Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

Connecting to the CLI

You can access the CLI in two ways:

  • Locally — Connect your computer directly to the FortiMail unit’s console port.
  • Through the network — Connect your computer through any network attached to one of the FortiMail unit’s network ports. The network interface must have enabled Telnet or Secure Shell (SSH) administrative access if you will connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you will connect using the CLI Console widget in the web-based manager.

Local access is required in some cases.

If you are installing your FortiMail unit for the first time and it is not yet configured to connect to your network, unless you reconfigure your computer’s network settings for a peer connection, you may only be able to connect to the CLI using a local serial console connection.

Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, and therefore local CLI access is the only viable option.

Before you can access the CLI through the network, you usually must enable SSH and/or HTTP/HTTPS and/or Telnet on the network interface through which you will access the CLI.

This section includes:

Local console connection and initial configuration

Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiMail unit, using its DB-9 or RJ-45 console port.

Requirements
  • a computer with an available serial communications (COM) port
  • the RJ-45-to-DB-9 or null modem cable included in your FortiMail package
  • terminal emulation software such as PuTTY

The following procedure describes connection using PuTTY software; steps may vary with other terminal emulators.

To connect to the CLI using a local serial console connection
  1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiMail unit’s console port to the serial communications (COM) port on your management computer.
  2. On your management computer, start PuTTY.
  3. In the Category tree on the left, go to Connection > Serial and configure the following:
  4. Serial line to connect to

    COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)

    Speed (baud)

    9600

    Data bits

    8

    Stop bits

    1

    Parity

    None

    Flow control

    None

  5. In the Category tree on the left, go to Session (not the sub-node, Logging) and from Connection type, select Serial.
  6. Click Open.
  7. Press the Enter key to initiate a connection.
  8. The login prompt appears.
  9. Type a valid administrator account name (such as admin) and press Enter.
  10. Type the password for that administrator account then press Enter (in its default state, there is no password for the admin account).
  11. The CLI displays the following text, followed by a command line prompt:

Welcome!

Initial configurations

Once you’ve physically connected your computer to the FortiMail unit, you can configure the basic FortiMail system settings through the CLI. For more information on other CLI commands, see the FortiMail CLI Guide.

To change the admin password:

config system admin

edit <admin_name>

set password <new_password>

end

To change the operation mode:

config system global

set operation-mode {gateway | server | transparent}

end

To configure the interface IP address:

config system interface

edit <interface_name>

set ip <ip_address>

end

To configure the system route/gateway:

config system route

edit <route_int>

set destination <destination_ip4mask>

set gateway <gateway_ipv4>

set interface <interface_name>

end

To configure the DNS servers:

config system dns

set primary <ipv4_address>

set secondary <ipv4_ address>

end

To configure the NTP time synchronization:

config system time ntp

set ntpserver {<address_ipv4 | <fqdn_str>}

set ntpsync {enable | disable}

set syncinterval <interval_int>

end

To configure the SNMP v3 user settings:

config system snmp user

edit <user_name>

set query-status {enable | disable}

set queryport <port_number>

set security-level {authnopriv | authpriv | noauthnopriv}

set auth-proto {sha1 | md5}

set auth-pwd <password>

set status {enable | disable}

set trap-status {enable | disable}

set trapevent {cpu | deferred-queue | ha | ip-change | logdisk | maildisk | mem | raid | remote-storage | spam | system | virus}

set trapport-local <port_number>

set trapport-remote <port_number>

config host

edit <host_no>

set ip <class_ip>

end

end

Enabling access to the CLI through the network (SSH or Telnet)

SSH, Telnet, or CLI Console widget (via the web UI) access to the CLI requires connecting your computer to the FortiMail unit using one of its RJ-45 network ports. You can either connect directly, use a peer connection between the two, or through any intermediary network.

If you do not want to use an SSH/Telnet client and you have access to the web UI, you can alternatively access the CLI through the network using the CLI Console widget in the web UI. For details, see the FortiWeb Administration Guide.

 

If you do not want to use an SSH/Telnet client and you have access to the web-based manager, you can alternatively access the CLI through the network using the CLI Console widget in the web-based manager. For details, see the FortiMail Administration Guide.

You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer is not connected directly or through a switch, you must also configure the FortiMail unit with a static route to a router that can forward packets from the FortiMail unit to your computer.

You can do this using either:

Requirements
  • a computer with an available serial communications (COM) port and RJ-45 port
  • terminal emulation software such as PuTTY
  • the RJ-45-to-DB-9 or null modem cable included in your FortiMail package
  • a crossover or straight-through network cable autosensing ports
  • prior configuration of the operating mode, network interface, and static route (for details, see the FortiMail Install Guide)
To enable SSH or Telnet access to the CLI using a local console connection

Using the network cable, connect the FortiMail unit’s network port either directly to your computer’s network port, or to a network through which your computer can reach the FortiMail unit.

Note the number of the physical network port.

Using a local console connection, connect and log into the CLI. For details, see Local console connection and initial configuration.

Enter the following commands:

config system interface

edit <interface_name>

set allowaccess {http https ping snmp ssh telnet}

end

where:

<interface_str> is the name of the network interface associated with the physical network port, such as port1

Enter the administrative access protocols you wish to permit in a space-delimited format, such as https ssh telnet; omit protocols that you do not want to permit.

For example, to exclude HTTP, SNMP, and Telnet, and allow only HTTPS, ICMP ECHO (ping), and SSH administrative access on port1:

config system interface

edit "port1"

set allowaccess https ping ssh

next

end

Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

To confirm the configuration, enter the command to view the access settings for the interface.

show system interface <interface_name>

The CLI displays the settings, including the management access settings, for the interface.

To connect to the CLI through the network interface, see Connecting to the CLI using SSH or Connecting to the CLI using Telnet.

Connecting to the CLI using SSH

Once the FortiMail unit is configured to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

SSH provides both secure authentication and secure communications to the CLI. Supported SSH protocol versions, ciphers, and bit strengths vary by whether or not you have enabled FIPS-CC mode, but generally include SSH version 2 with AES-128, 3DES, Blowfish, and SHA-1.

Requirements
To connect to the CLI using SSH
  1. On your management computer, start PuTTY.
  2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled SSH administrative access.
  3. In Port, type 22.
  4. From Connection type, select SSH.
  5. Click Open.
  6. The SSH client connects to the FortiMail unit.

    The SSH client may display a warning if this is the first time you are connecting to the FortiMail unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiMail unit but it used a different IP address or SSH key. If your management computer is directly connected to the FortiMail unit with no network hosts between them, this is normal.

  7. Click Yes to verify the fingerprint and accept the FortiMail unit’s SSH key. You will not be able to log in until you have accepted the key.
  8. The CLI displays a login prompt.

  9. Type a valid administrator account name (such as admin) and press Enter.
  10. You can alternatively log in using an SSH key. For details, see system admin.

  11. Type the password for this administrator account and press Enter.
  12. If four (three for FortiWeb) incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then reconnect to attempt the login again.

    The CLI displays a command line prompt (by default, its host name followed by a #). You can now enter CLI commands.

Connecting to the CLI using Telnet

Once the FortiMail unit is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

Requirements
To connect to the CLI using Telnet
  1. On your management computer, start PuTTY.
  2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled Telnet administrative access.
  3. In Port, type 23.
  4. From Connection type, select Telnet.
  5. Click Open.
  6. The CLI displays a login prompt.

  7. Type a valid administrator account name (such as admin) and press Enter.
  8. Type the password for this administrator account and press Enter.

If three incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then reconnect to attempt the login again.

The CLI displays a command line prompt (by default, its host name followed by a #). You can now enter CLI commands.

Logging out from the CLI console

No matter how you connect to the FortiMail CLI console (direct console connection, SSH, or Telnet) , to exit the console, enter the exit command.

Connecting to the CLI

You can access the CLI in two ways:

  • Locally — Connect your computer directly to the FortiMail unit’s console port.
  • Through the network — Connect your computer through any network attached to one of the FortiMail unit’s network ports. The network interface must have enabled Telnet or Secure Shell (SSH) administrative access if you will connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you will connect using the CLI Console widget in the web-based manager.

Local access is required in some cases.

If you are installing your FortiMail unit for the first time and it is not yet configured to connect to your network, unless you reconfigure your computer’s network settings for a peer connection, you may only be able to connect to the CLI using a local serial console connection.

Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, and therefore local CLI access is the only viable option.

Before you can access the CLI through the network, you usually must enable SSH and/or HTTP/HTTPS and/or Telnet on the network interface through which you will access the CLI.

This section includes:

Local console connection and initial configuration

Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiMail unit, using its DB-9 or RJ-45 console port.

Requirements
  • a computer with an available serial communications (COM) port
  • the RJ-45-to-DB-9 or null modem cable included in your FortiMail package
  • terminal emulation software such as PuTTY

The following procedure describes connection using PuTTY software; steps may vary with other terminal emulators.

To connect to the CLI using a local serial console connection
  1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiMail unit’s console port to the serial communications (COM) port on your management computer.
  2. On your management computer, start PuTTY.
  3. In the Category tree on the left, go to Connection > Serial and configure the following:
  4. Serial line to connect to

    COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)

    Speed (baud)

    9600

    Data bits

    8

    Stop bits

    1

    Parity

    None

    Flow control

    None

  5. In the Category tree on the left, go to Session (not the sub-node, Logging) and from Connection type, select Serial.
  6. Click Open.
  7. Press the Enter key to initiate a connection.
  8. The login prompt appears.
  9. Type a valid administrator account name (such as admin) and press Enter.
  10. Type the password for that administrator account then press Enter (in its default state, there is no password for the admin account).
  11. The CLI displays the following text, followed by a command line prompt:

Welcome!

Initial configurations

Once you’ve physically connected your computer to the FortiMail unit, you can configure the basic FortiMail system settings through the CLI. For more information on other CLI commands, see the FortiMail CLI Guide.

To change the admin password:

config system admin

edit <admin_name>

set password <new_password>

end

To change the operation mode:

config system global

set operation-mode {gateway | server | transparent}

end

To configure the interface IP address:

config system interface

edit <interface_name>

set ip <ip_address>

end

To configure the system route/gateway:

config system route

edit <route_int>

set destination <destination_ip4mask>

set gateway <gateway_ipv4>

set interface <interface_name>

end

To configure the DNS servers:

config system dns

set primary <ipv4_address>

set secondary <ipv4_ address>

end

To configure the NTP time synchronization:

config system time ntp

set ntpserver {<address_ipv4 | <fqdn_str>}

set ntpsync {enable | disable}

set syncinterval <interval_int>

end

To configure the SNMP v3 user settings:

config system snmp user

edit <user_name>

set query-status {enable | disable}

set queryport <port_number>

set security-level {authnopriv | authpriv | noauthnopriv}

set auth-proto {sha1 | md5}

set auth-pwd <password>

set status {enable | disable}

set trap-status {enable | disable}

set trapevent {cpu | deferred-queue | ha | ip-change | logdisk | maildisk | mem | raid | remote-storage | spam | system | virus}

set trapport-local <port_number>

set trapport-remote <port_number>

config host

edit <host_no>

set ip <class_ip>

end

end

Enabling access to the CLI through the network (SSH or Telnet)

SSH, Telnet, or CLI Console widget (via the web UI) access to the CLI requires connecting your computer to the FortiMail unit using one of its RJ-45 network ports. You can either connect directly, use a peer connection between the two, or through any intermediary network.

If you do not want to use an SSH/Telnet client and you have access to the web UI, you can alternatively access the CLI through the network using the CLI Console widget in the web UI. For details, see the FortiWeb Administration Guide.

 

If you do not want to use an SSH/Telnet client and you have access to the web-based manager, you can alternatively access the CLI through the network using the CLI Console widget in the web-based manager. For details, see the FortiMail Administration Guide.

You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer is not connected directly or through a switch, you must also configure the FortiMail unit with a static route to a router that can forward packets from the FortiMail unit to your computer.

You can do this using either:

Requirements
  • a computer with an available serial communications (COM) port and RJ-45 port
  • terminal emulation software such as PuTTY
  • the RJ-45-to-DB-9 or null modem cable included in your FortiMail package
  • a crossover or straight-through network cable autosensing ports
  • prior configuration of the operating mode, network interface, and static route (for details, see the FortiMail Install Guide)
To enable SSH or Telnet access to the CLI using a local console connection

Using the network cable, connect the FortiMail unit’s network port either directly to your computer’s network port, or to a network through which your computer can reach the FortiMail unit.

Note the number of the physical network port.

Using a local console connection, connect and log into the CLI. For details, see Local console connection and initial configuration.

Enter the following commands:

config system interface

edit <interface_name>

set allowaccess {http https ping snmp ssh telnet}

end

where:

<interface_str> is the name of the network interface associated with the physical network port, such as port1

Enter the administrative access protocols you wish to permit in a space-delimited format, such as https ssh telnet; omit protocols that you do not want to permit.

For example, to exclude HTTP, SNMP, and Telnet, and allow only HTTPS, ICMP ECHO (ping), and SSH administrative access on port1:

config system interface

edit "port1"

set allowaccess https ping ssh

next

end

Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

To confirm the configuration, enter the command to view the access settings for the interface.

show system interface <interface_name>

The CLI displays the settings, including the management access settings, for the interface.

To connect to the CLI through the network interface, see Connecting to the CLI using SSH or Connecting to the CLI using Telnet.

Connecting to the CLI using SSH

Once the FortiMail unit is configured to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

SSH provides both secure authentication and secure communications to the CLI. Supported SSH protocol versions, ciphers, and bit strengths vary by whether or not you have enabled FIPS-CC mode, but generally include SSH version 2 with AES-128, 3DES, Blowfish, and SHA-1.

Requirements
To connect to the CLI using SSH
  1. On your management computer, start PuTTY.
  2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled SSH administrative access.
  3. In Port, type 22.
  4. From Connection type, select SSH.
  5. Click Open.
  6. The SSH client connects to the FortiMail unit.

    The SSH client may display a warning if this is the first time you are connecting to the FortiMail unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiMail unit but it used a different IP address or SSH key. If your management computer is directly connected to the FortiMail unit with no network hosts between them, this is normal.

  7. Click Yes to verify the fingerprint and accept the FortiMail unit’s SSH key. You will not be able to log in until you have accepted the key.
  8. The CLI displays a login prompt.

  9. Type a valid administrator account name (such as admin) and press Enter.
  10. You can alternatively log in using an SSH key. For details, see system admin.

  11. Type the password for this administrator account and press Enter.
  12. If four (three for FortiWeb) incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then reconnect to attempt the login again.

    The CLI displays a command line prompt (by default, its host name followed by a #). You can now enter CLI commands.

Connecting to the CLI using Telnet

Once the FortiMail unit is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

Requirements
To connect to the CLI using Telnet
  1. On your management computer, start PuTTY.
  2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled Telnet administrative access.
  3. In Port, type 23.
  4. From Connection type, select Telnet.
  5. Click Open.
  6. The CLI displays a login prompt.

  7. Type a valid administrator account name (such as admin) and press Enter.
  8. Type the password for this administrator account and press Enter.

If three incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then reconnect to attempt the login again.

The CLI displays a command line prompt (by default, its host name followed by a #). You can now enter CLI commands.

Logging out from the CLI console

No matter how you connect to the FortiMail CLI console (direct console connection, SSH, or Telnet) , to exit the console, enter the exit command.