areas within their ADOM by using access profiles. For more information, see
“global” on page 38.
Configuring ADOMs
Administrative domains (ADOMs) are disabled by default. When enabled, there is initially
only one ADOM, the root ADOM, that all devices belong to. All existing administrator
accounts except the admin account are assigned to the root ADOM. To restrict
administrators to a subset of devices or virtual domains (VDOMs), you must first create
ADOMs, then assign administrator accounts to the new ADOMs.
To disable ADOMs, you must first delete all ADOMs except the root ADOM. Disabling
the administrative domains feature then removes any administrator accounts associated
with ADOMs other than the root ADOM. If you do not wish to delete those administrator
accounts, assign them to the root ADOM before disabling ADOMs.
Caution: Enabling ADOMs moves non-global configuration items to the root ADOM. Back
up the FortiAnalyzer unit configuration before beginning this procedure. For more
information, see “execute backup” on page 134.
To enable ADOMs
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Enter the following commands:
config system global
set adom enable
end
exit
3 To confirm that ADOMs are enabled, log in again as admin and enter:
config ?
These top-level objects appear:
• global
• adom
To create ADOMs, see “To add an ADOM” on page 33. To assign an administrator to
an ADOM, see “Assigning administrators to an ADOM” on page 35.
To add an ADOM
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Add the ADOM and define which devices belong to that ADOM.
For example, where the name of the ADOM is <adom_str> and a name of a device in
the global device list is <device_str>, enter the following commands:
config adom
edit <adom_str>
config adom devices
edit <device_str>
end
end
If the ADOM should contain multiple devices, enter the command edit <device_str>
once for each device.
3 To confirm that the ADOM contains the correct devices, where the name of the ADOM is
<adom_str>, enter the following commands:
config adom
edit <adom_str>
show adom devices
end
A list of devices belonging to the ADOM appears.
Caution: Deleting ADOMs, which can occur when disabling the ADOM feature, removes
administrator accounts assigned to ADOMs other than the root ADOM. Back up the
FortiAnalyzer unit configuration before beginning this procedure. For more information, see
“execute backup” on page 134.
To disable ADOMs
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Enter the command config adom, then delete all ADOMs other than the root
ADOM.
For example, if you have the ADOMs root, adom_a and adom_b, you would enter
these commands:
config adom
delete adom_a
delete adom_b
end
If any other ADOMs except the root ADOM remain, the command to disable ADOMs
will not succeed.
3 Enter the following commands:
config global
config system global
set adom disable
end
end
exit
4 To confirm that ADOMs are disabled, log in again as admin and enter:
config ?
These top-level objects appear:
• system
• report
• nas
• log
• backup
• vm
• gui
Accessing ADOMs as the admin administrator
When ADOMs are enabled, additional ADOM commands become available to the admin
administrator and the structure of the CLI changes. After logging in, other administrators
implicitly access the subset of the CLI tree that pertains only to their ADOM, while the
admin administrator accesses the root of the CLI tree and can use all commands. To
configure items specific to an ADOM, the admin administrator must explicitly enter the
part of the CLI tree that contains an ADOM’s table.
To access an ADOM
1 Log in as admin.
Other administrators cannot access ADOMs other than the one assigned to their
account.
2 Enter the ADOM’s table.
For example, where the name of the ADOM is <adom_str>, enter the following
commands:
config adom
edit <adom_str>
3 You can now configure settings specific to that ADOM. To confirm that you are
configuring an ADOM and not global settings, enter:
config ?
These top-level objects appear:
• system
• report
• log
• adom
Assigning administrators to an ADOM
The admin administrator can create other administrators and assign an ADOM to their
account, constraining them to configurations and data that apply only to devices in their
ADOM.
For example, you could create an administrator example_admin that is constrained to
configurations and data applicable to the administrative domain ADOM_A.
config global
config system admin
edit example_admin
set accprofile prof_admin
set password sw0rdf1sh
set adom ADOM_A
end
end
Note: By default, when ADOMs are enabled, existing administrator accounts other than
admin are assigned to the root ADOM, which contains all devices in the device list. For
more information about creating other ADOMs, see “Configuring ADOMs” on page 32.
system
Use system commands to configure options related to the overall operation of the FortiAnalyzer unit, such
as network interfaces and administrative access.
global
interface
ip-alias
dns
accprofile
radius
ldap
authgrp
console
route
raid
admin
snmp
syslog
mail
event
alert-console
auto-delete
fortiguard
global
Use this command to configure global settings that affect basic FortiAnalyzer system configurations.
Syntax
config system global
set hostname <host_str>
set adom <enable | disable>
set language {english | french | japanese | korean | simch | trach}
set admintimeout <timeout_int>
set remoteauthtimeout <integer>
set ldapconntimeout <timeout_int>
set max-concurrent-users <administrators_int>
set refresh_interval <refresh_int>
set timezone <timezone_int>
set ntpserver <ntp_ip>
set ntpsync {enable | disable}
set syncinterval <ntpsync_int>
end
Keywords and variables / Description / Default

hostname <host_str>
  Type a name for this FortiAnalyzer unit.
  Default: FortiAnalyzer model name.
adom <enable | disable>
  Enable or disable the administrative domains mode.
  Default: disable
language {english | french | japanese | korean | simch | trach}
  Set the web-based manager display language. You can set <language> to one of english,
  french, japanese, korean, simch (Simplified Chinese) or trach (Traditional Chinese).
  Default: english
admintimeout <timeout_int>
  Set the administrator idle timeout to control the amount of inactive time (in minutes)
  before the administrator must log in again. The maximum admintimeout is 480 minutes
  (8 hours). To improve security keep the idle timeout at the default value.
  Note that sessions will not time out when viewing real-time logs.
  Default: 5
remoteauthtimeout <integer>
  Set the remote authentication timeout value in seconds.
  Default: 10
ldapconntimeout <timeout_int>
  Set the LDAP connection timeout in milliseconds.
  Default: 60000
max-concurrent-users <administrators_int>
  Set the maximum number of concurrent administrators.
  Default: 20
refresh_interval <refresh_int>
  Set the Automatic Refresh Interval, in seconds, for the web-based manager System Status
  Monitor. Enter 0 for no automatic refresh.
  Default: 0
timezone <timezone_int>
  The number corresponding to your time zone. Press ? to list time zones and their
  numbers. Choose the time zone for the FortiGate unit from the list and enter the correct
  number.
  Default: 00
ntpserver <ntp_ip>
  Enter the domain name or IP address of a Network Time Protocol (NTP) server.
  Default: 10.10.10.1
ntpsync {enable | disable}
  Enable or disable automatically updating the system date and time by connecting to a
  Network Time Protocol (NTP) server. For more information about NTP and to find the IP
  address of an NTP server that you can use, see http://www.ntp.org.
  Default: disable
syncinterval <ntpsync_int>
  Enter how often, in minutes, the FortiAnalyzer unit should synchronize its time with the
  Network Time Protocol (NTP) server. The syncinterval number can be 1 to 1440; 0 disables
  time synchronization.
  Default: 60
Example
This example shows how to change the host name.
config system global
set hostname corporate_logs
end
History
3.0 MR2   Keywords Admin_Domain, radius-port and remoteauthtimeout added. Keyword refresh
          changed to refresh_interval.
3.0 MR4   Added command ldapconntimeout.
3.0 MR5   Removed Admin_Domain keyword.
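An added example (not Fortinet code, and not part of this reference) that ties together the procedure under "Editing the configuration file on an external host", the assignment rule under "Assigning administrators to an ADOM", and the admintimeout default in the table above: it parses a backed-up configuration file, written in the config/edit/set/next/end grammar described under "Command syntax", into a tree, leaves the leading # header line untouched, and reports settings that loosen those defaults. The sample backup and its header line are constructed; the checks themselves, including treating http and telnet in allowaccess as clear-text management exposure and the guess that a backup taken with ADOMs enabled wraps these objects in config global, are assumptions.

```python
# Added example (not Fortinet code): parse a FortiAnalyzer configuration backup
# offline and report settings that weaken the defaults this reference describes.
import shlex

# Constructed sample backup, not a real device dump. The real first line holds
# firmware and model information in a format this page does not show, so a
# placeholder stands in for it; the audit only checks that it is present.
SAMPLE_BACKUP = """\
#PLACEHOLDER-FIRMWARE-AND-MODEL-HEADER-DO-NOT-EDIT
config system global
    set admintimeout 480
    set adom enable
end
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
end
config system admin
    edit "admin"
        set password ENC XXNFKpSV3oIVk
    next
    edit "example_admin"
        set password sw0rdf1sh
        set adom ADOM_A
    next
    edit "helpdesk"
        set password ENC XXNFKpSV3oIVk
    next
end
"""

DEFAULT_ADMINTIMEOUT = 5               # minutes; the default under system global
CLEARTEXT_ACCESS = {"http", "telnet"}  # management protocols without encryption


def parse_config(text):
    """Parse the config / edit / set / next / end grammar into nested dicts.
    Returns (header_lines, tree); objects and tables are dicts, fields map to
    their token list, e.g. {'ip': ['192.168.1.99', '255.255.255.0']}."""
    header, root, stack = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):          # firmware/model header: keep untouched
            header.append(line)
            continue
        cmd, *args = shlex.split(line)    # shlex strips the quotes in edit "port1"
        current = stack[-1] if stack else root
        if cmd in ("config", "edit"):
            stack.append(current.setdefault(" ".join(args), {}))
        elif cmd == "set":
            current[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if not stack:
                raise ValueError(f"unbalanced {cmd}")
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {line}")
    if stack:
        raise ValueError("unterminated block")
    return header, root


def audit(tree):
    """Return a list of findings about risky settings in a parsed config."""
    findings = []
    # Assumption: a backup taken with ADOMs enabled wraps these objects in
    # 'config global'; fall back to the root of the tree when it does not.
    scope = tree.get("global", tree)
    glob = scope.get("system global", {})
    timeout = int(glob.get("admintimeout", [DEFAULT_ADMINTIMEOUT])[0])
    if timeout > DEFAULT_ADMINTIMEOUT:
        findings.append(f"system global: admintimeout {timeout} exceeds the "
                        f"default of {DEFAULT_ADMINTIMEOUT} minutes")
    adoms_on = glob.get("adom", ["disable"])[0] == "enable"
    for name, iface in scope.get("system interface", {}).items():
        exposed = CLEARTEXT_ACCESS & set(iface.get("allowaccess", []))
        if exposed:
            findings.append(f"system interface {name}: clear-text management "
                            f"access enabled: {' '.join(sorted(exposed))}")
    for name, acct in scope.get("system admin", {}).items():
        pw = acct.get("password", [])
        if pw and pw[0] != "ENC":
            findings.append(f"system admin {name}: password is not in ENC form "
                            f"(hand-edited clear text?)")
        if adoms_on and name != "admin" and "adom" not in acct:
            findings.append(f"system admin {name}: no ADOM assigned, so the "
                            f"account falls back to root (all devices)")
    return findings


if __name__ == "__main__":
    header, tree = parse_config(SAMPLE_BACKUP)
    print("header:", header[0])
    for finding in audit(tree):
        print("-", finding)
```

Run against the constructed sample, the audit reports the 480-minute idle timeout, the http and telnet entries on port1, the clear-text password on example_admin and the missing ADOM on helpdesk. The same parser can feed an edit-and-restore workflow, since it keeps the header lines separate from the tree and never rewrites them.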
interface
Use this command to edit the configuration of FortiAnalyzer network interfaces.
Syntax
config system interface
edit <interface_str>
set status {down | up}
set speed {1000baseT_Full | 100baseT_Full | 100baseT_Half | 10baseT_Full |
10baseT_Half | Speed_unknown | auto}
set fdp {enable | disable}
set ip <interface_ip>
set allowaccess <access_str>
set lockout {enable | disable}
set mtu-override {enable | disable}
end
Keywords and variables
edit <interface_str>
    Edit an existing interface. No default.
status {down | up}
    Start or stop the interface. If the interface is stopped it does not accept or send packets. Default: up.
speed {1000baseT_Full | 100baseT_Full | 100baseT_Half | 10baseT_Full | 10baseT_Half | Speed_unknown | auto}
    Configure the maximum speed of the interface. Default: auto.
fdp {enable | disable}
    Enable or disable use of the Fortinet Discovery Protocol (FDP) for FortiGate units. Default: disable.
ip <interface_ip>
    Enter the interface IP address and netmask. The IP address cannot be on the same subnet as any other interface. Default: varies by interface.
allowaccess <access_str>
    Enter the types of management access permitted on this interface. Valid types are:
    • ping
    • https
    • ssh
    • http
    • telnet
    • aggregator
    • webservice
    Separate multiple access types with spaces. If you want to add or remove an option from the list, retype the entire space-delimited list. Default: varies by interface.
lockout {enable | disable}
    Enable administrator lockout when the administrator fails to log in after three attempts. Default: disable.
mtu-override {enable | disable}
    Enable override of the MTU. Default: disable.
Example
This example shows how to set a FortiAnalyzer unit’s port 1 IP address and netmask to
192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.
config system interface
edit internal
set allowaccess ping https ssh
set ip 192.168.110.26 255.255.255.0
end
History
3.0 MR1
Added lockout and options variables.
3.0 MR3
Added speed command.
4.0
Removed options keyword and added fdp keyword.
ip-alias
Use this command to add or modify the alias names for IP addresses. When generating reports, the
FortiAnalyzer unit displays the alias name rather than the IP address.
Syntax
config system ip-alias
edit <user_str>
set ip-range <user_ip>
end
Keywords and variables
edit <user_str>
    Edit or add an IP alias entry. No default.
ip-range <user_ip>
    Enter the IP address and netmask or range of addresses. No default.
Example
This example shows how to add an IP alias for the user User1.
config system ip-alias
edit user1
set ip-range 10.10.10.1/24
end
dns
Use this command to set a primary and alternate DNS server address. For features which use domain
names, the FortiAnalyzer unit will forward DNS lookups to those IP addresses.
Syntax
config system dns
set primary <dns_ip>
set secondary <dns_ip>
end
Keywords and variables
primary <dns_ip>
    Enter the primary DNS server IP address. Default: 0.0.0.0.
secondary <dns_ip>
    Enter the secondary DNS server IP address. Default: 0.0.0.0.
Example
You could set the primary FortiAnalyzer DNS server IP address to 172.16.35.133 and the secondary
FortiAnalyzer DNS server IP address to 172.16.25.132.
config system dns
set primary 172.16.35.133
set secondary 172.16.25.132
end
accprofile
Use this command to configure access profiles, which control rights of administrators to access parts of the
FortiAnalyzer configuration.
Syntax
config system accprofile
edit <profile_name>
set network {none | read | read-write}
set admin {none | read | read-write}
set system {none | read | read-write}
set devices {none | read | read-write}
set alerts {none | read | read-write}
set content {none | read | read-write}
set reports {none | read | read-write}
set logs {none | read | read-write}
set quar {none | read | read-write}
set net-monitor {none | read | read-write}
set vuln-mgmt {none | read | read-write}
end
Keywords and variables
network {none | read | read-write}
    Set the administrative privileges for the network traffic reports. Default: none.
admin {none | read | read-write}
    Set the administrative privileges for the administrative settings. Default: none.
system {none | read | read-write}
    Set the administrative privileges for the FortiAnalyzer system configuration settings. Default: none.
ip_alias {none | read | read-write}
    Set the administrative privileges for the IP alias configuration. Default: none.
devices {none | read | read-write}
    Set the administrative privileges for the connected device settings. Default: none.
alerts {none | read | read-write}
    Set the administrative privileges for the alert email settings. Default: none.
content {none | read | read-write}
    Set the administrative privileges for the content archive logs. Default: none.
reports {none | read | read-write}
    Set the administrative privileges for the report configuration. Default: none.
logs {none | read | read-write}
    Set the administrative privileges for the logs. Default: none.
quar {none | read | read-write}
    Set the administrative privileges for the quarantine options and quarantined files. Default: none.
net-monitor {none | read | read-write}
    Set the administrative privileges for the network analyzer monitor options. Default: none.
vuln-mgmt {none | read | read-write}
    Set the administrative privileges for the vulnerability scanner reports and configuration. Default: none.
Example
The following example creates an access profile called report. The profile enables an administrator to read the various reports from the FortiAnalyzer unit but not to modify any configuration.
config system accprofile
edit report
set devices read-write
set network read
set reports read
end
History
3.0 MR2
New command.
3.0 MR3
Removed sec_event and traffic_sum.
Added network_summaries.
3.0 MR4
Added admin_domains.
3.0 MR7
Removed the following keywords:
• admin_domains
• forensic
• sec_event
The option write has been removed.
4.0
Removed vulnerability_scan, network_summaries, and
ip_alias. Added the keywords vuln-mgmt and net-monitor.
radius
Use this command to configure a RADIUS authentication server.
Syntax
config system radius
edit <radius_name>
set server <nameip_str>
set secret <password_str>
set auth-prot {auto | mschap2 | mschap | chap | pap}
set port <udp_port>
end
Keywords and variables
server <nameip_str>
    Enter the RADIUS server domain name or IP address. No default.
secret <password_str>
    Enter the password for the RADIUS server. No default.
auth-prot {auto | mschap2 | mschap | chap | pap}
    Select which protocol to use when communicating with the RADIUS server. No default.
port <udp_port>
    Enter the UDP port number. No default.
Example
This example shows how to add a RADIUS server named corporate and specify the CHAP protocol on
port 1811.
config system radius
edit corporate
set server 10.10.20.155
set secret pa55w0rd
set auth-prot chap
set port 1811
end
History
3.0 MR2
New command.
3.0 MR5
Added radius-port, specified_proto and use_default_auth.
3.0 MR6
Removed variable use_default_auth. The configured RADIUS protocol is now always used.
4.0
Removed specified_proto and radius-port. Added the following:
• auth-prot
• port
ldap
Use this command to add or modify LDAP or Windows Active Directory servers for features which can look
up users, such as reports utilizing LDAP queries.
Syntax
config system ldap
edit <ldap_string>
set server <server_ipv4>
set cnid <cnid_str>
set dn <dn_str>
set port <port_int>
set type {anonymous | regular}
set group <name_str>
set filter <filter_criteria>
end
Keywords and variables
server <server_ipv4>
    Enter the LDAP server domain name or IP address. No default.
cnid <cnid_str>
    Enter the Common Name Identifier. Default: cn.
dn <dn_str>
    Enter the Distinguished Name information. No default.
port <port_int>
    Enter the server port, typically port 389. Default: 389.
type {anonymous | regular}
    Select the server's LDAP binding type. If type is regular, you must also configure a username and password. Default: anonymous.
group <name_str>
    Enter a group name. No default.
filter <filter_criteria>
    Enter the filter criteria used for group searching. For example:
    (&(objectcategory=group)(member=*))
    (&(objectclass=groupofnames)(member=*))
    (&(objectclass=groupofuniquenames)(uniquemember=*))
    (&(objectclass=posixgroup)(memberuid=*))
    Default: (&(objectcategory=group)(member=*)).
Example
The following example configures an LDAP server connection to ldap.example.com.
config system ldap
edit 1
set server ldap.example.com
set type regular
set username faz100
set password $32659*fdsQeV
end
History
3.0 MR4
New command.
3.0 MR7
Removed username and password keywords.
4.0
Removed secure and ca-cert keywords.
authgrp
Use this command to add RADIUS authentication servers to an authentication group.
Syntax
config system authgrp
edit <group_str>
set member <radius_str>
end
Keywords and variables
edit <group_str>
    Enter the name of the authorization group. No default.
member <radius_str>
    Enter a list of the names of RADIUS servers configured in system radius to add to the group. No default.
Example
In this example, two RADIUS servers are added to an authentication group.
config system authgrp
edit RADIUSGrp
set member RADIUS1 RADIUS_alt
end
console
Use this command to configure CLI connections, including the number of lines displayed by the console,
and the baud rate.
Syntax
config system console
set mode {batch | line}
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
set output {standard | more}
end
Keywords and variables
mode {batch | line}
    Set the console mode to single line or batch commands. Default: line.
baudrate {9600 | 19200 | 38400 | 57600 | 115200}
    Set the console port baud rate. Default: 9600.
output {standard | more}
    Set console output to standard (no pause) or more (pause after each screen, resume on keypress). This setting applies to show or get commands only. Default: standard.
Example
In this example, the baud rate is set to 38400.
config system console
set baudrate 38400
end
route
Use this command to configure static routes.
Syntax
config system route
edit <sequence_int>
set dst <destination_ip-mask>
set gateway <gateway_ip>
set device {port1 | port2 | port3}
end
Keywords and variables
edit <sequence_int>
    Enter a sequence number for the static route. The sequence number may influence routing priority in the FortiGate forwarding table. No default.
dst <destination_ip-mask>
    Enter the destination IP address and network mask for this route. You can enter 0.0.0.0 0.0.0.0 to create a new static default route. Default: 0.0.0.0 0.0.0.0.
gateway <gateway_ip>
    Enter the IP address of the next-hop router to which traffic is forwarded. Default: 0.0.0.0.
device {port1 | port2 | port3}
    Enter the interface for the outbound packets. Default: port1.
Example
This example shows how to add a static route that has the sequence number 2.
config system route
edit 2
set device port1
set dst 192.168.22.0 255.255.255.0
set gateway 192.168.22.44
end
raid
Use this command to configure RAID levels.
Syntax
config system raid
set level [raid10 | linear | raid0 | raid1 | raid5]
end
Keywords and variables
level [raid10 | linear | raid0 | raid1 | raid5]
    Enter the level of RAID you want for your FortiAnalyzer unit. No default.
Example
This example shows how to configure the RAID level on a FortiAnalyzer unit.
config system raid
set level raid1
end
History
4.0
New.
admin
Use this command to add, edit, and delete administrator accounts.
Use the admin account or an account with system configuration read and write privileges to add new
administrator accounts and control their permission levels. Each administrator account except admin must
include an access profile. You cannot delete the admin administrator account.
Syntax
config system admin
edit <name_str>
set remote-auth {enable | disable}
set password <password_str>
set trusthost1 <remoteaccessip_ipv4> <netmask_ipv4>
set trusthost2 <remoteaccessip_ipv4> <netmask_ipv4>
set trusthost3 <remoteaccessip_ipv4> <netmask_ipv4>
set accprofile <profile_str>
set last-name <lname_str>
set first-name <fname_str>
set email-address <email_addr>
set phone-number <phone_str>
set mobile-number <cellnum_str>
set pager-number <pagernum_str>
set adom <adom_name>
set ssh-public-key1 <pubkey_str>
set ssh-public-key2 <pubkey_str>
set ssh-public-key3 <pubkey_str>
end
Keywords and variables
edit <name_str>
    Enter the name of the administrator. No default.
remote-auth {enable | disable}
    Select to use a RADIUS server for authentication. Default: disable.
password <password_str>
    Enter a password for the administrator account. For improved security, the password should be at least 6 characters. No default.
trusthost1 <remoteaccessip_ipv4> <netmask_ipv4>
    An IP address or subnet address and netmask from which the administrator can connect to the FortiAnalyzer unit. To enable access to the FortiAnalyzer unit from any address, set one of the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0. Default: 0.0.0.0 0.0.0.0.
trusthost2 <remoteaccessip_ipv4> <netmask_ipv4>
    An IP address or subnet address and netmask from which the administrator can connect to the FortiAnalyzer unit. To enable access to the FortiAnalyzer unit from any address, set one of the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0. Default: 0.0.0.0 0.0.0.0.
trusthost3 <remoteaccessip_ipv4> <netmask_ipv4>
    An IP address or subnet address and netmask from which the administrator can connect to the FortiAnalyzer unit. To enable access to the FortiAnalyzer unit from any address, set one of the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0. Default: 127.0.0.1 255.255.255.255.
accprofile <profile_str>
    Enter the access profile to assign to the administrator. No default.
last-name <lname_str>
    Enter the last name of the administrator. No default.
first-name <fname_str>
    Enter the first name of the administrator. No default.
email-address <email_addr>
    Enter the email address for the administrator. No default.
phone-number <phone_str>
    Enter the phone number of the administrator. No default.
mobile-number <cellnum_str>
    Enter the number of the administrator's cell (mobile) phone. No default.
pager-number <pagernum_str>
    Enter the number of the administrator's pager. No default.
adom <adom_name>
    Enter the ADOM that you want the administrator to be associated with. No default.
ssh-public-key1 <pubkey_str>
    Enter the user's public key to allow the user to log in without entering the admin password. If the configured key matches the public key of the client PC, then the admin does not have to enter a password to log into the FortiAnalyzer unit. If the key does not match, the admin must enter a password. No default.
ssh-public-key2 <pubkey_str>
    Enter the user's public key to allow the user to log in without entering the admin password. No default.
ssh-public-key3 <pubkey_str>
    Enter the user's public key to allow the user to log in without entering the admin password. No default.
Example
You could add a new administrator account named jdoe with the password set to p8ssw0rd and an
access profile of reports, with access restricted to a single computer, 192.168.5.4, on the internal
network.
config system admin
edit jdoe
set first-name Jane
set last-name Doe
set phone-number 555-2112
set password p8ssw0rd
set accprofile reports
set trusthost1 192.168.5.4 255.255.255.255
end
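One way to check a saved configuration against the points this reference makes about allowaccess and lockout (system interface) and about trusthost and password (system admin), as an added example that is not Fortinet's code: a small parser for the config/edit/set/end syntax and an audit over it. The function names are assumptions and the sample configuration is constructed; it uses next to close an entry, and end to close a config block together with any entry still open, as the examples in this reference do.

```python
"""Audit a FortiAnalyzer-style CLI configuration for weak settings this reference
documents. Added example, not Fortinet code; keyword names are from the reference."""
from typing import Dict, List, Tuple

Settings = Dict[str, List[str]]          # keyword -> values given to 'set'
Config = Dict[str, Dict[str, Settings]]  # "system admin" -> entry name -> settings

# allowaccess types that carry management credentials unencrypted.
CLEARTEXT_ACCESS = {"http", "telnet"}
# A trusthost of this address and netmask matches any source address.
ANY_HOST = ["0.0.0.0", "0.0.0.0"]
# Defaults listed in the system admin table of this reference.
TRUSTHOST_DEFAULTS = {
    "trusthost1": ANY_HOST,
    "trusthost2": ANY_HOST,
    "trusthost3": ["127.0.0.1", "255.255.255.255"],
}
MIN_PASSWORD_LEN = 6  # "the password should be at least 6 characters"


def parse_config(text: str) -> Config:
    """Parse config/edit/set/next/end blocks into a nested dictionary.

    'next' closes the open entry; 'end' closes the config block together with
    any entry still open, as the examples in this reference do.
    """
    config: Config = {}
    stack: List[Tuple[str, str]] = []  # (config path, open entry name or "")
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            path = " ".join(args)
            stack.append((path, ""))
            config.setdefault(path, {})
        elif verb == "edit":
            path, _ = stack[-1]
            stack[-1] = (path, " ".join(args))
            config[path].setdefault(stack[-1][1], {})
        elif verb == "set":
            path, entry = stack[-1]
            config[path].setdefault(entry, {})[args[0]] = args[1:]
        elif verb == "next":
            stack[-1] = (stack[-1][0], "")
        elif verb == "end":
            stack.pop()
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return config


def audit(config: Config) -> List[str]:
    """Return one finding per weak setting, in configuration order."""
    findings: List[str] = []
    for name, s in config.get("system interface", {}).items():
        weak = sorted(set(s.get("allowaccess", [])) & CLEARTEXT_ACCESS)
        if weak:
            findings.append(f"interface {name}: cleartext management access ({', '.join(weak)})")
        # lockout defaults to disable, so an unset keyword is also a finding.
        if s.get("lockout", ["disable"]) == ["disable"]:
            findings.append(f"interface {name}: lockout disabled")
    for name, s in config.get("system admin", {}).items():
        for key, default in TRUSTHOST_DEFAULTS.items():
            if s.get(key, default) == ANY_HOST:
                origin = "set" if key in s else "default"
                findings.append(f"admin {name}: {key} {origin} to 0.0.0.0 0.0.0.0 (any address)")
        password = s.get("password")
        if password and len(password[0]) < MIN_PASSWORD_LEN:
            findings.append(f"admin {name}: password shorter than {MIN_PASSWORD_LEN} characters")
    return findings


# Constructed sample configuration in the syntax of this reference.
SAMPLE_CONFIG = """
config system interface
    edit port1
        set allowaccess ping https ssh http telnet
    next
    edit port2
        set allowaccess https ssh
        set lockout enable
    next
end
config system admin
    edit jdoe
        set password p8ssw0rd
        set trusthost1 192.168.5.4 255.255.255.255
    next
    edit backup
        set password abc12
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE_CONFIG))))
```

Note that jdoe, configured like the example above with only trusthost1, is still reported because trusthost2 keeps its listed default of 0.0.0.0 0.0.0.0.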
History
3.0 MR2
Newly revamped with new keywords. permissions keyword removed and
replaced with accprofile.
3.0 MR4
Added is-admin, ssh-public-key1, ssh-public-key2, ssh-public-key3, trusthost2, and trusthost3.
3.0 MR7
Removed Admin_Domain and auth-group keywords.
snmp
Use these commands to configure the SNMP server for alert messages.
Syntax
config system snmp community
edit <snmp_name>
set status {enable | disable}
set query-v1-status {enable | disable}
set query-v1-port <port_number>
set query-v2c-status {enable | disable}
set query-v2c-port <port_number>
set trap-v1-status {enable | disable}
set trap-v1-lport <port_number>
set trap-v1-rport <port_number>
set trap-v2c-status {enable | disable}
set trap-v2c-lport <port_number>
set trap-v2c-rport <port_number>
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | system_event | raid | log-rate | data-rate}
end
Keywords and variables
status {enable | disable}
    Enable to configure an SNMP community. Default: disable.
query-v1-status {enable | disable}
    Enable the SNMP v1 query. Default: enable.
query-v1-port <port_number>
    Enter the SNMP query port number. Default: 161.
query-v2c-status {enable | disable}
    Disable to not configure the SNMP v2c query. Default: enable.
query-v2c-port <port_number>
    Enter the SNMP query port number. Default: 161.
trap-v1-status {enable | disable}
    Disable to not configure the SNMP v1 trap. Default: enable.
trap-v1-lport <port_number>
    Enter the SNMP v1 trap local port number. Default: 162.
trap-v1-rport <port_number>
    Enter the SNMP v1 trap remote port number. Default: 162.
trap-v2c-status {enable | disable}
    Disable to not configure the SNMP v2c trap. Default: enable.
trap-v2c-lport <port_number>
    Enter the SNMP v2c trap local port number. Default: 162.
trap-v2c-rport <port_number>
    Enter the SNMP v2c trap remote port number. Default: 162.
events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | system_event | raid | log-rate | data-rate}
    Enter the event or events. If you are entering multiple events, separate each event with a space. No default.
config system snmp sysinfo
set description <desc_str>
set contact-info <info_str>
set location <location_str>
set agent {enable | disable}
end
Keywords and variables
description <desc_str>
    Enter a description for the server. No default.
contact-info <info_str>
    Enter an administrative contact for the SNMP server. No default.
location <location_str>
    Enter the location of the server. No default.
agent {enable | disable}
    Enable the SNMP agent. Default: disable.
config system snmp traps {cpu | memory | disk}
set trigger <integer>
set threshold <integer>
set period <integer>
set frequency <integer>
end
Keywords and variables
traps {cpu | memory | disk}
    Enter to configure traps for CPU, memory or disk. No default.
trigger <integer>
    Enter the percentage that will trigger a trap. The number can be from 1 to 100 (in percent). No default.
threshold <integer>
    Enter the number of triggers that must occur before a trap is sent. No default.
period <integer>
    Enter a time period, in seconds. No default.
frequency <integer>
    Enter a time period, in seconds, for the frequency of the traps that occur. No default.
Example
This example shows how to add an SNMP server.
config system snmp community
edit snmp_server1
set community company_snmp
end
config system snmp sysinfo
set contact-info Johnny_admin
set description corporate_trap
set location HQ
end
History
3.0 MR2
config system snmp sysinfo commands added.
3.0 MR7
Added the following keywords to snmp community:
• traps
• cpu_usage
• memory_usage
• disk_usage
• system_event
• intf_ip_change
• hosts
Removed the keyword, ip from snmp community command. Added the
following keyword to snmp sysinfo command:
• agent
Added the following command and keywords:
• snmp traps {cpu | memory | disk}
• trigger
• threshold
• period
• frequency
syslog
Use this command to configure the syslog server for alert messages.
Syntax
config system syslog
edit <syslog_str>
set port <name_str>
set ip <ip-address_fdqn>
end
Keywords and variables
edit <syslog_str>
    Enter a name for the syslog server. No default.
port <name_str>
    Enter the port number for the syslog messages. No default.
ip <ip-address_fdqn>
    Enter the syslog server IP address and network mask or fully qualified domain name (FQDN). No default.
Example
This example shows how to add a Syslog server.
config system syslog
edit syslog1
set ip syslog.example.com
set port 514
end
mail
Use this command to add or modify an email server user to enable the FortiAnalyzer to send alert
messages using email.
Syntax
config system mail
edit server <name_str>
set auth {enable | disable}
set passwd <password_str>
set user <username_str>
end
Keywords and variables
server <name_str>
    The name or address of the SMTP email server. No default.
auth {enable | disable}
    Select enable to define the email server for alert messages. Default: disable.
passwd <password_str>
    Enter the password for logging on to the SMTP server to send alert email. You only need to do this if you selected SMTP authentication. No default.
user <username_str>
    Enter the user name for logging on to the SMTP server to send alert mails. You only need to do this if you have enabled SMTP authentication. No default.
Example
This example shows how to add an SMTP mail server.
config system mail
edit server smtp.server.com
set auth enable
set user admin
set passwd s3cr3t
end
event
Use this command to add, edit, and delete alert events.
Syntax
config system event
edit <event_str>
set all-devices {select | all}
set event-time-period <integer>
set num-events <integer>
set severity-level-event-logs {information | notify | warning | error | critical | alert | emergency}
set severity-level-event-comp {>= | = | <=}
set severity-level-attack-logs {information | notify | warning | error | critical | alert | emergency}
set severity-level-attack-comp {>= | = | <=}
set severity-level-av-logs {information | notify | warning | error | critical | alert | emergency}
set severity-level-av-comp {>= | = | <=}
set severity-level-traffic-logs {information | notify | warning | error | critical | alert | emergency}
set severity-level-traffic-comp {>= | = | <=}
set severity-level-webfilter-logs {information | notify | warning | error | critical | alert | emergency}
set severity-level-webfilter-comp {>= | = | <=}
set severity-level-content-logs {information | notify | warning | error | critical | alert | emergency}
set severity-level-content-comp {>= | = | <=}
set severity-level-IM-logs {information | notify | warning | error | critical | alert | emergency}
set severity-level-IM-comp {>= | = | <=}
set severity-level-emailfilter-logs {information | notify | warning | error | critical | alert | emergency}
set severity-level-emailfilter-comp {>= | = | <=}
set severity-level-dlp-logs {no check | information | notify | warning | error | critical | alert | emergency}
set severity-level-dlp-comp {>= | = | <=}
set enable-generic-text {yes | no}
set generic-text <string>
set enable-severity-filter {yes | no}
set severity-filter {high | low | medium | medium-high | medium-low}
config alert-destination
edit <table_index>
set type {mail | snmp | syslog}
set from <email_str>
set to <email_str>
set mail-server-adom
set smtp-name <server_name>
end
end
Keywords and variables
edit <event_str>
    Enter the name for the alert event. No default.
all-devices {select | all}
    Select to watch for events from all devices or from selected devices. Default: all.
enable-generic-text {yes | no}
    Enable to add a standard text response for the alert notification. Default: no.
enable-severity-filter {yes | no}
    Enable the alert severity to include in the outgoing alert message information. Default: no.
event-time-period <integer>
    Select the period of time within which the number of events must occur. When the number of events occur in the configured time, the FortiAnalyzer sends an alert email. Default: 0.5.
generic-text <string>
    Enter the standard text response for the alert notification. Use this variable after setting enable-generic-text to yes. No default.
num-events <integer>
    Select the number of events that must occur within the configured time period. Default: 1.
severity-filter {high | low | medium | medium-high | medium-low}
    Select the alert severity to include in the outgoing alert message information. Use this variable after setting enable-severity-filter to yes. No default.
severity-level-attack-comp {>= | = | <=}
    Select the equivalency in relation to the attack log severity level. Default: =.
severity-level-attack-logs {information | notify | warning | error | critical | alert | emergency}
    Select the severity level that the FortiAnalyzer unit monitors for in the attack logs. No default.
severity-level-av-comp {>= | = | <=}
    Select the equivalency in relation to the antivirus log severity level. Default: =.
severity-level-av-logs {information | notify | warning | error | critical | alert | emergency}
    Select the severity level that the FortiAnalyzer unit monitors for in the antivirus logs. No default.
severity-level-content-comp {>= | = | <=}
    Select the equivalency in relation to the content log severity level. Default: =.
severity-level-content-logs {information | notify | warning | error | critical | alert | emergency}
    Select the severity level that the FortiAnalyzer unit monitors for in the content logs. No default.
severity-level-emailfilter-comp {>= | = | <=}
    Select the equivalency in relation to the email filter log severity level. Default: =.
severity-level-emailfilter-logs {information | notify | warning | error | critical | alert | emergency}
    Select the severity level that the FortiAnalyzer unit monitors for in the email filter logs. No default.
severity-level-event-comp {>= | = | <=}
    Select the equivalency in relation to the event log severity level. Default: =.
severity-level-dlp-logs {no check | information | notify | warning | error | critical | alert | emergency}
    Select the severity level that the FortiAnalyzer unit monitors for in the Data Leak Prevention logs. No default.
severity-level-dlp-comp {>= | = | <=}
    Select the equivalency in relation to the Data Leak Prevention log severity level. Default: =.
severity-level-event-logs {information | notify | warning | error | critical | alert | emergency}
    Select the severity level that the FortiAnalyzer unit monitors for in the event logs. No default.
severity-level-IM-comp {>= | = | <=}
    Select the equivalency in relation to the instant message log severity level. Default: =.
severity-level-IM-logs {information | notify | warning | error | critical | alert | emergency}
    Select the severity level that the FortiAnalyzer unit monitors for in the instant message logs. No default.
severity-level-traffic-comp {>= | = | <=}
    Select the equivalency in relation to the traffic log severity level. Default: =.
severity-level-traffic-logs {information | notify | warning | error | critical | alert | emergency}
    Select the severity level that the FortiAnalyzer unit monitors for in the traffic logs. No default.
severity-level-webfilter-comp {>= | = | <=}
    Select the equivalency in relation to the web filter log severity level. Default: =.
severity-level-webfilter-logs {information | notify | warning | error | critical | alert | emergency}
    Select the severity level that the FortiAnalyzer unit monitors for in the web filter logs. No default.
alert-destination
    Configure where the FortiAnalyzer unit sends the alert messages. No default.
from <email_str>
    Enter the email address where the alert message originates. No default.
smtp-name <server_name>
    Enter the email server name, configured with the command config system mail. No default.
to <email_str>
    Enter the email address where the alert message is destined. No default.
mail-server-adom
    Enter the virtual domain of the email server. No default.
type {mail | snmp | syslog}
    Select the type of delivery for the alert message. Default: mail.
Example
You could add a new alert event called new_event on the warning message of the event logs for all devices. The FortiAnalyzer unit will be configured to monitor for two or more events in an hour. The FortiAnalyzer unit will send a message to the administrator using email.
config system event
edit new_event
set all-devices all
set event-time-period 1
set num-events 2
set severity-level-event-logs warning
config alert-destination
edit 0
set smtp-name companyserver
set from f_analyzer@example.com
set to admin@example.com
set type mail
end
end
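The alert logic these keywords describe, as an added example that is not Fortinet's code: the severity-level-<type>-logs value and its -comp operator select matching records, and the event fires when num-events of them fall within event-time-period. It assumes event-time-period is in hours (the example above pairs event-time-period 1 with "in an hour"); the log records, device names and function names are constructed for the example.

```python
"""Evaluate a FortiAnalyzer alert event (config system event) against log
records. Added example; not Fortinet code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Severity levels in the order this reference lists them, lowest first.
SEVERITIES = ["information", "notify", "warning", "error", "critical", "alert", "emergency"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# A log record: (seconds since an arbitrary start, device name, log type, severity).
LogRecord = Tuple[int, str, str, str]


def severity_matches(log_level: str, rule_level: str, comp: str) -> bool:
    """Apply a severity-level-<type>-comp operator ('>=', '=' or '<=')."""
    a, b = RANK[log_level], RANK[rule_level]
    if comp == ">=":
        return a >= b
    if comp == "=":
        return a == b
    if comp == "<=":
        return a <= b
    raise ValueError(f"unknown comparison operator: {comp}")


@dataclass(frozen=True)
class AlertEvent:
    name: str
    log_type: str                    # "event", "attack", "av", "traffic", ...
    level: str                       # severity-level-<type>-logs
    comp: str = "="                  # severity-level-<type>-comp (default =)
    num_events: int = 1              # num-events (default 1)
    event_time_period: float = 0.5   # assumed to be in hours (default 0.5)
    devices: Optional[FrozenSet[str]] = None  # None means all-devices all


def first_fire_time(rule: AlertEvent, logs: List[LogRecord]) -> Optional[int]:
    """Return the timestamp at which the rule first fires, or None.

    The rule fires once num_events matching records fall inside a window of
    event_time_period hours; the last record of the earliest such window is returned.
    """
    times = sorted(
        ts for ts, device, log_type, level in logs
        if log_type == rule.log_type
        and severity_matches(level, rule.level, rule.comp)
        and (rule.devices is None or device in rule.devices)
    )
    window = rule.event_time_period * 3600
    n = rule.num_events
    for i in range(len(times) - n + 1):
        if times[i + n - 1] - times[i] <= window:
            return times[i + n - 1]
    return None


# Constructed sample records; times are seconds after an arbitrary start.
SAMPLE_LOGS: List[LogRecord] = [
    (0, "fgt1", "event", "warning"),
    (600, "fgt1", "event", "information"),  # below warning
    (5400, "fgt2", "event", "warning"),      # 90 min after the first warning
    (7200, "fgt1", "attack", "critical"),    # different log type
    (8100, "fgt1", "event", "error"),        # counts only with comp ">="
    (8400, "fgt2", "event", "warning"),      # 50 min after the second warning
]

# The new_event rule from the example above: warning event logs, all
# devices, two or more events within one hour.
NEW_EVENT = AlertEvent("new_event", "event", "warning", "=", 2, 1.0)

if __name__ == "__main__":
    print(first_fire_time(NEW_EVENT, SAMPLE_LOGS))
```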
History
3.0 MR7
Added mail_server_vd keyword.
4.0
Added severity-level-dlp-logs and severity-level-dlp-comp
keywords.
alert-console
Use this command to set the alert console options for the dashboard.
Syntax
config system alert_console
set severity_level {information | notify | warning | error | critical | alert | emergency}
set period {1 | 2 | 3 | 4 | 5 | 6 | 7}
end
Keywords and variables
severity_level {information | notify | warning | error | critical | alert | emergency}
    Set the alert level to display in the alert console listing. No default.
period {1 | 2 | 3 | 4 | 5 | 6 | 7}
    Set the number of days the alert console keeps the alert messages. No default.
Example
You could set alert console to maintain 5 days’ worth of warning level alert messages.
config system alert_console
set period 5
set severity_level warning
end
auto-delete
Use this command to automatically remove reports, content archives, and local logs at specific times.
Syntax
config system auto-delete
config regular-auto-deletion
set status {enable | disable}
set when {days | hours | months | weeks}
set value <age_int>
end
config analyzer-auto-deletion
set status {enable | disable}
set when {days | hours | months | weeks}
set value <age_int>
end
config local-auto-deletion
set status {enable | disable}
set when {days | hours | months | weeks}
set value <age_int>
end
config report-auto-deletion
set status {enable | disable}
set when {days | hours | months | weeks}
set value <age_int>
end
config content-files-auto-deletion
set status {enable | disable}
set when {days | hours | months | weeks}
set value <age_int>
end
end
Keywords and variables
regular-auto-deletion
    Enter to configure automatic deletion of device log files.
    Default: none.
analyzer-auto-deletion
    Enter to configure automatic deletion of Network Analyzer log files.
    Default: none.
local-auto-deletion
    Enter to configure automatic deletion of the FortiAnalyzer unit's own log files.
    Default: none.
report-auto-deletion
    Enter to configure automatic deletion of report files.
    Default: none.
content-files-auto-deletion
    Enter to configure automatic deletion of content archive files. This command does not delete the associated content logs, which use the same automatic deletion settings as other device log files (see regular-auto-deletion).
    Default: none.
Each of the five sub-commands above takes the same three keywords:
status {enable | disable}
    Enable or disable automatic file deletion based on age. If you select enable, also configure value and when.
    Default: disable.
when {days | hours | months | weeks}
    Select the unit of time for the maximum age of the files. Also configure value. This keyword appears only when status is enable.
    Default: none.
value <age_int>
    Select a value for the maximum age of the files, in the unit chosen with when. Also configure when. This keyword appears only when status is enable.
    Default: none.
Example
This example shows how to set the FortiAnalyzer unit to delete its own local logs once they are more than 40 hours old.
config system auto-delete
config local-auto-deletion
set status enable
set when hours
set value 40
end
History
4.0    New.

fortiguard
Use this command to configure FortiGuard services, including vulnerability management settings such as the proxy server and the schedule for vulnerability management updates.
Syntax
config system fortiguard
set fds-override-enabled [enable | disable]
set fds-override-addr <ip_address>
set vm-schedule [enable | disable]
set vm-frequency [every | daily | weekly]
set vm-day [sun | mon | tue | wed | thu | fri | sat]
set vm-hour <hour>
set vm-minute <minutes>
set vm-proxy [enable | disable]
set vm-proxy-ip <ip_address>
set vm-proxy-port <port_number>
set vm-proxy-user <user_name>
set vm-proxy-passwd <user_password>
set vm-auto-stat [enable | disable]
end
Keywords and variables
fds-override-enabled [enable | disable]
    Enable to configure an FDS override server.
    Default: disable.
fds-override-addr <ip_address>
    Enter the IP address of the FDS override server. This keyword appears only after fds-override-enabled is set to enable.
    Default: none.
vm-schedule [enable | disable]
    Enable to configure a schedule for updating vulnerability management services.
    Default: disable.
vm-frequency [every | daily | weekly]
    Enter every, daily, or weekly to set how often vulnerability management updates occur.
    Default: weekly.
vm-day [sun | mon | tue | wed | thu | fri | sat]
    If you chose weekly, enter the day of the week on which vulnerability management services are updated.
    Default: sun.
vm-hour <hour>
    Enter the hour at which to update the vulnerability management services, from 0 to 23.
    Default: 1.
vm-minute <minutes>
    Enter the minute at which to update the vulnerability management services, from 0 to 59.
    Default: 0.
vm-proxy [enable | disable]
    Enable to use an SSL proxy server when updating vulnerability management services.
    Default: disable.
vm-proxy-ip <ip_address>
    Enter the IP address of the SSL proxy server.
    Default: none.
vm-proxy-port <port_number>
    Enter the port of the SSL proxy server.
    Default: 8080.
vm-proxy-user <user_name>
    Enter the user name for logging in to the SSL proxy server.
    Default: none.
vm-proxy-passwd <user_password>
    Enter the password for logging in to the SSL proxy server.
    Default: none.
vm-auto-stat [enable | disable]
    Enable or disable the automatically generated report on the state of vulnerability management.
    Default: enable.
Example
This example shows how to configure a daily vulnerability management update schedule and disable the automatically generated vulnerability report.
config system fortiguard
set vm-schedule enable
set vm-frequency daily
set vm-hour 5
set vm-minute 20
set vm-auto-stat disable
end
History
4.0    New.

report
Use the report commands to configure report layouts and schedules, including output and filter templates.
language
output
filter
layout
schedule
language
Use this command to enter a description for a language that will be included in the report. You must import the language file before editing it. Use the command "execute import-lang" on page 138 to import the language.
Syntax
config report language
edit <language_name>
set description
end
Keywords and variables
edit <language_name>
    Enter the language you want to add a description to. The available languages are English, Simplified Chinese, Traditional Chinese, Japanese, and Spanish.
    Default: English.
description
    Enter a description for the language you selected. The limit is 127 lines.
    Default: the name of the language.
History
3.0 MR7    New.

output
Use this command to configure an output template to be used in a report schedule.
Syntax
config report output
edit <output_name>
set description
set email {enable | disable}
set email-subject <string>
set email-body <string>
set email-attachment-name <attachment_name>
set email-attachment-compress {enable | disable}
set email-format {html | pdf | rtf | txt | mht | xml}
set upload {enable | disable}
set upload-server-type {ftp | sftp | scp}
set upload-server <class_ip>
set upload-user <user_name>
set upload-pass <password>
set upload-dir <dir_path>
set upload-delete {disable | enable}
set upload-compress {disable | enable}
end
Keywords and variables
edit <output_name>
    Enter a name for the output template.
    Default: none.
description
    Enter a description for the output template. This is optional. If you enter a description, do not use spaces between the words.
    Default: none.
email {enable | disable}
    Enable or disable sending the report to an email address. All email keywords appear after enabling this keyword.
    Default: disable.
email-subject <string>
    Enter a subject line for the email.
    Default: none.
email-body <string>
    Enter a message for the body of the email. Separate each word with an underscore (_).
    Default: none.
email-attachment-name <attachment_name>
    Enter a name for the report when it is sent as an email attachment.
    Default: none.
email-attachment-compress {enable | disable}
    Enable or disable compressing the report when it is sent in an email message.
    Default: disable.
email-format {html | pdf | rtf | txt | mht | xml}
    Enter the file type of the report when it is sent in an email message.
    Default: HTML.
upload {enable | disable}
    Enable or disable uploading the report to a specified server. All other upload keywords appear after enabling this keyword.
    Default: disable.
upload-server-type {ftp | sftp | scp}
    Enter the protocol to use when uploading to the server. FTP sends the login credentials and the report in cleartext; sftp and scp protect both in transit.
    Default: none.
upload-server <class_ip>
    Enter the IP address of the server to upload the report to.
    Default: none.
upload-user <user_name>
    Enter the user name for accessing the server.
    Default: none.
upload-pass <password>
    Enter the password for accessing the server.
    Default: none.
upload-dir <dir_path>
    Enter the directory path where the FortiAnalyzer unit saves the generated report on the server.
    Default: none.
upload-delete {disable | enable}
    Enable or disable deleting the completed report from the FortiAnalyzer unit's hard disk once it has been completely uploaded to the remote server.
    Default: disable.
upload-compress {disable | enable}
    Enable or disable gzip compression when uploading the completed report.
    Default: disable.
Example
The following example configures an output template that uploads the report to an FTP server. Because FTP carries the password and the report in cleartext, prefer sftp or scp wherever the receiving server supports them.
config report output
edit output_1
set description forbranchofficeuseonly
set upload enable
set upload-server-type ftp
set upload-server 10.10.16.155
set upload-user user_1
set upload-pass 2345789
set upload-dir c:\documents and settings\reports_faz
set upload-compress enable
end
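The following is an added example, not Fortinet code and not part of this reference. It shows how a saved copy of the configuration, containing the config system auto-delete section described earlier and the config report output section above, can be checked offline for two things a practitioner would want to catch: an automatic deletion age shorter than the retention window incident response needs, and an output template that uploads reports over cleartext FTP with a stored password. The sample configuration text, the 90-day minimum retention, the month-to-hours conversion and the finding wording are assumptions made for illustration; the parser accepts only the config/edit/set/next/end syntax shown in this reference, with every block explicitly closed, and it never connects to a FortiAnalyzer unit.

```python
"""Offline lint of a FortiAnalyzer-style CLI configuration dump (added example,
not Fortinet code). Flags auto-deletion ages below a retention policy and
report output templates that upload over cleartext FTP. All thresholds,
wording and the sample text are assumptions."""
from __future__ import annotations

import shlex

# Constructed sample: the reference's 40-hour local-log deletion, a 3-month
# report deletion, an FTP output template and an SFTP one.
SAMPLE_CONFIG = """\
config system auto-delete
    config local-auto-deletion
        set status enable
        set when hours
        set value 40
    end
    config report-auto-deletion
        set status enable
        set when months
        set value 3
    end
end
config report output
    edit output_1
        set upload enable
        set upload-server-type ftp
        set upload-server 10.10.16.155
        set upload-user user_1
        set upload-pass 2345789
    next
    edit output_2
        set upload enable
        set upload-server-type sftp
        set upload-server 10.10.16.156
    next
end
"""

# Assumed conversion of the 'when' units to hours (a month is taken as 30 days).
HOURS_PER_UNIT = {"hours": 1, "days": 24, "weeks": 24 * 7, "months": 24 * 30}
# Assumed policy: logs and reports must survive at least 90 days.
MIN_RETENTION_HOURS = 90 * 24


def parse_config(text: str) -> dict:
    """Parse config/edit/set/next/end blocks into nested dicts.

    'config X' opens a table stored under "config X"; 'edit Y' opens an entry
    under "edit Y"; 'set K V ...' stores the values as a list; 'next' and 'end'
    each close the innermost open block, so every block must be closed.
    """
    root: dict = {}
    stack: list[dict] = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword in ("config", "edit"):
            block = stack[-1].setdefault(f"{keyword} {' '.join(tokens[1:])}", {})
            stack.append(block)
        elif keyword == "set" and len(tokens) >= 2:
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"'{keyword}' with no open block")
            stack.pop()
        else:
            raise ValueError(f"unrecognised line: {raw.strip()!r}")
    if len(stack) != 1:
        raise ValueError("configuration ends inside an open block")
    return root


def retention_hours(table: dict) -> int | None:
    """Maximum file age for one *-auto-deletion table, or None if it is disabled."""
    if table.get("status", ["disable"])[0] != "enable":
        return None
    return int(table["value"][0]) * HOURS_PER_UNIT[table["when"][0]]


def check_auto_delete(cfg: dict, minimum_hours: int = MIN_RETENTION_HOURS) -> list[str]:
    """Flag every enabled auto-deletion whose age is below the retention policy."""
    findings = []
    for key, table in cfg.get("config system auto-delete", {}).items():
        hours = retention_hours(table)
        if hours is not None and hours < minimum_hours:
            findings.append(f"{key.split()[1]}: files deleted after {hours} h, "
                            f"policy requires {minimum_hours} h")
    return findings


def check_report_output(cfg: dict) -> list[str]:
    """Flag output templates that upload over FTP: password and report travel in cleartext."""
    findings = []
    for key, entry in cfg.get("config report output", {}).items():
        if entry.get("upload", ["disable"])[0] != "enable":
            continue
        if entry.get("upload-server-type", [""])[0] == "ftp":
            findings.append(f"{key.split()[1]}: uploads over cleartext FTP to "
                            f"{entry.get('upload-server', ['?'])[0]}; use sftp or scp")
    return findings


def lint(text: str) -> list[str]:
    """Parse the dump and return all findings in configuration order."""
    cfg = parse_config(text)
    return check_auto_delete(cfg) + check_report_output(cfg)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the script reports the 40-hour local-log window (the 3-month report window passes the assumed 90-day policy exactly) and the FTP template output_1, while output_2 over sftp is silent. The same parse tree can be extended with further checks, for example an alert-console period shorter than the auto-deletion age, without touching the parser.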
History
3.0 MR7    New.

filter
Use this command to configure a filter template to be used with a report schedule.
Syntax
config report filter
edit <filter_name>
set description <string>
set filter-logic {all | any}
set filter-priority {emergency | alert | critical | error | warning | notification | information | debug}
set filter-iwday {sun | mon | tue | wed | thu | fri | sat}
set filter-src <source_ip_address>
set filter-dst <destination_ip_address>
set filter-interface <network_interface>
set filter-policyid <firewallpolicy_number>
set filter-service <service_name>
set filter-email-domain <domain_name>
set filter-email-direction <direction_name>
set filter-web-category [<number_1> | <number_2> | <number_3> ...]
set filter-generic <generic_text>
end
Keywords and variables
edit <filter_name>
    Enter a name for the filter template.
    Default: none.
description <string>
    Enter a description of the filter template. This is optional.
    Default: none.
filter-logic {all | any}
    Enter the filter logic for the filter template. If you select all, only logs that match all of the filter criteria are included in the report. If you select any, only logs that match at least one of the filter criteria are included.
    Default: none.
filter-priority {emergency | alert | critical | error | warning | notification | information | debug}
    Enter the priority level for the filter template. You can enter multiple priority levels, separated by a space.
    Default: none.
filter-iwday {sun | mon | tue | wed | thu | fri | sat}
    Enter a day of the week for filtering. You can enter multiple days, separated by a space.
    Default: none.
filter-src <source_ip_address>
    Enter the source IP address or multiple source IP addresses.
    Default: none.
filter-dst <destination_ip_address>
    Enter the destination IP address or multiple destination IP addresses.
    Default: none.
filter-interface <network_interface>
    Enter the network interface or multiple network interfaces whose matching logs to include.
    Default: none.
filter-policyid <firewallpolicy_number>
    Enter the FortiGate firewall policy ID numbers whose matching logs to include.
    Default: none.
filter-service <service_name>
    Enter the service whose matching logs to include.
    Default: none.
filter-email-domain <domain_name>
    Enter a domain name to filter email messages by the domain of either the sender or the receiver. This is used only for FortiMail logs.
    Default: none.
filter-email-direction <direction_name>
    Enter the direction of the email messages to filter on, either out or unknown.
    Default: none.
filter-web-category [<number_1> | <number_2> | <number_3> ...]
    Enter web categories by number. Numbers 1 to 90 represent each web category, including sub-categories. Separate each number with a comma. For example, if you enter 1,2, the first web category, Potentially Liable, is selected, as well as the first two sub-categories within Potentially Liable, Drug Abuse and Occult. Fortinet recommends reviewing the web-based manager to verify that the applicable web categories are selected.
    Default: none.
filter-generic <generic_text>
    Enter both the keyword and the value for the generic filter list. Do not include a space between the keyword and the value.
    Default: none.
Example
The following example configures a new filter template for use in a report schedule.
config report filter
edit filter_1
set description for_branch_office_use_only
set filter-logic all
set filter-priority emergency critical warning
set filter-iwday mon wed fri
set filter-interface port1,port2,port3
set filter-web-category 1,2,3,11,7,8.5
set filter-generic june1
end
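The following is an added example, not Fortinet code and not the FortiAnalyzer report engine's own implementation. It models the matching semantics this reference describes for a filter template, using filter_1 from the example above: each populated criterion matches when the log record's field is one of the listed values, and filter-logic decides whether every criterion (all) or at least one (any) must match. The FortiGate-style key=value log lines, the mapping from filter keywords to log fields, and the treatment of filter-iwday as the weekday of the record's date field are all assumptions made for illustration.

```python
"""Apply a report filter template to FortiGate-style key=value log records
(added example, not Fortinet code). Models the all/any semantics described
for config report filter; log lines and field mapping are assumptions."""
from __future__ import annotations

import shlex
from datetime import date

# Constructed log lines: Mon 4 May, Tue 5 May and Wed 6 May 2009.
SAMPLE_LOGS = [
    "date=2009-05-04 time=10:15:02 level=warning srcip=10.1.1.5 dstip=192.0.2.10 "
    "srcintf=port1 policyid=3 service=HTTP",
    "date=2009-05-05 time=11:00:00 level=information srcip=10.1.1.6 dstip=192.0.2.11 "
    "srcintf=port2 policyid=4 service=DNS",
    "date=2009-05-06 time=12:30:45 level=critical srcip=10.1.1.7 dstip=192.0.2.12 "
    "srcintf=port5 policyid=9 service=SSH",
    'date=2009-05-06 time=12:31:00 level=emergency srcip=10.1.1.8 dstip=192.0.2.13 '
    'srcintf=port1 policyid=3 service="HTTPS"',
]

# The reference's filter_1 template, expressed as sets of accepted values.
FILTER_1 = {
    "filter-logic": "all",
    "filter-priority": {"emergency", "critical", "warning"},
    "filter-iwday": {"mon", "wed", "fri"},
    "filter-interface": {"port1", "port2", "port3"},
}

WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # date.weekday(): Monday is 0

# Assumed mapping from filter keywords to the log field each one tests.
FIELD_FOR = {
    "filter-priority": "level",
    "filter-src": "srcip",
    "filter-dst": "dstip",
    "filter-interface": "srcintf",
    "filter-policyid": "policyid",
    "filter-service": "service",
}


def parse_log_line(line: str) -> dict[str, str]:
    """Split a key=value log line into a dict; shlex strips quoted values."""
    record = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        record[key] = value
    return record


def weekday_of(record: dict[str, str]) -> str:
    """Three-letter weekday of the record's date field (yyyy-mm-dd)."""
    year, month, day = (int(part) for part in record["date"].split("-"))
    return WEEKDAYS[date(year, month, day).weekday()]


def matches(template: dict, record: dict[str, str]) -> bool:
    """Evaluate every populated criterion, then combine them with filter-logic."""
    results = []
    for keyword, accepted in template.items():
        if keyword == "filter-logic":
            continue
        if keyword == "filter-iwday":
            results.append(weekday_of(record) in accepted)
        elif keyword in FIELD_FOR:
            results.append(record.get(FIELD_FOR[keyword]) in accepted)
        else:
            raise ValueError(f"unsupported filter keyword {keyword!r}")
    if not results:
        return True  # a template with no criteria excludes nothing
    combine = all if template.get("filter-logic", "all") == "all" else any
    return combine(results)


def select(template: dict, lines: list[str]) -> list[dict[str, str]]:
    """Return the parsed records a report built with this template would include."""
    return [record for record in map(parse_log_line, lines) if matches(template, record)]


if __name__ == "__main__":
    for record in select(FILTER_1, SAMPLE_LOGS):
        print(record["date"], weekday_of(record), record["level"], record["srcintf"])
```

With filter-logic all, only the Monday and Wednesday records arriving on port1 survive. Switching the same template to any admits every sample line, because the Tuesday information-level record is on port2, which alone satisfies the interface criterion. That is the practical caveat behind the all/any choice: an any template with a broad interface or day list reports far more than its priority list suggests.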
History
3.0 MR7    New.

layout
Use this command to configure the layout for the generated report. The report layout includes charts,
devices, and if applicable, filter templates.
Syntax
config report layout
edit <layout_name>
set title <title_name>
set description <string>
set dev-type {FortiGate | FortiClient | FortiMail}
set obfuscate-user {enable | disable}
set include-no-data {enable | disable}
set include-summary {enable | disable}
set table-of-content {enable | disable}
set company <name_company>
set header-comment <comment_str>
set footer-options {report-title | custom}
set header-logo-file <directory_path>
set title-logo-file <directory_path>
config object
edit <obj_id>
set type [chart | section | text]
set category [FortiGate {fgt-intrusion | fgt-antivirus | fgt-webfilter | fgt-mailfilter | fgt-im | fgt-content | fgt-network | fgt-web | fgt-mail | fgt-ftp | fgt-terminal | fgt-vpn | fgt-event | fgt-p2p | fgt-voip}] [FortiClient {fct-antivirus | fct-network | fct-webfilter | fct-mailfilter}] [FortiMail {fml-highlevel | fml-mail | fml-spam | fml-virus}]
set name [<chart_name1> | <chart_name2> | <chart_name3> ...]
set order <integer>
set table-graph [all | table | graph]
set style [pie | bar | line]
set topn <integer>
set table-top2 <integer>
set device-mode [variable | specify]
set devices [<device_1> | <device_2> | <device_3> ...]
set vd-mode [variable | specify]
set vd <virtual_domain_name>
set user-mode [variable | specify]
set user <user_name>
set group-mode [variable | specify]
set group <group_name>
set filter-mode [variable | specify]
set filter <filter_name>
set period-mode [variable | specify]
set period-type [today | yesterday | last-n-hours | this-week | last-7-days | last-n-days | last-2-weeks | last-14-days | this-month | last-30-days | last-n-weeks | this-quarter | last-quarter | this-year | other]
set period-opt [dev | faz]
set include-referrals [enable | disable]
set source-id [user | ip | both]
set resolve-host [enable | disable]
set resolve-service [enable | disable]
set ldap-query [enable | disable]
set ldap-server <server_name>
end
end
Keywords and variables
edit <layout_name>
    Enter a name for the report layout (also called the report profile).
    Default: none.
title <title_name>
    Enter the title of the report.
    Default: none.
description <string>
    Enter a description for the report layout. This is optional.
    Default: none.
dev-type {FortiGate | FortiClient | FortiMail}
    Enter the type of device the log information will come from.
    Default: none.
obfuscate-user {enable | disable}
    Enable to obfuscate user names in the generated report.
    Default: disable.
include-no-data {enable | disable}
    Enable to include, or disable to hide, reports that are empty because there is no matching log data.
    Default: disable.
include-summary {enable | disable}
    Enable or disable including a summary of the report information.
    Default: enable.
table-of-content {enable | disable}
    Disable to omit the table of contents at the beginning of each chart category.
    Default: enable.
company <name_company>
    Enter the name of the company or organization. This is optional.
    Default: none.
header-comment <comment_str>
    Enter the text to appear in the header of the report.
    Default: none.
footer-options {report-title | custom}
    Enter report-title to use the title of the report as the footer, or custom to customize the footer.
    Default: none.
header-logo-file <directory_path>
    Enter the path and file name of the small logo to use in the header. The logo is uploaded to the FortiAnalyzer hard disk. Choose a logo format supported by the report format; if the logo format is not supported for a report format, the logo does not appear in that report:
    • PDF reports: JPG and PNG
    • RTF reports: JPG, PNG, GIF, and WMF
    • HTML reports: all bitmap formats
    Default: none.
title-logo-file <directory_path>
    Enter the path and file name of the small logo to use in the title. The logo is uploaded to the FortiAnalyzer hard disk. The same logo format restrictions as for header-logo-file apply.
    Default: none.
config object
Use this sub-command to configure the charts that will be used in the report layout.
config object
edit <obj_id>
set type [chart | section | text]
set category [FortiGate {fgt-intrusion | fgt-antivirus | fgt-webfilter | fgt-mailfilter | fgt-im | fgt-content | fgt-network | fgt-web | fgt-mail | fgt-ftp | fgt-terminal | fgt-vpn | fgt-event | fgt-p2p | fgt-voip}] [FortiClient {fct-antivirus | fct-network | fct-webfilter | fct-mailfilter}] [FortiMail {fml-highlevel | fml-mail | fml-spam | fml-virus}]
set name [<chart_name1> | <chart_name2> | <chart_name3> ...]
set order <integer>
set table-graph [all | table | graph]
set style [pie | bar | line]
set topn <integer>
set table-top2 <integer>
set device-mode [variable | specify]
set devices [<device_1> | <device_2> | <device_3> ...]
set vd-mode [variable | specify]
set vd <virtual_domain_name>
set user-mode [variable | specify]
set user <user_name>
set group-mode [variable | specify]
set group <group_name>
set filter-mode [variable | specify]
set filter <filter_name>
set period-mode [variable | specify]
set period-type [today | yesterday | last-n-hours | this-week | last-7-days | last-n-days | last-2-weeks | last-14-days | this-month | last-30-days | last-n-weeks | this-quarter | last-quarter | this-year | other]
set period-opt [dev | faz]
set include-referrals [enable | disable]
set source-id [user | ip | both]
set resolve-host [enable | disable]
set resolve-service [enable | disable]
set ldap-query [enable | disable]
set ldap-server <server_name>
end
Keywords and variables
edit <obj_id>
    Enter the sequential number of the chart object you want to add to the report layout. For example, 1 puts the first configured chart at the top, and 2 puts the second configured chart under the first.
    Default: none.
type [chart | section | text]
    Enter to configure charts, section titles, or text inserts for the report layout. When you choose section or text, only the following keywords are available: type, order, title, description.
    Default: none.
category [FortiGate {fgt-intrusion | fgt-antivirus | fgt-webfilter | fgt-mailfilter | fgt-im | fgt-content | fgt-network | fgt-web | fgt-mail | fgt-ftp | fgt-terminal | fgt-vpn | fgt-event | fgt-p2p | fgt-voip}] [FortiClient {fct-antivirus | fct-network | fct-webfilter | fct-mailfilter}] [FortiMail {fml-highlevel | fml-mail | fml-spam | fml-virus}]
    Enter a chart category. For example, if you are creating a report layout for a FortiGate unit, the dev-type would be FortiGate, and the charts available to you would be the FortiGate charts, such as fgt-intrusion and fgt-antivirus. You can choose only the chart categories available for the chosen device type; for example, if you chose FortiClient, only the FortiClient chart categories are available.
    After choosing a chart category, add the charts you want to include from that category. For example, after selecting the fgt-antivirus category, enter set name ? to view all available charts for that category, then select a chart. You can enter only one chart at a time.
    Default: none.
name [<chart_name1> | <chart_name2> | <chart_name3> ...]
    Enter the names of the charts you want included from that category. Enter each chart separately: after set name <chart_name1>, press Enter and then go on to the next name.
    Default: none.
order <integer>
    Enter a number to place the chart in the order you want.
    Default: none.
table-graph [all | table | graph]
    Enter to display a table, a graph, or both.
    Default: all.
style [pie | bar | line]
    Enter the chart style. For example, if you select bar, a bar graph displays for the selected charts.
    Default: bar.
topn <integer>
    Enter a number to show the top X values in the chart table for the primary variable. This number also limits the number of values in the graph.
    Note: With the pie chart style, any item whose percentage is less than one percent does not appear as its own slice in the pie diagram; if no item's percentage is greater than one percent, "Other" occupies 100 percent of the pie diagram. For example, if you enter five, any of the five items with less than one percent are counted under "Other", and only "Other" displays on the pie diagram.
    Default: none.
table-top2 <integer>
    Enter a number to show the top Y values in the chart table for the secondary variable.
    Default: none.
device-mode [variable | specify]
    Enter the device specification mode. If you select specify, the devices keyword appears, which lets you specify the devices to include.
    Default: variable.
devices [<device_1> | <device_2> | <device_3> ...]
    Enter the specific devices to include in the report, for example both a FortiMail-400 unit and a FortiMail-2000 unit. This keyword is available only when device-mode is set to specify.
    Default: none.
vd-mode [variable | specify]
    Enter to specify whether to include a specific virtual domain in the report.
    Default: variable.
vd <virtual_domain_name>
    Enter the virtual domain that you want included in the report.
    Default: none.
user-mode [variable | specify]
    Enter to specify whether to include a specific user in the report.
    Default: variable.
user <user_name>
    Enter the name of the user to include in the report. This keyword is available only when user-mode is set to specify.
    Default: none.
group-mode [variable | specify]
    Enter to specify whether to include a specific group in the report.
    Default: variable.
group <group_name>
    Enter the name of the group to include in the report. This keyword is available only when group-mode is set to specify.
    Default: none.
filter-mode [variable | specify]
    Enter to specify whether to apply a specific filter template to the report.
    Default: variable.
filter <filter_name>
    Enter the name of the filter template to use for the report. This keyword is available only when filter-mode is set to specify.
    Default: none.
period-mode [variable | specify]
    Enter to specify whether to include a specific time period in the report.
    Default: variable.
period-type [today | yesterday | last-n-hours | this-week | last-7-days | last-n-days | last-2-weeks | last-14-days | this-month | last-30-days | last-n-weeks | this-quarter | last-quarter | this-year | other]
    Enter the time period that the charts report on. This keyword is available only when period-mode is set to specify.
    Default: none.
period-opt [dev | faz]
    Enter whether the time period is based on the device's time or on the FortiAnalyzer unit's time. If you choose the FortiAnalyzer unit's time, the period is based on when the logs were received.
    Default: none.
include-referrals [enable | disable]
    Enter to include HTTP referrals.
    Default: disable.
source-id [user | ip | both]
    Enter which source identity to include: only the user name, only the IP address, or both. This keyword appears if a chart that contains sources is entered.
    Default: both.
resolve-host [enable | disable]
    Enable to resolve host IP addresses into host names in chart results.
    Default: disable.
resolve-service [enable | disable]
    Enable to resolve port numbers into service names in chart results.
    Default: disable.
ldap-query [enable | disable]
    Enable to use an LDAP server for the report. When enabled, the ldap-server keyword appears.
    Default: disable.
ldap-server <server_name>
    Enter the LDAP server for the report. This keyword is available only when ldap-query is enabled.
    Default: none.
Example
The following example configures a report layout with a single chart object that includes every chart in the fgt-intrusion category.
config report layout
edit layout_1
set title report_1
set description for_branch_office
set dev-type FortiGate
set obfuscate-user enable
set table-of-content enable
set company A_company
set footer-options report-title
set header-logo-file c:/Company/marketing/marketing_pics/company_pic_1
set title-logo-file c:/Company/marketing/marketing_pics/company_pic_2
config object
edit 1
set type chart
set category fgt-intrusion
set name attacks-type
set name attacks-cat-type
set name attacks-ts
set name attacks-td
set name attacks-time
set name attacks-proto
set name attacks-dir-type
set name attacks-ips-type
set name attacks-proto-type
set name attacks-dir-ip
set name attacks-type-ip
set name attacks-dst-ip
set name attacks-dst-type
set name attacks-dev-type
set name attacks-dev
set name attacks-type-dev
set order 3
set table-graph table
set style pie
set topn 5
set table-top2 10
set device-mode specify
set devices FGT-602906512797
set filter-mode specify
set filter filter_1
set include-other enable
set period-mode specify
set period-type last-2-weeks
set period-opt dev
set resolve-host enable
set resolve-service enable
end
end
History
3.0 MR7    New.

schedule
Use this command to configure report schedules.
Note: A report schedule combines an output template with its own selected file formats. Only the file formats that are enabled in both the output template (output-profile) and the schedule's format setting are sent by email. For example, if PDF and Text are selected in the output template and PDF and MHT are selected in the report schedule, the email attachment is a PDF.
Syntax
config report schedule
edit <schedule_name>
set description <comment_string>
set layout <reportlayout_name>
set language <language_name>
set format {html | pdf | rtf | txt | mht | xml}
set output-profile <output_name>
set devices <device_name>
set vd <virtual_domain_name>
set user <user_name>
set group <group_name>
set ldap-query {enable | disable}
set ldap-server <ipv4>
set filter <filter_name>
set type {empheral | demand | once | daily | days | dates}
set dates {1-31}
set days {sun | mon | tue | wed | thu | fri | sat}
set time <hh:mm>
set valid-start <hh:mm yyyy/mm/dd>
set valid-end <hh:mm yyyy/mm/dd>
set period-type {today | yesterday | last-n-hours | this-week | last-7-days | last-n-days | last-2-weeks | last-14-days | this-month | last-month | last-30-days | last-n-weeks | this-quarter | last-quarter | this-year | other}
set period-opt {dev | faz}
end
Keywords and variables
edit <schedule_name>
    Enter a name for the schedule.
    Default: none.
description <comment_string>
    Enter a comment or description for the schedule. This is optional.
    Default: none.
layout <reportlayout_name>
    Enter the report layout (report profile) to associate with the schedule.
    Default: none.
language <language_name>
    Enter the language to associate with the schedule.
    Default: the default language of the FortiAnalyzer unit.
format {html | pdf | rtf | txt | mht | xml}
    Enter the format type for the generated report. Fortinet recommends choosing the HTML format because the FortiAnalyzer unit does not send the report unless it is in HTML.
    Default: HTML.
output-profile <output_name>
    Enter the output template to associate with the schedule.
    Default: none.
devices <device_name>
    Enter the device name or device group name to report on for the variable charts.
    Default: none.
vd <virtual_domain_name>
    Enter the virtual domain or domains to report on for the variable charts.
    Default: none.
user <user_name>
    Enter the name of the user to report on for the variable charts.
    Default: none.
group <group_name>
    Enter the name of the group to report on for the variable charts.
    Default: none.
ldap-query {enable | disable}
    Enable or disable using an LDAP query to resolve user names.
    Default: disable.
ldap-server <ipv4>
    Enter the IP address of the LDAP server. This keyword appears when ldap-query is enabled.
    Default: none.
filter <filter_name>
    Enter the filter template to associate with the report schedule. This is optional.
    Default: none.
type {empheral | demand | once | daily | days | dates}
    Enter the type of schedule on which the FortiAnalyzer unit generates the report. For example, to generate the report only once, select once; to generate it on the 5th, 7th, and 20th of every month, select dates.
    Default: once.
dates {1-31}
    Available when type is dates. Enter the dates of the month on which the report is generated.
    Default: none.
days {sun | mon | tue | wed | thu | fri | sat}
    Available when type is days. Enter the days of the week on which the report is generated.
    Default: none.
time <hh:mm>
    Enter the time in the format hh:mm.
    Default: none.
valid-start <hh:mm yyyy/mm/dd>
    Enter the start date and time for the report schedule.
    Default: none.
valid-end <hh:mm yyyy/mm/dd>
    Enter the end date and time for the report schedule.
    Default: none.
period-type {today | yesterday | last-n-hours | this-week | last-7-days | last-n-days | last-2-weeks | last-14-days | this-month | last-month | last-30-days | last-n-weeks | this-quarter | last-quarter | this-year | other}
    Enter the time period the chart reports are based on.
    Default: none.
period-opt {dev | faz}
    Enter dev to base the time period on the selected devices' time. Enter faz to base it on when the FortiAnalyzer unit receives the logs from the devices.
    Default: none.
Example
The following example configures a report schedule and includes the report profile, filter and output templates.
config report schedule
edit schedule_1
set layout report_1
set language English
set format html pdf
set output-profile output_1
set filter filter_1
set type dates
set dates 1,5,30
set time 01:30
set period-type this-month
set period-opt dev
end
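The following Python script is an added example and is not part of the FortiAnalyzer CLI Reference. It checks a report schedule entry for the consistency rules implied by the keyword table (a dates schedule needs dates in 1-31, a days schedule needs weekdays, time must be hh:mm, valid-start must precede valid-end, ldap-query enable needs ldap-server, and html should be among the formats because the unit does not send the report otherwise) and then renders the entry as CLI lines. The dict layout, the function names and the individual checks are assumptions made for this example.

```python
"""Check a 'config report schedule' entry for consistency before applying it.

Added example; this is not code from the FortiAnalyzer CLI Reference. The
keyword names and value sets come from the schedule keyword table; the dict
layout, the function names and the checks are assumptions made for this
example (for instance, that a dates schedule must carry dates).
"""
import re
from datetime import datetime

SCHEDULE_TYPES = {"empheral", "demand", "once", "daily", "days", "dates"}
WEEKDAYS = {"sun", "mon", "tue", "wed", "thu", "fri", "sat"}
FORMATS = {"html", "pdf", "rtf", "txt", "mht", "xml"}
PERIOD_TYPES = {
    "today", "yesterday", "last-n-hours", "this-week", "last-7-days",
    "last-n-days", "last-2weeks", "last-14-days", "this-month", "last-month",
    "last-30-days", "last-nweeks", "this-quarter", "last-quarter",
    "this-year", "other",
}
TIME_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")   # the <hh:mm> form
VALID_FMT = "%H:%M %Y/%m/%d"                          # the <hh:mm yyyy/mm/dd> form


def validate_schedule(sched):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []
    stype = sched.get("type", "once")            # documented default is once
    if stype not in SCHEDULE_TYPES:
        problems.append(f"unknown type {stype!r}")
    # dates and days are only read for the matching type, and that type needs them
    if stype == "dates":
        dates = sched.get("dates", [])
        if not dates or any(not 1 <= d <= 31 for d in dates):
            problems.append("type dates requires dates in the range 1-31")
    elif stype == "days":
        days = sched.get("days", [])
        if not days or not set(days) <= WEEKDAYS:
            problems.append("type days requires one or more of sun..sat")
    if stype in ("daily", "days", "dates") and not TIME_RE.match(sched.get("time", "")):
        problems.append("time must be given as hh:mm (24-hour clock)")
    formats = sched.get("format", ["html"])      # documented default is html
    for fmt in formats:
        if fmt not in FORMATS:
            problems.append(f"unknown format {fmt!r}")
    if "html" not in formats:
        # the reference notes that the unit does not send the report unless it is in HTML
        problems.append("format should include html, otherwise the report is not sent")
    start, end = sched.get("valid-start"), sched.get("valid-end")
    if start and end:
        try:
            if datetime.strptime(start, VALID_FMT) >= datetime.strptime(end, VALID_FMT):
                problems.append("valid-start must be earlier than valid-end")
        except ValueError:
            problems.append("valid-start and valid-end must be 'hh:mm yyyy/mm/dd'")
    if sched.get("ldap-query") == "enable" and not sched.get("ldap-server"):
        problems.append("ldap-query enable requires ldap-server")
    if "period-type" in sched and sched["period-type"] not in PERIOD_TYPES:
        problems.append(f"unknown period-type {sched['period-type']!r}")
    if "period-opt" in sched and sched["period-opt"] not in ("dev", "faz"):
        problems.append("period-opt must be dev or faz")
    return problems


def render_schedule(name, sched):
    """Render the entry as CLI lines, in the order the reference lists the keywords."""
    order = ("layout", "language", "format", "output-profile", "filter", "type",
             "dates", "days", "time", "valid-start", "valid-end",
             "period-type", "period-opt")
    lines = ["config report schedule", f"edit {name}"]
    for key in order:
        if key not in sched:
            continue
        value = sched[key]
        if isinstance(value, (list, tuple)):
            # the reference writes dates comma-separated and formats space-separated
            sep = "," if key == "dates" else " "
            value = sep.join(str(v) for v in value)
        lines.append(f"set {key} {value}")
    lines.append("end")
    return "\n".join(lines)


# Constructed sample: the schedule_1 entry from the example above, as a dict.
SAMPLE = {
    "layout": "report_1", "language": "English", "format": ["html", "pdf"],
    "output-profile": "output_1", "filter": "filter_1", "type": "dates",
    "dates": [1, 5, 30], "time": "01:30",
    "period-type": "this-month", "period-opt": "dev",
}

if __name__ == "__main__":
    for problem in validate_schedule(SAMPLE):
        print("problem:", problem)
    print(render_schedule("schedule_1", SAMPLE))
```

Run the validator on an entry before typing it in; an empty problem list means the keywords agree with each other, and the rendered block can be pasted into the CLI as-is.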
History
3.0 MR7
New.
nas
Users can save, store and access files on the FortiAnalyzer hard disk as an alternate means of storing
important files and work. Users can also access the reports and logs saved on the FortiAnalyzer hard disk.
Use nas commands to add and configure users, set access permissions and file sharing protocols.
group
share
nfs
user
protocol
group
Use this command to add a group for users and add or remove members from the group. When adding
groups, you must first add members using the config nas user command. For more information about
NAS users, see “user” on page 85.
Syntax
config nas group
edit <group_str>
set gid <groupid_int>
set members <usernames_str>
end
Keywords and variables

edit <group_str>
    Enter the name for the group.
    Default: No default.

gid <groupid_int>
    If the group uses NFS shares, enter a group ID.
    Default: No default.

members <usernames_str>
    Enter a list of the users to include in the group.
    Default: No default.
Example
The following commands add user_1 and user_2 to the group local_group.
config nas group
edit local_group
set members user_1 user_2
end
nfs
Use this command to configure NFS network share file permissions.
Syntax
config nas nfs
edit <path_str>
set ro <username_str>
set rw <username_str>
end
Keywords and variables

edit <path_str>
    Enter the name of the local path which is an NFS share.
    Default: No default.

ro <username_str>
    Enter a list of users with read-only access to the directory.
    Default: No default.

rw <username_str>
    Enter a list of users with read and write access to the directory.
    Default: No default.
Example
You could add the user User_1 to the local path /reports with read-only access.
config nas nfs
edit reports
set ro User_1
end
protocol
Use this command to enable either NFS or Windows file shares on the FortiAnalyzer unit.
Syntax
config nas protocol
set nfs {enabled | disabled}
set share {enabled | disabled}
set workgroup <workgroupname_str>
end
Keywords and variables

nfs {enabled | disabled}
    Enable or disable Network File Sharing (NFS) on the FortiAnalyzer.
    Default: disabled

share {enabled | disabled}
    Enable or disable Windows networking on the FortiAnalyzer. When enabled, also set the workgroup.
    Default: disabled

workgroup <workgroupname_str>
    If share is enabled, enter the name of the Windows workgroup.
    Default: No default.
Example
You could enable Windows networking with a workgroup named Co_Reports.
config nas protocol
set share enabled
set workgroup Co_Reports
end
share
Use this command to configure Windows network share file permissions and paths.
Note: You can only share folders below the /Storage folder.
Syntax
config nas share
edit <share_str>
set path <path_str>
set ro <name_str>
set rw <name_str>
end
Keywords and variables

edit <share_str>
    Enter the name of the network share.
    Default: No default.

path <path_str>
    Enter the name of the local networking path.
    Default: No default.

ro <name_str>
    Enter a list of users with read-only access to the directory.
    Default: No default.

rw <name_str>
    Enter a list of users with read and write access to the directory.
    Default: No default.
Example
The following example adds the user User_1 to the local path reports with read-only access.
config nas share
edit reports
set path reports
set ro User_1
end
user
Use this command to add and maintain users who can access the FortiAnalyzer hard disk.
Syntax
config nas user
edit <name_str>
set display <description_str>
set password <password_str>
set uid <userid_int>
end
Keywords and variables

edit <name_str>
    Enter the name of the user.
    Default: No default.

display <description_str>
    Enter a description for the user.
    Default: No default.

password <password_str>
    Enter the user's password.
    Default: No default.

uid <userid_int>
    Enter a user ID. Use this keyword only if you are using the NFS protocol. The NFS protocol uses the UID to determine the permissions on files and folders.
    Default: No default.
Example
The following example adds the user User_1 with a displayed description of A NAS user., a password
of passw0rd and a user id of 15.
config nas user
edit User_1
set display "A NAS user."
set password passw0rd
set uid 15
end
log
Use log commands to configure the logs, log-derived reports, and interaction of the FortiAnalyzer unit with
connected devices, including:
• device configuration and interaction
• how the FortiAnalyzer unit handles unregistered devices
• log settings for log rolling and uploading to a remote server
• configuring rolling and uploading of Network Analyzer logs
device
device-group
unregistered
settings
aggregation
forwarding
device
Caution: Changing the FortiGate unit’s FortiAnalyzer settings clears sessions to its FortiAnalyzer unit’s
IP address. If the FortiAnalyzer unit is behind a NAT device, this also resets sessions to other devices
behind that same NAT.
To prevent disruption of other devices’ traffic, on the NAT device, create a separate virtual IP for the
FortiAnalyzer unit.
Use this command to add and configure a device connected to the FortiAnalyzer unit, and how the
FortiAnalyzer unit interacts with the device.
Syntax
config log device
edit <device_string>
set type {fgt | fmg | fml | syslog | all_forticlients}
set id <deviceid_str>
set faz_owner <fortianalyzerid_str>
set description <desc_str>
set secure {psk | none}
set psk <presharedkey_str>
set privileges <send-logs> <view-logs> <config-reports> <view-reports>
<send-content> <view-content> <send-quarantine> <access-quarantine>
<none>
set space <diskquota_int>
set when-full {overwrite | stop}
set mode {HA | Standalone}
set default-intf-type {dmz | wan | lan | none}
set members-id <serialnum_str>
config product-intf-types
edit <interface_name>
set intf-type {lan | wan | dmz | none}
end
config user-intf-types
edit <interface_name>
set intf-type {lan | wan | dmz | none}
end
end
Keywords and variables

type {fgt | fmg | fml | syslog | all_forticlients}
    Select the type of device:
    • fgt for a FortiGate unit
    • fmg for a FortiManager unit
    • fml for a FortiMail unit
    • syslog for a Syslog server
    • all_forticlients for all FortiClients
    Default: varies by detected device type.

id <deviceid_str>
    If secure is psk, enter the device's device ID (serial number).
    Default: No default.

faz_owner <fortianalyzerid_str>
    If the device is another FortiAnalyzer unit when this FortiAnalyzer unit is acting as a log aggregation server, enter the client FortiAnalyzer unit's serial number.
    Default: No default.

description <desc_str>
    Enter a description of the device.
    Default: No default.
secure {psk | none}
    Enable (psk) or disable (none) a secure tunnel for communications between the device and FortiAnalyzer unit. Once secure is set to psk, you must configure the IPSec VPN; the FortiAnalyzer unit cannot create the secure tunnel until it is configured.
    The secure tunnel must be configured on both ends of the tunnel: the FortiAnalyzer unit and the device. On a FortiAnalyzer, set psk <presharedkey_str> and id <deviceid_str>. On the device, enable the secure connection, then set the PSK and local ID (device name). Commands vary by device type. For specific instructions, see your device's CLI Reference.
    Default: none

psk <presharedkey_str>
    If secure is psk, enter the preshared secret. The psk value must match the preshared secret (PSK) value configured on the device.
    Default: No default.

privileges <send-logs> <view-logs> <config-reports> <view-reports> <send-content> <view-content> <send-quarantine> <access-quarantine> <none>
    Set a list of privileges the device has to send and retrieve items from the FortiAnalyzer unit. For example, to allow a device to only send logs and quarantine, enter set privileges send-logs send-quarantine.
    Accessing logs, content logs and quarantined files is available on FortiGate units running firmware version 3.0 or later.
    Default: access-quarantine config-reports send-content send-logs send-quarantine view-content view-logs view-reports (all permissions granted)

space <diskquota_int>
    Set the amount of disk space allocated for the device logs, content and quarantined files, in megabytes (MB).
    Default: varies by settings in log end.

when-full {overwrite | stop}
    Select what the FortiAnalyzer unit should do once the allocated disk space has been reached: overwrite older messages, or stop logging.
    Default: overwrite

mode {HA | Standalone}
    Select whether the FortiGate unit is a standalone unit or a part of an HA cluster.
    Default: Standalone

default-intf-type {dmz | wan | lan | none}
    Select the default interface where traffic is typically directed if it is not defined.
    Default: none

members-id <serialnum_str>
    If the device is an HA cluster, enter the device IDs (serial numbers) for each subordinate unit in the cluster.
    Default: No default.
Example
The following example adds a FortiGate unit named FGT-60 with quarantine send and read and log send
access.
config log device
edit FGT-60
set id FGT-60
set privileges access-quarantine send-quarantine send-logs
set type fgt
end
The following example configures a secure tunnel for log and other data sent between the FortiAnalyzer
unit and a FortiGate unit named FGT-60.
On the FortiAnalyzer unit:
config log device
edit FGT-60
set secure psk
set psk SRE2IVN#seWNVd
set id FGT60M2904400103
end
On the FortiGate unit named FGT-60:
config system fortianalyzer
set encrypt enable
set psksecret SRE2IVN#seWNVd
set localid FGT-60
end
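The following Python script is an added example and is not part of the FortiAnalyzer CLI Reference. It parses the two flat CLI blocks of the secure-tunnel example above (config log device on the FortiAnalyzer side, config system fortianalyzer on the FortiGate side) and checks that the two ends agree, which is the condition the secure keyword description states: psk on the FortiAnalyzer must equal psksecret on the device, secure psk needs both psk and id, and the device must have encrypt enabled. It also checks that the privileges list only uses the documented privilege names. The pairing rule that localid must equal the device entry name is taken from the example (edit FGT-60 and set localid FGT-60), the function names and the flat parser are assumptions of this example, and MIN_PSK_LEN is an assumed local policy rather than a FortiAnalyzer requirement.

```python
"""Check that the two ends of a FortiAnalyzer secure (PSK) log tunnel agree.

Added example; this is not code from the FortiAnalyzer CLI Reference. It
parses the flat 'config ... edit ... set ... end' blocks shown in this section
for the FortiAnalyzer side (config log device) and the FortiGate side
(config system fortianalyzer). The pairing rules are assumptions drawn from
the examples: psk must equal psksecret, secure psk needs id and psk, encrypt
must be enabled on the device, and localid must equal the device entry name.
MIN_PSK_LEN is an assumed local policy, not a FortiAnalyzer requirement.
"""

PRIVILEGES = {
    "send-logs", "view-logs", "config-reports", "view-reports", "send-content",
    "view-content", "send-quarantine", "access-quarantine", "none",
}
MIN_PSK_LEN = 12   # assumed local policy, not a FortiAnalyzer requirement


def parse_cli(text):
    """Parse a flat CLI block into {entry_name: {keyword: [values]}}.

    A block without 'edit' lines (config system fortianalyzer) is stored under
    the entry name ''.  Nested config sub-blocks are not handled.
    """
    entries, current = {"": {}}, ""
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("config", "end", "next"):
            continue
        if tokens[0] == "edit" and len(tokens) >= 2:
            current = tokens[1]
            entries.setdefault(current, {})
        elif tokens[0] == "set" and len(tokens) >= 2:
            entries[current][tokens[1]] = tokens[2:]
    return {name: keys for name, keys in entries.items() if keys}


def check_privileges(device):
    """Return problems with a device's privileges list (unknown names, none mixed in)."""
    privs = device.get("privileges", [])
    problems = [f"unknown privilege {p!r}" for p in privs if p not in PRIVILEGES]
    if "none" in privs and len(privs) > 1:
        problems.append("privileges none cannot be combined with other privileges")
    return problems


def check_tunnel(faz_text, fgt_text):
    """Return a list of mismatches between the FortiAnalyzer and FortiGate sides."""
    problems = []
    devices = parse_cli(faz_text)
    fgt = parse_cli(fgt_text).get("", {})
    for name, dev in devices.items():
        problems += [f"{name}: {p}" for p in check_privileges(dev)]
        if (dev.get("secure") or ["none"])[0] != "psk":
            continue        # no tunnel expected for this device; the default is none
        psk = (dev.get("psk") or [""])[0]
        if not psk:
            problems.append(f"{name}: secure psk but no psk set")
        elif len(psk) < MIN_PSK_LEN:
            problems.append(f"{name}: psk shorter than the assumed minimum of {MIN_PSK_LEN}")
        if not (dev.get("id") or [""])[0]:
            problems.append(f"{name}: secure psk but no id (device serial number) set")
        if (fgt.get("encrypt") or ["disable"])[0] != "enable":
            problems.append(f"{name}: device side has encrypt disabled")
        if (fgt.get("psksecret") or [""])[0] != psk:
            problems.append(f"{name}: psk does not match the device psksecret")
        if (fgt.get("localid") or [""])[0] != name:
            problems.append(f"{name}: device localid must equal the device entry name")
    return problems


# Constructed sample: the secure-tunnel example from this section, plus the
# privileges line from the first example.
FAZ_SIDE = """\
config log device
edit FGT-60
set secure psk
set psk SRE2IVN#seWNVd
set id FGT60M2904400103
set privileges send-logs send-quarantine
end
"""
FGT_SIDE = """\
config system fortianalyzer
set encrypt enable
set psksecret SRE2IVN#seWNVd
set localid FGT-60
end
"""

if __name__ == "__main__":
    for line in check_tunnel(FAZ_SIDE, FGT_SIDE) or ["tunnel settings agree"]:
        print(line)
```

A PSK mismatch or a device with encrypt still disabled leaves the FortiAnalyzer unable to bring the tunnel up, and logs then either stop or travel unprotected, so comparing the two configurations before the change is the cheap check.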
History
3.0 MR1
Added description.
3.0 MR2
Added Admin_Domains, faz_owner, members-id and mode.
3.0 MR4
Removed Admin_Domains. It has been moved to config
Admin_Domain and is available when ADOMs are enabled.
3.0 MR5
Added vdom_num.
3.0 MR7
Removed vdom_num keyword.
config product-intf-type
Use this subcommand to define device logical interface types.
FortiAnalyzer Network activity reports include information on inbound and outbound traffic flow. Traffic flow
information is based on the source and destination interfaces of the device and how they are configured to
send and receive information. For more information, see the Devices chapter of the FortiAnalyzer
Administration Guide.
Syntax
config product-intf-types
edit <interface_name>
set intf-type {lan | wan | dmz | none}
end
Keywords and variables

<interface_name>
    Enter the name of the interface.
    Default: No default.

intf-type {lan | wan | dmz | none}
    Select the logical type of the interface which will be used when interpreting log messages for report purposes.
    Default: No default.
Example
The following commands set the port1 interface on the device FGT-60 to be labeled as a DMZ-type interface.
config log device
edit FGT-60
config product-intf-types
edit port1
set intf-name port1
set intf-type dmz
end
end
config user-intf-types
Use this subcommand to customize logical interface types.
FortiAnalyzer Network activity reports include information on inbound and outbound traffic flow. Traffic flow
information is based on the source and destination interfaces of the device and how they are configured to
send and receive information. For more information, see the Devices chapter of the FortiAnalyzer
Administration Guide.
Syntax
config user-intf-types
edit <interface_name>
set intf-type {lan | wan | dmz | none}
end
Keywords and variables

<interface_name>
    Enter the name of the interface.
    Default: No default.

intf-type {lan | wan | dmz | none}
    Select the logical type of the interface which will be used when interpreting log messages for report purposes.
    Default: No default.
Example
The following commands set the port1 interface on the device FGT-60 to be labeled as a DMZ-type interface.
config log device
edit FGT-60
config user-intf-types
edit port1
set intf-name port1
set intf-type dmz
end
end
device-group
Use this command to create device groups and to add devices to or remove devices from a group. Group the devices belonging to a department or section of the company to keep them together for easier monitoring and reporting.
Syntax
config log device-group
edit <group_name>
set type {fgt | fmg | fml | syslog}
set devices <device_names>
end
Keywords and variables

<group_name>
    Enter the name of the device group.
    Default: No default.

type {fgt | fmg | fml | syslog}
    Select the type of devices that can belong to this group. Device groups cannot contain devices of more than one type.
    Default: No default.

devices <device_names>
    Select the devices to add to the group. Use the Tab key to cycle through the available registered devices, or press the question mark (?) key to display devices that match your specified type. Separate multiple device names with a space.
    Default: No default.
Example
The following commands add the devices FGT-60 and FGT-500 to the group Finance.
config log device-group
edit Finance
set type fgt
set devices fgt-60 fgt-500
end
unregistered
Use this command to configure how the FortiAnalyzer unit handles unregistered devices as they connect
to the FortiAnalyzer unit.
As devices are configured to send log packets to the FortiAnalyzer unit, you can configure how the
FortiAnalyzer unit handles the connection requests until you can verify they should be accepted. You can
define what the FortiAnalyzer unit does when it receives a request for a connection from a device.
Syntax
config log unregistered
set known-handling {save-logs | drop-all | drop-logs-only}
set known-quota <knownquota_int>
set quota <quota_int>
set handling [drop-logs-only | drop-all | save-logs]
set blocked-devices <serial_number>
end
Keywords and variables

known-handling {save-logs | drop-all | drop-logs-only}
    Select how the FortiAnalyzer handles a connection request from a known device. Select from the following:
    drop-all - All incoming device requests are not accepted and the FortiAnalyzer will not add them to the unregistered devices list.
    drop-logs-only - Add the device to the unregistered devices list for future configuration and addition to the FortiAnalyzer unit, but do not save the incoming log packets to the hard disk.
    save-logs - Add the device to the unregistered devices list for future configuration and addition to the FortiAnalyzer unit, and save the log packets to the hard disk, but only up to a defined amount of disk space. Set the disk space using the keyword known-quota.
    Default: save-logs

known-quota <knownquota_int>
    Enter the amount of disk space to allocate to collecting log data for a known device until the device is registered.
    Default: 100

quota <quota_int>
    Enter the amount of disk space to allocate to collecting log data for an unknown device until the device is registered.
    Default: 20

handling [drop-logs-only | drop-all | save-logs]
    Select how the FortiAnalyzer handles a connection request from an unknown device. Select from the following:
    drop-all - All incoming device requests are not accepted and the FortiAnalyzer will not add them to the unregistered devices list.
    drop-logs-only - Add the device to the unregistered devices list for future configuration and addition to the FortiAnalyzer unit, but do not save the incoming log packets to the hard disk.
    save-logs - Add the device to the unregistered devices list for future configuration and addition to the FortiAnalyzer unit, and save the log packets to the hard disk, but only up to a defined amount of disk space. Set the disk space using the keyword quota.
    Default: drop-logs-only

blocked-devices <serial_number>
    Enter the devices the FortiAnalyzer unit blocks from submitting log data.
    Default: No default.
Example
The following commands set the handling of unknown devices to accept the connection and save the logs, up to 50 MB.
config log unregistered
set handling save-logs
set quota 30
end
settings
Use this command and sub-command to configure the local log settings and log rolling settings for all log
types, including Network Analyzer.
Syntax
config log settings
set analyzer-settings [device | custom]
set analyzer [enable | disable]
set analyzer-gui [enable | disable]
set mms-gui [enable | disable]
set custom-field1 <field_name>
set custom-field2 <field_name>
set custom-field3 <field_name>
set custom-field4 <field_name>
set custom-field5 <field_name>
set analyzer-quota <quota_int>
set analyzer-quota-full {overwrite | stop}
set analyzer-interface [port1 | port2 | port3 | port4]
set local-settings [device | custom]
set local [enable | disable]
set syslog [enable | disable]
set local-quota <integer>
set local-quota-full {overwrite | stop}
set local-level [emergency | alert | critical | error | warning |
notification | information | debug]
set local-filter {config | ipmac | ipsec | login | system}
set syslog-level [emergency | alert | critical | error | warning |
notification | information | debug]
set syslog-csv [enable | disable]
set sylog-ip <ip_address>
set syslog-port <port_number>
set syslog-filter [config | ipsec | login | system | none]
config rolling-analyzer
set filesize <size_int>
set when {daily | weekly | none}
set upload [enable | disable]
set days {mon | tue | wed | thu | fri | sat | sun}
set hour <integer>
set min <integer>
set server_type {FTP | SCP | SFTP}
set ip <ip_address>
set username <username_str>
set password <password_str>
set directory <dir_str>
set gzip-format {enable | disable}
set del-files {enable | disable}
set upload-trigger { on-roll | on-schedule}
set upload-hour [0-24]
end
config rolling-local
set filesize <size_int>
set when {daily | weekly | none}
set upload [enable | disable]
set days {mon | tue | wed | thu | fri | sat | sun}
set hour <integer>
set server_type {FTP | SCP | SFTP}
set ip <ip_address>
set username <username_str>
set password <password_str>
set directory <dir_str>
set gzip_format {enable | disable}
set del_files {enable | disable}
set upload-trigger { on-roll | on-schedule}
set upload-hour [0-24]
end
config rolling-regular
set filesize <size_int>
set when {daily | weekly | none}
set upload [enable | disable]
set days {mon | tue | wed | thu | fri | sat | sun}
set hour <integer>
set min <integer>
set server_type {FTP | SCP | SFTP}
set ip <ip_address>
set username <username_str>
set password <password_str>
set directory <dir_str>
set gzip_format {enable | disable}
set del_files {enable | disable}
set upload-trigger { on-roll | on-schedule}
set upload-hour [0-24]
end
end
Keywords and variables

analyzer-settings [device | custom]
    Enter custom to use the custom settings for rolling and uploading Network Analyzer logs. Enter device to re-use the device log settings for rolling and uploading Network Analyzer logs.
    Default: device

analyzer [enable | disable]
    Enter enable to enable Network Analyzer.
    Default: disable

analyzer-gui [enable | disable]
    Enter enable to show Network Analyzer in the web-based manager.
    Default: disable

mms-gui [enable | disable]
    Enter enable to show the archived MMS logs in the web-based manager. This applies only when there are MMS logs stored on the FortiAnalyzer unit. MMS logs are recorded when a FortiGate unit is running FortiOS Carrier.
    Default: disable

custom-field1 <field_name>
    Enter the custom field that was entered on the FortiGate unit. This command enables the FortiGate custom field to be properly indexed by the FortiAnalyzer unit. You can enter up to five FortiGate custom fields.
    Default: No default

custom-field2 <field_name>
    Enter the custom field that was entered on the FortiGate unit. This command enables the FortiGate custom field to be properly indexed by the FortiAnalyzer unit.
    Default: No default

custom-field3 <field_name>
    Enter the custom field that was entered on the FortiGate unit. This command enables the FortiGate custom field to be properly indexed by the FortiAnalyzer unit.
    Default: No default

custom-field4 <field_name>
    Enter the custom field that was entered on the FortiGate unit. This command enables the FortiGate custom field to be properly indexed by the FortiAnalyzer unit.
    Default: No default

custom-field5 <field_name>
    Enter the custom field that was entered on the FortiGate unit. This command enables the FortiGate custom field to be properly indexed by the FortiAnalyzer unit.
    Default: No default

analyzer-quota <quota_int>
    Enter the amount of disk space to allocate to logging network traffic. A value of 0 (zero) is unlimited.
    Default: 1000

analyzer-quota-full {overwrite | stop}
    Set what the FortiAnalyzer unit does when the allocated traffic log space is full. Select overwrite to overwrite older log data, or select stop to stop logging until the administrator can back up the logs and clear the disk space.
    Default: overwrite

analyzer-interface [port1 | port2 | port3 | port4]
    Enter the network interface that Network Analyzer records traffic from.
    Default: No default

local-settings [device | custom]
    Enter device to roll and upload local logs with the device settings. Enter custom to use custom settings.
    Default: device

local [enable | disable]
    Enter enable to enable logging to the local hard disk.
    Default: disable

syslog [enable | disable]
    Enter enable to enable logging to a Syslog server.
    Default: disable

local-quota <integer>
    Enter the amount of disk space to allocate for local logs. A value of 0 (zero) is unlimited.
    Default: 0

local-quota-full {overwrite | stop}
    Set what the FortiAnalyzer unit does when the allocated local log space is full. Select overwrite to overwrite older log data, or select stop to stop logging until the administrator can back up the logs and clear the disk space.
    Default: overwrite

local-level [emergency | alert | critical | error | warning | notification | information | debug]
    Enter the local log severity level.
    Default: information

local-filter {config | ipmac | ipsec | login | system}
    Select the events the FortiAnalyzer logs to the hard disk. Use this keyword in conjunction with local-level.
    Default: config ipsec login system

syslog-level [emergency | alert | critical | error | warning | notification | information | debug]
    Enter the syslog log severity level.
    Default: emergency

syslog-csv [enable | disable]
    Enter enable to use the CSV log format for logs.
    Default: disable

sylog-ip <ip_address>
    Enter the IP address of the Syslog server.
    Default: 0.0.0.0

syslog-port <port_number>
    Enter the Syslog server's port number, if different from the default port 514.
    Default: 514

syslog-filter [config | ipsec | login | system | none]
    Enter the log categories to include: logs related to configuration changes (config), IPSec connections (ipsec), administrative logins and logouts (login), and system activity (system). If you enter none, no logs will be included.
    Default: none
Example
The following commands enable local logging on the FortiAnalyzer unit.
config log settings
set local enable
set local-settings custom
set local-quota 100
set local-quota-full overwrite
set local-level error
set local-filter login system config
end
History
3.0 MR4
Removed content_reuse_logs and config rolling content commands.
These settings are rolled into config rolling-analyzer.
3.0 MR5
Changed enable_analyzer so that enabling it also makes Network Analyzer appear in the web-based manager.
3.0 MR7
Removed show_mms_option and added show_mms_archive keyword.
Added the following keywords:
• custom-field1
• custom-field2
• custom-field3
• custom-field4
• custom-field5
The subcommands, rolling-analyzer and rolling-local, were
removed as well.
config rolling-analyzer
Use this sub-command to configure the log rolling of the Network Analyzer logs. You must first set the
analyzer_reuse_logs to no so that you can view the sub-commands. If the log upload fails, such as
when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.
Syntax
config rolling-analyzer
set filesize <size_int>
set when {daily | weekly | none}
set upload [enable | disable]
set days {mon | tue | wed | thu | fri | sat | sun}
set hour <integer>
set min <integer>
set server_type {FTP | SCP | SFTP}
set ip <ip_address>
set username <username_str>
set password <password_str>
set directory <dir_str>
set gzip-format {enable | disable}
set del-files {enable | disable}
set upload-trigger { on-roll | on-schedule}
set upload-hour [0-24]
end
Keywords and variables
filesize <size_int>
    The maximum size of the current log file that the FortiAnalyzer unit saves to the disk. When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the current log file and starts a new active log file.
    When a log file reaches its maximum size, the FortiAnalyzer unit saves the log file with an incremental number, and starts a new log file with the same name. A value of 0 (zero) is unlimited.
    Default: 0

when {daily | weekly | none}
    Set the frequency with which the FortiAnalyzer unit saves the current log file and starts a new active log file. Select this option if you want to start new log files even if the maximum log file size has not been reached. For example, you may want to roll a daily log on a FortiAnalyzer unit that does not see a lot of activity.
    Default: none

upload [enable | disable]
    Select enable to have the FortiAnalyzer unit upload the rolled log file to an FTP site. When selecting enable, use set host_ip and set port_integer to define the FTP location.
    Default: disable

days {mon | tue | wed | thu | fri | sat | sun}
    Enter the day of the week on which the FortiAnalyzer rolls the traffic analyzer logs. This variable becomes available when the when variable is set to weekly.
    Default: No default.

hour <integer>
    Enter the hour of the day when the FortiAnalyzer rolls the traffic analyzer logs.
    Default: 0

min <integer>
    Enter the minute when the FortiAnalyzer rolls the traffic analyzer logs.
    Default: 0

server_type {FTP | SCP | SFTP}
    Select the type of upload server.
    Default: FTP

ip <ip_address>
    Enter the upload server IP address.
    Default: 0.0.0.0

username <username_str>
    Enter the user name for the upload server.
    Default: No default

password <password_str>
    Enter the password for the upload server user name.
    Default: No default.

directory <dir_str>
    Select a directory on the upload server where the FortiAnalyzer unit stores the uploaded logs.
    Default: No default.

gzip-format {enable | disable}
    Select enable to compress the log files using the gzip format.
    Default: disable

del-files {enable | disable}
    Select enable to delete the log files from the FortiAnalyzer hard disk once uploading is complete.
    Default: disable

upload-trigger {on-roll | on-schedule}
    Enter what type of trigger will upload log files. The trigger on-roll will upload log files whenever they roll. The trigger on-schedule will upload log files on a scheduled basis.
    Default: on-roll

upload-hour [0-24]
    Enter the hour at which you want to upload the log files. The default is zero. Enter the number, without minutes, in 24-hour format (0-24).
    Default: 0
Example
The following sub-commands enable log rolling when log files reach 100 MB.
config log settings
config rolling-analyzer
set filesize 100
end
end
History
3.0 MR1
Added uploading options for scheduling uploading times and locations.
config rolling-local
Use this sub-command to configure the log rolling of the FortiAnalyzer unit local logs. If the log upload fails,
such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.
This sub-command becomes available only when local-settings is set to custom.
Syntax
config rolling-local
set filesize <size_int>
set when {daily | weekly | none}
set upload [enable | disable]
set days {mon | tue | wed | thu | fri | sat | sun}
set hour <integer>
set min <integer>
set server_type {FTP | SCP | SFTP}
set ip <ip_address>
set username <username_str>
set password <password_str>
set directory <dir_str>
set gzip_format {enable | disable}
set del_files {enable | disable}
set upload-trigger { on-roll | on-schedule}
set upload-hour [0-24]
end
Keywords and variables

filesize <size_int>
    The maximum size of the current log file that the FortiAnalyzer unit saves to the disk. When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the current log file and starts a new active log file.
    When a log file reaches its maximum size, the FortiAnalyzer unit saves the log file with an incremental number, and starts a new log file with the same name. A value of 0 (zero) is unlimited.
    Default: 0

when {daily | weekly | none}
    Set the frequency with which the FortiAnalyzer unit saves the current local log file and starts a new active log file. Select this option if you want to start new log files even if the maximum log file size has not been reached. For example, you may want to roll a daily log on a FortiAnalyzer unit that does not see a lot of activity.
    Default: none

upload [enable | disable]
    Select enable to have the FortiAnalyzer unit upload the rolled log file to an FTP site. When selecting enable, use set host_ip and set host_port to define the FTP location.
    Default: no

days {mon | tue | wed | thu | fri | sat | sun}
    Enter the day of the week on which the FortiAnalyzer rolls the current logs. This variable becomes available when the when variable is set to weekly.
    Default: No default.

hour <integer>
    Enter the hour of the day when the FortiAnalyzer rolls the current logs.
    Default: 0

min <integer>
    Enter the minute when the FortiAnalyzer rolls the traffic analyzer logs.
    Default: 0

server_type {FTP | SCP | SFTP}
    Select the type of upload server.
    Default: FTP

ip <ip_address>
    Enter the upload server IP address.
    Default: 0.0.0.0

username <username_str>
    Enter the user name for the upload server.
    Default: No default

password <password_str>
    Enter the password for the upload server user name.
    Default: No default.

directory <dir_str>
    Select a directory on the upload server where the FortiAnalyzer unit stores the uploaded logs.
    Default: No default.

gzip_format {enable | disable}
    Select enable to compress the log files using the gzip format.
    Default: disable

del_files {enable | disable}
    Select enable to delete the log files from the FortiAnalyzer hard disk once uploading is complete.
    Default: disable

upload-trigger {on-roll | on-schedule}
    Enter what type of trigger will upload log files. The trigger on-roll will upload log files whenever they roll. The trigger on-schedule will upload log files on a scheduled basis.
    Default: on-roll

upload-hour [0-24]
    Enter the hour at which you want to upload the log files. The default is zero. Enter the number, without minutes, in 24-hour format (0-24).
    Default: 0
Example
The following sub-commands enable log rolling when log files reach 100 MB.
config log settings
config rolling-local
set filesize 100
end
end
History
3.0 MR1
Added uploading options for scheduling uploading times and locations.
config rolling-regular
Use this sub-command to configure the log rolling of the device logs. If the log upload fails, such as when
the FTP server is unavailable, the logs are uploaded during the next scheduled upload.
Syntax
config rolling-regular
set filesize <size_int>
set when {daily | weekly | none}
set upload [enable | disable]
set days {mon | tue | wed | thu | fri | sat | sun}
set hour <integer>
set min <integer>
set server_type {FTP | SCP | SFTP}
set ip <ip_address>
set username <username_str>
set password <password_str>
set directory <dir_str>
set gzip_format {enable | disable}
set del_files {enable | disable}
set upload-trigger { on-roll | on-schedule}
set upload-hour [0-24]
end
Keywords and variables | Description | Default

filesize <size_int>
The maximum size of the current log file that the FortiAnalyzer unit saves to the disk. When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the current log file and starts a new active log file.
When a log file reaches its maximum size, the FortiAnalyzer unit saves the log files with an incremental number, and starts a new log file with the same name. A value of 0 (zero) is unlimited.
Default: 0

when {daily | weekly | none}
Set the frequency at which the FortiAnalyzer unit saves the current log file and starts a new active log file. Select this option if you want to start new log files even if the maximum log file size has not been reached. For example, you may want to roll a daily log on a FortiAnalyzer unit that does not see a lot of activity.
Default: none

upload [enable | disable]
Select to enable the FortiAnalyzer unit to upload the rolled log file to an FTP site. When upload is enabled, use set host_ip and set host_port to define the FTP location.
Default: no

days {mon | tue | wed | thu | fri | sat | sun}
Enter the day of the week when the FortiAnalyzer unit rolls the current logs. This variable becomes available when the when variable is set to weekly.
Default: No default.

hour <integer>
Enter the hour of the day when the FortiAnalyzer unit rolls the current logs.
Default: 0

min <integer>
Enter the minute when the FortiAnalyzer unit rolls the current logs.
Default: 0

server_type {FTP | SCP | SFTP}
Select the type of upload server.
Default: FTP

ip <ip_address>
Enter the upload server IP address.
Default: 0.0.0.0

username <username_str>
Enter the user name for the upload server.
Default: No default.

password <password_str>
Enter the password for the upload server user name.
Default: No default.

directory <dir_str>
Select a directory on the upload server where the FortiAnalyzer unit stores the uploaded logs.
Default: No default.

gzip_format {enable | disable}
Select enable to compress the log files using the gzip format.
Default: disable

del_files {enable | disable}
Select enable to delete the log files from the FortiAnalyzer hard disk once uploading is complete.
Default: disable

upload-trigger {on-roll | on-schedule}
Enter what type of trigger will upload log files. The trigger on-roll uploads log files whenever they roll. The trigger on-schedule uploads log files on a scheduled basis.
Default: on-roll

upload-hour [0-24]
Enter the hour at which you want to upload the log files. The default is zero. Enter the number, without minutes, in 24-hour format (0-24).
Default: 0
Example
The following sub-commands enable log rolling when log files reach 100 MB.
config log settings
config rolling-regular
set filesize 100
end
end
History
3.0 MR1
Added uploading options for scheduling uploading times and locations.
aggregation
Use this command to enable log aggregation and configure the server IP address.
Syntax
config log aggregation
set mode {client | server | disabled}
set password <password_str>
set server_ip <ip_address>
set aggregation_time <hour_int>
end
Keywords and variables | Description | Default

mode {client | server | disabled}
Select to enable log aggregation in either client or server mode, or to disable log aggregation.
Note: The server option does not appear on FortiAnalyzer-100A models.
Default: disabled

password <password_str>
Enter the password of the log aggregation server.
• If mode is server, clients connecting to this FortiAnalyzer unit must match this configured password.
• If mode is client, the FortiAnalyzer unit uses this password when connecting to its log aggregation server.
This option appears only if mode is client or server.
Default: No default.

server_ip <ip_address>
Enter the IP address of the log aggregation server.
This option appears only if mode is client.
Default: No default.

aggregation_time <hour_int>
Enter the hour of the day when the FortiAnalyzer unit sends logs to the log aggregation server. The range is 0-23.
This option appears only if mode is client.
Default: 0
Example
The following example configures the FortiAnalyzer unit as an aggregation client that sends logs to an
aggregation server daily at 10 AM.
config log aggregation
set mode client
set server_ip 10.10.35.99
set password **********
set aggregation_time 10
end
History
3.0 MR2
New group of keywords and commands.
forwarding
Use this command to enable log forwarding and configure the Syslog server IP address. Only messages
meeting or exceeding the minimum severity level are forwarded.
Syntax
config log forwarding
set forwarding {enabled | disabled}
set forwarding_type {all_logs | permission_only}
set remote_ip <ip_address>
set min_level {emergency | alert | critical | error | warning | notification
| information | debug}
end
Keywords and variables | Description | Default

forwarding {enabled | disabled}
Enable or disable log forwarding. If enabled, configure remote_ip to indicate the receiving Syslog server.
Default: disabled

forwarding_type {all_logs | permission_only}
Select whether to forward all received log messages or to forward only authorized log messages.
Default: all_logs

remote_ip <ip_address>
Enter the IP address of the receiving Syslog server.
Default: No default.

min_level {emergency | alert | critical | error | warning | notification | information | debug}
Set the minimum severity threshold that a log message must meet or exceed to be forwarded to the remote_ip.
Default: information
Example
The following configures the FortiAnalyzer unit to forward all log messages that meet or exceed alert
level severity. The recipient Syslog server has the IP address 10.10.20.155.
config log forwarding
set forwarding enabled
set remote_ip 10.10.20.155
set min_level alert
end
History
3.0 MR5
New command added.
vm
Use vm commands to configure vulnerability manager scans, maps, and options.
sensor
scan-profile
host-asset
asset-group
map-config
schedule
business-risk
sensor
Sensors define which vulnerabilities the vulnerability scan checks your hosts for. Create different sensors
to specify only the vulnerabilities you need to check for. Sensors can be specified in more than one profile.
Syntax
config vm sensor
edit <sensor_str>
config filter
edit <filter_str>
set authentication {snmp windows unix none}
set bug {existent | ignore | nonexistent}
set category {all Applications Backdoor DOS Database Email
File_Transfer Finger ICMP Instant_Messenger Miscellaneous
Name_Server NetBIOS Operating_System P2P Policy RPC Remote_access
SNMP Tools VoIP Web_Applications Web_Client Web_Server Worm}
set cve {existent | ignore | nonexistent}
set end-date <string>
set exposed {yes | no | ignore}
set ips {existent | ignore | nonexistent}
set patch {existent | ignore | nonexistent}
set severity {information low medium high critical}
set start-date <string>
set top20 {forti20 sans20}
set type {include | exclude}
set vendor {existent | ignore | nonexistent}
end
config override
edit <override_str>
set type {include | exclude}
set fid <string>
end
set comment <comment_str>
end
Variables | Description | Default

<sensor_str>
Enter the name of an existing sensor to edit it, or enter a new name to create a new sensor.

<filter_str>
Enter the name of an existing filter to edit it, or enter a new name to create a new filter.

<override_str>
The name of an override. Enter the name of an existing override to edit it, or enter a new name to create a new override.

authentication {snmp windows unix none}
Scanning for some vulnerabilities requires that the FortiAnalyzer unit authenticate with the hosts to be scanned. Enter the vulnerabilities to include by the authentication they require. Enter the required options, or enter none to indicate no authentication.
Default: No default

bug {existent | ignore | nonexistent}
Include vulnerabilities depending on whether they have been assigned a Bug Traq ID.
• existent - restrict the included vulnerabilities to only those with a Bug Traq ID.
• nonexistent - restrict the included vulnerabilities to only those without a Bug Traq ID.
• ignore - do not restrict the included vulnerabilities based on whether they have been assigned a Bug Traq ID.
Default: ignore

category {all Applications Backdoor DOS Database Email File_Transfer Finger ICMP Instant_Messenger Miscellaneous Name_Server NetBIOS Operating_System P2P Policy RPC Remote_access SNMP Tools VoIP Web_Applications Web_Client Web_Server Worm}
Enter a category or categories to limit the vulnerabilities included in the filter. Enter all to include all categories, effectively disabling categories as a means of limiting the vulnerabilities included in the filter.
Default: No default

comment <comment_str>
Enter an optional description of the sensor.
Default: No default

cve {existent | ignore | nonexistent}
Include vulnerabilities depending on whether they have been assigned a CVE ID.
• existent - restrict the included vulnerabilities to only those with a CVE ID.
• nonexistent - restrict the included vulnerabilities to only those without a CVE ID.
• ignore - do not restrict the included vulnerabilities based on whether they have been assigned a CVE ID.
Default: ignore

end-date <string>
Vulnerabilities include the date they were last modified. No vulnerabilities updated after the entered date will be included in the filter.
Default: No default

exposed {yes | no | ignore}
Restrict the vulnerabilities included in the filter based on whether they have been detected in previous scans using this sensor.
• yes - restrict the included vulnerabilities to only those that have been detected in previous scans using this sensor.
• no - restrict the included vulnerabilities to only those that have not been detected in previous scans using this sensor.
• ignore - do not restrict the vulnerabilities included in the filter based on whether they have been detected in previous scans using this sensor.
Default: ignore

fid <string>
Enter the Fortinet Vulnerability ID. Separate multiple FID numbers with commas.
Default: No default

ips {existent | ignore | nonexistent}
Include vulnerabilities depending on whether they are also FortiGuard IPS signatures.
• existent - restrict the included vulnerabilities to only those that are FortiGuard IPS signatures.
• nonexistent - restrict the included vulnerabilities to only those that are not FortiGuard IPS signatures.
• ignore - do not restrict the included vulnerabilities based on whether they are FortiGuard IPS signatures.
Default: ignore

patch {existent | ignore | nonexistent}
Include vulnerabilities depending on whether a patch exists to fix them.
• existent - restrict the included vulnerabilities to only those with a patch.
• nonexistent - restrict the included vulnerabilities to only those without a patch.
• ignore - do not restrict the included vulnerabilities based on whether they have a patch.
Default: ignore

severity {information low medium high critical}
All vulnerabilities are assigned a relative severity level. Enter the severity levels to include in the filter. Enter all five severity levels to effectively disable severity as a means of limiting the vulnerabilities included in the filter.
Default: No default

start-date <string>
Vulnerabilities include the date they were last modified. No vulnerabilities updated before the entered date will be included in the filter.
Default: No default

top20 {forti20 sans20}
Specify one or both of these top 20 vulnerability lists to restrict included vulnerabilities to those also on the list you specify.
Default: No default

type {include | exclude}
Specify whether the vulnerability attributes you select when creating a filter define the vulnerabilities that are included, or the vulnerabilities that are excluded.
Default: include

vendor {existent | ignore | nonexistent}
Include vulnerabilities depending on whether they include a link to the vendor description of the problem. This link appears in the Vendor Reference column of the vulnerability database.
• existent - restrict the included vulnerabilities to only those with a link.
• nonexistent - restrict the included vulnerabilities to only those without a link.
• ignore - do not restrict the included vulnerabilities based on whether they have a vendor reference link.
Default: ignore
Example
This example details the commands required to make a VM sensor called email_only. The sensor
contains a filter named email_filter that includes all signatures with three matching characteristics:
• The signatures detect email vulnerabilities.
• The signatures have a severity rating of high or critical.
• The vulnerabilities have patches.
config vm sensor
edit email_only
config filter
edit email_filter
set category Email
set severity high critical
set patch existent
end
end
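To make the filter semantics above concrete, here is an added Python model (not Fortinet code) that applies the email_only sensor's filter to a constructed vulnerability list; the rule for combining several include and exclude filters is an assumption, since the reference does not state it.

```python
"""Model of the config vm sensor filter semantics from this reference.

Added example, not Fortinet code: it applies a sensor's filters (category,
severity, authentication, the existent/ignore/nonexistent attributes, the
start-date/end-date window and type include/exclude) to a small constructed
vulnerability database. How several filters combine is not spelled out in the
reference; this model assumes include filters are unioned and exclude filters
are then subtracted.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, List, Optional, Set

SEVERITIES = ("information", "low", "medium", "high", "critical")
AUTH_TYPES = ("snmp", "windows", "unix", "none")
TRISTATE = ("existent", "ignore", "nonexistent")


@dataclass
class Vuln:
    """One entry of the constructed sample database (all values made up)."""
    fid: str                       # Fortinet Vulnerability ID (placeholder values)
    category: str
    severity: str
    modified: date                 # date the entry was last modified
    bug_id: Optional[str] = None   # Bug Traq ID, None when none is assigned
    cve: Optional[str] = None      # CVE ID, None when none is assigned
    ips: bool = False              # also a FortiGuard IPS signature
    patch: bool = False            # a patch exists
    vendor_ref: bool = False       # vendor reference link present
    authentication: str = "none"   # authentication the check requires


@dataclass
class SensorFilter:
    """One config filter entry; a keyword left at its default does not restrict."""
    type: str = "include"
    category: Set[str] = field(default_factory=lambda: {"all"})
    severity: Set[str] = field(default_factory=lambda: set(SEVERITIES))
    authentication: Set[str] = field(default_factory=lambda: set(AUTH_TYPES))
    bug: str = "ignore"
    cve: str = "ignore"
    ips: str = "ignore"
    patch: str = "ignore"
    vendor: str = "ignore"
    start_date: Optional[date] = None   # drop entries modified before this date
    end_date: Optional[date] = None     # drop entries modified after this date


def tristate_ok(setting: str, present: bool) -> bool:
    """existent keeps only entries with the attribute, nonexistent only those without, ignore keeps all."""
    if setting not in TRISTATE:
        raise ValueError(f"unknown tri-state value: {setting}")
    if setting == "ignore":
        return True
    return present if setting == "existent" else not present


def matches(f: SensorFilter, v: Vuln) -> bool:
    """True when the vulnerability passes every restriction the filter sets."""
    if "all" not in f.category and v.category not in f.category:
        return False
    if v.severity not in f.severity or v.authentication not in f.authentication:
        return False
    if f.start_date is not None and v.modified < f.start_date:
        return False
    if f.end_date is not None and v.modified > f.end_date:
        return False
    return (tristate_ok(f.bug, v.bug_id is not None)
            and tristate_ok(f.cve, v.cve is not None)
            and tristate_ok(f.ips, v.ips)
            and tristate_ok(f.patch, v.patch)
            and tristate_ok(f.vendor, v.vendor_ref))


def select(filters: Iterable[SensorFilter], db: Iterable[Vuln]) -> List[str]:
    """FIDs the sensor checks for: union of include filters minus union of exclude filters (assumed rule)."""
    db = list(db)
    included: Set[str] = set()
    excluded: Set[str] = set()
    for f in filters:
        hits = {v.fid for v in db if matches(f, v)}
        if f.type == "include":
            included |= hits
        elif f.type == "exclude":
            excluded |= hits
        else:
            raise ValueError(f"unknown filter type: {f.type}")
    return sorted(included - excluded)


# Constructed sample database; FIDs and the CVE text are placeholders, not real identifiers.
SAMPLE_DB = [
    Vuln("FID-0001", "Email", "high", date(2009, 1, 10), patch=True),
    Vuln("FID-0002", "Email", "medium", date(2009, 2, 1), patch=True),
    Vuln("FID-0003", "Email", "critical", date(2009, 3, 5), patch=False),
    Vuln("FID-0004", "Web_Server", "critical", date(2009, 3, 6), patch=True),
    Vuln("FID-0005", "Email", "critical", date(2009, 4, 20), patch=True, cve="CVE-placeholder"),
]

# The email_filter from the example above: Email category, high or critical, patch exists.
EMAIL_FILTER = SensorFilter(category={"Email"}, severity={"high", "critical"}, patch="existent")


def email_only_selection() -> List[str]:
    """Apply the email_only sensor to the sample database."""
    return select([EMAIL_FILTER], SAMPLE_DB)


if __name__ == "__main__":
    print(email_only_selection())
```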
History
4.0
New.
Related commands
• scan-profile
scan-profile
Scan profiles are used to define exactly what means are used to scan hosts for vulnerabilities. Various
ports can be specified as well as the sensor used.
Syntax
config vm scan-profile
edit <scan-profile_str>
set comment <string>
set scan-dead-host {enable | disable}
set sensor <sensor_str>
set tcp-3way-handshake {enable | disable}
set tcp-port-adtn <string>
set tcp-port-grp {full | standard | light | none}
set udp-port-adtn <string>
set udp-port-grp {full | standard | light | none}
end
Variables | Description | Default

<scan-profile_str>
Enter the name of the scan profile you want to edit. To create a new scan profile, enter a new name.
Default: No default

comment <string>
Enter an optional description of the scan profile.
Default: No default

scan-dead-host {enable | disable}
Enable to force the FortiAnalyzer unit to scan hosts that appear to be unreachable. Some hosts may not return pings although they are still active. Enabling this option will significantly increase the time required to complete a scan.
Default: disable

sensor <sensor_str>
Enter the name of the sensor this scan profile uses. A sensor is required.
Default: No default

tcp-3way-handshake {enable | disable}
Enable to have the FortiAnalyzer unit establish a connection with the host using the standard TCP 3-way handshake. Closing the connection is also performed the same way.
Default: disable

tcp-port-adtn <string>
Enter any ports you want scanned in addition to those specified with the tcp-port-grp command. Enter individual ports separated by commas. Enter port ranges, separating the start and end ports with a dash. For example, set tcp-port-adtn 10,12,14,20-30
Default: No default

tcp-port-grp {full | standard | light | none}
Select the type of TCP port scan the VM scan will execute.
• full scans all TCP ports. This is the most thorough scan, but it also takes the longest.
• standard scans about 1800 of the most commonly used TCP ports.
• light scans about 160 of the most commonly used TCP ports.
• none disables the TCP port scan.
Default: none

udp-port-adtn <string>
Enter any ports you want scanned in addition to those specified with the udp-port-grp command. Enter individual ports separated by commas. Enter port ranges, separating the start and end ports with a dash. For example, set udp-port-adtn 100,115,200-250,9500
Default: No default

udp-port-grp {full | standard | light | none}
Select the type of UDP port scan the VM scan will execute.
• full scans all UDP ports. This is the most thorough scan, but it also takes the longest.
• standard scans about 180 of the most commonly used UDP ports.
• light scans about 30 of the most commonly used UDP ports.
• none disables the UDP port scan.
Default: none
Example
This example details the commands required to make a scan profile called all_tcp-udp. The profile
calls the email_only sensor and scans all TCP and UDP ports.
config vm scan-profile
edit all_tcp-udp
set sensor email_only
set tcp-port-grp full
set udp-port-grp full
end
History
4.0
New.
Related commands
• sensor
host-asset
The host-asset command allows you to define your organization's hosts. Hosts not appearing on this list
cannot be included in asset groups.
Syntax
config vm host-asset
edit <asset_str>
set auth {snmp | unix | windows}
set comment <string>
set community-string <string>
set dsa-key <key_str>
set function <string>
set ip <ipv4[-<ipv4>]>
set location <string>
set rsa-key <key_str>
set sudo {enable | disable}
set tag <string>
set unix-password <pass_str>
set unix-user-name <id_str>
set win-password <pass_str>
set win-user-name <id_str>
end
Variables | Description | Default

<asset_str>
Enter the name of the asset you want to edit. To create a new asset, enter a new name.

auth {snmp | unix | windows}
To allow the FortiAnalyzer unit to authenticate with the host during VM scans, enter the authentication type. Depending on the authentication type, other commands will appear allowing you to enter the appropriate information. Use the command unset auth to remove authentication.

comment <string>
Enter an optional description of the host-asset profile.
Default: No default

community-string <string>
Enter the SNMP community.
This command appears only when auth is set to snmp.
Default: No default

dsa-key <key_str>
Enter the PEM-encoded private key in text format.
This command appears only when auth is set to unix.
Default: No default

function <string>
Enter the function of the host. This is an optional information-only field.
Default: No default

ip <ipv4[-<ipv4>]>
Enter the host IP address. You can enter an IP range by separating the start and end addresses with a dash.
Default: No default

location <string>
Enter the location of the host. This is an optional information-only field.
Default: No default

rsa-key <key_str>
Enter the PEM-encoded private key in text format.
This command appears only when auth is set to unix.
Default: No default

sudo {enable | disable}
Enable to give the FortiAnalyzer unit UNIX super-user privileges.
This command appears only when auth is set to unix.
Default: disable

tag <string>
Enter the asset tag of the host. This is an optional information-only field.
Default: No default

unix-password <pass_str>
Enter the password the FortiAnalyzer unit uses to authenticate with the UNIX host.
This command appears only when auth is set to unix.
Default: No default

unix-user-name <id_str>
Enter the username the FortiAnalyzer unit uses to authenticate with the UNIX host.
This command appears only when auth is set to unix.
Default: No default

win-password <pass_str>
Enter the password the FortiAnalyzer unit uses to authenticate with the Windows host.
This command appears only when auth is set to windows.
Default: No default

win-user-name <id_str>
Enter the username the FortiAnalyzer unit uses to authenticate with the Windows host.
This command appears only when auth is set to windows.
Default: No default
Example
This example details the commands required to define a host-asset called email-server. The host is at
IP address 172.20.120.200 and the optional function and location commands indicate that it is an
email server on the third floor.
config vm host-asset
edit email-server
set ip 172.20.120.200
set location "third floor"
set function "email server"
end
History
4.0
New.
Related commands
• asset-group
asset-group
Before hosts can be scanned, they must be grouped. These groups are then selected within network map
configuration profiles and scan schedules. Grouping hosts eliminates the need to select every host in each
scan profile. When your groups have been created, simply specify the required group in the scan profile.
Hosts can be included in multiple groups.
Syntax
config vm asset-group
edit <group_str>
set comment <string>
set division <string>
set function <string>
set host <host_str> [<host_str> <host_str>...]
set impact-level {low | minor | medium | high | critical}
set location <string>
end
Variables | Description | Default

<group_str>
Enter the name of the asset group you want to edit. To create a new asset group, enter a new name.
Default: No default

comment <string>
Enter an optional description of the asset group.
Default: No default

division <string>
Enter the division the asset group is a part of. This is an optional information-only field.
Default: No default

function <string>
Enter the function of the asset group. This is an optional information-only field.
Default: No default

host <host_str> [<host_str> <host_str>...]
Enter the hosts that are in the asset group. Separate multiple hosts with spaces. Enter set host ? to list the available hosts.
Default: No default

impact-level {low | minor | medium | high | critical}
A rating indicating the relative importance of the hosts in the group.
Default: high

location <string>
Enter the location of the asset group. This is an optional information-only field.
Default: No default
Example
This example details the commands required to define an asset group called all-servers. The asset
group contains three hosts previously defined with the host-asset command. The three hosts are named
email-server, web-server, and db-server. The asset group is assigned a high impact-level and a
function of “all servers”.
config vm asset-group
edit all-servers
set function "all servers"
set impact-level high
set host email-server web-server db-server
end
History
4.0
New.
Related commands
• host-asset
map-config
Network map reports are generated based on network map configuration profiles. Multiple profiles can be
created to make reports containing only the required information.
Syntax
config vm map-config
edit <config_str>
set approved-host <ipv4> [<ipv4> <ipv4>...]
set asset-group <grp_str>
set date <date_str>
set domain <domain_str>
set exclude-dns-only-host {enable | disable}
set format {html mht pdf rtf txt}
set grp-update {enable | disable}
set hour <hour_int>
set ip-range <ipv4>
set live-host-sweep {enable | disable}
set max-occurrence <max_int>
set minute <minute_int>
set output-profile <profile_str>
set recurrence {daily | weekly | monthly}
set schedule {run-now | run-later}
set tcp-port-adtn <string>
set tcp-standard-scan {enable | disable}
set udp-port-adtn <string>
set udp-standard-scan {enable | disable}
end
Variables | Description | Default

<config_str>
Enter the name of the map configuration you want to edit. To create a new map configuration, enter a new name.
Default: No default

approved-host <ipv4> [<ipv4> <ipv4>...]
Enter the IP addresses of approved hosts. Enter multiple addresses separated by spaces.
Default: No default

asset-group <grp_str>
Enter the asset group on which the network map scan will run.
Default: No default

date <date_str>
Enter the date a scheduled scan will start. The date must be formatted as a four-digit year, a two-digit month, and a two-digit day, each separated by a dash. For example, 2009-12-01 would be formatted properly.
If left blank, the schedule will start on the current day, subject to the schedule itself.
Default: No default

domain <domain_str>
Enter a domain name in which the scan will be executed.
Default: No default

exclude-dns-only-host {enable | disable}
Enable to exclude hosts discovered only in the DNS.
Default: disable

format {html mht pdf rtf txt}
Enter the required output format or formats of the map report.
Default: html

grp-update {enable | disable}
Enable to have the network map scan automatically update the specified asset group if new hosts are discovered. No hosts will be removed even if they are unreachable. A domain or IP range must be entered if grp-update is enabled.
You must specify an asset group with the asset-group command before configuring this setting.
Default: disable

hour <hour_int>
Specify when during the day a scheduled scan will run. Use this command with minute to specify an exact time.
Default: 12

ip-range <ipv4>
Enter the IP address range the FortiAnalyzer unit scans.
Default: No default

live-host-sweep {enable | disable}
Enable to have the FortiAnalyzer unit discover live hosts in the IP address range specified with the ip-range command.
Default: enable

max-occurrence <max_int>
Enter the maximum number of times this scheduled scan runs. Enter 0 for no maximum.
Default: 0

minute <minute_int>
Specify when during the day a scheduled scan will run. Use this command with hour to specify an exact time.
Default: 0

output-profile <profile_str>
Enter the report output profile name.
Default: No default

recurrence {daily | weekly | monthly}
Enter how often a scheduled scan is run.
• daily has the FortiAnalyzer unit run the scan once a day. Use the hour and minute commands to specify when during the day the scan is run.
• weekly has the FortiAnalyzer unit run the scan once a week. Use the day-of-week, hour, and minute commands to specify when during the week the scan is run.
• monthly has the FortiAnalyzer unit run the scan once a month. Use the day-of-month, hour, and minute commands to specify when during the month the scan is run.
Default: daily

schedule {run-now | run-later}
Specify whether the schedule will run once or at regular intervals.
• run-now will have the FortiAnalyzer unit run the specified map configuration immediately, and only once.
• run-later will have the FortiAnalyzer unit run the map configuration at regular intervals, as specified with the recurrence command.
Default: run-now

tcp-port-adtn <string>
Enter any ports you want scanned in addition to those specified with the tcp-standard-scan command. Enter individual ports separated by commas. Enter port ranges, separating the start and end ports with a dash. For example, set tcp-port-adtn 10,12,14,20-30
Default: No default

tcp-standard-scan {enable | disable}
Enable to scan 13 standard TCP ports: 21-23, 25, 53, 80, 88, 110, 111, 135, 139, 443, 445.
Default: enable

udp-port-adtn <string>
Enter any ports you want scanned in addition to those specified with the udp-standard-scan command. Enter individual ports separated by commas. Enter port ranges, separating the start and end ports with a dash. For example, set udp-port-adtn 100,115,200-250,9500
Default: No default

udp-standard-scan {enable | disable}
Enable to scan 6 standard UDP ports: 53, 11, 135, 137, 161, 500.
Default: disable
Example
This example details the commands required to create a map-config named servers. This map-config
scans the all-servers asset-group daily at 1 A.M.
config vm map-config
edit servers
set asset-group all-servers
set domain example.com
set grp-update disable
set schedule run-later
set recurrence daily
set hour 1
set minute 0
end
History
4.0
New.
Related commands
• asset-group
schedule
Vulnerability reports are generated based on schedules. Multiple schedules can be created to
automatically generate the required reports whenever needed.
Syntax
config vm schedule
edit <schedule_str>
set asset-group <grp_str>
set date <date_str>
set day-of-month <date_int>
set day-of-week {sun | mon | tue | wed | thu | fri | sat}
set format {html mht pdf rtf txt}
set hour <hour_int>
set max-occurrence <max_int>
set minute <minute_int>
set output-profile <profile_str>
set recurrence {daily | weekly | monthly}
set scan-profile <profile_str>
set schedule {run-now | run-later}
end
Variables | Description | Default

<schedule_str>
Enter the name of the schedule you want to edit. To create a schedule, enter a new name.
Default: No default

asset-group <grp_str>
Enter the asset group on which the network map scan will run.
Default: No default

date <date_str>
Enter the date a scheduled scan will start. The date must be formatted as a four-digit year, a two-digit month, and a two-digit day, each separated by a dash. For example, 2009-12-01 would be formatted properly.
If left blank, the schedule will start on the current day, subject to the schedule itself.
Default: No default

day-of-month <date_int>
Specify the date on which a monthly schedule runs.
Default: No default

day-of-week {sun | mon | tue | wed | thu | fri | sat}
Specify the day of the week on which a weekly schedule runs.
Default: No default

format {html mht pdf rtf txt}
Enter the required output format or formats of the scan report.
Default: html

hour <hour_int>
Specify when during the day a scheduled scan will run. Use this command with minute to specify an exact time.
Default: 12

max-occurrence <max_int>
Enter the maximum number of times this scheduled scan runs. Enter 0 for no maximum.
Default: 0

minute <minute_int>
Specify when during the day a scheduled scan will run. Use this command with hour to specify an exact time.
Default: 0

output-profile <profile_str>
Enter the report output profile name.
Default: No default

recurrence {daily | weekly | monthly}
Enter how often a scheduled scan is run.
• daily has the FortiAnalyzer unit run the scan once a day. Use the hour and minute commands to specify when during the day the scan is run.
• weekly has the FortiAnalyzer unit run the scan once a week. Use the day-of-week, hour, and minute commands to specify when during the week the scan is run.
• monthly has the FortiAnalyzer unit run the scan once a month. Use the day-of-month, hour, and minute commands to specify when during the month the scan is run.
Default: daily

scan-profile <profile_str>
Enter the name of the scan profile to use.
Default: No default

schedule {run-now | run-later}
Specify whether the schedule will run once or at regular intervals.
• run-now will have the FortiAnalyzer unit run the schedule immediately, and only once.
• run-later will have the FortiAnalyzer unit run the schedule at regular intervals, as specified with the recurrence command.
Default: run-now
Example
This example details the commands required to create a vm scan schedule named fri-servers. This
schedule will scan the all-servers asset-group every Friday at 3:15 A.M. using the all_tcp-udp
scan profile.
config vm schedule
edit fri-servers
set asset-group all-servers
set schedule run-later
set recurrence weekly
set day-of-week fri
set hour 3
set minute 15
set scan-profile all_tcp-udp
end
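The schedule keywords above (schedule, recurrence, day-of-week, day-of-month, hour, minute, date and max-occurrence) together determine when a scan fires. The following is an added example, not Fortinet code: it computes the next run times of a schedule entry from those keywords so an operator can check that scan windows land where change control expects them. The fri-servers entry from the example above is used as input; the DEFAULTS values are the defaults from the Variables table.

```python
"""Added example (not Fortinet code): compute when a 'config vm schedule'
entry will fire, from the keywords documented in the CLI reference."""
from datetime import datetime, timedelta

# datetime.weekday(): Monday is 0 ... Sunday is 6
DAY_OF_WEEK = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}

# Defaults taken from the Variables table of 'config vm schedule'
DEFAULTS = {"schedule": "run-now", "recurrence": "daily", "hour": 12, "minute": 0,
            "max-occurrence": 0, "date": ""}

# The fri-servers entry from the example above, as a dict of its 'set' keywords
FRI_SERVERS = {"asset-group": "all-servers", "schedule": "run-later",
               "recurrence": "weekly", "day-of-week": "fri",
               "hour": 3, "minute": 15, "scan-profile": "all_tcp-udp"}


def _matches(day, cfg):
    """Does this calendar day satisfy the entry's recurrence keywords?"""
    rec = cfg["recurrence"]
    if rec == "daily":
        return True
    if rec == "weekly":
        return day.weekday() == DAY_OF_WEEK[cfg["day-of-week"]]
    if rec == "monthly":
        return day.day == int(cfg["day-of-month"])
    raise ValueError(f"unknown recurrence: {rec}")


def next_runs(config, now, count=5, horizon_days=400):
    """Return up to `count` run times at or after `now` for one schedule entry.

    run-now fires once, immediately. run-later fires on the recurrence,
    starting on the configured date (or today when date is blank), and stops
    after max-occurrence runs (0 means no maximum)."""
    cfg = {**DEFAULTS, **config}
    if cfg["schedule"] == "run-now":
        return [now]
    limit = int(cfg["max-occurrence"]) or count
    count = min(count, limit)
    start_day = datetime.strptime(cfg["date"], "%Y-%m-%d") if cfg["date"] else now
    candidate = start_day.replace(hour=int(cfg["hour"]), minute=int(cfg["minute"]),
                                  second=0, microsecond=0)
    runs = []
    for _ in range(horizon_days):          # bounded walk, one day at a time
        if candidate >= now and _matches(candidate, cfg):
            runs.append(candidate)
            if len(runs) == count:
                break
        candidate += timedelta(days=1)
    return runs


if __name__ == "__main__":
    for run in next_runs(FRI_SERVERS, datetime(2009, 5, 6, 9, 0), count=3):
        print(run.strftime("%Y-%m-%d %a %H:%M"))
```

A monthly entry is handled the same way through day-of-month; the 400-day horizon guarantees termination even if a day-of-month never matches the months it walks through.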
History
4.0
New.
Related commands
• asset-group
• scan-profile
business-risk
The business risk table values form the basis of the business risk calculation, used to order the Top 10
Vulnerable Hosts list located in Vulnerability Mgmt > Summary > Host Status. The calculation uses the
severity of the detected vulnerabilities, the business impact you assigned to the asset group, and the
business risk table.
When creating an asset group, you assign it a business impact:
• low
• minor
• medium
• high
• critical
Vulnerabilities are rated by severity and each severity has a numeric security risk value:
• information: 1
• low: 2
• medium: 3
• high: 4
• critical: 5
To determine the business risk of the host, a look-up is performed. The security risk and the business
impact are compared and the appropriate value is taken from the business risk table. For example, if a
medium severity vulnerability is found on a host in an asset group with a critical business impact, the
business risk table indicates a business risk of 36.
If multiple vulnerabilities are discovered when scanning the host, the default behavior is to average the
security risk ratings. With the business impact, this security risk average is used to determine the business
risk. If the security risk is not a whole number, the fractional value is used to determine the same fractional
value between the two nearest business risk values.
For example, if a medium and a high severity vulnerability are discovered on a medium business impact
host, the security risk value is 3.5. A security risk of 3 and a medium business impact result in a business
risk of 9, while a security risk of 4 and a medium business impact result in a business risk of 16. The
security risk average of 3.5 falls half way between 3 and 4, therefore the business risk falls half way
between 9 and 16, which is 12.5. The report will drop all decimals so the final business risk is 12.
The security-risk command can instead be set to report the highest security risk rating found rather
than the average of all of them. If security-risk is set to highest for the example above, the security
risk values of the two vulnerabilities are not averaged; the highest, 4, is used, resulting in a business
risk of 16.
Use the business-risk command to change the values in the table, and therefore the security risk
result.
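The look-up, averaging, interpolation and truncation described above are easy to get subtly wrong when reproducing the Top 10 Vulnerable Hosts ordering outside the unit. The following is an added example, not Fortinet code: it implements the calculation with the DEFAULT table defaults listed below and checks the worked figures from the text (36 for a medium vulnerability on a critical host; 12.5 truncated to 12, or 16 with security-risk highest, for medium plus high on a medium host). The validate_table and top_vulnerable_hosts helpers are this example's own additions.

```python
"""Added example (not Fortinet code): the FortiAnalyzer business risk look-up
as described in the 'config vm business-risk' section."""

# Rows: business impact of the asset group. Columns: security risk 1..5
# (information=1, low=2, medium=3, high=4, critical=5). Values are the
# DEFAULT table defaults from the Variables table.
DEFAULT_TABLE = {
    "low":      [1, 1, 2, 4, 9],
    "minor":    [1, 2, 4, 9, 16],
    "medium":   [2, 4, 9, 16, 36],
    "high":     [4, 9, 16, 36, 64],
    "critical": [9, 16, 36, 64, 100],
}

SEVERITY_RISK = {"information": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


def validate_table(table):
    """Reject tables that violate the documented <risk_int> range 0..100."""
    for impact, row in table.items():
        if len(row) != 5:
            raise ValueError(f"{impact}: expected 5 values, got {len(row)}")
        for value in row:
            if not 0 <= value <= 100:
                raise ValueError(f"{impact}: {value} is outside 0..100")
    return True


def security_risk(severities, mode="average"):
    """Combine per-vulnerability severities as 'set security-risk' does."""
    if not severities:
        raise ValueError("a host needs at least one detected vulnerability")
    values = [SEVERITY_RISK[s] for s in severities]
    if mode == "highest":
        return float(max(values))
    if mode == "average":
        return sum(values) / len(values)
    raise ValueError(f"unknown security-risk mode: {mode}")


def business_risk_exact(impact, severities, mode="average", table=DEFAULT_TABLE):
    """Look up the business risk; a fractional security risk is placed the same
    fraction of the way between the two nearest table values."""
    row = table[impact]
    risk = security_risk(severities, mode)
    lower = int(risk)              # 3.5 -> 3
    fraction = risk - lower        # 3.5 -> 0.5
    low_value = row[lower - 1]     # CLI keywords are 1-based (low-1 .. low-5)
    if fraction == 0:
        return float(low_value)
    high_value = row[lower]
    return low_value + fraction * (high_value - low_value)


def business_risk(impact, severities, mode="average", table=DEFAULT_TABLE):
    """The reported value: the report drops all decimals."""
    return int(business_risk_exact(impact, severities, mode, table))


def top_vulnerable_hosts(hosts, mode="average", table=DEFAULT_TABLE):
    """Order hosts as the Top 10 Vulnerable Hosts list does, highest business
    risk first. `hosts` maps host name -> (impact, [severities])."""
    scored = [(name, business_risk(impact, sev, mode, table))
              for name, (impact, sev) in hosts.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return scored[:10]


if __name__ == "__main__":
    validate_table(DEFAULT_TABLE)
    print(business_risk("critical", ["medium"]))                   # 36
    print(business_risk_exact("medium", ["medium", "high"]))       # 12.5
    print(business_risk("medium", ["medium", "high"]))             # 12
    print(business_risk("medium", ["medium", "high"], "highest"))  # 16
```

Because the report truncates rather than rounds, two hosts whose exact values differ by less than one can tie; sort on business_risk_exact if you need the finer ordering.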
Syntax
config vm business-risk
edit DEFAULT
set security-risk {average | highest}
set low-1 <risk_int>
set low-2 <risk_int>
set low-3 <risk_int>
set low-4 <risk_int>
set low-5 <risk_int>
set minor-1 <risk_int>
set minor-2 <risk_int>
set minor-3 <risk_int>
set minor-4 <risk_int>
set minor-5 <risk_int>
set medium-1 <risk_int>
set medium-2 <risk_int>
set medium-3 <risk_int>
set medium-4 <risk_int>
set medium-5 <risk_int>
set high-1 <risk_int>
set high-2 <risk_int>
set high-3 <risk_int>
set high-4 <risk_int>
set high-5 <risk_int>
set critical-1 <risk_int>
set critical-2 <risk_int>
set critical-3 <risk_int>
set critical-4 <risk_int>
set critical-5 <risk_int>
end
Variables
Description
DEFAULT
Enter the business risk table. Currently, all FortiAnalyzer models support
only one table named DEFAULT.
security-risk
{average | highest}
Specify how the security risk is calculated. Either by the average security
level or the highest security level.
average
low-1 <risk_int>
Enter the business risk value when the business impact is low and the
security risk is 1. The valid range for <risk_int> is 0 to 100.
1
low-2 <risk_int>
Enter the business risk value when the business impact is low and the
security risk is 2. The valid range for <risk_int> is 0 to 100.
1
low-3 <risk_int>
Enter the business risk value when the business impact is low and the
security risk is 3. The valid range for <risk_int> is 0 to 100.
2
low-4 <risk_int>
Enter the business risk value when the business impact is low and the
security risk is 4. The valid range for <risk_int> is 0 to 100.
4
low-5 <risk_int>
Enter the business risk value when the business impact is low and the
security risk is 5. The valid range for <risk_int> is 0 to 100.
9
minor-1 <risk_int>
Enter the business risk value when the business impact is minor and the
security risk is 1. The valid range for <risk_int> is 0 to 100.
1
minor-2 <risk_int>
Enter the business risk value when the business impact is minor and the
security risk is 2. The valid range for <risk_int> is 0 to 100.
2
minor-3 <risk_int>
Enter the business risk value when the business impact is minor and the
security risk is 3. The valid range for <risk_int> is 0 to 100.
4
minor-4 <risk_int>
Enter the business risk value when the business impact is minor and the
security risk is 4. The valid range for <risk_int> is 0 to 100.
9
minor-5 <risk_int>
Enter the business risk value when the business impact is minor and the
security risk is 5. The valid range for <risk_int> is 0 to 100.
16
medium-1 <risk_int>
Enter the business risk value when the business impact is medium and the
security risk is 1. The valid range for <risk_int> is 0 to 100.
2
medium-2 <risk_int>
Enter the business risk value when the business impact is medium and the
security risk is 2. The valid range for <risk_int> is 0 to 100.
4
medium-3 <risk_int>
Enter the business risk value when the business impact is medium and the
security risk is 3. The valid range for <risk_int> is 0 to 100.
9
medium-4 <risk_int>
Enter the business risk value when the business impact is medium and the
security risk is 4. The valid range for <risk_int> is 0 to 100.
16
medium-5 <risk_int>
Enter the business risk value when the business impact is medium and the
security risk is 5. The valid range for <risk_int> is 0 to 100.
36
high-1 <risk_int>
Enter the business risk value when the business impact is high and the
security risk is 1. The valid range for <risk_int> is 0 to 100.
4
high-2 <risk_int>
Enter the business risk value when the business impact is high and the
security risk is 2. The valid range for <risk_int> is 0 to 100.
9
high-3 <risk_int>
Enter the business risk value when the business impact is high and the
security risk is 3. The valid range for <risk_int> is 0 to 100.
16
high-4 <risk_int>
Enter the business risk value when the business impact is high and the
security risk is 4. The valid range for <risk_int> is 0 to 100.
36
high-5 <risk_int>
Enter the business risk value when the business impact is high and the
security risk is 5. The valid range for <risk_int> is 0 to 100.
64
critical-1 <risk_int>
Enter the business risk value when the business impact is critical and the
security risk is 1. The valid range for <risk_int> is 0 to 100.
9
critical-2 <risk_int>
Enter the business risk value when the business impact is critical and the
security risk is 2. The valid range for <risk_int> is 0 to 100.
16
critical-3 <risk_int>
Enter the business risk value when the business impact is critical and the
security risk is 3. The valid range for <risk_int> is 0 to 100.
36
critical-4 <risk_int>
Enter the business risk value when the business impact is critical and the
security risk is 4. The valid range for <risk_int> is 0 to 100.
64
critical-5 <risk_int>
Enter the business risk value when the business impact is critical and the
security risk is 5. The valid range for <risk_int> is 0 to 100.
100
History
4.0
New.
Related commands
• asset-group
• schedule
gui
Use the gui command to configure the Dashboard CLI console.
console
console
Use this command to configure the console.
Syntax
config gui console
set preferences <filedata>
end
Keywords and variables
Description
Default
preferences <filedata>
Enter the preferences for the file data. Base-64 encoded files
are recommended.
No default
History
3.0 MR7
New.
execute
The execute commands perform immediate operations on the FortiAnalyzer unit. This command can:
• back up and restore the system configuration, log files, HTTPS certificates, or reset the unit to default
settings
• set the unit date and time
• diagnose network problems by using ping
• import logs that have been backed up
• update vulnerability management services.
When ADOMs are enabled, there are only four execute commands available within each ADOM,
including the root ADOM. These four execute commands are:
• column-settings
• content-files
• quarantine_files
• ips-pkt
This chapter contains the following sections:
reboot
shutdown
reload
restore
backup
import logs
import-lang
formatlogdisk
factoryreset
ping
ping-options
disconnect
set-time
set-date
traceroute
vm
update-vm
content-files
quarantine_files
ips-pkt
admin-cert
column-settings
reboot
Use this command to restart the FortiAnalyzer unit.
Syntax
execute reboot
shutdown
Use this command to shut down the FortiAnalyzer unit.
Syntax
execute shutdown
reload
Use this command to reload the FortiAnalyzer unit configuration.
Syntax
execute reload
History
3.0 MR1
New command added.
restore
Use this command to:
• restore configuration backups
• change the FortiAnalyzer firmware
• restore device log or report backups to the FortiAnalyzer unit
Syntax
execute restore image {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2>
<arg_3> <arg_4>}
execute restore config {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2>
<arg_3> <arg_4>}
execute restore config-secure {[ftp | sftp | scp | tftp] <ip_address> <arg_1>
<arg_2> <arg_3> <arg_4>}
execute restore logs {[all | All_FortiClients | <device_name(s)>] [ftp | sftp |
scp] <ip_address> <user_name> <password> <directory_str>}
execute restore logs-only {[all | All_FortiClients | <device_name(s)>] [ftp |
sftp | scp] <ip_address> <user_name> <password> <directory>}
execute restore reports {[all | <report_name(s)> | <report_name_pattern>] [ftp
| sftp | scp] <user_name> <password> <directory>}
execute restore https-cert {[ftp | sftp | scp | tftp] <ip_address> <arg_1>
<arg_2> <arg_3> <arg_4>}
execute restore vm {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2>
<arg_3> <arg_4>}
Variables
Description
image {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>}
Upload a firmware image from a TFTP server to the FortiAnalyzer unit. The FortiAnalyzer unit reboots,
loading the new firmware.
• arg_1 – For FTP, SFTP or SCP enter a user name. For TFTP enter a directory or filename.
• arg_2 – For FTP, SFTP or SCP enter a password or enter ‘-’. For TFTP enter the filename or press Enter.
• arg_3 – For FTP, SFTP or SCP enter a directory or filename. For TFTP, press Enter.
• arg_4 – Enter a filename or press Enter.
config {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>}
Restore the system configuration from a backup file on a TFTP server. The new configuration replaces the
existing configuration, including administrator accounts and passwords.
• arg_1 – For FTP, SFTP or SCP enter a user name. For TFTP enter a directory.
• arg_2 – For FTP, SFTP or SCP enter a password or enter ‘-’. For TFTP enter the filename.
• arg_3 – For FTP, SFTP or SCP enter a directory. For TFTP, press Enter.
• arg_4 – Enter a filename and press Enter.
config-secure {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>}
Restore the encrypted configuration file.
• arg_1 – For FTP, SFTP or SCP enter a user name. For TFTP enter a directory or filename.
• arg_2 – For FTP, SFTP or SCP enter a password or enter ‘-’. For TFTP enter the filename or press Enter.
• arg_3 – For FTP, SFTP or SCP enter a directory or filename. For TFTP, press Enter.
• arg_4 – Enter a filename or press Enter.
logs {[all | All_FortiClients | <device_name(s)>] [ftp | sftp | scp] <ip_address> <user_name> <password>
<directory_str>}
Restore log files and content archives to the FortiAnalyzer hard disk.
• device_name(s) – Separate multiple device names with a comma. If you want to restore all log files, use
the keyword all.
logs-only {[all | All_FortiClients | <device_name(s)>] [ftp | sftp | scp] <ip_address> <user_name>
<password> <directory>}
Restore device logs from a specific device.
• All_FortiClients – This will restore all log files that were recorded by FortiClients.
• device_name(s) – Multiple device names need to be separated by a comma. If you want to restore all log
files, use the all keyword.
reports {[all | <report_name(s)> | <report_name_pattern>] [ftp | sftp | scp] <user_name> <password>
<directory>}
Restore device report files to the FortiAnalyzer hard disk.
• report_name(s) – Multiple report names need to be separated by a comma; if you want to restore all
reports use the keyword all.
• report_name_pattern – Use this keyword when you want to specify a group of reports that contain a
certain pattern. For example, if you enter foo*, all reports starting with the letters foo will be restored.
https-cert {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>}
Restore the HTTPS certificate and private key. The file that you are restoring must be in the format,
PKCS12; no other format is accepted.
• arg_1 – For FTP, SFTP or SCP enter a user name. For TFTP enter a directory.
• arg_2 – For FTP, SFTP or SCP enter a password or enter ‘-’. For TFTP enter the filename.
• arg_3 – For FTP, SFTP or SCP enter a directory or filename. For TFTP, enter a PKCS12 file password or ‘-’.
• arg_4 – For FTP, SFTP or SCP enter a file name or PKCS12 file password, or ‘-’. For TFTP, press Enter.
vm {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>}
Restore vulnerabilities from an FTP, SFTP, SCP or TFTP server.
• arg_1 – For FTP, SFTP or SCP enter a user name. For TFTP enter a directory or filename.
• arg_2 – For FTP, SFTP or SCP enter a password or enter ‘-’. For TFTP enter the filename or press Enter.
• arg_3 – For FTP, SFTP or SCP enter a directory or filename. For TFTP, press Enter.
• arg_4 – Enter a filename or press Enter.
Example
You could upload a configuration file from a TFTP server to the FortiAnalyzer unit and restart the
FortiAnalyzer unit with this configuration. The name of the configuration file on the TFTP server is
backupconfig.cfg. The IP address of the TFTP server is 192.168.1.23.
execute restore config backupconfig.cfg 192.168.1.23
You could restore device log files for a FortiGate-50B named FGT50B02803033050.
execute restore logs FGT50B2803033050 192.168.1.24 juser m00#wer
A confirmation message appears:
Note: This command restores all logs from a specified server which were
backed up prior to changing the RAID level or formatting the disks.
Executing it frequently is not recommended!
Do you want to continue? (y/n)y
A second confirmation message appears:
Restore operation may overwrite some logs already in FortiAnalyzer. System will
reboot after restoration.
Do you want to continue? (y/n)y
If you elect to continue by entering ‘y,’ status messages appear:
Restoring device FGT50B2803033050 ...
Restore has been finished successfully.
System is rebooting...
After the FortiAnalyzer unit reboots, you could reconnect to the CLI.
History
3.0 MR1
Added logs. This replaces the command backup_restore_logs.
3.0 MR5
New command execute restore reports. Restores report backup
from an FTP server.
3.0 MR7
Added new keyword, https-cert.
4.0
New keywords were added:
• <arg_1>
• <arg_2>
• <arg_3>
• <arg_4>
The commands, config-secure and vm were also added in this release.
backup
Use this command to back up the FortiAnalyzer configuration, device log or report files to a server.
Syntax
execute backup config {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2>
<arg_3> <arg_4>}
execute backup config-secure {[ftp | sftp | scp | tftp] <ip_address> <arg_1>
<arg_2> <arg_3> <arg_4>}
execute backup logs {[all | <devices_str>] [ftp | scp | sftp | tftp]
<server_ipv4> <username_str> <password_str> <directory_str>}
execute backup logs-only {[ftp | sftp | scp | tftp] <ip_address> <arg_1>
<arg_2> <arg_3> <arg_4>}
execute backup reports {all | <devices_str>} {ftp | scp | sftp | tftp}
<server_ipv4> <username_str> <password_str> <directory_str>
execute backup https-cert {[ftp | sftp | scp | tftp] <ip_address> <arg_1>
<arg_2> <arg_3> <arg_4>}
Keywords and variables
Description
config {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>}
Back up the system configuration to a file on a TFTP server.
<password_str> is optional.
config-secure {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>}
Back up an encrypted system configuration file to an FTP, SFTP, SCP, or TFTP server.
• arg_1 – For FTP, SFTP or SCP enter a user name. For TFTP enter a directory or filename.
• arg_2 – For FTP, SFTP or SCP enter a password or enter ‘-’. For TFTP enter the filename or press Enter.
• arg_3 – For FTP, SFTP or SCP enter a directory or filename. For TFTP, press Enter.
• arg_4 – Enter a filename or press Enter.
logs {[all | <devices_str>] [ftp | scp | sftp | tftp] <server_ipv4> <username_str> <password_str>
<directory_str>}
Back up device log files, content archives and quarantines to an FTP, SCP (SSH), SFTP, or TFTP server.
<devices_str> indicates the devices to which the log files belong. It can be a single device name, a
comma-separated list of device names, or all for all devices.
<directory_str> is optional. If it is not specified, then the FortiAnalyzer unit creates a directory named
backup_logs on the server.
If you select the protocol tftp, do not enter <username_str>; <password_str> is optional.
logs-only {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>}
Back up only logs from the specified device.
reports {all | <devices_str>} {ftp | scp | sftp | tftp} <server_ipv4> <username_str> <password_str>
<directory_str>
Back up device report file(s) to an FTP, SCP (SSH), SFTP, or TFTP server.
<devices_str> indicates the devices to which the log files belong. It can be a single device name, a
comma-separated list of device names, or all for all devices.
<directory_str> is optional. If it is not specified, then the FortiAnalyzer unit creates a directory named
backup_logs on the server.
If you select the protocol tftp, do not enter <username_str>; <password_str> is optional.
Only completed reports will be backed up. Reports which are being generated or have not yet started when
this command is executed will not be backed up.
https-cert {[ftp | sftp | scp | tftp] <ip_address> <arg_1> <arg_2> <arg_3> <arg_4>}
Back up the current HTTPS certificate and private key to either an FTP server or TFTP server.
The
Examples
You could back up a FortiAnalyzer-800 system configuration to a file named fa800.cfg to a TFTP server
at IP address 192.168.1.23.
execute backup config fa800.cfg 192.168.1.23 ******
You could back up log files for a device named FG50B12205400050 to an FTP server at IP address
192.168.1.24.
execute backup logs FG50B12205400050 192.168.1.24 juser m00#wer
ftpbackup/FGT500/
A confirmation message appears:
Note: This command is designed to backup all logs to an FTP server
in the case of Changing RAID/Formatting Logdisks.
Executing it frequently is not recommended!
Do you want to continue? (y/n)y
If you elect to continue by entering ‘y,’ status messages appear:
Preparing for FG50B12205400050
log files...
email content archived files...
http content archived files...
ftp content archived files...
im content archived files...
mms content archived files...
quarantined files...
Backing up FG50B12205400050 ...
Backup has been finished successfully.
History
3.0 MR1
Added logs. This replaces the command backup_restore_logs.
3.0 MR5
New command execute backup reports. Backs up reports to an FTP
or TFTP server.
3.0 MR6
New options sftp and scp for execute backup logs and execute
backup reports. Select SFTP and SCP protocols for log or report
backup.
3.0 MR7
Added new keyword, https-cert.
4.0
New keywords were added:
• <arg_1>
• <arg_2>
• <arg_3>
• <arg_4>
The command, config-secure, was also added in this release.
import logs
Use this command to import logs from a specific device or from FortiClient.
Syntax
execute import logs [<device_1> | <device_2> | <device_3>…]
execute import logs from-file [ftp | sftp | scp | tftp]
execute import logs All_FortiClients
Keywords and variables
Description
[<device_1> | <device_2> | <device_3>…]
Enter the device you want to import logs from.
from-file [ftp | sftp | scp | tftp]
Enter to use the device_id in the imported files.
All_FortiClients
Enter to import all FortiClient logs.
Examples
The following shows how to import logs from a device.
execute import logs FGT_50B
History
4.0
Revised. Updates the importlog command.
import-lang
Use this command to import a report language customization file.
Syntax
execute import-lang <language_name> <tftp_ip_address> <language_format_name>
<language_string_name> <language_font_name>
Keyword
Description
<language_name>
Enter the name of the language format file located in the TFTP server’s
root directory.
<tftp_ip_address>
Enter the TFTP server’s IP address.
<language_format_name>
Enter the name of the language format file located in the TFTP server’s
root directory.
<language_string_name>
Enter the name of the language string file located in the TFTP server’s
root directory.
<language_font_name>
Enter the name of the language font file located in the TFTP server’s root
directory. This is optional.
Example
You could create a report language customization named English_Custom.
execute import-lang English_Custom 192.168.1.23 English_Custom.format
English_Custom.string myfont.ttf
History
3.0 MR6
New command execute import-lang. Uploads report language
customization files from a TFTP server.
formatlogdisk
Caution: This operation will erase all data on the hard disk, including quarantine and log files.
Use this command to format the FortiAnalyzer hard disk to enhance performance for logging.
Syntax
execute formatlogdisk
factoryreset
Caution: This procedure deletes all changes that you have made to the FortiAnalyzer configuration and reverts
the system to the installed firmware version’s default configuration, including resetting interface addresses.
Use this command to reset the FortiAnalyzer configuration to the firmware’s default settings.
Syntax
execute factoryreset
ping
Use this command to send an ICMP echo request (ping) to test the network connection between the
FortiAnalyzer unit and another network device.
Syntax
execute ping <address_ipv4>
Example
You could ping a host with the IP address 192.168.1.23.
execute ping 192.168.1.23
ping-options
Use this command to set ICMP echo request (ping) options to control the way ping tests the network
connection between the FortiAnalyzer unit and another network device.
Syntax
execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options pattern <2-byte_hex>
execute ping-options repeat_count <repeats_int>
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds_int>
execute ping-options tos <service_type_int>
execute ping-options ttl <hops_int>
execute ping-options validate_reply {yes | no}
execute ping-options view_settings
Keyword
Description
Default
data-size <bytes>
Specify the datagram size in bytes.
56
df-bit {yes | no}
Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP
packet to be fragmented.
no
pattern <2-byte_hex>
Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified
using the data-size parameter. This allows you to send out packets of different sizes for testing the effect
of packet size on the connection.
No default
repeat_count <repeats_int>
Specify how many times to repeat ping.
5
source {auto | <source-intf_ip>}
Specify the FortiAnalyzer interface from which to send the ping. If you specify auto, the FortiAnalyzer
unit selects the source address and interface based on the route to the <hostname_str> or <host_ip>.
Specifying the IP address of a FortiAnalyzer interface tests connections to different network segments
from the specified interface.
auto
timeout <seconds_int>
Specify, in seconds, how long to wait until ping times out.
2
tos <service_type_int>
Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service
wanted.
• lowdelay = minimize delay
• throughput = maximize throughput
• reliability = maximize reliability
• lowcost = minimize cost
• default = 0
default (0)
ttl <hops_int>
Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make
before being discarded or returned.
64
validate_reply {yes | no}
Select yes to validate reply data.
no
view_settings
Display the current ping-option settings.
No default
Example
Use the following command to increase the number of pings sent.
execute ping-options repeat_count 10
Use the following command to send all pings from the FortiAnalyzer interface with IP address
192.168.10.23.
execute ping-options source 192.168.10.23
disconnect
Use this command to disconnect an administrator from the FortiAnalyzer unit by logging them out of the
system.
Syntax
execute disconnect <administratorlogin_id>
Keywords and variables
Description
disconnect <administratorlogin_id>
Enter the administrator login ID, which is found in the
Index column.
By entering the command followed by a question mark
(?), you can view all currently connected administrative
users.
Example
You could determine who is logged in by entering:
execute disconnect ?
A list of currently logged-in administrators appears:
Index  Login name  Login type  Login from
0      admin       CLI         ssh (10.10.20.154)
1      admin       WEB         10.20.10.15
You could then disconnect the administrator currently connected to the web-based manager:
execute disconnect 1
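The listing printed by execute disconnect ? is the unit's only in-band view of who is logged in, so it is worth checking against the management networks you expect. The following is an added example, not Fortinet code: it parses a listing in the layout shown above (the sample text is constructed to match it), flags sessions whose source address lies outside an allowed set of networks, and produces the execute disconnect lines an operator would run. The allowed network 10.10.20.0/24 in the usage is an assumption for the example.

```python
"""Added example (not Fortinet code): review the session listing that
'execute disconnect ?' prints and build disconnect commands for sessions
from outside the expected management networks."""
import ipaddress
import re

# Constructed sample, laid out like the listing in the example above.
SAMPLE_LISTING = """\
Index  Login name  Login type  Login from
0      admin       CLI         ssh (10.10.20.154)
1      admin       WEB         10.20.10.15
"""

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_sessions(listing):
    """Turn the listing into dicts; 'from' holds the bare source address,
    'origin' the column as printed (CLI rows wrap it as 'ssh (addr)')."""
    sessions = []
    for line in listing.splitlines()[1:]:      # skip the column header
        if not line.strip():
            continue
        index, login, login_type, origin = line.split(None, 3)
        match = _IPV4.search(origin)
        sessions.append({
            "index": int(index),
            "login": login,
            "type": login_type,
            "from": match.group(0) if match else None,
            "origin": origin,
        })
    return sessions


def unexpected_sessions(sessions, allowed_networks):
    """Sessions whose source address is outside every allowed network.
    A row whose origin cannot be parsed is flagged too, for manual review."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for session in sessions:
        if session["from"] is None:
            flagged.append(session)
            continue
        addr = ipaddress.ip_address(session["from"])
        if not any(addr in net for net in nets):
            flagged.append(session)
    return flagged


def disconnect_commands(sessions):
    """The CLI lines to drop each given session, by its Index column."""
    return [f"execute disconnect {s['index']}" for s in sessions]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LISTING)
    for cmd in disconnect_commands(unexpected_sessions(found, ["10.10.20.0/24"])):
        print(cmd)
```

The Index values are only meaningful for the listing they came from, so re-run execute disconnect ? and re-parse before issuing the commands rather than reusing an earlier listing.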
set-time
Set the system time.
Syntax
execute set_time <time_str>
time_str has the form hh:mm:ss, where
• hh is the hour and can be 00 to 23
• mm is the minutes and can be 00 to 59
• ss is the seconds and can be 00 to 59
If you do not specify a time, the command returns the current system time.
Example
This example sets the system time to 15:31:03:
execute set_time 15:31:03
set-date
Use this command to set the system date.
Syntax
execute set_date <date_str>
date_str has the form mm/dd/yyyy, where
• mm is the month and can be 01 to 12
• dd is the day of the month and can be 01 to 31
• yyyy is the year and can be 2001 to 2037
If you do not specify a date, the command returns the current system date.
Example
This example sets the date to 17 March 2009:
execute set_date 17/03/2009
traceroute
Use this command to show a list of routers taken to reach a network IP address or domain name.
Syntax
execute traceroute <address_ipv4>
History
3.0 MR3
New command.
vm
Use this command to schedule, view vulnerability reports, import hosts, and update vulnerabilities.
Syntax
execute vm schedule-run <schedule_name>
execute vm schedule-stop <schedule_name>
execute vm map-config-run <map-config-name>
execute vm map-config-stop <map-config-name>
execute vm report-list <report-type [scan | map]> <type> [name | starttime | endtime]
execute vm report-clear <report-type [scan | map]>
execute vm report-delete <report-type [scan <reportname> | map <reportname>]>
execute vm import-hosts <report_name> <group_name> <force>
execute vm update-fds
execute vm update-manual <service [ftp | sftp | scp | tftp]>
execute vm update-status-list
execute vm update-refresh
Keywords and variables
Description
schedule-run <schedule_name>
Enter to run a schedule one time.
schedule-stop <schedule_name>
Enter to stop a running schedule.
map-config-run <map-config-name>
Enter to run a map configuration only one time.
map-config-stop <map-config-name>
Enter to stop a running map configuration.
report-list <report-type [scan | map]>
<type> [name| starttime | endtime]
Enter to list all reports.
report-clear <report-type [scan | map]>
Enter to clear all scan or map reports.
report-delete <report-type [scan
<reportname> | map <reportname> ]
Enter to delete one report at a time.
import-hosts <report_name>
<group_name> <force>
Enter to import the hosts from a map report.
update-fds
Immediately update the Vulnerability Management
packages through the FortiGuard network. This takes a
few minutes.
update-manual <service [ftp | sftp |
scp | tftp]
Enter to manually update the vulnerability management
package.
update-status-list
Enter to list the status of the update.
update-refresh
Enter to refresh the FortiGuard network status.
Example
The following example runs the vulnerability scan schedule named schedule_1 one time.
execute vm schedule-run schedule_1
History
4.0
New.
update-vm
Use this command to immediately update vulnerabilities.
Syntax
execute update-vm
History
4.0
New.
content-files
Use this command to delete selected information from the content log files. When ADOMs are enabled,
this command is not available within the global command; however, it is available within each ADOM and
the root ADOM.
Syntax
execute content-files clear {all | email | im | ftp | http | mms} <device_str>
Keywords and variables
clear {all | email | im | ftp | http | mms} <device_str>
    Delete the content information for the specified device and protocol from the content logs.
Example
You could clear all email content logs for a device named fgt-50B.
execute content-files clear email fgt-50B
History
3.0 MR4
New command.
3.0 MR5
Added mms option.
quarantine_files
Use this command to delete the quarantine files for a FortiGate unit. When ADOMs are enabled, this
command is not available within the global command; however, it is available within each ADOM and the
root ADOM.
Syntax
execute quarantine_files clear <device_str>
Example
You could delete quarantine files from the FortiAnalyzer unit for a FortiGate named fgt-50B.
execute quarantine_files clear fgt-50B
History
3.0 MR4
New command.
ips-pkt
Use this command to delete files from a specified device. When ADOMs are enabled, this command is not
available within the global command; however, it is available within each ADOM and the root ADOM.
Syntax
execute ips-pkt clear <device_name>
Keywords and variables
clear <device_name>
    Enter to delete files from a specific device.
History
4.0
New.
admin-cert
Use this command to change the HTTPS certificate to a new certificate signed by a regular Certificate
Authority instead of Fortinet.
Syntax
execute admin-cert self-sign
execute admin-cert show
Keywords and variables
self-sign
    Delete the current certificate and regenerate the self-signed one. You will need to reboot your FortiAnalyzer unit to incorporate the new certificate.
show
    Displays information about the current certificate.
Examples
The following example shows the output displayed when you enter execute admin-cert show:
Subject:
C = US
ST = CA
L = Santa Clara
O = “Fortinet, Inc.”
CN = Fortinet
emailAddress = support@fortinet.com
Issuer:
C = US
ST = CA
L = Sanata Clara
O = “Fortinet, Inc.”
CN = Fortinet
emailAddress = support@fortinet.com
Valid from:
2009-01-07 13:08:31 GMT
Valid to:
2019-01-12 13:08:31 GMT
Version:
3
SN:
0
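As an added example (not part of the CLI reference), the following Python parses output in the format shown above and reports whether the unit is still running a self-signed certificate with the default serial number, or one that has expired or is about to; the sample text is constructed from that format, with some name fields omitted.

```python
# Added example, not from the FortiAnalyzer CLI reference: parse the text that
# `execute admin-cert show` prints and flag states an administrator should act on.
from datetime import datetime, timedelta
# Constructed sample in the format the manual shows (some name fields omitted).
SAMPLE_OUTPUT = """Subject:
C = US
CN = Fortinet
emailAddress = support@fortinet.com
Issuer:
C = US
CN = Fortinet
emailAddress = support@fortinet.com
Valid from:
2009-01-07 13:08:31 GMT
Valid to:
2019-01-12 13:08:31 GMT
SN:
0
"""

def parse_admin_cert(text):
    """Return subject/issuer dicts, validity datetimes and serial number."""
    cert = {"subject": {}, "issuer": {}}
    section = None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(":"):              # "Subject:", "Valid to:", ...
            section = line[:-1].lower().replace(" ", "_")
        elif section in ("subject", "issuer"):
            key, _, value = line.partition("=")
            cert[section][key.strip()] = value.strip()
        elif section in ("valid_from", "valid_to"):
            cert[section] = datetime.strptime(line, "%Y-%m-%d %H:%M:%S GMT")
        elif section in ("version", "sn"):
            cert[section] = int(line)
    return cert

def audit_admin_cert(text, now, warn_days=30):
    """Return findings: still self-signed, default serial, expired or expiring."""
    cert = parse_admin_cert(text)
    findings = []
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed")      # subject == issuer: not CA-signed yet
    if cert.get("sn") == 0:
        findings.append("default-serial")   # serial 0, as on the built-in cert
    if now >= cert["valid_to"]:
        findings.append("expired")
    elif cert["valid_to"] - now < timedelta(days=warn_days):
        findings.append("expiring-soon")
    return findings
```

Feed it the text captured from the console session; an empty list means the certificate is CA-signed and well within its validity period.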
History
3.0 MR7
New command.
column-settings
Use this command to change column settings for administrators. When ADOMs are enabled, this
command is not available within the global command; however, it is available within each ADOM and the
root ADOM.
Syntax
execute column-settings reset <administrator_name>
execute column-settings clone <from_administrator>
Keywords and variables
reset <administrator_name>
    Enter one administrator name or multiple administrator names to reset their column settings to default.
clone <from_administrator>
    Enter the name of the administrator whose column settings you want to copy to another administrator. For example, to clone the settings of admin_1 to admin_2, enter admin_1.
Examples
The following example shows how to clone settings from the administrator admin_headquarters to
admin_branchoffice.
execute column-settings clone admin_headquarters
History
4.0
New.
Index
A
abort, 21
access privileges
ADOMs, 29
access profile
ADOM restrictions, 32
accprofile, 51
adding, configuring or defining
ADOMs, 32
admin, 43
admin administrator
accessing ADOMs, 34
administrative domains. See ADOMs
administrator
admin, accessing ADOMs, 34
assigning to ADOMs, 35
admintimeout, 38
ADOMs
access privileges, 29
access profile restrictions, 32
accessing as admin administrator, 34
adding, configuring or defining, 32
admin account privileges, 29
assigning administrators, 35
config Admin_Domain, 31
config global, 31
disabling, 33
enabling, 32
maximum number on FortiAnalyzer, 32
permissions, 29
aggregation
password, 104
server_ip, 104
aggregation_time, 104
alert console
period, 62
severity level, 62
alert-destination, system event, 60
alerts, 43
all-devices, system event, 59
allowaccess, 40
interface, 40
analyzer_quota, 97
analyzer_quota_full, 97
auth, system mail, 57
B
baudrate, 48
blocked-devices, 93
C
CLI
conventions, 10, 12
cnid, 46
comments, documentation, 10
config
execute backup, 134
execute restore, 131
gui, 128
restore, 131
config Admin_Domain
ADOMs, 31
config global
ADOMs, 31
config router, 7
console
baudrate, 48
mode, 48
screen output, 48
content, 43
content_files, 144
customer service, 9
D
data-size, 140
days
rolling-analyzer, 99
rolling-regular, 100, 102
default-intf-type, 89
define device port interfaces, 90, 91
del_files
rolling-analyzer, 99
rolling-local, 101
rolling-regular, 102
delete, shell command, 20
description, device, 88
destination ip, 49
device
description, 88
system route, 49
Device ID, 90
Device Name, 90
devices, 43
log device-group, 92
unregistered, 93
df-bit, 140
Diagnose commands, 9
directory
rolling-analyzer, 99
rolling-local, 101
rolling-regular, 102
disabling
ADOMs, 33
disconnect, 141
disk quota
known_quota, 93
local logs, 97
unknown device, 93
disk space, 89
display, nas user, 85
dn, 46
dns
primary ip, 42
secondary ip, 42
documentation
commenting on, 10
Fortinet, 9
drop logs, 93
dst
router static, 49
system route, 49
duration, 63, 64
E
edit
shell command, 20
email-address, 52
enable-generic-text, 59
enabling
ADOMs, 32
end
command in an edit shell, 21
shell command, 20
event-time-period, 59
execute, 129
admin-cert, 146
execute command
factoryreset, 139
ping, 139
ping-options, 140
reboot, 130
restore, 131
execute restore, image, 131
F
factoryreset, execute, 139
faz_owner, 88
filesize
log settings rolling-analyzer, 99
rolling-local, 100
rolling-regular, 102
filter, 46
first-name, 51
FortiAnalyzer
maximum number of ADOMs, 32
FortiGate documentation
commenting on, 10
FortiGate unit
port interfaces, 90, 91
Fortinet customer service, 9
Fortinet documentation, 9
Fortinet Knowledge Center, 10
forwarding, 105
remote_ip, 105
from, system event, 60
G
gateway
router static, 49
system route, 49
generic-text, event, 59
get
edit shell command, 21
shell command, 20
GID, 83
group
ldap, 46
gzip_format
rolling-analyzer, 99
rolling-local, 101
rolling-regular, 102
H
handling unregistered devices, 93
hostname, 38
hour
rolling-analyzer, 99
rolling-regular, 100, 102
https, 40
I
id, log device, 88
image, 131
image, execute restore, 131
interface, 89, 90, 91
interface status, 40
intf-type, log device, 91
introduction
Fortinet documentation, 9
ip
alias, 42
ntpserver, 38
rolling-analyzer, 99
rolling-local, 101
rolling-regular, 102
router destination, 49
router gateway, 49
system interface, 40
system syslog, 56
trusted host, 51
ip_alias, 43
ip_range, 42
IPSec, 89
K
known_quota, 93
known-handling, 93
L
language, 38
last-name, 51
ldapconntimeout, 38
Local ID, 90
local_filter, 97
local_quota, 97
local_quota_full, 97
lockout, interface, 40
log rolling
FortiAnalyzer logs, 102
local logs, 100
logs, 43
execute backup, 134
M
member, 47
members
nas group, 83
members_id, 89
min
rolling-analyzer, 99, 100
rolling-regular, 102
mobile-number, 52
mode, 48, 89, 104
N
nas, 83
network, 43
network attached storage, 83
network file sharing, 84
network path, 85
next, 21
nfs, 84
ntpserver, 38
ntpsync, 39
num-events, 59
O
output, system console, 48
overwrite, 89
P
pager-number, 52
password
aggregation, 104
nas user, 85
rolling-analyzer, 99
rolling-local, 101
rolling-regular, 102
system admin, 51
system mail, 57
path, nas share, 85
pattern, ping-options, 140
period
system alert_console, 62
permissions
ADOMs, 29
phone-number, 52
ping, 40
ping, execute, 139
ping-options, execute, 140
port
interfaces, 90, 91
ldap, 46
system syslog, 56
preshared key, 89
pre-shared secret, 90
preshared secret, 89
primary dns, 42
privileges, device, 89
product-intf-types, 90
PSK, 90
psk, 89
purge, shell command, 20
Q
quar, 43
quarantine_files, 144
quota, 93
R
read-only access, 84, 85
read-write access, 84, 85
reboot, execute, 130
refresh, 38
remote_ip, 105
remote-auth, 51
remoteauthtimeout, 38
rename, shell command, 20
repeat-count, 140
report
filter, 71
language, 68
layout, 73
output, 69
schedule, 79
reports, 43
execute backup, 135
execute restore, 132
restore, execute, 131
ro
nas nfs, 84
nas share, 85
route, device, 49
router
destination ip, 49
gateway, 49
rw
nas nfs, 84
nas share, 85
S
save logs, 93
secondary dns, 42
secret, 45
secure connection, 89
server
ldap, 46
mail, 57
server_ip, 104
server_type
rolling-analyzer, 99
rolling-local, 101
rolling-regular, 102
server, mail, 57
server, radius, 45
set, 21
set_date, 142
severity
alert console, 62
severity_level, 62
severity-filter, event, 59
severity-level-attack-comp, 59
severity-level-attack-logs, 59
severity-level-av-comp, 59
severity-level-av-logs, 59
severity-level-content-comp, 59
severity-level-content-logs, 59
severity-level-emailfilter-comp, 59
severity-level-emailfilter-logs, 59
severity-level-event-comp, 59, 60
severity-level-event-logs, 60
severity-level-IM-logs, 60
severity-level-traffic-comp, 60
severity-level-webfilter-logs, 60
share, 84
shell command
delete, 20
edit, 20
end, 20
get, 20
purge, 20
rename, 20
show, 20
show, shell command, 20
shutdown, 130
smtp-name, 60
snmp, 40, 53
system, 53
source, ping-options, 140
space, log device, 89
spaces, entering in strings, 26
special characters, 26
ssh, 40
ssh-public-key1, 52
ssh-public-key2, 52
ssh-public-key3, 52
status
system interface, 40
system settings, 63, 64
stop logging, 89
syncinterval, 39
syslog
ip address, 56
port number, 56
system, 43
system settings
delete logs, 63, 64
duration, 63, 64
status, 63, 64
T
technical support, 9
telnet, 40
timeout, ping-options, 140
timezone, 38
to, system event, 60
tos, 140
traffic analysis
disk space, 97
full quota, 97
traffic flow on a FortiGate unit, 90, 91
trusthost1, 51
trusthost2, 51
trusthost3, 51
ttl, 140
tunnel, secure, 89
type
log device, 88
system event, 60
U
uid, 85
unregistered devices, 93
unset, 21
uploading
rolling-analyzer, 99
rolling-local, 100
rolling-regular, 102
user
id, 85
name display, 85
password, 85
system mail, 57
username
rolling-analyzer, 99
rolling-local, 101
rolling-regular, 102
V
validate-reply, 140
value, system settings, 63, 64
view-settings, 140
VPN, 89
vulnerabilty_scan, 43
W
when
rolling-analyzer, 99
rolling-local, 100
rolling-regular, 102
system settings, 63, 64
when-full, log device, 89
workgroup, 84