FortiGate-7000 Handbook

FortiGate-7000 execute CLI commands

This chapter describes the FortiGate-7000 execute commands. Many of these commands are only available from the FIM CLI.

execute factoryreset3

You can log into an FPM or FIM and use this command to reset the configuration of the module to the factory default configuration and shut the module down. This command is normally used in preparation for resetting and shutting down a FortiGate-7000.

execute ha manage <id>

In an HA configuration, use this command to log in to the primary FIM of the secondary FortiGate-7000.

<id> is the ID of the secondary FortiGate-7000. Usually the primary FortiGate-7000 ID is 0 and the secondary ID is 1. You can enter ? to see the list of IDs that you can connect to.

After you have logged in, you can manage the secondary FortiGate-7000 from the primary FIM or you can use the execute load-balance slot manage command to connect to the other FIM and the FPMs in the secondary FortiGate-7000.

execute load-balance console-mgmt {disable | enable}

Enable or disable the console disconnect command on the System Management Module (SMM) CLI. If the console disconnect command is enabled, you can log into one of the SMM consoles and use the console disconnect command to disconnect the other SMM console.

The FortiGate-7000 SMM has two consoles that you can use to connect to the SMM CLI or to the CLIs of any of the FIMs or FPMs in the FortiGate-7000 system. However, the system only supports one console connection to a module at a time. So if the other SMM console is connected to an FIM or FPM that you want to connect to, you have to disconnect the other SMM console to be able to connect to the FIM or FPM.

To disconnect the other SMM console, you can log into the SMM CLI and use the console disconnect command to disconnect the other console.

You can use this command to enable or disable this functionality.

execute load-balance console-mgmt disconnect <console>

Disconnect one of the SMM consoles from the FIM or FPM that it is connected to. <console> is the number of the console to disconnect.

This command allows you to disconnect an SMM console session from the FIM CLI without having to log into the SMM CLI.

execute load-balance console-mgmt info

This command shows whether the SMM console disconnect command is enabled or disabled and also shows which modules the SMM consoles are connected to or if they are disconnected.

execute load-balance license-mgmt list

List the licenses that have been added to this FortiGate-7000, including a license for extra VDOMs and FortiClient licenses.

execute load-balance license-mgmt reset {all | crypto-key | forticlient | vdom}

Reset FortiClient and VDOM licenses added to this FortiGate-7000 to factory defaults.

Specify crypto-key to re-generate crypto keys that are generated when the FortiGate-7000 first starts up.

Use all to reset all licenses and crypto keys.

Resetting licenses and crypto keys doesn't restart the FortiGate-7000.

execute set-next-reboot rollback

You can use the following command to change the firmware image that all of the FIMs and FPMs load the next time the FortiGate-7000 starts up.

execute set-next-reboot rollback

This command causes each component to select the firmware image stored on its non-active partition the next time the system starts up. The new command removes the need to log into each component CLI and run the execute set-next-reboot {primary | secondary} command.

You can install firmware on the secondary partition of an FIM or FPM using the execute restore secondary-image command or from the BIOS.

execute load-balance slot manage <slot>

Log into the CLI of an individual FIM or FPM. Use <slot> to specify the FIM or FPM slot number.

You will be asked to authenticate to connect to the FIM or FPM. Use the exit command to end the session and return to the CLI from which you ran the original command.

execute load-balance slot power-off <slot-map>

Power off selected FPMs. This command shuts down the FPM immediately. You can use the diagnose sys confsync status command to verify that the management board cannot communicate with the FPMs.

You can use the execute load-balance slot power-on command to start up powered off FPMs.

execute load-balance slot power-on <slot-map>

Power on and start up selected FPMs. It may take a few minutes for the FPMs to start up. You can use the diagnose sys confsync status command to verify that the FPMs have started up.

execute load-balance slot reboot <slot-map>

Restart selected FPMs. It may take a few minutes for the FPMs to shut down and restart. You can use the diagnose sys confsync status command to verify that the FPMs have started up.

execute load-balance slot set-master-worker <slot>

Force an FPM to always be the primary or master FPM. <slot> is the FPM slot number.

The change takes place right away and all new primary FPM sessions are sent to the new primary FPM. Sessions that had been processed by the former primary FPM do not switch over, but continue to be processed by the former primary FPM.

This command is most often used for troubleshooting or testing. Since the command does not change the configuration, if the FortiGate-7000 restarts, the usual primary FPM selection process occurs.
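
A change-review sketch built from the command descriptions in this chapter, added here as an example and not Fortinet code: it scans an administrator command history for the execute commands that alter state or availability and reports the effect this chapter gives for each. The tab-separated history format, the admin names and the slot value 3 are constructed assumptions, not FortiOS log output.

```python
import re

# Rules taken only from the command descriptions in this chapter:
# (command pattern, effect as the chapter states it). First match wins.
RULES = [
    (r"execute factoryreset3", "resets module configuration to factory defaults and shuts it down"),
    (r"execute load-balance license-mgmt reset (all|crypto-key)", "re-generates crypto keys (all also resets licenses)"),
    (r"execute load-balance license-mgmt reset (forticlient|vdom)", "resets licenses to factory defaults"),
    (r"execute set-next-reboot rollback", "next start-up loads firmware from the non-active partition"),
    (r"execute load-balance slot power-off \S+", "shuts down the selected FPMs immediately"),
    (r"execute load-balance slot reboot \S+", "restarts the selected FPMs"),
    (r"execute load-balance slot set-master-worker \S+", "forces the primary FPM until the next restart"),
    (r"execute load-balance console-mgmt (enable|disable)", "changes whether SMM console disconnect is allowed"),
    (r"execute load-balance console-mgmt disconnect \S+", "disconnects an SMM console session"),
]
COMPILED = [(re.compile(p), why) for p, why in RULES]

def review(history):
    """Return (line_no, admin, command, effect) for each state-changing command."""
    findings = []
    for line_no, entry in enumerate(history, start=1):
        admin, _, raw = entry.partition("\t")
        command = " ".join(raw.split())  # collapse repeated whitespace
        for pattern, why in COMPILED:
            if pattern.fullmatch(command):
                findings.append((line_no, admin, command, why))
                break
    return findings

# Constructed sample history, one "<admin>\t<command>" entry per line
# (hypothetical format; the slot value 3 is a placeholder).
SAMPLE = [
    "alice\texecute load-balance console-mgmt info",
    "alice\texecute load-balance license-mgmt list",
    "bob\texecute load-balance  license-mgmt reset crypto-key",
    "bob\texecute set-next-reboot rollback",
    "carol\texecute load-balance slot manage 3",
    "carol\texecute load-balance slot power-off 3",
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep=" | ")
```

Read-only commands (console-mgmt info, license-mgmt list) and login commands (slot manage, ha manage) are deliberately left unflagged.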
