Fortinet white logo
Fortinet white logo

CLI Reference

CLI command branches

CLI command branches

The FortiManager CLI consists of the following command branches:

config branch

get branch

show branch

execute branch

diagnose branch

Examples showing how to enter command sequences within each branch are provided in the following sections.

config branch

The config commands configure objects of FortiManager functionality. Top-level objects are not configurable, they are containers for more specific lower level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of keywords that you can set to particular values. Simpler objects, such as system DNS, are a single set of keywords.

To configure an object, you use the config command to navigate to the object’s command “shell”. For example, to configure administrators, you enter the command

config system admin user

The command prompt changes to show that you are in the admin shell.

(user)#

This is a table shell. You can use any of the following commands:

delete

Remove an entry from the FortiManager configuration. For example in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.

edit

Add an entry to the FortiManager configuration or edit an existing entry. For example in the config system admin shell:

  • type edit admin and press Enter to edit the settings for the default admin administrator account.
  • type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.

end

Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You return to the root FortiManager CLI prompt.

The end command is also used to save set command changes and leave the shell.

get

List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.

purge

Remove all entries configured in the current shell. For example in the config user local shell:

  • type get to see the list of user names added to the FortiManager configuration,
  • type purge and then y to confirm that you want to purge all the user names,
  • type get again to confirm that no user names are displayed.

show

Show changes to the default configuration as configuration commands.

If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:

edit admin_1

The FortiManager unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:

new entry 'admin_1' added

(admin_1)#

From this prompt, you can use any of the following commands:

abort

Exit an edit shell without saving the configuration.

config

In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add host definitions to an SNMP community.

end

Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command.

The end command is also used to save set command changes and leave the shell.

get

List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.

next

Save the changes you have made in the current shell and continue working in the shell. For example if you want to add several new admin user accounts enter the config system admin user shell.

  1. Enter edit User1 and press Enter.
  2. Use the set commands to configure the values for the new admin account.
  3. Enter next to save the configuration for User1 without leaving the config system admin user shell.
  4. Continue using the edit, set, and next commands to continue adding admin user accounts.
  5. Type end then press Enter to save the last configuration and leave the shell.

set

Assign values. For example from the edit admin command shell, typing set passwd newpass changes the password of the admin administrator account to newpass.

Note: When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.

show

Show changes to the default configuration in the form of configuration commands.

unset

Reset values to defaults. For example from the edit admin command shell, typing unset passwd resets the password of the admin administrator account to the default of no password.

The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell you must leave the shell you are working in and enter the other shell.

The root prompt is the FortiManager host or model name followed by a #.

get branch

Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell.

To use get from the root prompt, you must include a path to a shell.

Example

When you type get in the config system admin user shell, the list of administrators is displayed.

At the (user)# prompt, type:

get

The screen displays:

== [ admin ]

userid: admin

== [ admin2 ]

userid: admin2

== [ admin3 ]

userid: admin3

Example

When you type get in the admin user shell, the configuration values for the admin administrator account are displayed.

edit admin

At the (admin)# prompt, type:

get

The screen displays:

userid : admin

login-max : 32

password : *

change-password : enable

trusthost1 : 0.0.0.0 0.0.0.0

trusthost2 : 255.255.255.255 255.255.255.255

trusthost3 : 255.255.255.255 255.255.255.255

trusthost4 : 255.255.255.255 255.255.255.255

trusthost5 : 255.255.255.255 255.255.255.255

trusthost6 : 255.255.255.255 255.255.255.255

trusthost7 : 255.255.255.255 255.255.255.255

trusthost8 : 255.255.255.255 255.255.255.255

trusthost9 : 255.255.255.255 255.255.255.255

trusthost10 : 255.255.255.255 255.255.255.255

ipv6_trusthost1 : ::/0

ipv6_trusthost2 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost3 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost4 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost5 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost6 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost7 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost8 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost9 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost10 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

profileid : Super_User

dev-group : (null)

web-filter:

ips-filter:

app-filter:

description : (null)

user_type : local

ssh-public-key1 :

ssh-public-key2 :

ssh-public-key3 :

avatar : (null)

meta-data:

== [ Contact Email ]

fieldname: Contact Email

== [ Contact Phone ]

fieldname: Contact Phone

password-expire : 0000-00-00 00:00:00

force-password-change: disable

rpc-permit : none

last-name : (null)

first-name : (null)

email-address : (null)

phone-number : (null)

mobile-number : (null)

pager-number : (null)

hidden : 0

dashboard-tabs:

dashboard:

Example

You want to confirm the IPv4 address and netmask of the port1 interface from the root prompt.

At the # prompt, type:

get system interface port1

The screen displays:

name : port1

status : up

ip : ***.**.***.** 255.255.255.0

allowaccess : https ssh

serviceaccess :

speed : auto

description : (null)

alias : (null)

mtu : 1500

ipv6:

ip6-address: ::/0 ip6-allowaccess: ip6-autoconf: enable

show branch

Use show to display the FortiManager unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.

To display the configuration of all config shells, you can use show from the root prompt.

Example

When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed.

At the (port1)# prompt, type:

show

The screen displays:

config system interface

edit "port1"

set ip ***.**.***.** 255.255.255.0

set allowaccess https ssh

next

end

Example

You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type:

show system dns

The screen displays:

config system dns

set primary 172.39.139.53

set secondary 172.39.139.63

end

execute branch

Use execute to run static commands, to reset the FortiManager unit to factory defaults, or to back up or restore the FortiManager configuration. The execute commands are available only from the root prompt.

Example

At the root prompt, type:

execute reboot

and press Enter to restart the FortiManager unit.

diagnose branch

Commands in the diagnose branch are used for debugging the operation of the FortiManager unit and to set parameters for displaying different levels of diagnostic information. The diagnose commands are not documented in this CLI Reference.

diagnose commands are intended for advanced users only. Contact Fortinet Customer Support before using these commands.

Example command sequences

The command prompt changes for each shell.

To configure the primary and secondary DNS server addresses:
  1. Starting at the root prompt, type:

    config system dns

    and press Enter. The prompt changes to (dns)#.

  2. At the (dns)# prompt, type ?

    The following options are displayed.

    set

    unset

    get

    show

    abort

    end

  3. Enter set ?

    The following options are displayed:

    primary

    secondary

    ip6-primary

    ip6-secondary

  4. To set the primary DNS server address to 172.16.100.100, type:

    set primary 172.16.100.100

    and press Enter.

  5. To set the secondary DNS server address to 207.104.200.1, type:

    set secondary 207.104.200.1

    and press Enter.

  6. To restore the primary DNS server address to the default address, type unset primary and press Enter.

    If you want to leave the config system dns shell without saving your changes, type abort and press Enter.

  7. To save your changes and exit the dns sub-shell, type end and press Enter.
  8. To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.

CLI command branches

CLI command branches

The FortiManager CLI consists of the following command branches:

config branch

get branch

show branch

execute branch

diagnose branch

Examples showing how to enter command sequences within each branch are provided in the following sections.

config branch

The config commands configure objects of FortiManager functionality. Top-level objects are not configurable, they are containers for more specific lower level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of keywords that you can set to particular values. Simpler objects, such as system DNS, are a single set of keywords.

To configure an object, you use the config command to navigate to the object’s command “shell”. For example, to configure administrators, you enter the command

config system admin user

The command prompt changes to show that you are in the admin shell.

(user)#

This is a table shell. You can use any of the following commands:

delete

Remove an entry from the FortiManager configuration. For example in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.

edit

Add an entry to the FortiManager configuration or edit an existing entry. For example in the config system admin shell:

  • type edit admin and press Enter to edit the settings for the default admin administrator account.
  • type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.

end

Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You return to the root FortiManager CLI prompt.

The end command is also used to save set command changes and leave the shell.

get

List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.

purge

Remove all entries configured in the current shell. For example in the config user local shell:

  • type get to see the list of user names added to the FortiManager configuration,
  • type purge and then y to confirm that you want to purge all the user names,
  • type get again to confirm that no user names are displayed.

show

Show changes to the default configuration as configuration commands.

If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:

edit admin_1

The FortiManager unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:

new entry 'admin_1' added

(admin_1)#

From this prompt, you can use any of the following commands:

abort

Exit an edit shell without saving the configuration.

config

In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add host definitions to an SNMP community.

end

Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command.

The end command is also used to save set command changes and leave the shell.

get

List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.

next

Save the changes you have made in the current shell and continue working in the shell. For example if you want to add several new admin user accounts enter the config system admin user shell.

  1. Enter edit User1 and press Enter.
  2. Use the set commands to configure the values for the new admin account.
  3. Enter next to save the configuration for User1 without leaving the config system admin user shell.
  4. Continue using the edit, set, and next commands to continue adding admin user accounts.
  5. Type end then press Enter to save the last configuration and leave the shell.

set

Assign values. For example from the edit admin command shell, typing set passwd newpass changes the password of the admin administrator account to newpass.

Note: When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.

show

Show changes to the default configuration in the form of configuration commands.

unset

Reset values to defaults. For example from the edit admin command shell, typing unset passwd resets the password of the admin administrator account to the default of no password.

The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell you must leave the shell you are working in and enter the other shell.

The root prompt is the FortiManager host or model name followed by a #.

get branch

Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell.

To use get from the root prompt, you must include a path to a shell.

Example

When you type get in the config system admin user shell, the list of administrators is displayed.

At the (user)# prompt, type:

get

The screen displays:

== [ admin ]

userid: admin

== [ admin2 ]

userid: admin2

== [ admin3 ]

userid: admin3

Example

When you type get in the admin user shell, the configuration values for the admin administrator account are displayed.

edit admin

At the (admin)# prompt, type:

get

The screen displays:

userid : admin

login-max : 32

password : *

change-password : enable

trusthost1 : 0.0.0.0 0.0.0.0

trusthost2 : 255.255.255.255 255.255.255.255

trusthost3 : 255.255.255.255 255.255.255.255

trusthost4 : 255.255.255.255 255.255.255.255

trusthost5 : 255.255.255.255 255.255.255.255

trusthost6 : 255.255.255.255 255.255.255.255

trusthost7 : 255.255.255.255 255.255.255.255

trusthost8 : 255.255.255.255 255.255.255.255

trusthost9 : 255.255.255.255 255.255.255.255

trusthost10 : 255.255.255.255 255.255.255.255

ipv6_trusthost1 : ::/0

ipv6_trusthost2 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost3 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost4 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost5 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost6 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost7 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost8 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost9 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

ipv6_trusthost10 : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

profileid : Super_User

dev-group : (null)

web-filter:

ips-filter:

app-filter:

description : (null)

user_type : local

ssh-public-key1 :

ssh-public-key2 :

ssh-public-key3 :

avatar : (null)

meta-data:

== [ Contact Email ]

fieldname: Contact Email

== [ Contact Phone ]

fieldname: Contact Phone

password-expire : 0000-00-00 00:00:00

force-password-change: disable

rpc-permit : none

last-name : (null)

first-name : (null)

email-address : (null)

phone-number : (null)

mobile-number : (null)

pager-number : (null)

hidden : 0

dashboard-tabs:

dashboard:

Example

You want to confirm the IPv4 address and netmask of the port1 interface from the root prompt.

At the # prompt, type:

get system interface port1

The screen displays:

name : port1

status : up

ip : ***.**.***.** 255.255.255.0

allowaccess : https ssh

serviceaccess :

speed : auto

description : (null)

alias : (null)

mtu : 1500

ipv6:

ip6-address: ::/0 ip6-allowaccess: ip6-autoconf: enable

show branch

Use show to display the FortiManager unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.

To display the configuration of all config shells, you can use show from the root prompt.

Example

When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed.

At the (port1)# prompt, type:

show

The screen displays:

config system interface

edit "port1"

set ip ***.**.***.** 255.255.255.0

set allowaccess https ssh

next

end

Example

You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type:

show system dns

The screen displays:

config system dns

set primary 172.39.139.53

set secondary 172.39.139.63

end

execute branch

Use execute to run static commands, to reset the FortiManager unit to factory defaults, or to back up or restore the FortiManager configuration. The execute commands are available only from the root prompt.

Example

At the root prompt, type:

execute reboot

and press Enter to restart the FortiManager unit.

diagnose branch

Commands in the diagnose branch are used for debugging the operation of the FortiManager unit and to set parameters for displaying different levels of diagnostic information. The diagnose commands are not documented in this CLI Reference.

diagnose commands are intended for advanced users only. Contact Fortinet Customer Support before using these commands.

Example command sequences

The command prompt changes for each shell.

To configure the primary and secondary DNS server addresses:
  1. Starting at the root prompt, type:

    config system dns

    and press Enter. The prompt changes to (dns)#.

  2. At the (dns)# prompt, type ?

    The following options are displayed.

    set

    unset

    get

    show

    abort

    end

  3. Enter set ?

    The following options are displayed:

    primary

    secondary

    ip6-primary

    ip6-secondary

  4. To set the primary DNS server address to 172.16.100.100, type:

    set primary 172.16.100.100

    and press Enter.

  5. To set the secondary DNS server address to 207.104.200.1, type:

    set secondary 207.104.200.1

    and press Enter.

  6. To restore the primary DNS server address to the default address, type unset primary and press Enter.

    If you want to leave the config system dns shell without saving your changes, type abort and press Enter.

  7. To save your changes and exit the dns sub-shell, type end and press Enter.
  8. To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.