CLI command branches
The FortiAnalyzer CLI consists of the following command branches:
Examples showing how to enter command sequences within each branch are provided in the following sections.
config branch
The config commands configure objects of FortiAnalyzer functionality. Top-level objects are not configurable; they are containers for more specific lower-level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of variables that you can set to particular values. Simpler objects, such as system DNS, are a single set of variables.
To configure an object, you use the config command to navigate to the object’s command “shell”. For example, to configure administrators, you enter the command:
config system admin user
The command prompt changes to show that you are in the admin shell.
(user)#
This is a table shell. You can use any of the following commands:
edit | Add an entry to the FortiAnalyzer configuration or edit an existing entry. For example in the
delete | Remove an entry from the FortiAnalyzer configuration. For example in the
purge | Remove all entries configured in the current shell. For example in the
get | List the configuration. In a table shell,
show | Show changes to the default configuration as configuration commands.
end | Save the changes you have made in the current shell and leave the shell. Every The
If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:
edit admin_1
The FortiAnalyzer unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:
new entry 'admin_1' added
(admin_1)#
From this prompt, you can use any of the following commands:
config | In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to restrict the user to specific devices or VDOMs.
set | Assign values. For example from the When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
unset | Reset values to defaults. For example from the
get | List the configuration. In a table shell,
show | Show changes to the default configuration in the form of configuration commands.
next | Save the changes you have made in the current shell and continue working in the shell. For example if you want to add several new admin user accounts enter the
abort | Exit an edit shell without saving the configuration.
end | Save the changes you have made in the current shell and leave the shell. Every The
The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell, you must leave the shell you are working in and enter the other shell.
get branch
Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell.
To use get from the root prompt, you must include a path to a shell.
The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).
Example 1
When you type get in the config system admin user shell, the list of administrators is displayed.
At the (user)# prompt, type:
get
The screen displays:
== [ admin ]
userid: admin
== [ admin2 ]
userid: admin2
== [ admin3 ]
userid: admin3
Example 2
When you type get in the admin user shell, the configuration values for the admin administrator account are displayed.
edit admin
At the (admin)# prompt, type:
get
The screen displays:
userid : admin
login-max : 32
password : *
change-password : enable
trusthost1 : 0.0.0.0 0.0.0.0
trusthost2 : 255.255.255.255 255.255.255.255
trusthost3 : 255.255.255.255 255.255.255.255
trusthost4 : 255.255.255.255 255.255.255.255
trusthost5 : 255.255.255.255 255.255.255.255
trusthost6 : 255.255.255.255 255.255.255.255
trusthost7 : 255.255.255.255 255.255.255.255
trusthost8 : 255.255.255.255 255.255.255.255
trusthost9 : 255.255.255.255 255.255.255.255
trusthost10 : 255.255.255.255 255.255.255.255
ipv6_trusthost1 : ::/0
ipv6_trusthost2 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
ipv6_trusthost3 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
ipv6_trusthost4 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
ipv6_trusthost5 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
ipv6_trusthost6 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
ipv6_trusthost7 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
ipv6_trusthost8 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
ipv6_trusthost9 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
ipv6_trusthost10 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
profileid : Super_User
dev-group : (null)
description : (null)
user_type : local
ssh-public-key1 :
ssh-public-key2 :
ssh-public-key3 :
avatar : (null)
meta-data:
== [ Contact Email ]
fieldname: Contact Email
== [ Contact Phone ]
fieldname: Contact Phone
password-expire : 0000-00-00 00:00:00
force-password-change: disable
rpc-permit : none
use-global-theme : enable
last-name : (null)
first-name : (null)
email-address : (null)
phone-number : (null)
mobile-number : (null)
pager-number : (null)
hidden : 0
dashboard-tabs:
dashboard:
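In the output above, trusthost1 is 0.0.0.0 0.0.0.0 and ipv6_trusthost1 is ::/0, which match every source address, while the all-ones entries are unused slots. The following Python script is an added example, not Fortinet code: it parses get output in this layout and reports which trusted-host slots are open. The sample text (including the restricted trusthost3 value) and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed input: abridged from the layout of Example 2, with one
# restricted slot (trusthost3) added for contrast. Not device output.
SAMPLE_GET = """\
userid : admin
trusthost1 : 0.0.0.0 0.0.0.0
trusthost2 : 255.255.255.255 255.255.255.255
trusthost3 : 10.20.30.0 255.255.255.0
ipv6_trusthost1 : ::/0
ipv6_trusthost2 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
profileid : Super_User
meta-data:
== [ Contact Email ]
fieldname: Contact Email
"""

FIELD = re.compile(r"^\s*([\w-]+)\s*:\s*(.*)$")

def parse_get(text):
    """Map 'name : value' lines to a dict; '== [ x ]' row headers are skipped."""
    return {m.group(1): m.group(2).strip()
            for m in map(FIELD.match, text.splitlines()) if m}

def to_network(name, value):
    """Return the ip_network for a trusted-host field, or None for other fields."""
    if name.startswith("trusthost") and len(value.split()) == 2:
        return ipaddress.ip_network("/".join(value.split()), strict=False)
    if name.startswith("ipv6_trusthost") and value:
        return ipaddress.ip_network(value, strict=False)
    return None

def audit_trusthosts(fields):
    """Split trusted-host slots into 'open' (match any source) and 'restricted'."""
    report = {"open": [], "restricted": []}
    for name, value in fields.items():
        net = to_network(name, value)
        if net is None:
            continue
        all_ones = (1 << net.max_prefixlen) - 1
        if net.prefixlen == net.max_prefixlen and int(net.network_address) == all_ones:
            continue  # all-ones address and mask: the slot is unused
        key = "open" if net.prefixlen == 0 else "restricted"
        report[key].append((name, str(net)))
    return report

if __name__ == "__main__":
    print(audit_trusthosts(parse_get(SAMPLE_GET)))
```

An account whose report has any "open" entry accepts logins from any address that can reach an interface with administrative access enabled.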
Example 3
You want to confirm the IP address and netmask of the port1 interface from the root prompt.
At the (command) # prompt, type:
get system interface port1
The screen displays:
name : port1
status : enable
ip : ***.**.***.** 255.255.255.0
allowaccess : https ssh
speed : auto
description : (null)
alias : (null)
mtu : 1500
type : physical
ipv6:
ip6-address: ::/0
ip6-allowaccess:
ip6-autoconf: enable
show branch
Use show to display the FortiAnalyzer unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.
To display the configuration of all config shells, you can use show from the root prompt. The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).
Example 1
When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed.
At the (port1)# prompt, type:
show
The screen displays:
config system interface
edit "port1"
set ip ***.**.***.** 255.255.255.0
set allowaccess https ssh
next
end
Example 2
You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type:
show system dns
The screen displays:
config system dns
set primary 65.39.139.53
set secondary 65.39.139.63
end
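Because show prints the configuration as the same config, edit, set, next and end commands you would type, a saved listing can be parsed back into a tree for auditing or comparison. The following Python script is an added example, not Fortinet code: it rebuilds that tree, rejects unpaired config/end or edit/next, and lists the allowaccess protocols per interface. The function names and the sample address 192.0.2.10 are constructed for illustration.

```python
import shlex

# Constructed input: the two `show` listings from this page joined together.
# 192.0.2.10 is a documentation address standing in for the masked IP.
SAMPLE_SHOW = '''\
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess https ssh
    next
end
config system dns
    set primary 65.39.139.53
    set secondary 65.39.139.63
end
'''

def parse_show(text):
    """Build a nested dict from `show` output.

    config shells and edit entries become dicts keyed by their name; each
    `set` stores its values as a list (`unset` stores an empty list). Raises
    ValueError when a config is not closed by end or an edit by next.
    """
    root = {}
    stack = [("root", root)]  # (command that opened the shell, its dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw)  # strips the quotes around "port1"
        if not words:
            continue
        cmd, args = words[0], words[1:]
        opener, node = stack[-1]
        if (cmd == "config" or (cmd == "edit" and opener == "config")) and args:
            stack.append((cmd, node.setdefault(" ".join(args), {})))
        elif cmd in ("set", "unset") and opener != "root" and args:
            node[args[0]] = args[1:]
        elif (cmd, opener) in (("end", "config"), ("next", "edit")):
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: {cmd!r} not valid inside {opener!r}")
    if len(stack) > 1:
        raise ValueError(f"{stack[-1][0]!r} shell was never closed")
    return root

def allowaccess(tree):
    """Return {interface name: [protocols]} from a parsed configuration."""
    interfaces = tree.get("system interface", {})
    return {name: cfg.get("allowaccess", []) for name, cfg in interfaces.items()}
```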
execute branch
Use execute to run static commands, to reset the FortiAnalyzer unit to factory defaults, or to back up or restore the FortiAnalyzer configuration. The execute commands are available only from the root prompt.
The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).
Example
At the root prompt, type:
execute reboot
The system will be rebooted.
Do you want to continue? (y/n)
and press Enter to restart the FortiAnalyzer unit.
diagnose branch
Commands in the diagnose branch are used for debugging the operation of the FortiAnalyzer unit and to set parameters for displaying different levels of diagnostic information.
Diagnose commands are intended for advanced users only. Contact Fortinet Technical Support before using these commands.
Example command sequences
The command prompt changes for each shell.
To configure the primary and secondary DNS server addresses:
- Starting at the root prompt, type:
config system dns
and press Enter. The prompt changes to (dns)#.
- At the (dns)# prompt, type ? (question mark).
The following options are displayed.
set
unset
get
show
abort
end
- Type set ? (question mark).
The following options are displayed:
primary
secondary
ip6-primary
ip6-secondary
- To set the primary DNS server address to 172.16.100.100, type:
set primary 172.16.100.100
and press Enter.
- To set the secondary DNS server address to 207.104.200.1, type:
set secondary 207.104.200.1
and press Enter.
- To restore the primary DNS server address to the default address, type unset primary and press Enter.
- If you want to leave the config system dns shell without saving your changes, type abort and press Enter.
- To save your changes and exit the dns sub-shell, type end and press Enter.
- To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.