Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

Connecting to the CLI

You can access the CLI in three ways:

  • Local console — Connect your computer directly to the console port of your FortiGate. Local access is required in some cases:
    • If you are installing your FortiGate for the first time and it is not yet configured to connect to your network, you may only be able to connect to the CLI using a local serial console connection, unless you reconfigure your computer’s network settings for a peer connection.
    • Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, making local CLI access the only viable option.
  • SSH or Telnet access — Connect your computer through any network interface attached to one of the network ports on your FortiGate. The network interface must have enabled Telnet or SSH administrative access if you connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you connect by accessing the CLI Console in the GUI. The CLI console can be accessed from the upper-right hand corner of the screen and appears as a slide-out window.
  • FortiExplorer for iOS — Use the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate.

Local console

Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:

  • A computer with an available serial communications (COM) port.
  • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package.
  • Terminal emulation software such as HyperTerminal for Microsoft Windows.

The following procedure describes the connection using Microsoft HyperTerminal software; steps may vary with other terminal emulators.

To connect to the CLI using a local serial console connection
  1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.
  2. On your management computer, start HyperTerminal.
  3. For the Connection Description, enter a Name for the connection, and select OK.
  4. On the Connect using drop-down, select the communications (COM) port on your management computer you are using to connect to the FortiGate unit.
  5. Select OK.
  6. Select the following Port settings and select OK.

    Bits per second 9600
    Data bits 8
    Parity None
    Stop bits 1
    Flow control None
  7. Press Enter or Return on your keyboard to connect to the CLI.
  8. Type a valid administrator account name (such as admin) and press Enter.
  9. Type the password for that administrator account and press Enter. (In its default state, there is no password for the admin account.)

The CLI displays the following text:

Welcome!

Type ? to list available commands.

You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.

SSH or Telnet access

SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its RJ‑45 network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.

note icon

If you do not want to use an SSH/Telnet client and you have access to the GUI, you can alternatively access the CLI through the network using the CLI Console widget in the GUI.

You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer is not connected directly or through a switch, you must also configure the FortiGate unit with a static route to a router that can forward packets from the FortiGate unit to your computer. You can do this using either a local console connection or the GUI.

Requirements

  • A computer with an available serial communications (COM) port and RJ-45 port
  • Terminal emulation software such as HyperTerminal for Microsoft Windows
  • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package
  • A network cable
  • Prior configuration of the operating mode, network interface, and static route.
To enable SSH or Telnet access to the CLI using a local console connection
  1. Using the network cable, connect the FortiGate unit’s network port either directly to your computer’s network port, or to a network through which your computer can reach the FortiGate unit.
  2. Note the number of the physical network port.
  3. Using a local console connection, connect and log into the CLI.
  4. Enter the following command:

    config system interface

    edit <interface_str>

    set allowaccess <protocols_list>

    end

    where:

    • <interface_str> is the name of the network interface associated with the physical network port and containing its number, such as port1.
    • <protocols_list> is the complete, space-delimited list of permitted administrative access protocols, such as https ssh telnet.
  5. To confirm the configuration, enter the command to display the network interface’s settings:

    show system interface <interface_str>

  6. The CLI displays the settings, including the allowed administrative access protocols, for the network interfaces.

Connecting using SSH

Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate units support 3DES and Blowfish encryption algorithms for SSH.

Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSH connections. The following procedure uses PuTTY. Steps may vary with other SSH clients.

To connect to the CLI using SSH
  1. On your management computer, start an SSH client.
  2. In Host Name (or IP address), enter the IP address of a network interface on which you have enabled SSH administrative access.
  3. Set Port to 22.
  4. For the Connection type, select SSH.
  5. Select Open. The SSH client connects to the FortiGate unit.

    The SSH client may display a warning if this is the first time you are connecting to the FortiGate unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiGate unit but used a different IP address or SSH key. This is normal if your management computer is directly connected to the FortiGate unit with no network hosts between them.

  6. Click Yes to verify the fingerprint and accept the FortiGate unit’s SSH key. You will not be able to log in until you have accepted the key.
  7. The CLI displays a login prompt.
  8. Type a valid administrator account name (such as admin) and press Enter.
  9. Type the password for this administrator account and press Enter.

    The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

caution icon

If three incorrect login or password attempts occur in a row, you will be disconnected. If this occurs, wait one minute, then reconnect to attempt the login again.

Connecting using Telnet

Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

caution icon

Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnet connections.

To connect to the CLI using Telnet
  1. On your management computer, start a Telnet client.
  2. Connect to a FortiGate network interface on which you have enabled Telnet.
  3. Type a valid administrator account name (such as admin) and press Enter.
  4. Type the password for this administrator account and press Enter. The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

caution icon

If three incorrect login or password attempts occur in a row, you will be disconnected. If this occurs, wait one minute, then reconnect to attempt the login again.

 

Connecting to the CLI

You can access the CLI in three ways:

  • Local console — Connect your computer directly to the console port of your FortiGate. Local access is required in some cases:
    • If you are installing your FortiGate for the first time and it is not yet configured to connect to your network, you may only be able to connect to the CLI using a local serial console connection, unless you reconfigure your computer’s network settings for a peer connection.
    • Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, making local CLI access the only viable option.
  • SSH or Telnet access — Connect your computer through any network interface attached to one of the network ports on your FortiGate. The network interface must have enabled Telnet or SSH administrative access if you connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you connect by accessing the CLI Console in the GUI. The CLI console can be accessed from the upper-right hand corner of the screen and appears as a slide-out window.
  • FortiExplorer for iOS — Use the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate.

Local console

Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:

  • A computer with an available serial communications (COM) port.
  • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package.
  • Terminal emulation software such as HyperTerminal for Microsoft Windows.

The following procedure describes the connection using Microsoft HyperTerminal software; steps may vary with other terminal emulators.

To connect to the CLI using a local serial console connection
  1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.
  2. On your management computer, start HyperTerminal.
  3. For the Connection Description, enter a Name for the connection, and select OK.
  4. On the Connect using drop-down, select the communications (COM) port on your management computer you are using to connect to the FortiGate unit.
  5. Select OK.
  6. Select the following Port settings and select OK.

    Bits per second 9600
    Data bits 8
    Parity None
    Stop bits 1
    Flow control None
  7. Press Enter or Return on your keyboard to connect to the CLI.
  8. Type a valid administrator account name (such as admin) and press Enter.
  9. Type the password for that administrator account and press Enter. (In its default state, there is no password for the admin account.)

The CLI displays the following text:

Welcome!

Type ? to list available commands.

You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.

SSH or Telnet access

SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its RJ‑45 network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.

note icon

If you do not want to use an SSH/Telnet client and you have access to the GUI, you can alternatively access the CLI through the network using the CLI Console widget in the GUI.

You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer is not connected directly or through a switch, you must also configure the FortiGate unit with a static route to a router that can forward packets from the FortiGate unit to your computer. You can do this using either a local console connection or the GUI.

Requirements

  • A computer with an available serial communications (COM) port and RJ-45 port
  • Terminal emulation software such as HyperTerminal for Microsoft Windows
  • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package
  • A network cable
  • Prior configuration of the operating mode, network interface, and static route.
To enable SSH or Telnet access to the CLI using a local console connection
  1. Using the network cable, connect the FortiGate unit’s network port either directly to your computer’s network port, or to a network through which your computer can reach the FortiGate unit.
  2. Note the number of the physical network port.
  3. Using a local console connection, connect and log into the CLI.
  4. Enter the following command:

    config system interface

    edit <interface_str>

    set allowaccess <protocols_list>

    end

    where:

    • <interface_str> is the name of the network interface associated with the physical network port and containing its number, such as port1.
    • <protocols_list> is the complete, space-delimited list of permitted administrative access protocols, such as https ssh telnet.
  5. To confirm the configuration, enter the command to display the network interface’s settings:

    show system interface <interface_str>

  6. The CLI displays the settings, including the allowed administrative access protocols, for the network interfaces.

Connecting using SSH

Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate units support 3DES and Blowfish encryption algorithms for SSH.

Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSH connections. The following procedure uses PuTTY. Steps may vary with other SSH clients.

To connect to the CLI using SSH
  1. On your management computer, start an SSH client.
  2. In Host Name (or IP address), enter the IP address of a network interface on which you have enabled SSH administrative access.
  3. Set Port to 22.
  4. For the Connection type, select SSH.
  5. Select Open. The SSH client connects to the FortiGate unit.

    The SSH client may display a warning if this is the first time you are connecting to the FortiGate unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiGate unit but used a different IP address or SSH key. This is normal if your management computer is directly connected to the FortiGate unit with no network hosts between them.

  6. Click Yes to verify the fingerprint and accept the FortiGate unit’s SSH key. You will not be able to log in until you have accepted the key.
  7. The CLI displays a login prompt.
  8. Type a valid administrator account name (such as admin) and press Enter.
  9. Type the password for this administrator account and press Enter.

    The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

caution icon

If three incorrect login or password attempts occur in a row, you will be disconnected. If this occurs, wait one minute, then reconnect to attempt the login again.

Connecting using Telnet

Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

caution icon

Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnet connections.

To connect to the CLI using Telnet
  1. On your management computer, start a Telnet client.
  2. Connect to a FortiGate network interface on which you have enabled Telnet.
  3. Type a valid administrator account name (such as admin) and press Enter.
  4. Type the password for this administrator account and press Enter. The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

caution icon

If three incorrect login or password attempts occur in a row, you will be disconnected. If this occurs, wait one minute, then reconnect to attempt the login again.