Introduction
This manual describes the command line interface (CLI) commands for FortiSwitchOS.
FortiSwitch models
This guide is applicable to all FortiSwitch models that are supported by FortiSwitchOS.
See the Release Notes for information about the software features supported on each of the models.
How this guide is organized
The chapters in this document describe the commands available for each of the top-level CLI commands:
- config—commands that allow you to configure various components of the FortiSwitch unit.
- diagnose—commands that help with troubleshooting.
- execute—commands that perform immediate operations.
- get—commands that provide information about FortiSwitch operation.
Typographical conventions
This document uses the following typographical conventions:
Convention | Example |
---|---|
CLI input | config system dns set primary <address_ipv4> end |
CLI output | |
Emphasis | HTTP connections are not secure and can be intercepted by a third party. |
File content | <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD> <BODY><H4>You must authenticate to use this service.</H4> |
Hyperlink | Visit the Fortinet Technical Support web site: |
Keyboard entry | Type a name for the remote VPN peer or client, such as |
Publication | For details, see the FortiOS Administration Guide. |
CLI command syntax conventions
This guide uses the following conventions to describe the syntax to use when entering commands in the Command Line Interface (CLI).
Convention |
Description |
Angle brackets |
A word constrained by data type.
To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( For example: indicates that you should enter a number of retries, such as |
Data types include: |
|
|
A name referring to another part of the configuration, such as |
|
An index number referring to another part of the configuration, such as |
|
A regular expression or word with wild cards that matches possible variations, such as |
|
A fully qualified domain name (FQDN), such as |
|
An email address, such as |
|
An IPv4 address, such as |
|
A dotted decimal IPv4 netmask, such as |
|
A dotted decimal IPv4 address and netmask separated by a space, such as |
|
A dotted decimal IPv4 address and CIDR‑notation netmask separated by a slash, such as |
|
A colon( |
|
An IPv6 netmask, such as |
|
An IPv6 address and netmask separated by a space. |
|
An integer number that is not another data type, such as |
|
A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as |
Square brackets |
A non-required word or series of words. For example: [verbose {1 | 2 | 3}] indicates that you can either omit or type both the verbose word and its accompanying option, such as: verbose 3 |
Curly braces |
A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ]. |
Options delimited by vertical bars |
Mutually exclusive options. For example: {enable | disable} indicates that you must enter either |
Options delimited by spaces |
Non-mutually exclusive options. For example: {http https ping snmp ssh telnet} indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
NOTE: To change the options, you must re-type the entire list. For example, to add
If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted. |
Entering configuration data
The switch configuration is stored as a series of configuration settings in the FortiSwitchOS configuration database. To change the configuration, you can use the CLI to add, delete, or change configuration settings. These configuration changes are stored in the configuration database as they are made.
Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable).
Entering text strings (names)
Text strings are used to name entities in the configuration, such as an administrative user name. You can enter any character in a text string with the following exceptions (to prevent cross-site scripting vulnerabilities):
- " (double quote)
- & (ampersand)
- ' (single quote)
- < (less than)
- > (greater than)
You can determine the limit to the number of characters that are allowed in a text string by determining how many characters the CLI allows for a given name field. From the CLI, you can also use the tree command to view the number of characters that are allowed. For example, firewall address names can contain up to 64 characters. From the CLI, you can do the following to confirm that the firewall address name field allows 64 characters:
config firewall address
tree
-- [address] --*name (64)
             |- subnet
             |- type
             |- start-ip
             |- end-ip
             |- fqdn (256)
             |- cache-ttl (0,86400)
             |- wildcard
             |- comment (64 xss)
             |- associated-interface (16)
             +- color (0,32)
NOTE: The tree command output also shows the number of characters allowed for other firewall address name settings. For example, the fully qualified domain name (fqdn) field can contain up to 256 characters.
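As an added example (not part of the Fortinet manual), the following Python code parses tree output like the listing above and pre-checks a candidate value against the forbidden characters and the displayed limits before it is pushed to a switch. Reading a (min,max) pair as an inclusive numeric range is an assumption, the function names are hypothetical, and the sample input is an abridged copy of the listing.

```python
import re

# Characters the manual says cannot appear in a text string.
FORBIDDEN = '"&\'<>'

# Constructed sample input: abridged copy of the tree output shown above.
TREE = """\
-- [address] --*name (64)
|- subnet
|- fqdn (256)
|- cache-ttl (0,86400)
|- comment (64 xss)
+- color (0,32)
"""

# Last word on the line is the field name, optionally followed by "(...)".
LINE = re.compile(r"([a-z][\w-]*)\s*(?:\(([^)]*)\))?\s*$")

def parse_tree(text):
    """Map each field to ('len', n), ('range', lo, hi) or None (no limit shown)."""
    limits = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        name, spec = m.groups()
        if spec is None:
            limits[name] = None
        elif "," in spec:  # assumption: (min,max) is an inclusive numeric range
            lo, hi = (int(x) for x in spec.split(","))
            limits[name] = ("range", lo, hi)
        else:  # first token is the character limit; other tokens (xss) are ignored
            limits[name] = ("len", int(spec.split()[0]))
    return limits

def check(field, value, limits):
    """Return the reasons a value breaks the documented rules (empty list = OK)."""
    limit = limits.get(field)
    if limit and limit[0] == "range":
        ok = value.isdigit() and limit[1] <= int(value) <= limit[2]
        return [] if ok else [f"not an integer in {limit[1]}..{limit[2]}"]
    problems = []
    bad = sorted(set(value) & set(FORBIDDEN))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if limit and len(value) > limit[1]:
        problems.append(f"longer than {limit[1]} characters")
    return problems
```
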
Entering numeric values
Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example, the IP address 10.10.10.1) or, as in the case of MAC or IPv6 addresses, separated by colons (for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (such as MAC addresses) require hexadecimal numbers.
CLI help includes information about allowed numeric value ranges. The CLI prevents you from entering invalid numbers.