
Introduction

This manual describes the command line interface (CLI) commands for FortiSwitchOS.

FortiSwitch models

This guide is applicable to all FortiSwitch models that are supported by FortiSwitchOS.

See the Release Notes for information about the software features supported on each of the models.

How this guide is organized

The chapters in this document describe the commands available for each of the top-level CLI commands:

  • config—commands that allow you to configure various components of the FortiSwitch unit.
  • diagnose—commands that help with troubleshooting.
  • execute—commands that perform immediate operations.
  • get—commands that provide information about FortiSwitch operation.

Typographical conventions

This document uses the following typographical conventions:

Convention          Example

CLI input
    config system dns
    set primary <address_ipv4>
    end

CLI output
    FGT-602803030703 # get system setting
    comments : (No default)
    opmode : nat

Emphasis
    HTTP connections are not secure and can be intercepted by a third party.

File content
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>

Hyperlink
    Visit the Fortinet Technical Support web site:
    https://support.fortinet.com/

Keyboard entry
    Type a name for the remote VPN peer or client, such as Central_Office_1.

Publication
    For details, see the FortiOS Administration Guide.

CLI command syntax conventions

This guide uses the following conventions to describe the syntax to use when entering commands in the Command Line Interface (CLI).

Convention

Description

Angle brackets < >

A word constrained by data type. To define acceptable input, the angle brackets contain a descriptive name followed by an underscore ( _ ) and a suffix that indicates the valid data type.

For example: <retries_int>

indicates that you should enter a number of retries, such as 5.

Data types include:

<xxx_name>

A name referring to another part of the configuration, such as policy_A.

<xxx_index>

An index number referring to another part of the configuration, such as 0 for the first static route.

<xxx_pattern>

A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.

<xxx_fqdn>

A fully qualified domain name (FQDN), such as mail.example.com.

<xxx_email>

An email address, such as admin@mail.example.com.

<xxx_ipv4>

An IPv4 address, such as 192.168.1.99.

<xxx_v4mask>

A dotted decimal IPv4 netmask, such as 255.255.255.0.

<xxx_ipv4mask>

A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.

<xxx_ipv4/mask>

A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.

<xxx_ipv6>

A colon ( : ) delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.

<xxx_ipv6mask>

An IPv6 netmask, such as /96.

<xxx_ipv6/mask>

An IPv6 address and netmask separated by a space.

<xxx_int>

An integer number that is not another data type, such as 15 for the number of minutes.

<xxx_url>

A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.

Square brackets [ ]

A non-required word or series of words. For example: [verbose {1 | 2 | 3}] indicates that you can either omit or type both the verbose word and its accompanying option, such as:

verbose 3

Curly braces { }

A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces.

You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Options delimited by vertical bars |

Mutually exclusive options. For example: {enable | disable}

indicates that you must enter either enable or disable but must not enter both.

Options delimited by spaces

Non-mutually exclusive options. For example:

{http https ping snmp ssh telnet}

indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as: ping https ssh

NOTE: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:

ping https snmp ssh

If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.

Entering configuration data

The switch configuration is stored as a series of configuration settings in the FortiSwitchOS configuration database. To change the configuration, you can use the CLI to add, delete, or change configuration settings. These configuration changes are stored in the configuration database as they are made.

Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable).

Entering text strings (names)

Text strings are used to name entities in the configuration, such as an administrative user name. You can enter any character in a text string with the following exceptions (to prevent cross-site scripting vulnerabilities):

  • " (double quote)
  • & (ampersand)
  • ' (single quote)
  • < (less than)
  • > (greater than)

Each name field accepts only a limited number of characters; the CLI enforces this limit. From the CLI, you can use the tree command to view the number of characters that are allowed for each field. For example, firewall address names can contain up to 64 characters. From the CLI, you can do the following to confirm that the firewall address name field allows 64 characters:

config firewall address
tree
-- [address] --*name (64)
               |- subnet
               |- type
               |- start-ip
               |- end-ip
               |- fqdn (256)
               |- cache-ttl (0,86400)
               |- wildcard
               |- comment (64 xss)
               |- associated-interface (16)
               +- color (0,32)

NOTE: The tree command output also shows the number of characters allowed for other firewall address name settings. For example, the fully qualified domain name (fqdn) field can contain up to 256 characters.
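The data-type suffixes in the syntax conventions above and the text-string rules in this section are exactly what an automation script should check before it types a value into the CLI: the switch rejects bad input, but a script that fails halfway through a config block leaves a partially applied configuration in the database. The following is an added example, not Fortinet code and not part of this guide; it assumes the field limits shown in the tree output above, uses its own approximate FQDN and email patterns, and does not handle every suffix in the table (for instance <xxx_pattern> and <xxx_ipv6/mask> are rejected as unsupported rather than validated).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Added example, not Fortinet's code: pre-validate values that an automation
# script is about to type into the FortiSwitchOS CLI, using the <xxx_type>
# data-type suffix conventions and the text-string rules from this guide.

# Characters the CLI refuses in text strings (names), to prevent XSS.
FORBIDDEN_NAME_CHARS = frozenset('"&\'<>')

# Field lengths as shown by "tree" under "config firewall address" (from this guide).
FIELD_LIMITS = {"name": 64, "fqdn": 256, "comment": 64, "associated-interface": 16}

# Assumption: simplified hostname/email syntax, good enough for a pre-check.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$", re.IGNORECASE)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def check_name(field: str, value: str) -> list[str]:
    """Problems with a text-string (name) value; an empty list means it is acceptable."""
    problems = []
    bad = sorted(FORBIDDEN_NAME_CHARS & set(value))
    if bad:
        problems.append(f"{field}: forbidden character(s) {''.join(bad)!r}")
    limit = FIELD_LIMITS.get(field)
    if limit is not None and len(value) > limit:
        problems.append(f"{field}: {len(value)} characters exceeds the limit of {limit}")
    return problems


def _is_contiguous_v4mask(mask: str) -> bool:
    """True for a dotted-decimal netmask whose binary form is ones followed by zeros."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return False
    host = ~bits & 0xFFFFFFFF          # the zero part of the mask
    return host & (host + 1) == 0      # low bits must be all ones (2**k - 1)


def check_typed(placeholder: str, value: str) -> bool:
    """Validate value against the data-type suffix of a <xxx_type> placeholder."""
    suffix = placeholder.strip("<>").rsplit("_", 1)[-1]   # "<retries_int>" -> "int"
    try:
        if suffix == "int":
            return re.fullmatch(r"-?\d+", value) is not None
        if suffix == "index":
            return value.isdigit()
        if suffix == "ipv4":
            ipaddress.IPv4Address(value)
            return True
        if suffix == "v4mask":
            return _is_contiguous_v4mask(value)
        if suffix == "ipv4mask":                      # "address netmask"
            parts = value.split()
            return (len(parts) == 2 and check_typed("<x_ipv4>", parts[0])
                    and _is_contiguous_v4mask(parts[1]))
        if suffix == "ipv4/mask":                     # "address/prefixlen"
            _addr, slash, plen = value.partition("/")
            if not slash or not plen.isdigit():
                return False
            ipaddress.IPv4Interface(value)            # host bits allowed
            return True
        if suffix == "ipv6":
            ipaddress.IPv6Address(value)
            return True
        if suffix == "ipv6mask":                      # "/96"
            m = re.fullmatch(r"/(\d{1,3})", value)
            return m is not None and int(m.group(1)) <= 128
        if suffix == "fqdn":
            return _FQDN_RE.match(value) is not None
        if suffix == "email":
            return _EMAIL_RE.match(value) is not None
        if suffix == "url":
            u = urlparse(value)
            return u.scheme in ("http", "https") and bool(u.netloc)
        if suffix == "name":
            return not check_name("name", value)
    except ValueError:
        return False
    raise ValueError(f"no validator for data type {suffix!r}")


if __name__ == "__main__":
    # Constructed sample values, mirroring the examples in the conventions table.
    for ph, val in [("<retries_int>", "5"), ("<address_ipv4>", "192.168.1.99"),
                    ("<mask_v4mask>", "255.0.255.0"), ("<x_ipv4/mask>", "192.168.1.99/24")]:
        print(ph, repr(val), "ok" if check_typed(ph, val) else "REJECTED")
    print(check_name("name", "policy<script>"))
```

Running a check like this before each set command, and aborting the whole block on the first failure, is cheaper than recovering from a configuration that was applied only up to the line the switch refused.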

Entering numeric values

Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example, the IP address 10.10.10.1) or, as in the case of MAC or IPv6 addresses, separated by colons (for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (such as MAC addresses) require hexadecimal numbers.

CLI help includes information about allowed numeric value ranges. The CLI prevents you from entering invalid numbers.
