
CLI Reference

Sub-commands


Once you have connected to the CLI, you can enter commands.

Each command line consists of a command word that is usually followed by words for the configuration data or other specific item that the command uses or affects:

get system admin

Sub-commands are available from within the scope of some commands. When you enter a sub-command level, the command prompt changes to indicate the name of the current command scope. For example, after entering:

config system admin

the command prompt becomes:

(admin)#

Applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command.

For example, the edit sub-command is available only within a command that affects tables; the next sub-command is available only from within the edit sub-command:

config system interface
  edit port1
    set status up
  next
end

Sub-command scope is indicated in this guide by indentation. See Indentation.

Available sub-commands vary by command. From a command prompt within config, two types of sub-commands might become available:

  • commands affecting fields
  • commands affecting tables

Syntax examples for each top-level command in this guide do not show all available sub-commands. However, when nested scope is demonstrated, you should assume that sub-commands applicable for that level of scope are available.

Commands for tables:

delete <table_name>

Remove a table from the current object.

For example, in config system admin, you could delete an administrator account named newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its fields, such as newadmin’s name and email-address.

delete is only available within objects containing tables.

edit <table_name>

Create or edit a table in the current object.

For example, in config system admin:

  • edit the settings for the default admin administrator account by typing edit admin.
  • add a new administrator account with the name newadmin and edit newadmin’s settings by typing edit newadmin.

edit is an interactive sub-command: further sub-commands are available from within edit.

edit changes the prompt to reflect the table you are currently editing.

edit is only available within objects containing tables.

end

Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.

get

List the configuration of the current object or table.

  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.

purge

Remove all tables in the current object.

For example, in config forensic user, you could type get to see the list of user names, then type purge and then y to confirm that you want to delete all users.

purge is only available for objects containing tables.

Caution: Back up the FortiMail unit before performing a purge. purge cannot be undone. To restore purged tables, the configuration must be restored from a backup. For details, see backup.

Caution: Do not purge system interface or system admin tables. purge does not provide default tables. This can result in being unable to connect or log in, requiring the FortiMail unit to be formatted and restored.

rename <table_name> to <table_name>

Rename a table.

For example, in config system admin, you could rename admin3 to fwadmin by typing rename admin3 to fwadmin.

rename is only available within objects containing tables.

show

Display changes to the default configuration. Changes are listed in the form of configuration commands.

Example of table commands:

From within the system admin object, you might enter:

edit admin_1

The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1 table:

new entry 'admin_1' added

(admin_1)#

Commands for fields:

abort

Exit the edit and/or config commands without saving the fields.

chattr

Show which of the command's attributes are synchronized for HA. Use the sync-disable and sync-unset subcommands to change the attributes (chattr) that you wish to be synchronized across HA cluster members.

Only administrators with super admin privileges may configure the feature on the primary HA unit while it is operating either in primary or config-primary mode.

To define HA attribute synchronization, configure the following:

config <command>
  chattr sync-disable ...
  chattr sync-unset ...
end

Use chattr sync-disable to disable any attributes from being synchronized across the HA cluster.

Use chattr sync-unset to reset the attribute's default synchronization behavior.

You can also enter chattr without an argument within a config command to display all attributes that can be configured for HA attribute synchronization.

Additionally, use the following diagnose commands:

  • diagnose system ha show-sync-diable-cfg
    Display all attributes that have been modified/disabled by the administrator.

  • diagnose system ha show-sync-diable-cfg all
    Display all attributes that are not synchronized, including both system default and settings disabled by the administrator.

  • diagnose system ha unset-sync-disable-cfg
    Change all modified/disabled attributes to the default synchronize action. Note that this command should be entered for both primary/config-primary and secondary/config-secondary units, as it may cause desynchronization between the cluster members.

end

Save the changes made to the current table or object fields, and exit the config command (to exit without saving, use abort instead).

get

List the configuration of the current object or table.

  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.

next

Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt (to save and exit completely to the root prompt, use end instead).

next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time.

next is only available from a table prompt; it is not available from an object prompt.

set <field_name> <value>

Set a field’s value.

For example, in config system admin, after typing edit admin, you could type set passwd newpass to change the password of the admin administrator to newpass.

Note: When using set to change a field containing a space-delimited list, type the whole new list. For example, set <field> <new-value> will replace the list with the <new-value> rather than appending <new-value> to the list.

show

Display changes to the default configuration. Changes are listed in the form of configuration commands.

unset <field_name>

Reset the table or object’s fields to default values.

For example, in config system admin, after typing edit admin, typing unset passwd resets the password of the admin administrator account to the default (in this case, no password).

Example of field commands:

From within the admin_1 table, you might enter:

set passwd my1stExamplePassword

to assign the value my1stExamplePassword to the passwd field. You might then enter the next command to save the changes and edit the next administrator’s table.
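
The scope rules above can be checked mechanically before a script is pasted into a unit. The following is an added Python example, not Fortinet code: it tracks the object and table scope and flags the purge cases named in the Caution and the unset passwd case from the unset example. It assumes config blocks are not nested; the function name lint and the sample script are illustrative.

```python
# Added example: scope linter for FortiMail CLI scripts. It models only the
# rules stated on this page and assumes config blocks are not nested.
PURGE_DENYLIST = {"system interface", "system admin"}  # from the Caution above
TABLE_CMDS = {"delete", "purge", "rename"}  # valid at an object prompt only

def lint(script):
    """Return (line_no, message) findings for a CLI script."""
    findings, obj, table = [], None, None  # obj: config object, table: edit target
    lines = script.splitlines()
    for no, raw in enumerate(lines, 1):
        cmd, *args = raw.split() or [""]
        if cmd == "config":
            obj, table = " ".join(args), None
        elif cmd == "edit":
            if obj is None or table is not None:
                findings.append((no, "edit is only available at an object prompt"))
            else:
                table = args[0] if args else ""
        elif cmd == "next":
            if table is None:
                findings.append((no, "next is only available from a table prompt"))
            table = None
        elif cmd in ("end", "abort"):
            if obj is None:
                findings.append((no, f"{cmd} used outside a config scope"))
            obj = table = None
        elif cmd in TABLE_CMDS:
            if obj is None or table is not None:
                findings.append((no, f"{cmd} is only available at an object prompt"))
            elif cmd == "purge" and obj in PURGE_DENYLIST:
                findings.append((no, f"purge in '{obj}' can lock you out"))
        elif cmd in ("set", "unset"):
            if obj is None:
                findings.append((no, f"{cmd} used outside a config scope"))
            elif cmd == "unset" and obj == "system admin" and args[:1] == ["passwd"]:
                findings.append((no, "unset passwd leaves the account with no password"))
    if obj is not None:
        findings.append((len(lines), f"'config {obj}' is never closed with end or abort"))
    return findings

# Constructed sample script (not taken from a real unit).
SAMPLE = ("config system interface\n  edit port1\n    set status up\n  next\nend\n"
          "next\nconfig system admin\n  edit admin\n    unset passwd\n    purge\n"
          "  next\n  purge\n")

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```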
