Administration Guide

CLI commands

The FortiAuthenticator has CLI commands that are accessed using SSH or through the CLI console if a FortiAuthenticator is installed on a FortiHypervisor. The commands can be used to initially configure the unit, perform a factory reset, or reset the values if the GUI is not accessible.

All FortiAuthenticator CLI commands fall under the following initial setup commands:

  • config router static
  • config system dns
  • config system global
  • config system ha
  • config system interface

The FortiAuthenticator-VM's console allows scrolling up and down through the CLI output by using Shift+PageUp and Shift+PageDown.

As in FortiOS, the ? key displays all options available at your current position in the command hierarchy.

Note that get, execute, and diagnose commands are also available.

| Command | Description |
| --- | --- |
| `?` | Display list of valid CLI commands. |
| `exit` | Terminate the CLI session. |
| `show` | Display bootstrap configuration. |
| `set port1-ip <IP/netmask>` | Enter the IPv4 address and netmask for the port1 interface. Netmask is expected in the /xx format, for example 192.168.0.1/24. After this port is configured, you can use the GUI to configure the remaining ports. |
| `set default-gw <IP>` | Enter the IPv4 address of the default gateway for this interface. This is the default route for this interface. |
| `set date <YYYY-MM-DD>` | Enter the current date. Valid format is four digit year, two digit month, and two digit day. For example: set date 2014-08-12 sets the date to August 12, 2014. |
| `set time <HH:MM:SS>` | Enter the current time. Valid format is two digits each for hours, minutes, and seconds. 24-hour clock is used. For example, 15:10:00 is 3:10 PM. |
| `set tz <timezone_index>` | Enter the current time zone using the time zone index. To see a list of index numbers and their corresponding time zones, enter set tz ?. |
| `set ha-mode {enable \| disable}` | Enable or disable (default) HA mode. |
| `set ha-port <interface>` | Select a network interface to use for communication between the two cluster members. This interface must not already have an IP address assigned and it cannot be used for authentication services. Both units must use the same interface for HA communication. |
| `set ns-gw <gateway>` | Set a default gateway for the HA management interface. |
| `set ha-priority {high \| low}` | Set to low on one unit and high on the other. Normally, the unit with high priority is the primary unit. |
| `set ha-password <password>` | Set the HA password. |
| `set ha-mgmt-ip <IP/netmask>` | Enter the IP address, with netmask, that this unit uses for HA related communication with the other FortiAuthenticator unit (e.g. 1.2.3.4/24). The two units must have different addresses. Usually, you should assign addresses on the same private subnet. |
| `set ha-mgmt-access {ssh \| https \| http}` | Select the types of administrative access to allow. |
| `set ha-dbg-level <level>` | Enter the level for HA service debug logs. Range: -4 (fatal) to 4 (debug high). Default: -2 (warn). |
| `unset <setting>` | Restore default value. For each set command listed above, there is an unset command, for example unset port1-ip. |
| `raid-add-disk <slot>` | Add a disk to a degraded RAID array. |
| `ha-rebuild` | Rebuild the configuration database from scratch using the HA peer's configuration. |
| `restore-admin` | Restore the factory reset admin access settings to the port1 network interface. |
| `reboot` | Perform a hard restart of FortiAuthenticator. All sessions are terminated. The unit goes offline and a delay occurs while it restarts. |
| `factory-reset` | Enter this command to reset the FortiAuthenticator settings to factory default settings. This includes clearing the user database. This procedure deletes all changes that you have made to the FortiAuthenticator configuration and reverts the system to its original configuration, including resetting interface addresses. |
| `shutdown` | Turn off the FortiAuthenticator. |
| `status` | Display basic system status information including firmware version, build number, serial number of the unit, and system time. |
| `hardware-info` | Display general hardware status information. |
| `disk-attributes` | Display system disk attributes. |
| `disk-errors` | Display any system disk errors. |
| `disk-health` | Display disk health information. |
| `disk-info` | Display disk hardware status information. |
| `raid-hwinfo` | Display RAID hardware status information. |
| `nslookup` | Basic tool for DNS debugging. |
| `dig` | Advanced DNS debugging. |
| `ping` | Test network connectivity to another network host. |
| `tcpdump` | Examine local network traffic. |
| `tcpdumpfile` | Same as tcpdump, but the output is written to a file that can be downloaded from the debug logs. Debug logs can be accessed via your web browser by navigating to https://<FortiAuthenticator-IP-Address>/debug. For more information, see Debug logs. |
| `traceroute` | Examine the route taken to another network host. |
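
The HA settings above carry rules that span both cluster members (same ha-port, opposite ha-priority, different ha-mgmt-ip addresses, usually on one subnet). The following Python pre-flight check is an added example, not part of the Fortinet guide; it validates planned values for both units before they are typed into the CLI. The dictionary layout, the interface name port2 and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_cidr(value):
    """Parse 'a.b.c.d/xx'; reject a missing or dotted-quad netmask."""
    _, sep, prefix = value.partition("/")
    if not sep or not prefix.isdigit():
        raise ValueError(f"{value!r} is not in IP/xx format")
    return ipaddress.IPv4Interface(value)

def check_unit(name, unit):
    """Check one unit's planned values (a dict keyed by setting name)."""
    problems = []
    for key in ("port1-ip", "ha-mgmt-ip"):
        try:
            parse_cidr(unit[key])
        except ValueError as exc:
            problems.append(f"{name}: {key}: {exc}")
    if unit["ha-port"] == "port1":
        problems.append(f"{name}: ha-port must have no IP, but port1 carries port1-ip")
    if not -4 <= unit["ha-dbg-level"] <= 4:
        problems.append(f"{name}: ha-dbg-level is outside -4..4")
    if "http" in unit["ha-mgmt-access"]:
        problems.append(f"{name}: ha-mgmt-access includes http (unencrypted admin access)")
    return problems

def check_pair(a, b):
    """Check both units, then the cross-unit rules from the HA rows."""
    problems = check_unit("unit A", a) + check_unit("unit B", b)
    if a["ha-port"] != b["ha-port"]:
        problems.append("pair: both units must use the same ha-port")
    if {a["ha-priority"], b["ha-priority"]} != {"high", "low"}:
        problems.append("pair: ha-priority must be low on one unit and high on the other")
    try:
        ia, ib = parse_cidr(a["ha-mgmt-ip"]), parse_cidr(b["ha-mgmt-ip"])
    except ValueError:
        return problems  # malformed address already reported per unit
    if ia.ip == ib.ip:
        problems.append("pair: the two units need different ha-mgmt-ip addresses")
    elif ia.network != ib.network:
        problems.append("pair: ha-mgmt-ip addresses are not on the same subnet")
    return problems

# Constructed sample plans (not from the guide); "port2" is an assumed interface name.
UNIT_A = {"port1-ip": "192.168.0.1/24", "ha-port": "port2", "ha-priority": "high",
          "ha-mgmt-ip": "10.0.0.1/24", "ha-mgmt-access": ["ssh", "https"], "ha-dbg-level": -2}
UNIT_B = {**UNIT_A, "port1-ip": "192.168.0.2/24", "ha-priority": "low", "ha-mgmt-ip": "10.0.0.2/24"}
UNIT_B_BAD = {**UNIT_B, "port1-ip": "192.168.0.2/255.255.255.0", "ha-priority": "high",
              "ha-mgmt-ip": "10.0.0.1/24", "ha-mgmt-access": ["https", "http"], "ha-dbg-level": 5}
```

Calling check_pair(UNIT_A, UNIT_B) returns an empty list; check_pair(UNIT_A, UNIT_B_BAD) returns one message per violated rule.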
