Overview
This guide describes the commands that make up the command-line interface (CLI) for the FortiPolicy product.
This guide is intended for system administrators responsible for deploying, operating, and maintaining FortiPolicy deployments.
Typographical conventions
| Convention | Meaning | Example |
|---|---|---|
| italics | Names of parameters, variables, files, directories or URLs. | The ip parameter specifies an IP Address in a configuration command. |
| | Coding examples and text to be entered at the command prompt | Enter the following command: |
| Click | A left-mouse button click. | Click Task Panel in the FortiPolicy console to display data plane deployment progress after issuing a manual deployment CLI command. |
| Double-click | A double-click of the left mouse button. | Double-click the log name to open in the FortiPolicy log. |
| Right-click | A right mouse button click. | Right-click on the FortiPolicy pencil icon on the Edit Data Plane page of the Web UI to view and modify DP properties. |
| < \| > (text in angle brackets; items separated by the pipe symbols) | Option for selection of required parameter and/or value. | set support <enabled \| disabled> |
| [ ] (text in square brackets) or [ \| ] (text in square brackets, items separated by pipe symbols) | Optional parameters and values, with selection options separated by the pipe symbol. | set [option1 \| option2] |
Related documentation
The following is a list of additional FortiPolicy documentation to supplement this FortiPolicy CLI Guide:
- FortiPolicy 7.2.0 Administration Guide
- FortiPolicy 7.2.0 Automated Policy Generation Guide
- FortiPolicy 7.2.0 Getting Started Guide
- FortiPolicy 7.2.0 Release Notes
Obtaining more information
To obtain more information about FortiPolicy and products, refer to the following sources:
- Fortinet website: http://www.fortinet.com
- FortiPolicy Web UI Online help
- Click the light bulb in the FortiPolicy Web UI to access the online help system referred to as the “Guide”. The FortiPolicy Web UI becomes available after initial FortiPolicy OVF installation.
- Type help or -h to access the FortiPolicy CLI help display.
Introduction
This chapter explains how to use the FortiPolicy command line interface (CLI) to configure, administer and troubleshoot FortiPolicy deployments.
Accessing the CLI
Use SSH to access the FortiPolicy CLI.
If you use PuTTY as your SSH client, always use the latest version of PuTTY for SSH operations.
To access the FortiPolicy CLI over the management network:
- Start a terminal window session and use the ssh command to access the basic mode system. For example, if the IP address of the appliance is 10.1.1.1, enter the following command:
  ssh admin@10.1.1.1
- When prompted, enter the initial password provided at the time of licensing.
- Immediately after your initial login, enter a new password and retype it when prompted.
Accessing the support shell
To escalate and gain support access, you will require a One Time Password (OTP) login. First, enable support access through the CLI. Once enabled, access a support session via a customer-controlled OTP key and secret key.
To access the Restricted Shell support mode for troubleshooting issues in conjunction with your FortiPolicy Technical Support representative, use the following command sequence:
fortipolicy_um> set support enabled maxdays 14 remote
WARNING: *********************************************************
WARNING: Remote ssh access to the support account will be enabled,
WARNING: which may conflict with your local security policies.
WARNING: If that is not what you wanted, please re-run the command
WARNING: without the option 'remote'
WARNING: *********************************************************
Version : 3
Shared Secret : 001RJGURYT9H5RC0BXJPU7GMOLZDC
One-Time Password(s) : 00199673877 00102869729 00128354530 00162437544 00137353324
To obtain access keys, use the following command:
fortipolicy-um> show support keys
Version : 3
Shared Secret : 001RJGURYT9H5RC0BXJPU7GMOLZDC
One-Time Password(s) : 00199673877 00102869729 00128354530 00162437544 00137353324
Be sure to provide the 'Shared Secret' or one of the 'One-Time Passwords' to your FortiPolicy support contact.
When the troubleshooting session is finished, quit the restricted support shell session:
fortipolicy-um> set support enabled [maxdays [1-14]] [remote]
- maxdays [1-14] defines how many "end-of-days" the account is enabled for.
- [remote] opens up the support account for remote ssh access.
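As an added example (not part of the FortiPolicy documentation or product), the following Python check reads captured `show support status` output, using the field names from the show command example later in this guide, and reports a support account that is still enabled or whose expiry lies further out than a reviewer's limit. The one-field-per-line layout, the function names and the `max_days` parameter are assumptions.

```python
import re
from datetime import date

# Constructed sample. Field names come from the `show support status` example
# in this guide; one "Name: value" pair per line is an assumption.
SAMPLE_STATUS = """\
Locked: no
Expired: no (expires 2018-6-13)
Shell: enabled
OTP: configured
Status: enabled
"""

def parse_support_status(text):
    """Map each lower-cased field name to its value."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def audit_support_status(text, today, max_days=1):
    """Return findings for an enabled support account.

    max_days is the reviewer's own limit (hypothetical parameter); the
    default of 1 mirrors the default expiry this guide states.
    """
    fields = parse_support_status(text)
    if fields.get("status") != "enabled":
        return []  # support account is off, nothing to flag
    findings = ["support account is enabled"]
    if fields.get("shell") == "enabled":
        findings.append("restricted shell is enabled for the support account")
    match = re.search(r"expires (\d{4})-(\d{1,2})-(\d{1,2})", fields.get("expired", ""))
    if match is None:
        findings.append("no expiry date reported; check maxdays manually")
    else:
        expires = date(*map(int, match.groups()))
        remaining = (expires - today).days
        if remaining > max_days:
            findings.append(f"expiry {expires.isoformat()} is {remaining} days away (limit {max_days})")
    return findings

if __name__ == "__main__":
    for finding in audit_support_status(SAMPLE_STATUS, date(2018, 6, 1)):
        print("FINDING:", finding)
```

Run it against status output saved from a CLI session after each support engagement; an empty result means the support account is disabled.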
CLI help and keyboard shortcuts
To display FortiPolicy CLI help, including CLI keys and auto-completion usage, type the command help.
For context-sensitive help, enter “?” to display either a list of possible command completions with summaries, or the full syntax of the current command. Entering “?” again once a command has been resolved displays a detailed reference, as described below.
- Enter “?” at the prompt to display a list of the available commands in the current mode.
- Enter “?” after you type a command to display its available options and parameters.
- Enter “?” after a partially typed keyword to display command matches for auto-completions.
You can enter commands in abbreviated form if you enter enough characters to uniquely identify each keyword. For example, the history command can be abbreviated as:
hist
To identify a command’s minimum abbreviation, type a few characters then press Tab. When you have entered enough characters, the keyword is completed.
The following table outlines the available CLI shortcuts.
| Action | Shortcut | Description |
|---|---|---|
| Auto-Completion | | Completes a partial command during typing if enough characters are typed to uniquely identify it. |
| Recall | | Retrieve previous command from CLI history. |
| | | Retrieve next command from CLI history. |
| | | Clear the screen or Redisplay the current command line. |
| Delete | | Delete character. |
| | | Delete character before cursor ( |
| | | Delete all characters from cursor to end of line. |
| | | Delete all characters or words on line. |
| Cursor move | | Move cursor to start of line. |
| | | Move cursor back a single character. |
| | | Move cursor to end of line. |
| | | Move cursor forward a single character. |
| Character Transpose | | Transpose character at the cursor with preceding character. |
| Interrupt output | | Interrupt presentation of the CLI output. |
| Replace | | Substitute the last command line |
| | | Substitute the Nth command line (absolute as per 'history' command) |
| Exit mode or logout | | Exit current mode or exit the CLI session. |
SPECIAL CHARACTER REQUIREMENT
You must enclose non-alphabet characters in double quotes in CLI commands; for example:
fortipolicy-um> set passphrase "kfe$nd#$^S"
CLI modes
The CLI commands that you can enter depend on your user privileges and the CLI command mode. User roles are “admin” and “debugging.” The following table describes the CLI command modes.
Note that the prompt in each mode includes the host name of the FortiPolicy appliance.
| Mode | Description | How to Exit |
|---|---|---|
| Basic Mode | Monitor system operation and issue basic system commands. This is the default login mode. The following prompt is displayed: | Enter |
| Support Mode | Troubleshoot issues with FortiPolicy Technical Support via the support restricted shell mode. fortipolicy-um> set support enable | Enter |
System commands
This chapter describes the administration commands for a FortiPolicy system.
These commands are used to configure and view FortiPolicy settings and deployments.
You must enclose non-alphabet characters in double quotes in CLI commands.
Basic mode commands
Use general system commands to configure settings, view history, enter other CLI modes, obtain help with CLI syntax, and to exit the CLI session.
The general commands are:
Basic commands
delete
Description: Delete system configuration.
Mode(s): Basic | Support
Syntax: delete <param> ?
Parameters: ntp | webproxy
Example: The following example deletes NTP information.
fortipolicy-um> delete ntp
enable
Description: Enable the FortiPolicy CLI to display another command view.
Mode(s): Basic | Support
Syntax: enable <param> ?
Parameters: console | maintenance
Example: The following example enables the CLI console view:
fortipolicy-um> enable console
hostname (console)# show versions
exit
Description: Exits the current CLI session mode.
Mode(s): Basic | Support
Syntax: exit
Parameters: None
Example: The following example ends a command mode or CLI session.
fortipolicy-um> exit
help
Description: Displays information about the CLI help system.
Mode(s): Basic | Support
Syntax: help
Parameters: None
Example: The following example shows some of the output of the help command:
CONTEXT SENSITIVE HELP
[?] - Display context sensitive help. This is either a list of possible command completions with summaries, or the full syntax of the current command. A subsequent repeat of this key, when a command has been resolved, will display a detailed reference.
AUTO-COMPLETION
The following keys both perform auto-completion for the current command line. If the command prefix is not unique then the bell will ring and a subsequent repeat of the key will display possible completions.
[enter] - Auto-completes, syntax-checks then executes a command. If there is a syntax error then offending part of the command line will be highlighted and explained.
[tab] - Auto-completes
[space] - Auto-completes, or if the command is already resolved inserts a space.
If “<cr>” is shown, that means that what you have entered so far is a complete command, and you may press Enter (carriage return) to execute it.
Use ? to learn command parameters and options:
fortipolicy-um> show n?
Show ntp peering configurations
history
Description: Display the current session's command line history.
Mode(s): Basic | Support
Syntax: history
Parameters: None
Example: The following example displays the command line history.
fortipolicy-um> history
ping
Description: Send messages to network hosts.
Mode(s): Basic | Support
Syntax: ping
Parameters:
Example: The following example sends an ICMP IPv4 message to the network host.
fortipolicy-um> ping ip
reboot
Description: Reboot the system.
Mode(s): Basic | Support
Syntax: reboot
Parameters: forcefsck
Example: The following example runs a force file system check on reboot.
fortipolicy-um> forcefsck reboot
resize
Description: Resize console to terminal size.
Mode(s): Basic | Support
Syntax: resize
Parameters: [integer] Number of lines
Example: The following example returns command line history for the current CLI session.
fortipolicy-um> resize 80 25
restart services
Description: Restarts FortiPolicy services.
Mode(s): Basic | Support
Syntax: restart services <param> ?
Parameters:
Example: The following example restarts all FortiPolicy services.
fortipolicy-um> restart services all
set
Description: Sets several FortiPolicy system configurations.
Mode(s): Basic | Support
Syntax: set <param> ?
Parameters:
Example: The following example sets default logging for all FortiPolicy components.
fortipolicy-um> set login
The following example enables a FortiPolicy restricted shell support session access; you will be prompted to enter a Verification Code, One Time Password (OTP) and Shared Secret:
fortipolicy-um> set support enabled
The following example sets the support account expiration date from the default (1 day) to the maximum allowed 14 days.
fortipolicy-um> set support enable maxdays 14
The following example disables support account access:
fortipolicy-um> set support disabled
shell
Description: Displays the FortiPolicy restricted shell provided you have set up support account access with a Verification Code, OTP and Shared Secret.
Mode(s): Basic | Support
Syntax: shell
Parameters: None
Example: The following example drops the session to the restricted shell.
fortipolicy-um> shell
***************************************************************
Accessing FortiPolicy Support Shell - Unauthorized access prohibited.
***************************************************************
Support Verification Code(v3): ***************
show
Description: Displays FortiPolicy system configuration information.
Mode(s): Basic | Support
Syntax: show
Subcommands and Parameters:
Example: The following example displays the support account status:
fortipolicy-um> show support status
Locked: no
Expired: no (expires 2018-6-13
Shell: enabled
OTP: configured
Status: enabled
The following example displays the last log file for error messages.
fortipolicy-um> show log file /var/log/messages last 1
2018-06-12 00:59:17, 358 (none) syslog.err rsyslogd: cannot connect to 10.1.1.1:10514: Connection refused [v8.33.1 try http://www.rsyslog.com/e/2027
The following example displays services that are DOWN or UP and running.
fortipolicy-um> show services
CertificateAuthority [DOWN]
ConfigUpdate --------[UP]
ContainerEngine------[UP]
...
The following example requests display of the last 10 system boot messages.
ssh
Description: Specifies the IP address to which an SSH connection should be made. Note: After an SSH session to the FortiPolicy-UM, you can use the CLI to jump to the backend servers. For cloud deployments (or where you use SSH keys), you will need to set up ssh-agent on your originating SSH client machine.
Mode(s): Basic | Support
Syntax: ssh {reset-host-key} <IP Address>
Sub-commands & Parameters:
ssh <IP Address>
ssh reset-host-key <IP Address>
Example: The following example sets the IP address for an SSH connection.
The following example resets the IP address for an SSH connection.
fortipolicy-um> ssh reset-host-key 10.2.2.4
NOTE: Do not use this command by default; it is best used only when your DNS resource pool has rotated.
top
Description: Returns to the default Basic Mode CLI session from the restricted shell or other view modes.
Mode(s): Support
Syntax: top
Parameters: None
Example: The following example returns the FortiPolicy CLI session to the default CLI view.
fortipolicy-um> top
test
Description: Test commands.
Mode(s): Basic | Support
Syntax: test
Parameters: None
Example: The following example tests the commands.
fortipolicy-um> test
traceroute
Description: Tracks and prints the route packet path to a network host.
Mode(s): Basic | Support
Syntax: traceroute
Parameters:
Example: The following example traces and displays the packet path to network host 10.1.1.4.
fortipolicy-um> traceroute ip 10.1.1.4