CLI Reference

Connecting to the CLI

You can access the CLI in three ways:

  • Local console — Connect your computer directly to the console port of your FortiGate. Local access is required in some cases:
    • If you are installing your FortiGate for the first time and it is not yet configured to connect to your network, you may only be able to connect to the CLI using a local serial console connection, unless you reconfigure your computer’s network settings for a peer connection.
    • Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, making local CLI access the only viable option.
  • SSH or Telnet access — Connect your computer through any network interface attached to one of the network ports on your FortiGate. The network interface must have Telnet or SSH administrative access enabled if you connect using an SSH/Telnet client, or HTTP/HTTPS administrative access enabled if you connect through the CLI Console in the GUI. The CLI Console is opened from the upper-right corner of the screen and appears as a slide-out window.
  • FortiExplorer for iOS — Use the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate.

Local console

Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:

  • A console cable to connect the console port on the FortiGate to a communications port on the computer. Depending on your device, this is one of:
    • null modem cable (DB-9 to DB-9)
    • DB-9 to RJ-45 cable (a DB-9-to-USB adapter can be used)
    • USB to RJ-45 cable
  • A computer with an available communications port
  • Terminal emulation software
To connect to the CLI using a local serial console connection
  1. Using the console cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.
  2. Start a terminal emulation program on the management computer, select the COM port, and use the following settings:

    • Bits per second: 9600
    • Data bits: 8
    • Parity: None
    • Stop bits: 1
    • Flow control: None

  3. Press Enter on the keyboard to connect to the CLI.
  4. Log in to the CLI using your username and password (default: admin and no password).

    You can now enter CLI commands, including configuring access to the CLI through SSH.

SSH or Telnet access

SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its RJ‑45 network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.

Note: If you do not want to use an SSH/Telnet client and you have access to the GUI, you can alternatively access the CLI through the network using the CLI Console widget in the GUI.

You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer is not connected directly or through a switch, you must also configure the FortiGate unit with a static route to a router that can forward packets from the FortiGate unit to your computer. You can do this using either a local console connection or the GUI.

Requirements

  • A computer with an available serial communications (COM) port and RJ-45 port
  • Terminal emulation software such as HyperTerminal for Microsoft Windows
  • The console cable
  • A network cable
  • Prior configuration of the operating mode, network interface, and static route.
To enable SSH or Telnet access to the CLI using a local console connection
  1. Using the network cable, connect the FortiGate unit’s network port either directly to your computer’s network port, or to a network through which your computer can reach the FortiGate unit.
  2. Note the number of the physical network port.
  3. Using a local console connection, connect and log into the CLI.
  4. Enter the following command:

    config system interface
    edit <interface_str>
    set allowaccess <protocols_list>
    end

    where:

    • <interface_str> is the name of the network interface associated with the physical network port and containing its number, such as port1.
    • <protocols_list> is the complete, space-delimited list of permitted administrative access protocols, such as https ssh telnet.
  5. To confirm the configuration, enter the command to display the network interface’s settings:

    show system interface <interface_str>

  6. The CLI displays the settings, including the allowed administrative access protocols, for the network interfaces.
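
Because `<protocols_list>` is the complete list of permitted protocols, the output of `show system interface` is the place to check which interfaces still allow cleartext administration. The following Python script is an added example, not part of the Fortinet documentation: it parses text in that layout and reports interfaces whose `allowaccess` includes `telnet` or `http`. The sample configuration, addresses and function names are constructed for illustration.

```python
import shlex

# Cleartext admin protocols; the page names Telnet, http is this example's assumption.
CLEARTEXT = {"telnet", "http"}

# Constructed sample in the layout printed by "show system interface".
SAMPLE = '''\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh telnet
    next
    edit "port2"
        set allowaccess ping https ssh
    next
end
'''

def parse_allowaccess(config_text):
    """Return {interface: [protocols]} from a 'config system interface' block."""
    result, depth, current = {}, 0, None  # depth 0 means outside the block
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "config":
            if depth or tokens[1:] == ["system", "interface"]:
                depth += 1
        elif tokens[0] == "end" and depth:
            depth -= 1
        elif depth != 1:
            continue  # outside the block, or inside a nested sub-table
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            result[current] = []
        elif tokens[0] == "next":
            current = None
        elif tokens[:2] == ["set", "allowaccess"] and current:
            result[current] = tokens[2:]
    return result

def cleartext_findings(config_text):
    """Return {interface: [cleartext protocols]} for interfaces allowing any."""
    parsed = parse_allowaccess(config_text)
    hits = {n: sorted(CLEARTEXT.intersection(p)) for n, p in parsed.items()}
    return {n: bad for n, bad in hits.items() if bad}

if __name__ == "__main__":
    print(cleartext_findings(SAMPLE))
```

For each interface reported, re-enter `set allowaccess` with the full list minus the flagged protocols, since the command replaces the list rather than appending to it.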

Connecting using SSH

Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate units support 3DES and Blowfish encryption algorithms for SSH.

Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSH connections. The following procedure uses PuTTY. Steps may vary with other SSH clients.

To connect to the CLI using SSH
  1. On your management computer, start an SSH client.
  2. In Host Name (or IP address), enter the IP address of a network interface on which you have enabled SSH administrative access.
  3. Set Port to 22.
  4. For the Connection type, select SSH.
  5. Select Open. The SSH client connects to the FortiGate unit.

    The SSH client may display a warning if this is the first time you are connecting to the FortiGate unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiGate unit but used a different IP address or SSH key. This is normal if your management computer is directly connected to the FortiGate unit with no network hosts between them.

  6. Click Yes to verify the fingerprint and accept the FortiGate unit’s SSH key. You will not be able to log in until you have accepted the key.
  7. The CLI displays a login prompt.
  8. Type a valid administrator account name (such as admin) and press Enter.
  9. Type the password for this administrator account and press Enter.

    The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

Caution: If three incorrect login or password attempts occur in a row, you will be disconnected. If this occurs, wait one minute, then reconnect to attempt the login again.

Connecting using Telnet

Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

Caution: Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnet connections.

To connect to the CLI using Telnet
  1. On your management computer, start a Telnet client.
  2. Connect to a FortiGate network interface on which you have enabled Telnet.
  3. Type a valid administrator account name (such as admin) and press Enter.
  4. Type the password for this administrator account and press Enter. The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

Caution: If three incorrect login or password attempts occur in a row, you will be disconnected. If this occurs, wait one minute, then reconnect to attempt the login again.

 
