You can connect to the CLI using a direct console connection, SSH, the FortiExplorer app on your iOS device, or the CLI console in the GUI.
You can access the CLI outside of the GUI in three ways:
- Console connection: Connect your computer directly to the console port of your FortiGate.
- SSH access: Connect your computer through any network interface attached to one of the network ports on your FortiGate.
- FortiExplorer: Connect your device to the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate. See FortiExplorer for iOS for details.
To open a CLI console, click the _> icon in the top right corner of the GUI. The console opens on top of the GUI. It can be minimized and multiple consoles can be opened.
To edit policies and objects directly in the CLI, right-click on the element and select Edit in CLI.
A direct console connection to the CLI is created by directly connecting your management computer or console to the FortiGate using its DB-9 or RJ-45 console port.
Direct console access to the FortiGate may be required if:
- You are installing the FortiGate for the first time and it is not configured to connect to your network.
- You are restoring the firmware using a boot interrupt. Network access to the CLI will not be available until after the boot process has completed, making direct console access the only option.
To connect to the FortiGate console, you need:
- A console cable to connect the console port on the FortiGate to a communications port on the computer. Depending on your device, this is one of:
- null modem cable (DB-9 to DB-9)
- DB-9 to RJ-45 cable (a DB-9-to-USB adapter can be used)
- USB to RJ-45 cable
- A computer with an available communications port
- Terminal emulation software
- Using the console cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.
- Start a terminal emulation program on the management computer, select the COM port, and use the following settings:
Bits per second
- Press Enter on the keyboard to connect to the CLI.
- Log in to the CLI using your username and password (default: admin and no password).
You can now enter CLI commands, including configuring access to the CLI through SSH.
SSH access to the CLI is accomplished by connecting your computer to the FortiGate using one of its network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.
If you do not want to use an SSH client and you have access to the GUI, you can access the CLI through the network using the CLI console in the GUI.
SSH must be enabled on the network interface that is associated with the physical network port that is used.
If your computer is not connected either directly or through a switch to the FortiGate, you must also configure the FortiGate with a static route to a router that can forward packets from the FortiGate to the computer. This can be done using a local console connection, or in the GUI.
To connect to the FortiGate CLI using SSH, you need:
- A computer with an available serial communications (COM) port and RJ-45 port
- An appropriate console cable
- Terminal emulation software
- A network cable
- Prior configuration of the operating mode, network interface, and static route.
- Using the network cable, connect the FortiGate unit’s port either directly to your computer’s network port, or to a network through which your computer can reach the FortiGate.
- Note the number of the physical network port.
- Using direct console connection, connect and log into the CLI.
- Enter the following command:
config system interface edit <interface_str> append allowaccess ssh next end
<interface_str>is the name of the network interface associated with the physical network port, such as
- Confirm the configuration using the following command to show the interface’s settings:
show system interface <interface_str>
show system interface port1 config system interface edit "port1" set vdom "root" set ip 192.168.1.99 255.255.255.0 set allowaccess ping https ssh set type hard-switch set stp enable set role lan set snmp-index 6 next end
Once the FortiGate is configured to accept SSH connections, use an SSH client on your management computer to connect to the CLI.
The following instructions use PuTTy. The steps may vary in other terminal emulators.
- On your management computer, start PuTTy.
- In the Host Name (or IP address) field, enter the IP address of the network interface that you are connected to and that has SSH access enabled.
- Set the port number to 22, if it is not set automatically.
- Select SSH for the Connection type.
- Click Open. The SSH client connect to the FortiGate.
The SSH client may display a warning if this is the first time that you are connecting to the FortiGate and its SSH key is not yet recognized by the SSH client, or if you previously connected to the FortiGate using a different IP address or SSH key. This is normal if the management computer is connected directly to the FortiGate with no network hosts in between.
- Click Yes to accept the FortiGate's SSH key.
The CLI displays the log in prompt.
- Enter a valid administrator account name, such as
admin, then press Enter.
- Enter the administrator account password, then press Enter.
The CLI console shows the command prompt (FortiGate hostname followed by a
#). You can now enter CLI commands.
If three incorrect log in or password attempts occur in a row, you will be disconnected. If this occurs, wait for one minute, then reconnect and attempt to log in again.