Fortinet black logo

Cookbook

Connecting to the CLI

Copy Link
Copy Doc ID 30be976a-bbb3-11ee-8673-fa163e15d75b:901037
Download PDF

Connecting to the CLI

You can connect to the CLI using a direct console connection, SSH, the CLI console in the GUI, or the FortiExplorer app on your iOS device.

You can access the CLI outside of the GUI in three ways:

  • Console connection: Connect your computer directly to the console port of your FortiGate.
  • SSH access: Connect your computer through any network interface attached to one of the network ports on your FortiGate.
  • FortiExplorer: Connect your device to the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate. See FortiExplorer for iOS for details.

Console connection

A direct console connections to the CLI is created by directly connecting your management computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port.

Direct console access to the FortiGate may be required if:

  • You are installing the FortiGate for the first time and it is not configured to connect to your network.
  • You are restoring the firmware using a boot interrupt. Network access to the CLI will not be available until after the boot process has completed, making direct console access the only option.

To connect to the FortiGate console, you need:

  • A console cable to connect the console port on the FortiGate to a communications port on the computer. Depending on your device, this is one of:
    • null modem cable (DB-9 to DB-9)
    • DB-9 to RJ-45 cable (a DB-9-to-USB adapter can be used)
    • USB to RJ-45 cable
  • A computer with an available communications port
  • Terminal emulation software
To connect to the CLI using a direct console connection:
  1. Using the console cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.
  2. Start a terminal emulation program on the management computer, select the COM port, and use the following settings:

    Bits per second

    9600

    Data bits

    8

    Parity

    None

    Stop bits

    1

    Flow control

    None

  3. Press Enter on the keyboard to connect to the CLI.
  4. Log in to the CLI using your username and password (default: admin and no password).

    You can now enter CLI commands, including configuring access to the CLI through SSH.

SSH access

SSH access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.

note icon

If you do not want to use an SSH client and you have access to the GUI, you can access the CLI through the network using the CLI console in the GUI.

The CLI console can be accessed from the upper-right hand corner of the screen and appears as a slide-out window. For policies and objects, the CLI can be also be accessed by right clicking on the element and selecting Edit in CLI.

SSH must be enabled on the network interface that is associated with the physical network port that is used.

If your computer is not connected either directly or through a switch to the FortiGate, you must also configure the FortiGate with a static route to a router that can forward packets from the FortiGate to the computer. This can be done using a local console connection, or in the GUI.

To connect to the FortiGate CLI using SSH, you need:

  • A computer with an available serial communications (COM) port and RJ-45 port
  • The console cable
  • Terminal emulation software
  • A network cable
  • Prior configuration of the operating mode, network interface, and static route.
To enable SSH access to the CLI using a local console connection:
  1. Using the network cable, connect the FortiGate unit’s port either directly to your computer’s network port, or to a network through which your computer can reach the FortiGate unit.
  2. Note the number of the physical network port.
  3. Using direct console connection, connect and log into the CLI.
  4. Enter the following command:
    config system interface
        edit <interface_str>
            append allowaccess ssh
        next
    end

    Where <interface_str> is the name of the network interface associated with the physical network port, such as port1.

  5. Confirm the configuration using the following command to show the interface’s settings:
    show system interface <interface_str>

    For example:

    show system interface port1
        config system interface
            edit "port1"
                set vdom "root"
                set ip 192.168.1.99 255.255.255.0
                set allowaccess ping https ssh
                set type hard-switch
                set stp enable
                set role lan
                set snmp-index 6
            next
        end

Connecting using SSH

Once the FortiGate unit is configured to accept SSH connections, use an SSH client on your management computer to connect to the CLI.

The following instructions use PuTTy. The steps may vary in other terminal emulators.

To connect to the CLI using SSH:
  1. On your management computer, start PuTTy.
  2. In the Host Name (or IP address) field, enter the IP address of the network interface that you are connected to and that has SSH access enabled.
  3. Set the port number to 22, if it is not set automatically.
  4. Select SSH for the Connection type.
  5. Click Open. The SSH client connect to the FortiGate.

    The SSH client may display a warning if this is the first time that you are connecting to the FortiGate and its SSH key is not yet recognized by the SSH client, or if you previously connected to the FortiGate using a different IP address or SSH key. This is normal if the management computer is connected directly to the FortiGate with no network hosts in between.

  6. Click Yes to accept the FortiGate unit's SSH key.

    The CLI displays the log in prompt.

  7. Enter a valid administrator account name, such as admin, then press Enter.
  8. Enter the administrator account password, then press Enter.

    The CLI console shows the command prompt (FortiGate hostname followed by a #). You can now enter CLI commands.

caution icon

If three incorrect log in or password attempts occur in a row, you will be disconnected. If this occurs, wait for one minute, then reconnect and attempt to log in again.

Connecting to the CLI

You can connect to the CLI using a direct console connection, SSH, the CLI console in the GUI, or the FortiExplorer app on your iOS device.

You can access the CLI outside of the GUI in three ways:

  • Console connection: Connect your computer directly to the console port of your FortiGate.
  • SSH access: Connect your computer through any network interface attached to one of the network ports on your FortiGate.
  • FortiExplorer: Connect your device to the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate. See FortiExplorer for iOS for details.

Console connection

A direct console connections to the CLI is created by directly connecting your management computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port.

Direct console access to the FortiGate may be required if:

  • You are installing the FortiGate for the first time and it is not configured to connect to your network.
  • You are restoring the firmware using a boot interrupt. Network access to the CLI will not be available until after the boot process has completed, making direct console access the only option.

To connect to the FortiGate console, you need:

  • A console cable to connect the console port on the FortiGate to a communications port on the computer. Depending on your device, this is one of:
    • null modem cable (DB-9 to DB-9)
    • DB-9 to RJ-45 cable (a DB-9-to-USB adapter can be used)
    • USB to RJ-45 cable
  • A computer with an available communications port
  • Terminal emulation software
To connect to the CLI using a direct console connection:
  1. Using the console cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.
  2. Start a terminal emulation program on the management computer, select the COM port, and use the following settings:

    Bits per second

    9600

    Data bits

    8

    Parity

    None

    Stop bits

    1

    Flow control

    None

  3. Press Enter on the keyboard to connect to the CLI.
  4. Log in to the CLI using your username and password (default: admin and no password).

    You can now enter CLI commands, including configuring access to the CLI through SSH.

SSH access

SSH access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.

note icon

If you do not want to use an SSH client and you have access to the GUI, you can access the CLI through the network using the CLI console in the GUI.

The CLI console can be accessed from the upper-right hand corner of the screen and appears as a slide-out window. For policies and objects, the CLI can be also be accessed by right clicking on the element and selecting Edit in CLI.

SSH must be enabled on the network interface that is associated with the physical network port that is used.

If your computer is not connected either directly or through a switch to the FortiGate, you must also configure the FortiGate with a static route to a router that can forward packets from the FortiGate to the computer. This can be done using a local console connection, or in the GUI.

To connect to the FortiGate CLI using SSH, you need:

  • A computer with an available serial communications (COM) port and RJ-45 port
  • The console cable
  • Terminal emulation software
  • A network cable
  • Prior configuration of the operating mode, network interface, and static route.
To enable SSH access to the CLI using a local console connection:
  1. Using the network cable, connect the FortiGate unit’s port either directly to your computer’s network port, or to a network through which your computer can reach the FortiGate unit.
  2. Note the number of the physical network port.
  3. Using direct console connection, connect and log into the CLI.
  4. Enter the following command:
    config system interface
        edit <interface_str>
            append allowaccess ssh
        next
    end

    Where <interface_str> is the name of the network interface associated with the physical network port, such as port1.

  5. Confirm the configuration using the following command to show the interface’s settings:
    show system interface <interface_str>

    For example:

    show system interface port1
        config system interface
            edit "port1"
                set vdom "root"
                set ip 192.168.1.99 255.255.255.0
                set allowaccess ping https ssh
                set type hard-switch
                set stp enable
                set role lan
                set snmp-index 6
            next
        end

Connecting using SSH

Once the FortiGate unit is configured to accept SSH connections, use an SSH client on your management computer to connect to the CLI.

The following instructions use PuTTy. The steps may vary in other terminal emulators.

To connect to the CLI using SSH:
  1. On your management computer, start PuTTy.
  2. In the Host Name (or IP address) field, enter the IP address of the network interface that you are connected to and that has SSH access enabled.
  3. Set the port number to 22, if it is not set automatically.
  4. Select SSH for the Connection type.
  5. Click Open. The SSH client connect to the FortiGate.

    The SSH client may display a warning if this is the first time that you are connecting to the FortiGate and its SSH key is not yet recognized by the SSH client, or if you previously connected to the FortiGate using a different IP address or SSH key. This is normal if the management computer is connected directly to the FortiGate with no network hosts in between.

  6. Click Yes to accept the FortiGate unit's SSH key.

    The CLI displays the log in prompt.

  7. Enter a valid administrator account name, such as admin, then press Enter.
  8. Enter the administrator account password, then press Enter.

    The CLI console shows the command prompt (FortiGate hostname followed by a #). You can now enter CLI commands.

caution icon

If three incorrect log in or password attempts occur in a row, you will be disconnected. If this occurs, wait for one minute, then reconnect and attempt to log in again.