FortiGate-6000 Handbook

FortiGate-6000 execute CLI commands

This chapter describes the FortiGate-6000 execute commands. Many of these commands are only available from the management board CLI.

execute factoryreset-shutdown

You can use this command to reset the configuration of the FortiGate-6000 management board and all of the FPCs before shutting the system down. This command is normally used in preparation for resetting and shutting down a FortiGate-6000.

execute ha manage <id>

In an HA configuration, use this command to log in to the management board of the secondary FortiGate-6000.

<id> is the ID of the secondary FortiGate-6000. Usually the primary FortiGate-6000 ID is 0 and the secondary ID is 1. You can enter ? to see the list of IDs that you can connect to.

After you have logged in, you can manage the secondary FortiGate-6000 from the management board, or you can use the execute load-balance slot manage command to connect to the different FPCs in the secondary FortiGate-6000.

execute load-balance load-backup-image <slot>

After uploading a firmware image onto the FortiGate-6000 internal TFTP server, use this command to install this firmware image onto an FPC as the backup firmware image. <slot> is the FPC slot number.

Use the execute upload image command to upload the firmware image file onto the FortiGate-6000 internal TFTP server. See execute upload image {ftp | tftp | usb}.

execute load-balance slot manage <slot>

Log into the CLI of an individual FPC. Use <slot> to specify the FPC slot number.

You will be asked to authenticate to connect to the FPC. Use the exit command to end the session and return to the CLI from which you ran the original command.

execute load-balance slot nmi-reset <slot-map>

Perform an NMI reset on selected FPCs. The NMI reset dumps registers and backtraces of one or more FPCs to the console. After the data is dumped, the FPCs reboot. While the FPCs are rebooting, traffic is distributed to the remaining FPCs. The FPCs should restart normally and traffic can resume once they are up and running. You can use the diagnose sys confsync status command to verify that the FPCs have started up.

<slot-map> can be one or more FPC slot numbers or slot number ranges, separated by commas and with no spaces. For example, to perform an NMI reset of slots 1, 3, 4, and 5, enter:

execute load-balance slot nmi-reset 1,3-5
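
The <slot-map> syntax above, as an added example (not Fortinet code) of validating a slot map in an automation script before it sends nmi-reset, power-off, or reboot to the management board. The total_slots parameter, slot numbering starting at 1, and the refusal to act on every FPC at once are assumptions of this example; the last follows from the page's statement that traffic is distributed to the remaining FPCs.

```python
import re

# Grammar from the page: slot numbers or ranges, comma-separated, no spaces.
_SLOT_MAP_RE = re.compile(r"\d+(-\d+)?(,\d+(-\d+)?)*")


def parse_slot_map(slot_map, total_slots):
    """Expand a <slot-map> string such as '1,3-5' into a sorted list of slots.

    total_slots is an assumption supplied by the caller (the number of FPCs
    in the chassis); the page does not state it. Slots are assumed to be
    numbered from 1.
    """
    if not _SLOT_MAP_RE.fullmatch(slot_map):
        raise ValueError(f"malformed slot-map: {slot_map!r}")
    slots = set()
    for item in slot_map.split(","):
        first, _, last = item.partition("-")
        lo, hi = int(first), int(last or first)
        if lo > hi:
            raise ValueError(f"reversed range: {item!r}")
        if lo < 1 or hi > total_slots:
            raise ValueError(f"slot out of range 1-{total_slots}: {item!r}")
        slots.update(range(lo, hi + 1))
    return sorted(slots)


def build_slot_command(action, slot_map, total_slots, allow_all=False):
    """Return the CLI line for a slot action, or raise if it is unsafe.

    Hypothetical policy (not Fortinet's): refuse a disruptive action that
    would leave no FPC running to take the redistributed traffic.
    """
    disruptive = {"nmi-reset", "power-off", "reboot"}
    if action not in disruptive | {"power-on"}:
        raise ValueError(f"unknown slot action: {action!r}")
    slots = parse_slot_map(slot_map, total_slots)
    if action in disruptive and len(slots) == total_slots and not allow_all:
        raise ValueError("refusing: no FPC would remain to carry traffic")
    return f"execute load-balance slot {action} {slot_map}"


if __name__ == "__main__":
    # Constructed sample: a chassis assumed to have 6 FPCs.
    print(parse_slot_map("1,3-5", 6))
    print(build_slot_command("nmi-reset", "1,3-5", 6))
```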

execute load-balance slot power-off <slot-map>

Power off selected FPCs. This command shuts down the FPC immediately. You can use the diagnose sys confsync status command to verify that the management board cannot communicate with the FPCs.

You can use the execute load-balance slot power-on command to start up powered off FPCs.

execute load-balance slot power-on <slot-map>

Power on and start up selected FPCs. It may take a few minutes for the FPCs to start up. You can use the diagnose sys confsync status command to verify that the FPCs have started up.

execute load-balance slot reboot <slot-map>

Restart selected FPCs. It may take a few minutes for the FPCs to shut down and restart. You can use the diagnose sys confsync status command to verify that the FPCs have started up.

execute load-balance slot set-master-worker <slot>

Force an FPC to always be the primary or master FPC. <slot> is the FPC slot number.

The change takes place right away and all new primary FPC sessions are sent to the new primary FPC. Sessions that had been processed by the former primary FPC do not switch over, but continue to be processed by the former primary FPC.

This command is most often used for troubleshooting or testing. Since the command does not change the configuration, if the FortiGate-6000 restarts, the usual primary FPC selection process occurs.

execute load-balance update image <slot>

After uploading a firmware image onto the FortiGate-6000 internal TFTP server, use this command to install this firmware image onto an FPC. <slot> is the FPC slot number. The firmware image is installed and the FPC restarts running the new firmware.

For more information, see Installing firmware on an individual FPC.

execute set-next-reboot rollback

You can use the following command to change the firmware image that the management board and all of the FPCs load the next time the FortiGate-6000 starts up.

execute set-next-reboot rollback

This command causes each component to select the firmware image stored on its non-active partition the next time the system starts up. The new command replaces the need to log into each component CLI and run the execute set-next-reboot {primary | secondary} command.

You can install firmware on the backup partition of the management board or an FPC using the execute restore secondary-image command or from the BIOS.

execute system console-server {clearline | connect | showline}

From the management board CLI, the execute system console-server command provides access to individual FPC consoles in your FortiGate-6000. Console access can be useful for troubleshooting. For example, if an FPC does not boot properly, you can use console access to view the state of the FPC and enter commands to fix the problem or restart the FPC.

Note: The execute system console-server commands allow access only to FPCs in the FortiGate-6000 that you are logged into. You can't use this command to access FPCs in the other FortiGate-6000 in an HA configuration.

You can use the config system console-server command to enable or disable the console server (enabled by default). For more information, see config system console-server.

execute system console-server clearline <line>

Clear an active console-server session. You can use this command to stop a console-server session that you have started with the execute system console-server connect command. <line> is the console-server session number. Use the execute system console-server showline command to view the active console-server sessions.

execute system console-server connect <slot>

Start a console-server connection from the management board CLI to an FPC CLI. <slot> is the FPC slot number. Authenticate to log into the console and use CLI commands to view information, make changes, or restart the FPC. When you are done, use Ctrl-X to exit from the console back to the management board CLI.

Using Ctrl-X may not work if you are accessing the CLI console from the GUI. Instead you may need to log out of the GUI and then log back in.

execute system console-server showline

Show active console-server sessions.

execute upload image {ftp | tftp | usb}

Use this command to upload a firmware image to the FortiGate-6000 internal TFTP server. Once you have uploaded this firmware image, you can install it on an FPC using the execute load-balance load-backup-image <slot> command.

You can get the firmware image from an external FTP server, an external TFTP server, or a USB key plugged into the FortiGate-6000 USB port. Use the following syntax:

execute upload image ftp <image-file-and-path> <comment> <ftp-server-address> <username> <password>

execute upload image tftp <image-file> <comment> <tftp-server-address>

execute upload image usb <image-file-and-path> <comment>
