CLI Reference

Using the CLI

The command-line interface (CLI) is an alternative to the web UI.

You can use either interface or both to configure the FortiADC appliance. In the web UI, you use buttons, icons, and forms, while, in the CLI, you either type text commands or upload batches of commands from a text file, like a configuration script.

If you are new to Fortinet products, or if you are new to the CLI, this section can help you to become familiar.

Connecting to the CLI

You can access the CLI in two ways:

  • Locally — Connect your computer, terminal server, or console directly to the console port.
  • Through the network — Connect your computer through any network attached to one of the network ports. To connect using a Secure Shell (SSH) or Telnet client, enable the network interface for Telnet or SSH administrative access. Enable HTTP/HTTPS administrative access to connect using the CLI Console widget in the web UI.

Local access is required in some cases:

  • If you are installing your FortiADC appliance for the first time and it is not yet configured to connect to your network, unless you reconfigure your computer’s network settings for a peer connection, you might only be able to connect to the CLI using a local console connection. See the FortiADC Handbook.
  • Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process completes, and therefore local CLI access is the only viable option.

Before you can access the CLI through the network, you usually must enable SSH and/or HTTP/HTTPS and/or Telnet on the network interface through which you will access the CLI.

Connecting to the CLI using a local console

Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiADC appliance, using its DB-9 console port.

Requirements
  • A computer with an available serial communications (COM) port
  • Console cable (RJ-45-to-DB-9 or null modem cable) included in your FortiADC package
  • Terminal emulation software such as PuTTY
The following procedure describes connection using PuTTY software; steps may vary with other terminal emulators.

To connect to the CLI using a local console connection
  1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiADC appliance’s console port to the serial communications (COM) port on your management computer.
  2. On your management computer, start PuTTY.
  3. In the Category tree on the left, go to Connection > Serial and configure the following:

     Serial port     COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)
     Speed (baud)    9600
     Data bits       8
     Stop bits       1
     Parity          None
     Flow control    None

  4. In the Category tree on the left, go to Session (not the sub-node, Logging) and from Connection type, select Serial.
  5. Click Open.
  6. Press the Enter key to initiate a connection.
  7. The login prompt appears. When the system first boots up, the admin account is forced to set up a new password.
  8. Type a valid administrator account name then press Enter.
  9. Type the password for that administrator account and press Enter.

The CLI displays the following text, followed by a command line prompt:

Welcome!

You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.

Enabling access to the CLI through the network

SSH, Telnet, or CLI Console widget (via the web UI) access to the CLI requires connecting your computer to the FortiADC appliance using one of its RJ-45 network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.

If you do not want to use an SSH/Telnet client and you have access to the web UI, you can alternatively access the CLI through the network using the CLI Console widget in the web UI.

You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer is not connected directly or through a switch, you must also configure the FortiADC appliance with a static route to a router that can forward packets from the FortiADC appliance to your computer.

You can do this using either:

  • a local console connection (see the following procedure)
  • the web UI
Requirements
  • a computer with an available serial communications (COM) port and RJ-45 port
  • terminal emulation software such as PuTTY
  • the RJ-45-to-DB-9 or null modem cable included in your FortiADC package
  • a crossover Ethernet cable (if connecting directly) or straight-through Ethernet cable (if connecting through a switch or router)
To enable SSH or Telnet access to the CLI using a local console connection
  1. Using the network cable, connect the FortiADC appliance’s network port either directly to your computer’s network port, or to a network through which your computer can reach the FortiADC appliance.
  2. Note the number of the physical network port.
  3. Using a local console connection, connect and log into the CLI.
  4. Enter the following commands:

       config system interface
         edit <interface_name>
           set allowaccess {http https ping snmp ssh telnet}
         end

     where:

     <interface_name> is the name of the network interface associated with the physical network port, such as port1

     {http https ping snmp ssh telnet} is the complete, space-delimited list of permitted administrative access protocols, such as https ssh telnet; omit protocols that you do not want to permit

     For example, to exclude HTTP, SNMP, and Telnet, and allow only HTTPS, ICMP ECHO (ping), and SSH administrative access on port1:

       config system interface
         edit "port1"
           set allowaccess ping https ssh
         next
       end

     Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.
  5. To confirm the configuration, enter the command to view the access settings for the interface:

       show system interface <interface_name>

     The CLI displays the settings, including the management access settings, for the interface.
  6. If you will be connecting indirectly, through one or more routers or firewalls, configure the appliance with at least one static route so that replies from the CLI can reach your client.
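The confirmation step (show system interface) is where a Telnet or HTTP entry left in the allowaccess list gets caught. The following Python script is an added example, not Fortinet code: it parses output in the config/edit/set/next/end layout shown above, reports interfaces that still permit a cleartext management protocol, and builds replacement set allowaccess lines that keep only the remaining protocols (since set allowaccess replaces the whole list). The sample output, its interface names and addresses are constructed, and the unset allowaccess form used when nothing remains is an assumption not taken from this page.

```python
"""Audit FortiADC 'show system interface' output for cleartext admin access.

Added example, not Fortinet code. Parses the config-style text printed by
'show system interface' and flags interfaces whose allowaccess list includes
telnet or http. The sample output below is constructed.
"""
import re
from typing import Dict, List

# Constructed sample output; interface names and addresses are made up.
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "port1"
        set ip 192.0.2.10/24
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 198.51.100.10/24
        set allowaccess http telnet ping
    next
    edit "port3"
        set ip 203.0.113.10/24
    next
end
"""

# Management protocols that carry credentials and sessions in cleartext.
CLEARTEXT_PROTOCOLS = {"telnet", "http"}


def parse_allowaccess(show_output: str) -> Dict[str, List[str]]:
    """Return {interface_name: [protocols]} for every 'edit' block.

    An interface with no 'set allowaccess' line maps to an empty list
    (no administrative access permitted on it).
    """
    result: Dict[str, List[str]] = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"\s]+)"?$', line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = re.match(r"^set\s+allowaccess\s+(.+)$", line)
        if m and current is not None:
            result[current] = m.group(1).split()
            continue
        if line == "next":
            current = None
    return result


def find_cleartext_access(show_output: str) -> Dict[str, List[str]]:
    """Return only the interfaces permitting a cleartext protocol, with the offending protocols."""
    findings: Dict[str, List[str]] = {}
    for name, protos in parse_allowaccess(show_output).items():
        bad = sorted(p for p in protos if p in CLEARTEXT_PROTOCOLS)
        if bad:
            findings[name] = bad
    return findings


def remediation_commands(show_output: str) -> List[str]:
    """Build CLI lines that drop cleartext protocols and keep the rest.

    'set allowaccess' replaces the entire list, so the retained protocols are
    re-listed in full. Assumption: 'unset allowaccess' clears the list when
    nothing should remain (that form is not shown on the page).
    """
    lines: List[str] = []
    for name, protos in parse_allowaccess(show_output).items():
        keep = [p for p in protos if p not in CLEARTEXT_PROTOCOLS]
        if keep == protos:
            continue  # nothing to change on this interface
        setting = f"set allowaccess {' '.join(keep)}" if keep else "unset allowaccess"
        lines += ["config system interface", f'    edit "{name}"', f"        {setting}", "    next", "end"]
    return lines


if __name__ == "__main__":
    for iface, protos in find_cleartext_access(SAMPLE_SHOW_OUTPUT).items():
        print(f"{iface}: cleartext admin access enabled: {' '.join(protos)}")
    print("\n".join(remediation_commands(SAMPLE_SHOW_OUTPUT)))
```

Paste the real output of show system interface into SAMPLE_SHOW_OUTPUT (or read it from a file) to run the check against an appliance; review the generated lines before entering them, as they only remove protocols and never add any.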

Connecting to the CLI using SSH

Once you configure the FortiADC appliance to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. Supported SSH protocol versions, ciphers, and bit strengths vary by whether or not you have enabled FIPS-CC mode or are using a low encryption (LENC) version, but generally include SSH version 2 with AES-128, 3DES, Blowfish, and SHA-1.

Requirements
  • a computer with an RJ-45 Ethernet port
  • a crossover Ethernet cable
  • an SSH client such as PuTTY
To connect to the CLI using SSH
  1. On your management computer, start PuTTY.
  2. Initially, the Session category of settings is displayed.

  3. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled SSH administrative access.
  4. In Port, type 22.
  5. From Connection type, select SSH.
  6. Click Open.
  7. The SSH client connects to the FortiADC appliance.

    The SSH client may display a warning if this is the first time you are connecting to the FortiADC appliance and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiADC appliance but it used a different IP address or SSH key. If your management computer is directly connected to the FortiADC appliance with no network hosts between them, this is normal.

  8. Click Yes to verify the fingerprint and accept the FortiADC appliance’s SSH key. You will not be able to log in until you have accepted the key.
  9. The CLI displays a login prompt.

  10. Type a valid administrator account name (such as admin) and press Enter.
  11. Type the password for this administrator account and press Enter.
If three incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then reconnect to attempt the login again.

The FortiADC appliance displays a command prompt (its hostname followed by a #). You can now enter CLI commands.
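Clicking Yes on the first-connection warning binds your client to whatever key answered, so the fingerprint in that dialog should be compared with one obtained out of band, for instance from the appliance over the local console. The following Python script is an added example, not Fortinet's or PuTTY's code: it shows how the SHA256 fingerprint that PuTTY and OpenSSH display is derived from the public key blob (SHA-256 of the decoded blob, base64 without padding), so a saved copy of the host key can be checked against the dialog. The key it builds is constructed from a fixed 32-byte value and is not a real FortiADC key; the ed25519 type is used only because its blob is easy to assemble, the fingerprint computation is the same for RSA keys.

```python
"""Derive an SSH host key's SHA256 fingerprint for out-of-band comparison.

Added example, not Fortinet or PuTTY code. The host key below is constructed
for the demonstration and is not a real appliance key.
"""
import base64
import hashlib
import hmac
import struct


def encode_ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_public_blob(raw_key: bytes) -> bytes:
    """Wire-format blob of an ssh-ed25519 public key: string(type) || string(key)."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return encode_ssh_string(b"ssh-ed25519") + encode_ssh_string(raw_key)


def fingerprint_sha256(authorized_keys_line: str) -> str:
    """Fingerprint in the form clients display: 'SHA256:' + unpadded base64 of sha256(blob).

    The input is one '<type> <base64-blob> [comment]' line, the same layout
    as an OpenSSH known_hosts entry without the host field.
    """
    fields = authorized_keys_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(authorized_keys_line: str, expected: str) -> bool:
    """Compare the computed fingerprint with the out-of-band value in constant time."""
    computed = fingerprint_sha256(authorized_keys_line).encode("ascii")
    return hmac.compare_digest(computed, expected.strip().encode("ascii"))


# Constructed host key: 32 bytes of 0x01 stand in for a real public key value.
CONSTRUCTED_KEY_LINE = (
    "ssh-ed25519 "
    + base64.b64encode(build_ed25519_public_blob(bytes([1]) * 32)).decode("ascii")
    + " demo-fortiadc"
)

if __name__ == "__main__":
    print(fingerprint_sha256(CONSTRUCTED_KEY_LINE))
```

To use it for a real check, replace CONSTRUCTED_KEY_LINE with the appliance's public host key obtained from a trusted path, and pass the fingerprint shown in the PuTTY dialog to fingerprint_matches; a False result means the key that answered is not the one you recorded.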

Connecting to the CLI using Telnet

Once the FortiADC appliance is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.
Requirements
  • a computer with an RJ-45 Ethernet port
  • a crossover Ethernet cable
  • a FortiADC network interface configured to accept Telnet connections
  • terminal emulation software such as PuTTY
To connect to the CLI using Telnet
  1. On your management computer, start PuTTY.
  2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled Telnet administrative access.
  3. In Port, type 23.
  4. From Connection type, select Telnet.
  5. Click Open.
  6. Type a valid administrator account name (such as admin) and press Enter.
  7. Type the password for this administrator account and press Enter.
If three incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then reconnect to attempt the login again.

The CLI displays a command line prompt (by default, its host name followed by a #). You can now enter CLI commands.
