Fortinet white logo
Fortinet white logo

CLI Reference

CLI command branches

CLI command branches

The FortiAnalyzer CLI consists of the following command branches:

config branch

execute branch

get branch

diagnose branch

show branch

Examples showing how to enter command sequences within each branch are provided in the following sections.

config branch

The config commands configure objects of FortiAnalyzer functionality. Top-level objects are not configurable, they are containers for more specific lower level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of variables that you can set to particular values. Simpler objects, such as system DNS, are a single set of variables.

To configure an object, you use the config command to navigate to the object’s command “shell”. For example, to configure administrators, you enter the command

config system admin user

The command prompt changes to show that you are in the admin shell.

(user)#

This is a table shell. You can use any of the following commands:

edit

Add an entry to the FortiAnalyzer configuration or edit an existing entry. For example in the config system admin shell:

  • Type edit admin and press Enter to edit the settings for the default admin administrator account.
  • Type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.

delete

Remove an entry from the FortiAnalyzer configuration. For example in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.

purge

Remove all entries configured in the current shell. For example in the config user local shell:

  • Type get to see the list of user names added to the FortiAnalyzer configuration,
  • Type purge and then y to confirm that you want to purge all the user names,
  • Type get again to confirm that no user names are displayed.

get

List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values.

show

Show changes to the default configuration as configuration commands.

end

Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You will return to the root FortiAnalyzer CLI prompt.

The end command is also used to save set command changes and leave the shell.

If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:

edit admin_1

The FortiAnalyzer unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:

new entry 'admin_1' added

(admin_1)#

From this prompt, you can use any of the following commands:

config

In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add restrict the user to specific devices or VDOMs.

set

Assign values. For example from the edit admin command shell, typing set password newpass changes the password of the admin administrator account to newpass.

When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.

unset

Reset values to defaults. For example from the edit admin command shell, typing unset password resets the password of the admin administrator account to the default of no password.

get

List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values.

show

Show changes to the default configuration in the form of configuration commands.

next

Save the changes you have made in the current shell and continue working in the shell. For example if you want to add several new admin user accounts enter the config system admin user shell.

  • Type edit User1 and press Enter.
  • Use the set commands to configure the values for the new admin account.
  • Type next to save the configuration for User1 without leaving the config system admin user shell.
  • Continue using the edit, set, and next commands to continue adding admin user accounts.
  • Type end and press Enter to save the last configuration and leave the shell.

abort

Exit an edit shell without saving the configuration.

end

Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command.

The end command is also used to save set command changes and leave the shell.

The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell you must leave the shell you are working in and enter the other shell.

get branch

Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell.

To use get from the root prompt, you must include a path to a shell.

The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example 1

When you type get in the config system admin user shell, the list of administrators is displayed.

At the (user)# prompt, type:

get

The screen displays:

== [ admin ]

userid: admin

== [ admin2 ]

userid: admin2

== [ admin3 ]

userid: admin3

Example 2

When you type get in the admin user shell, the configuration values for the admin administrator account are displayed.

edit admin

At the (admin)# prompt, type:

get

The screen displays:

userid : admin

login-max : 32

password : *

change-password : enable

trusthost1 : 0.0.0.0 0.0.0.0

trusthost2 : 255.255.255.255 255.255.255.255

trusthost3 : 255.255.255.255 255.255.255.255

trusthost4 : 255.255.255.255 255.255.255.255

trusthost5 : 255.255.255.255 255.255.255.255

trusthost6 : 255.255.255.255 255.255.255.255

trusthost7 : 255.255.255.255 255.255.255.255

trusthost8 : 255.255.255.255 255.255.255.255

trusthost9 : 255.255.255.255 255.255.255.255

trusthost10 : 255.255.255.255 255.255.255.255

ipv6_trusthost1 : ::/0

ipv6_trusthost2 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost3 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost4 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost5 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost6 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost7 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost8 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost9 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost10 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

profileid : Super_User

dev-group : (null)

description : (null)

user_type : local

ssh-public-key1 :

ssh-public-key2 :

ssh-public-key3 :

avatar : (null)

meta-data:

== [ Contact Email ]

fieldname: Contact Email

== [ Contact Phone ]

fieldname: Contact Phone

password-expire : 0000-00-00 00:00:00

force-password-change: disable

rpc-permit : none

use-global-theme : enable

last-name : (null)

first-name : (null)

email-address : (null)

phone-number : (null)

mobile-number : (null)

pager-number : (null)

hidden : 0

dashboard-tabs:

dashboard:

Example 3

You want to confirm the IP address and netmask of the port1 interface from the root prompt.

At the (command) # prompt, type:

get system interface port1

The screen displays:

name : port1

status : enable

ip : ***.**.***.** 255.255.255.0

allowaccess : https ssh

speed : auto

description : (null)

alias : (null)

mtu : 1500

type : physical

ipv6:

ip6-address: ::/0 ip6-allowaccess: ip6-autoconf: enable

show branch

Use show to display the FortiAnalyzer unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.

To display the configuration of all config shells, you can use show from the root prompt. The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example 1

When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed.

At the (port1)# prompt, type:

show

The screen displays:

config system interface

edit "port1"

set ip ***.**.***.** 255.255.255.0

set allowaccess https ssh

next

end

Example 2

You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type:

show system dns

The screen displays:

config system dns

set primary 65.39.139.53

set secondary 65.39.139.63

end

execute branch

Use execute to run static commands, to reset the FortiAnalyzer unit to factory defaults, or to back up or restore the FortiAnalyzer configuration. The execute commands are available only from the root prompt.

The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example

At the root prompt, type:

execute reboot

The system will be rebooted.

Do you want to continue? (y/n)

and press Enter to restart the FortiAnalyzer unit.

diagnose branch

Commands in the diagnose branch are used for debugging the operation of the FortiAnalyzer unit and to set parameters for displaying different levels of diagnostic information.

Diagnose commands are intended for advanced users only. Contact Fortinet Technical Support before using these commands.

Example command sequences

The command prompt changes for each shell.

To configure the primary and secondary DNS server addresses:
  1. Starting at the root prompt, type:

    config system dns

    and press Enter. The prompt changes to (dns)#.

  2. At the (dns)# prompt, type (question mark) ?

    The following options are displayed.

    set

    unset

    get

    show

    abort

    end

  3. Type set (question mark)?

    The following options are displayed:

    primary

    secondary

    ip6-primary

    ip6-secondary

  4. To set the primary DNS server address to 172.16.100.100, type:

    set primary 172.16.100.100

    and press Enter.

  5. To set the secondary DNS server address to 207.104.200.1, type:

    set secondary 207.104.200.1

    and press Enter.

  6. To restore the primary DNS server address to the default address, type unset primary and press Enter.
  7. If you want to leave the config system dns shell without saving your changes, type abort and press Enter.
  8. To save your changes and exit the dns sub-shell, type end and press Enter.
  9. To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.

CLI command branches

CLI command branches

The FortiAnalyzer CLI consists of the following command branches:

config branch

execute branch

get branch

diagnose branch

show branch

Examples showing how to enter command sequences within each branch are provided in the following sections.

config branch

The config commands configure objects of FortiAnalyzer functionality. Top-level objects are not configurable, they are containers for more specific lower level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of variables that you can set to particular values. Simpler objects, such as system DNS, are a single set of variables.

To configure an object, you use the config command to navigate to the object’s command “shell”. For example, to configure administrators, you enter the command

config system admin user

The command prompt changes to show that you are in the admin shell.

(user)#

This is a table shell. You can use any of the following commands:

edit

Add an entry to the FortiAnalyzer configuration or edit an existing entry. For example in the config system admin shell:

  • Type edit admin and press Enter to edit the settings for the default admin administrator account.
  • Type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.

delete

Remove an entry from the FortiAnalyzer configuration. For example in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.

purge

Remove all entries configured in the current shell. For example in the config user local shell:

  • Type get to see the list of user names added to the FortiAnalyzer configuration,
  • Type purge and then y to confirm that you want to purge all the user names,
  • Type get again to confirm that no user names are displayed.

get

List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values.

show

Show changes to the default configuration as configuration commands.

end

Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You will return to the root FortiAnalyzer CLI prompt.

The end command is also used to save set command changes and leave the shell.

If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:

edit admin_1

The FortiAnalyzer unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:

new entry 'admin_1' added

(admin_1)#

From this prompt, you can use any of the following commands:

config

In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add restrict the user to specific devices or VDOMs.

set

Assign values. For example from the edit admin command shell, typing set password newpass changes the password of the admin administrator account to newpass.

When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.

unset

Reset values to defaults. For example from the edit admin command shell, typing unset password resets the password of the admin administrator account to the default of no password.

get

List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values.

show

Show changes to the default configuration in the form of configuration commands.

next

Save the changes you have made in the current shell and continue working in the shell. For example if you want to add several new admin user accounts enter the config system admin user shell.

  • Type edit User1 and press Enter.
  • Use the set commands to configure the values for the new admin account.
  • Type next to save the configuration for User1 without leaving the config system admin user shell.
  • Continue using the edit, set, and next commands to continue adding admin user accounts.
  • Type end and press Enter to save the last configuration and leave the shell.

abort

Exit an edit shell without saving the configuration.

end

Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command.

The end command is also used to save set command changes and leave the shell.

The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell you must leave the shell you are working in and enter the other shell.

get branch

Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell.

To use get from the root prompt, you must include a path to a shell.

The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example 1

When you type get in the config system admin user shell, the list of administrators is displayed.

At the (user)# prompt, type:

get

The screen displays:

== [ admin ]

userid: admin

== [ admin2 ]

userid: admin2

== [ admin3 ]

userid: admin3

Example 2

When you type get in the admin user shell, the configuration values for the admin administrator account are displayed.

edit admin

At the (admin)# prompt, type:

get

The screen displays:

userid : admin

login-max : 32

password : *

change-password : enable

trusthost1 : 0.0.0.0 0.0.0.0

trusthost2 : 255.255.255.255 255.255.255.255

trusthost3 : 255.255.255.255 255.255.255.255

trusthost4 : 255.255.255.255 255.255.255.255

trusthost5 : 255.255.255.255 255.255.255.255

trusthost6 : 255.255.255.255 255.255.255.255

trusthost7 : 255.255.255.255 255.255.255.255

trusthost8 : 255.255.255.255 255.255.255.255

trusthost9 : 255.255.255.255 255.255.255.255

trusthost10 : 255.255.255.255 255.255.255.255

ipv6_trusthost1 : ::/0

ipv6_trusthost2 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost3 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost4 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost5 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost6 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost7 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost8 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost9 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost10 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

profileid : Super_User

dev-group : (null)

description : (null)

user_type : local

ssh-public-key1 :

ssh-public-key2 :

ssh-public-key3 :

avatar : (null)

meta-data:

== [ Contact Email ]

fieldname: Contact Email

== [ Contact Phone ]

fieldname: Contact Phone

password-expire : 0000-00-00 00:00:00

force-password-change: disable

rpc-permit : none

use-global-theme : enable

last-name : (null)

first-name : (null)

email-address : (null)

phone-number : (null)

mobile-number : (null)

pager-number : (null)

hidden : 0

dashboard-tabs:

dashboard:

Example 3

You want to confirm the IP address and netmask of the port1 interface from the root prompt.

At the (command) # prompt, type:

get system interface port1

The screen displays:

name : port1

status : enable

ip : ***.**.***.** 255.255.255.0

allowaccess : https ssh

speed : auto

description : (null)

alias : (null)

mtu : 1500

type : physical

ipv6:

ip6-address: ::/0 ip6-allowaccess: ip6-autoconf: enable

show branch

Use show to display the FortiAnalyzer unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.

To display the configuration of all config shells, you can use show from the root prompt. The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example 1

When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed.

At the (port1)# prompt, type:

show

The screen displays:

config system interface

edit "port1"

set ip ***.**.***.** 255.255.255.0

set allowaccess https ssh

next

end

Example 2

You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type:

show system dns

The screen displays:

config system dns

set primary 65.39.139.53

set secondary 65.39.139.63

end

execute branch

Use execute to run static commands, to reset the FortiAnalyzer unit to factory defaults, or to back up or restore the FortiAnalyzer configuration. The execute commands are available only from the root prompt.

The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example

At the root prompt, type:

execute reboot

The system will be rebooted.

Do you want to continue? (y/n)

and press Enter to restart the FortiAnalyzer unit.

diagnose branch

Commands in the diagnose branch are used for debugging the operation of the FortiAnalyzer unit and to set parameters for displaying different levels of diagnostic information.

Diagnose commands are intended for advanced users only. Contact Fortinet Technical Support before using these commands.

Example command sequences

The command prompt changes for each shell.

To configure the primary and secondary DNS server addresses:
  1. Starting at the root prompt, type:

    config system dns

    and press Enter. The prompt changes to (dns)#.

  2. At the (dns)# prompt, type (question mark) ?

    The following options are displayed.

    set

    unset

    get

    show

    abort

    end

  3. Type set (question mark)?

    The following options are displayed:

    primary

    secondary

    ip6-primary

    ip6-secondary

  4. To set the primary DNS server address to 172.16.100.100, type:

    set primary 172.16.100.100

    and press Enter.

  5. To set the secondary DNS server address to 207.104.200.1, type:

    set secondary 207.104.200.1

    and press Enter.

  6. To restore the primary DNS server address to the default address, type unset primary and press Enter.
  7. If you want to leave the config system dns shell without saving your changes, type abort and press Enter.
  8. To save your changes and exit the dns sub-shell, type end and press Enter.
  9. To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.