CLI Reference

Sub-commands

Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects:

get system admin

Sub-commands are available from within the scope of some commands. When you enter a sub-command level, the command prompt changes to indicate the name of the current command scope. For example, after entering:

config system admin

the command prompt becomes:

(admin)#

Applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command.

For example, the edit sub-command is available only within a command that affects tables; the next sub-command is available only from within the edit sub-command:

config system interface
    edit port1
        set status up
    next
end

Sub-command scope is indicated by indentation.

Available sub-commands vary by command. From a command prompt within config, two types of sub-commands might become available:

  • commands affecting fields
  • commands affecting tables

Commands for tables

clone <table>

Clone (or make a copy of) a table from the current object.

For example, in config firewall policy, you could enter the following command to clone security policy 27 to create security policy 30:

clone 27 to 30

In config antivirus profile, you could enter the following command to clone an antivirus profile named av_pro_1 to create a new antivirus profile named av_pro_2:

clone av_pro_1 to av_pro_2

clone may not be available for all tables.

delete <table>

Remove a table from the current object.

For example, in config system admin, you could delete an administrator account named newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its fields, such as newadmin’s first-name and email-address.

delete is only available within objects containing tables.

edit <table>

Create or edit a table in the current object.

For example, in config system admin:

  • edit the settings for the default admin administrator account by typing edit admin.
  • add a new administrator account with the name newadmin and edit newadmin’s settings by typing edit newadmin.

edit is an interactive sub-command: further sub-commands are available from within edit.

edit changes the prompt to reflect the table you are currently editing.

edit is only available within objects containing tables.

In objects such as security policies, <table> is a sequence number. To create a new entry without the risk of overwriting an existing one, enter edit 0. The CLI initially confirms the creation of entry 0, but assigns the next unused number after you finish editing and enter end.

end

Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.

get

List the configuration of the current object or table.

  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.

For more information on get commands, see the CLI Reference.

purge

Remove all tables in the current object.

For example, in config user local, you could type get to see the list of user names, then type purge and then y to confirm that you want to delete all users.

purge is only available for objects containing tables.

Caution: Back up the FortiGate before performing a purge. purge cannot be undone. To restore purged tables, the configuration must be restored from a backup.

Caution: Do not purge system interface or system admin tables. purge does not provide default tables. This can result in being unable to connect or log in, requiring the FortiGate to be formatted and restored.

rename <table> to <table>

Rename a table.

For example, in config system admin, you could rename admin3 to fwadmin by typing rename admin3 to fwadmin.

rename is only available within objects containing tables.

show

Display changes to the default configuration. Changes are listed in the form of configuration commands.

Example of table commands

From within the system admin object, you might enter:

edit admin_1

The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1 table:

new entry 'admin_1' added

(admin_1)#

Commands for fields

abort

Exit the edit and/or config commands without saving the fields.

append

Add an option to an existing list.

end

Save the changes made to the current table or object fields, and exit the config command (to exit without saving, use abort instead).

get

List the configuration of the current object or table.

  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.

move

Move an object within a list, when list order is important. For example, rearranging security policies within the policy list.

next

Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt (to save and exit completely to the root prompt, use end instead).

next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time.

next is only available from a table prompt; it is not available from an object prompt.

select

Clear all options except for those specified.

For example, if a group contains members A, B, C, and D and you want to remove all users except for B, use the command select member B.

set <field> <value>

Set a field’s value.

For example, in config system admin, after typing edit admin, you could type set password newpass to change the password of the admin administrator to newpass.

Note: When using set to change a field containing a space-delimited list, type the whole new list. For example, set <field> <new-value> replaces the list with <new-value> rather than appending <new-value> to the list.

show

Display changes to the default configuration. Changes are listed in the form of configuration commands.

unselect

Remove an option from an existing list.

unset <field>

Reset the table or object’s fields to default values.

For example, in config system admin, after typing edit admin, typing unset password resets the password of the admin administrator account to the default (in this case, no password).

Example of field commands

To assign the value my1stExamplePassword to the password field, enter the following command from within the admin_1 table:

set password my1stExamplePassword

Next, to save the changes and edit the next administrator's table, enter the next command.
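
The scope rules above (edit only inside config, next only from a table prompt, end closing the object) can be checked mechanically, and because show lists only changes to the default configuration, an administrator table with no password field is still at the default of no password. The following is an added example, not Fortinet code: a small Python parser for the flat config/edit/set/next/end shape shown on this page that lists such administrator tables. The sample text and the names parse_config and admins_without_password are constructed for illustration; nested config blocks and object-level fields are out of scope and are rejected.

```python
import shlex

# Constructed sample in the style of show output; not taken from a real device.
SAMPLE = """\
config system admin
    edit "admin"
        set password ENC constructed-placeholder
    next
    edit "admin_1"
        set accprofile "super_admin"
    next
end
config system interface
    edit "port1"
        set status up
    next
end
"""

def parse_config(text):
    """Return {object: {table: {field: [values]}}}, enforcing sub-command scope."""
    objects, obj, table = {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw)  # strips the quotes around names and values
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config" and obj is None:
            obj = " ".join(args)
            objects.setdefault(obj, {})
        elif cmd == "edit" and obj is not None and table is None:
            table = args[0]
            objects[obj].setdefault(table, {})
        elif cmd == "set" and table is not None:
            objects[obj][table][args[0]] = args[1:]
        elif cmd == "next" and table is not None:
            table = None  # back to the object prompt
        elif cmd == "end" and obj is not None and table is None:
            obj = None  # back to the top-level prompt
        else:
            raise ValueError(f"line {lineno}: {cmd!r} is not valid in this scope")
    if obj is not None:
        raise ValueError("input ended inside a config block")
    return objects

def admins_without_password(objects):
    """Names in 'system admin' whose table carries no password field."""
    admins = objects.get("system admin", {})
    return sorted(name for name, fields in admins.items() if "password" not in fields)
```
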
