CLI Reference

Introduction
- FortiAnalyzer documentation
What’s New in FortiAnalyzer 6.4
Using the Command Line Interface
Administrative Domains
- About ADOMs
- Configuring ADOMs
system
fmupdate
fortirecorder
- camera
- global
- schedule
execute
- add-mgmt-license
- add-on-license
- add-vm-license
- backup
- bootimage
- certificate
  - certificate ca
  - certificate local
  - certificate remote
- console
- date
- device
- erase-disk
- factory-license
- fmupdate
  - Syntax
  - fmupdate cdrom
- format
- fortirecorder
- iotop
- iotps
- log
  - log adom disk-quota
  - log device disk-quota
  - log device logstore
  - log device permissions
  - log device vdom
  - log dlp-files clear
  - log import
  - log ips-pkt clear
  - log quarantine-files clear
  - log storage-warning
- log-aggregation
- log-fetch
  - log-fetch client
  - log-fetch server
- log-integrity
- lvm
- migrate
- ping
- ping6
- raid
- reboot
- remove
- reset
- restore
- sensor
- shutdown
- sql-local
- sql-query-dataset
- sql-query-generic
- sql-report
- ssh
- ssh-known-hosts
- tac
- time
- top
  - Syntax
  - execute top help menu
- traceroute
- traceroute6
diagnose
- auto-delete
- cdb
- debug
  - debug application
  - debug backup-oldformat-script-logs
  - debug cdbchk
  - debug cli
  - debug console
  - debug coredump
  - debug crashlog
  - debug disable
  - debug enable
  - debug gui
  - debug info
  - debug klog
  - debug library
  - debug reset
  - debug service
  - debug sysinfo
  - debug sysinfo-log
  - debug sysinfo-log-backup
  - debug sysinfo-log-list
  - debug timestamp
  - debug vmd
  - debug vminfo
- dlp-archives
- docker
- dvm
  - dvm adom
  - dvm capability
  - dvm chassis
  - dvm check-integrity
  - dvm csf
  - dvm dbstatus
  - dvm debug
  - dvm device
  - dvm device-tree-update
  - dvm extender
  - dvm fap
  - dvm fsw
  - dvm group
  - dvm lock
  - dvm proc
  - dvm remove
  - dvm supported-platforms
  - dvm task
  - dvm taskline
  - dvm transaction-flag
  - dvm workflow
- faz-cdb
- fmnetwork
  - fmnetwork arp
  - fmnetwork interface
  - fmnetwork netstat
- fmupdate
- fortilogd
- fortirecorder
- fwmanager
- ha
- hardware
- incident
- license
- log
- pm2
- report
- rtm
- siem
- sniffer
- sql
- svctools
- system
- test
  - test application
  - test connection
  - test policy-check
  - test search
  - test sftp
- upload
  - upload clear
  - upload status
- vpn
get
show
Appendix A - Object Tables
Appendix B - CLI Error Codes

Home FortiAnalyzer 6.4.11 CLI Reference

6.4.11

fips

Use this command to set the Federal Information Processing Standards (FIPS) status. FIPS mode is an enhanced security option for some FortiAnalyzer models. Installation of FIPS firmware is required only if the unit was not ordered with this firmware pre-installed.

FIPS mode can only be enabled via console.

Syntax

config system fips

set status enable

set entropy-token {enable | disable | dynamic}

set re-seed-interval <integer>

end

Variable	Description
status enable	Enable the FIPS-CC mode of operation. Note: enable option is available only via console and when the device is not in FIPS mode.
entropy-token {enable \| disable \| dynamic}	Configure support for the FortiTRNG entropy token when switching to FIPS mode: `enable`: The token must be present during boot up and reseeding. If the token is not present, the boot up or reseeding is interrupted until the token is inserted. `disable`: The current entropy implementation is used to seed the Random Number Generator (RNG) (default). `dynamic`: The token is used to seed or reseed the RNG if it is present. If the token is not present, the boot process is not blocked and the old entropy implementation is used.
re-seed-interval <integer>	The amount of time between RNG reseeding, in minutes (0 - 1440, default = 1440).

Variable

Description

status enable

Enable the FIPS-CC mode of operation.

Note: enable option is available only via console and when the device is not in FIPS mode.

entropy-token {enable | disable | dynamic}

Configure support for the FortiTRNG entropy token when switching to FIPS mode:

enable: The token must be present during boot up and reseeding. If the token is not present, the boot up or reseeding is interrupted until the token is inserted.
disable: The current entropy implementation is used to seed the Random Number Generator (RNG) (default).
dynamic: The token is used to seed or reseed the RNG if it is present. If the token is not present, the boot process is not blocked and the old entropy implementation is used.

re-seed-interval <integer>

The amount of time between RNG reseeding, in minutes (0 - 1440, default = 1440).

fips

FIPS mode can only be enabled via console.

Syntax

config system fips

set status enable

set entropy-token {enable | disable | dynamic}

set re-seed-interval <integer>

end

Variable	Description
status enable	Enable the FIPS-CC mode of operation. Note: enable option is available only via console and when the device is not in FIPS mode.
entropy-token {enable \| disable \| dynamic}	Configure support for the FortiTRNG entropy token when switching to FIPS mode: `enable`: The token must be present during boot up and reseeding. If the token is not present, the boot up or reseeding is interrupted until the token is inserted. `disable`: The current entropy implementation is used to seed the Random Number Generator (RNG) (default). `dynamic`: The token is used to seed or reseed the RNG if it is present. If the token is not present, the boot process is not blocked and the old entropy implementation is used.
re-seed-interval <integer>	The amount of time between RNG reseeding, in minutes (0 - 1440, default = 1440).

Variable

Description

status enable

Enable the FIPS-CC mode of operation.

Note: enable option is available only via console and when the device is not in FIPS mode.

entropy-token {enable | disable | dynamic}

Configure support for the FortiTRNG entropy token when switching to FIPS mode:

enable: The token must be present during boot up and reseeding. If the token is not present, the boot up or reseeding is interrupted until the token is inserted.
disable: The current entropy implementation is used to seed the Random Number Generator (RNG) (default).
dynamic: The token is used to seed or reseed the RNG if it is present. If the token is not present, the boot process is not blocked and the old entropy implementation is used.

re-seed-interval <integer>

The amount of time between RNG reseeding, in minutes (0 - 1440, default = 1440).

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

fips

fips

Syntax

fips

fips

Syntax