CLI Reference

Tips & tricks

Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

Help

To display brief help during command entry, enter the question mark (?) key:

  • At the command prompt to display a list of the commands available and a description of each.
  • After a command keyword to display a list of the objects available with that command and a description of each.
  • After entering a word or part of a word to display a list of valid word completions or subsequent words, and to display a description of each.

Shortcuts & key commands

Action | Keys
List valid word completions or subsequent words. If multiple words could complete your entry, display all possible completions with helpful descriptions of each. | ?
Complete the word with the next available match. Press the key multiple times to cycle through available matches. | Tab
Recall the previous command. Command memory is limited to the current session. | Up arrow, or Ctrl + P
Recall the next command. | Down arrow, or Ctrl + N
Move the cursor left or right within the command line. | Left or Right arrow
Move the cursor to the beginning of the command line. | Ctrl + A
Move the cursor to the end of the command line. | Ctrl + E
Move the cursor backwards one word. | Ctrl + B
Move the cursor forwards one word. | Ctrl + F
Delete the current character. | Ctrl + D
Abort current interactive commands, such as when entering multiple lines. If you are not currently within an interactive command such as config or edit, this closes the CLI connection. | Ctrl + C
Continue typing a command on the next line for a multi-line command. For each line that you want to continue, terminate it with a backslash ( \ ). To complete the command line, terminate it by pressing the spacebar and then the Enter key, without an immediately preceding backslash. | \ then Enter

Command abbreviation

You can abbreviate words in the command line to their smallest number of non-ambiguous characters. For example, the command get system status could be abbreviated to:

g sy st


If you enter an ambiguous command, the CLI returns an error message such as:

ambiguous command before 's'

Value conflicts with system settings.

Special characters

Special characters <, >, (, ), #, ', and " are usually not permitted in the CLI. If you use them, the CLI will often return an error message such as:

The string contains XSS vulnerability characters

value parse error before '%^@'

Input not as expected.


Some may be enclosed in quotes or preceded with a backslash ( \ ) character.

Entering special characters

Character | Key
? | Ctrl + V then ?
Tab | Ctrl + V then Tab
Space (to be interpreted as part of a string value, not to end the string) | Enclose the string in quotation marks: "Security Administrator"; enclose the string in single quotes: 'Security Administrator'; precede the space with a backslash: Security\ Administrator
' (to be interpreted as part of a string value, not to end the string) | \'
" (to be interpreted as part of a string value, not to end the string) | \"
\ | \\

Language support & regular expressions

The CLI currently supports the following languages:

  • English
  • Japanese
  • Simplified Chinese
  • Traditional Chinese

Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the item being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but some items with arbitrary names or values may be input using your language of choice.

For example, the host name must not contain special characters, and so the web UI and CLI will not accept most symbols and other non-ASCII encoded characters as input when configuring the host name. This means that languages other than English often are not supported. However, some configuration items, such as names and comments, may be able to use the language of your choice.

To use other languages in those cases, you must use the correct encoding.

FortiWeb stores inputs using Unicode UTF-8 encoding, but input is not normalized from other encodings into UTF-8 before it is stored. If your input method encodes some characters differently than in UTF-8, your configured items may not display or operate as expected.

Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may not be what you expect.

For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as yen symbols ( ¥ ) and vice versa. A regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not work if the symbol is entered using the wrong encoding.

For best results, you should use:

  • UTF-8 encoding.
  • Only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings.
  • Regular expressions that match HTTP requests.
  • The same encoding as your HTTP clients.

HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the client’s operating system or input language. If you cannot predict the client’s encoding, you may only be able to match any parts of the request that are in English, because regardless of the encoding, the values for English characters tend to be encoded identically. For example, English words may be legible regardless of interpreting a web page as either ISO 8859-1 or as GB2312, whereas simplified Chinese characters might only be legible if the page is interpreted as GB2312.
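The mismatch described above can be reproduced offline. The following is an added example, not FortiWeb code: it assumes Python's `re` module over raw bytes as a stand-in for the appliance's matcher, and the rules and request bodies are constructed samples.

```python
import re

# Byte a Shift-JIS (JIS X 0201) input method sends for the yen sign; ASCII and
# UTF-8 use the same byte for the backslash.
SJIS_YEN = b"\x5c"

YEN_RULE = "\u00a5\\d+"      # intended meaning: yen sign followed by digits
ASCII_RULE = "price=\\d+"    # US-ASCII only

# Constructed request bodies, keyed by the encoding the client used.
SAMPLE_BODIES = {
    "utf-8": "価格 price=1000",
    "shift_jis": "価格 price=1000",
    "gb2312": "价格 price=1000",
    "iso-8859-1": "café price=1000",
}


def rule_bytes(pattern: str, input_encoding: str) -> bytes:
    """Bytes stored when a rule is typed through a client using input_encoding
    (input is not normalized to UTF-8 before it is stored)."""
    if input_encoding == "shift_jis":
        # Map the yen sign by hand so the result does not depend on codec tables.
        return b"".join(SJIS_YEN if ch == "\u00a5" else ch.encode("shift_jis")
                        for ch in pattern)
    return pattern.encode(input_encoding)


def matches(stored_rule: bytes, body: bytes) -> bool:
    """Byte-level search, standing in for matching on the stored values."""
    return re.search(stored_rule, body) is not None


def encoding_stable(pattern: str) -> bool:
    """True when the rule is pure US-ASCII, so its bytes are the same in
    UTF-8, ISO 8859-1, Windows-1252, Shift-JIS and GB2312."""
    return pattern.isascii()


def demo() -> dict:
    utf8_rule = rule_bytes(YEN_RULE, "utf-8")       # C2 A5 5C 64 2B
    sjis_rule = rule_bytes(YEN_RULE, "shift_jis")   # 5C 5C 64 2B
    body_utf8 = "price=\u00a51000".encode("utf-8")
    body_sjis = b"price=" + SJIS_YEN + b"1000"
    return {
        "utf8_rule_utf8_body": matches(utf8_rule, body_utf8),
        "utf8_rule_sjis_body": matches(utf8_rule, body_sjis),
        # Typed via Shift-JIS, the rule now reads: literal backslash, then "d"+.
        "sjis_rule_bytes": sjis_rule,
        "sjis_rule_sjis_body": matches(sjis_rule, body_sjis),
        "ascii_rule_hits": {
            enc: matches(rule_bytes(ASCII_RULE, enc), text.encode(enc))
            for enc, text in SAMPLE_BODIES.items()
        },
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `encoding_stable()` over a rule before saving it shows whether the rule depends on the client's encoding at all.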

To configure your FortiWeb appliance using other encodings, you may need to switch language settings on your management computer, including for your web browser or Telnet or SSH client. For instructions on how to configure your management computer’s operating system language, locale, or input method, see its documentation.

If you choose to configure parts of the FortiWeb appliance using non-ASCII characters, verify that all systems interacting with the FortiWeb appliance also support the same encodings. You should also use the same encoding throughout the configuration if possible in order to avoid needing to switch the language settings of your web browser or Telnet or SSH client while you work.

Similarly to input, your web browser or CLI client should usually interpret display output as encoded using UTF-8. If it does not, your configured items may not display correctly in the web UI or CLI. Exceptions include items such as regular expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that the FortiWeb appliance receives.

To enter non-ASCII characters in the CLI:

  • CLI access via the web UI—Configure your web browser to interpret the page as UTF-8 encoded. The console will then display non-ASCII characters in commands in their character code equivalent.
  • CLI access via a Telnet or SSH client—Configure the client to send and receive characters using UTF-8 encoding. Depending on the client, you may have to enter non-ASCII characters in commands in their character code equivalent.

Screen paging

When output spans multiple pages, you can configure the CLI to pause after each page. When the display pauses, the last line displays --More--. You can then either:

  • Press the spacebar to display the next page.
  • Enter Q to truncate the output and return to the command prompt.

This may be useful when displaying lengthy output, such as the list of possible matching commands for command completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of your terminal emulator, you can simply display one page at a time.

To configure the CLI display to pause after each full screen:

config system console
  set output more
end

For details, see system console.

Baud rate

You can change the default baud rate of the local console connection. For details, see system console.

Editing the configuration file in a text editor

Editing the configuration file with a plain text editor can be time-saving if:

  • You have many changes to make
  • You are not sure where the setting is in the CLI
  • You own several FortiWeb appliances

This is true especially if your plain text editor provides advanced features such as regular expressions for find-and-replace, or batch changes across multiple files. Several free text editors are available with these features, such as Text Wrangler (http://www.barebones.com/products/textwrangler) and Notepad++ (http://notepad-plus-plus.org).

Do not use a rich text editor such as Microsoft Word. Rich text editors insert special characters into the file in order to apply formatting, which may corrupt the configuration file.

To edit the configuration on your computer

Use backup cli-config or backup full-config to download the configuration file to a TFTP server, such as your management computer.

Edit the configuration file using a plain text editor that supports Unix-style line endings.

Do not edit the first line. The first lines of the configuration file (preceded by a # character) contain information about the firmware version and FortiWeb model. If you change the model number, the FortiWeb appliance will reject the configuration file when you attempt to restore it.

Use restore config to upload the modified configuration file back to the FortiWeb appliance.

The FortiWeb appliance downloads the configuration file and checks that the model information is correct. If it is, the FortiWeb appliance loads the configuration file and checks each command for errors. If a command is invalid, the FortiWeb appliance ignores the command. If the configuration file is valid, the FortiWeb appliance restarts and loads the new configuration.
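Because invalid commands are ignored on restore, it helps to check an edited file locally before uploading it. The following is an added example, not a Fortinet tool: it compares the edited file with the downloaded backup against the constraints above (untouched `#` header, Unix line endings, no rich-text characters). The header text and the `<field>` line in the sample are constructed placeholders.

```python
# Characters a rich text editor commonly substitutes while "formatting".
RICH_TEXT_CHARS = {"\u2018", "\u2019", "\u201c", "\u201d", "\u2013", "\u2014", "\u00a0"}

# Constructed backup: the '#' header is a placeholder, not a real FortiWeb header.
ORIGINAL = (b"#PLACEHOLDER-HEADER model=EXAMPLE firmware=EXAMPLE\n"
            b"config system console\n"
            b"  set output more\n"
            b"end\n")


def header_lines(data: bytes) -> list:
    """Leading lines that start with '#', without any trailing CR."""
    out = []
    for line in data.split(b"\n"):
        if not line.startswith(b"#"):
            break
        out.append(line.rstrip(b"\r"))
    return out


def check_edited_config(original: bytes, edited: bytes) -> list:
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if edited.startswith(b"\xef\xbb\xbf"):
        problems.append("byte-order mark at start of file")
        edited = edited[3:]
    if header_lines(original) != header_lines(edited):
        problems.append("leading '#' header lines differ from the backup")
    if b"\r" in edited:
        problems.append("non-Unix line endings (CR found)")
    try:
        text = edited.decode("utf-8")
    except UnicodeDecodeError as exc:
        problems.append(f"not valid UTF-8 at byte {exc.start}")
        return problems
    for number, line in enumerate(text.split("\n"), 1):
        found = sorted(RICH_TEXT_CHARS.intersection(line))
        if found:
            codes = ", ".join(f"U+{ord(ch):04X}" for ch in found)
            problems.append(f"line {number}: rich-text character(s) {codes}")
    return problems


def demo() -> dict:
    """Run the checks on three constructed bad edits of ORIGINAL."""
    smart = ORIGINAL + "set <field> \u201cSecurity Administrator\u201d\n".encode("utf-8")
    return {
        "unchanged": check_edited_config(ORIGINAL, ORIGINAL),
        "crlf": check_edited_config(ORIGINAL, ORIGINAL.replace(b"\n", b"\r\n")),
        "header": check_edited_config(
            ORIGINAL, ORIGINAL.replace(b"model=EXAMPLE", b"model=OTHER")),
        "smart_quotes": check_edited_config(ORIGINAL, smart),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems)
```

Legitimate non-ASCII names and comments pass, since only the listed typographic characters are flagged.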

Pipeline 'grep' command

FortiWeb supports 'grep' in get and show to search for desired information and present the results in a format you want.

The 'grep' command format is as follows:

get <xxx> [ [path] <object>] | grep [options] <search string>

show [ [path] <object>] | grep [options] <search string>

The following options are supported:

-n Add 'line_no:' prefix.
-o Show only the matching part of the line.
-v Select non-matching lines.
-i Ignore the case.
-w Match whole words only.
-x Match whole lines only.
-F PATTERN is a literal (not regexp).
-E PATTERN is an extended regexp.
