
CLI Reference

Connecting to the CLI

You can access the CLI in two ways:

  • locally, through a serial connection to the FortiMail unit’s console port

  • through the network, using SSH, Telnet, or the CLI Console widget in the GUI

Local access is required in some cases.

  • If you are installing your FortiMail unit for the first time and it is not yet configured to connect to your network, unless you reconfigure your computer’s network settings for a peer connection, you may only be able to connect to the CLI using a local serial console connection.

  • Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, and therefore local CLI access is the only viable option.

This section includes:

  • Connecting to the CLI using a local console

  • Enabling network connections (SSH or Telnet) to the CLI

  • Connecting to the CLI using SSH

  • Connecting to the CLI using Telnet

  • Logging out from the CLI

Connecting to the CLI using a local console

Local console connections to the CLI are formed by directly connecting either a:

  • terminal server

  • management computer

  • console

to the FortiMail unit, using its DB-9 or RJ-45 console port. The following procedure shows a connection to your computer.

Requirements

  • a computer with an available serial communications (COM) port

  • the RJ-45-to-DB-9 or null modem cable included in your FortiMail package

  • terminal emulation software such as PuTTY

The following procedure describes connection using PuTTY software; steps may vary with other terminal emulators.

To connect to the CLI using a local serial console connection

  1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiMail unit’s console port to the serial communications (COM) port on your management computer.

  2. On your management computer, start PuTTY.

  3. In the Category tree on the left, go to Connection > Serial and configure the following:

    • Serial line to connect to: COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)

    • Speed (baud): 9600

    • Data bits: 8

    • Stop bits: 1

    • Parity: None

    • Flow control: None

  4. In the Category tree on the left, go to Session (not the sub-node, Logging) and from Connection type, select Serial.

  5. Click Open.

  6. Press the Enter key to initiate a connection.

  7. The login prompt appears.

  8. Type a valid administrator account name (such as admin) and press Enter.

  9. Type the password for that administrator account then press Enter (in its default state, there is no password for the admin account).

    The CLI displays a command line prompt.

Enabling network connections (SSH or Telnet) to the CLI

SSH, Telnet, or CLI Console widget (via the GUI) access to the CLI requires that you connect your computer to the FortiMail unit using one of its RJ-45 network ports. You can connect either:

  • Directly, with a peer connection or switch between the two

  • Indirectly, through any local network or the Internet

Before you can use the network connection, you must enable the physical network port's network interface to accept SSH and/or Telnet.

If your computer is connected indirectly, you must also configure network settings (a static route) so that a router can forward packets through the network from the FortiMail unit to your computer.

This procedure shows how to enable both direct and indirect network connections.

If you do not want to use an SSH or Telnet client and you have HTTPS access to the FortiMail GUI, you can alternatively use the CLI Console widget. For details, see the FortiMail Administration Guide.

Requirements

  • a computer with an available serial communications (COM) port and RJ-45 port

  • terminal emulation software such as PuTTY

  • the RJ-45-to-DB-9 or null modem cable included in your FortiMail package

  • a crossover or straight-through network cable (autosensing ports)

To enable SSH or Telnet access to the CLI

  1. Using the network cable, connect the FortiMail unit’s network port either:

    • directly to your computer’s network port

    • to a network through which your computer can reach the FortiMail unit indirectly

    Note the number of the physical network port, such as port1.

  2. Using a local console connection, connect and log into the CLI. For details, see Connecting to the CLI using a local console.

  3. Enter the following commands in sequential order:

    config system admin
    edit "admin"
    set password "<new-password_str>"
    end

    config system global
    set operation-mode {gateway | server | transparent}
    end

    config system interface
    edit <interface_name>
    set ip {<interface_ipv4> | <interface_ipv6>}
    set allowaccess {http https ping snmp ssh telnet}
    end

    config system route
    edit 0
    set destination {<subnet_ipv4mask> | <subnet_ipv6mask>}
    set gateway {<router_ipv4> | <router_ipv6>}
    set interface <interface_name>
    end

    config system dns
    set primary <dns1_ipv4>
    set secondary <dns2_ipv4>
    end

    config system time ntp
    set ntpsync enable
    set ntpserver {<ntp_ipv4> | <ntp_fqdn>}
    end

    where:

    • <new-password_str> is your new password for the administrator account named admin

    • {gateway | server | transparent} is your choice of FortiMail operation mode

    • <interface_name> is the network interface, such as port1, associated with the physical network port

    • {<interface_ipv4> | <interface_ipv6>} is the IP address of the network interface; omit this command to use the existing IP address

    • {http https ping snmp ssh telnet} is the space-delimited list of administrative access protocols that you want to permit, such as https ssh; omit administrative access protocols that you do not want to permit

    • {<subnet_ipv4mask> | <subnet_ipv6mask>} is which outgoing traffic, such as 0.0.0.0/0 for all traffic, that FortiMail should send to the router to be forwarded to destination IP addresses such as your computer; omit route settings if you are using a direct connection

    • {<router_ipv4> | <router_ipv6>} is the next hop (gateway) router or firewall

    • <dns1_ipv4> and <dns2_ipv4> are DNS servers; DNS is required by secure connections and many other features

    • {<ntp_ipv4> | <ntp_fqdn>} is an NTP (time) server, in either IP address or domain name format; accurate time is required by secure connections and many other features

    • Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

    • Default administrator passwords should be replaced before you allow any network connections to FortiMail. Security can be compromised if the Internet or other untrusted connections can reach a FortiMail unit that still has a default password.

    • If you change the operation mode later, most settings will be reset and must be reconfigured.

    You can alternatively log in using an SSH key instead of a password. For details, see system admin.

  4. To test your network settings, enter the command:

    exec ping fortinet.com

    Results should show 0% packet loss. Otherwise verify your settings and (for indirect connections) router/firewall.

  5. To connect to the CLI through the network interface, see Connecting to the CLI using SSH or Connecting to the CLI using Telnet.

Connecting to the CLI using SSH

Once the FortiMail unit is configured to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

SSH provides both secure authentication and secure communications to the CLI. Supported SSH protocol versions, ciphers, and bit strengths vary by whether or not you have enabled FIPS-CC mode. FortiMail does not support SSH connections with plain-text password authentication. Instead, challenge/response should be used.

Requirements

To connect to the CLI using SSH

  1. On your management computer, start PuTTY.

  2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled SSH administrative access.

  3. In Port, type 22.

  4. From Connection type, select SSH.

  5. Click Open.

    The SSH client connects to the FortiMail unit.

    The SSH client may display a warning if this is the first time you are connecting to the FortiMail unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiMail unit but it used a different IP address or SSH key. If your management computer is directly connected to the FortiMail unit with no network hosts between them, this is normal.

  6. Click Yes to verify the fingerprint and accept the FortiMail unit’s SSH key. You will not be able to log in until you have accepted the key.

    The CLI displays a login prompt.

  7. Log in using your administrator account.

    If four incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then reconnect to attempt the login again.

    The CLI displays a command line prompt (by default, its host name followed by a #). You can now enter CLI commands.
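Step 6 asks you to verify the fingerprint before accepting the unit's SSH key; the warning in step 5 is only benign if the fingerprint shown matches one you already trust. The following script, an added example and not part of PuTTY or Fortinet's software, shows what that comparison is: it parses an OpenSSH-style public key line, computes the SHA256 fingerprint that modern clients display (base64 of SHA-256 over the key blob, without padding), and compares it in constant time against a fingerprint recorded through a trusted channel. The key material and the recorded fingerprint are constructed here for illustration; in practice the trusted value comes from the unit itself over the serial console or from your change records.

```python
"""Compare a presented SSH host key against a fingerprint recorded out of band.
Added example, not Fortinet's or PuTTY's code; key bytes are constructed."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_public_key_line(key_type, raw_key, comment="constructed-host-key"):
    """Build an OpenSSH-style 'type base64 comment' line from a key type and
    raw key bytes (used only to construct test data here)."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line):
    """Return (key_type, blob) from an OpenSSH public key line, rejecting lines
    whose declared type does not match the type embedded in the blob."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode()
    if embedded != key_type:
        raise ValueError(f"key type mismatch: declared {key_type}, blob says {embedded}")
    return key_type, blob


def sha256_fingerprint(blob):
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line, trusted_fingerprint):
    """True only when the presented key's fingerprint equals the trusted one;
    constant-time comparison so the check itself leaks nothing."""
    _, blob = parse_public_key_line(line)
    return hmac.compare_digest(sha256_fingerprint(blob), trusted_fingerprint)


# Constructed stand-ins: a deterministic 32-byte "Ed25519" key for the unit,
# and the fingerprint an administrator recorded from it over the console.
PRESENTED_KEY = make_public_key_line("ssh-ed25519", bytes(range(32)))
TRUSTED_FINGERPRINT = sha256_fingerprint(parse_public_key_line(PRESENTED_KEY)[1])
# A different key, as an attacker in the path or a re-imaged unit would present.
OTHER_KEY = make_public_key_line("ssh-ed25519", bytes(range(1, 33)))


if __name__ == "__main__":
    print("trusted :", TRUSTED_FINGERPRINT)
    print("presented matches:", host_key_matches(PRESENTED_KEY, TRUSTED_FINGERPRINT))
    print("other key matches:", host_key_matches(OTHER_KEY, TRUSTED_FINGERPRINT))
```

The fingerprint PuTTY shows in its warning dialog is this same SHA256 value (older clients show an MD5 form instead); the decision in step 6 is the `host_key_matches` comparison done by eye. A mismatch on a unit you have connected to before means the unit was re-imaged, its address was reused, or something between you and it is answering in its place, and the connection should not proceed until that is explained.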

Connecting to the CLI using Telnet

Once the FortiMail unit is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other untrusted network.

Requirements

To connect to the CLI using Telnet

  1. On your management computer, start PuTTY.

  2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled Telnet administrative access.

  3. In Port, type 23.

  4. From Connection type, select Telnet.

  5. Click Open.

  6. The CLI displays a login prompt.

  7. Log in using your administrator account.

    If three incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then reconnect to attempt the login again.

    The CLI displays a command line prompt (by default, its host name followed by a #). You can now enter CLI commands.

Logging out from the CLI

Regardless of how you connect to the FortiMail CLI console (direct console connection, SSH, Telnet, or the CLI Console in the GUI), to log out of the console, enter the exit command.
