CLI Reference

Subcommands

Once you connect to the CLI, you can enter commands.

Each command line consists of a command word that is usually followed by words for the configuration data or other specific item that the command uses or affects, for example:

get system admin


Subcommands are available from within the scope of some commands. When you enter a subcommand level, the command prompt changes to indicate the name of the current command scope. For example, after entering:

config system admin


the command prompt becomes:

(admin)#


Applicable subcommands are available to you until you exit the scope of the command, or until you descend an additional level into another subcommand.

For example, the edit subcommand is available only within a command that affects tables; the next subcommand is available only from within the edit subcommand:

config system interface

edit port1

set status up

next

end


Available subcommands vary by command. From a command prompt within config, two types of subcommands might become available: table commands and field commands.

Subcommand scope is indicated in this document by indentation. For details, see Indentation.

Syntax examples for each top-level command in this document do not show all available subcommands. However, when nested scope is demonstrated, you should assume that subcommands applicable for that level of scope are available.

Table commands

delete <table_name>

Remove a table from the current object.

For example, in config system admin, you could delete an administrator account named newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its fields, such as newadmin’s first-name and email-address.

delete is only available within objects containing tables.

edit <table_name>

Create or edit a table in the current object.

For example, in config system admin:

  • Edit the settings for the default admin administrator account by typing edit admin.
  • Add a new administrator account with the name newadmin and edit newadmin’s settings by entering edit newadmin.

edit is an interactive subcommand: further subcommands are available from within edit.

edit changes the prompt to reflect the table you are currently editing.

edit is only available within objects containing tables.

end

Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.

get

List the configuration of the current object or table.

  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.

For more information on get commands, see get.

purge

Remove all tables in the current object.

For example, in config user local-user, you could type get to see the list of all local user names, then type purge and then y to confirm that you want to delete all users.

purge is only available for objects containing tables.

Caution: Back up the FortiWeb appliance before performing a purge because it cannot be undone. To restore purged tables, the configuration must be restored from a backup. For details, see backup cli-config.

Caution: Do not purge system interface or system admin tables. This can result in being unable to connect or log in, requiring the FortiWeb appliance to be formatted and restored.

show

Display changes to the default configuration. Changes are listed in the form of configuration commands.

For more information on show commands, see show.

Example of table commands

From within the system admin object, you might enter:

edit admin_1


The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1 table:

new entry 'admin_1' added

(admin_1)#

Field commands

abort

Exit the edit and/or config commands without saving the fields.

end

Save the changes made to the current table or object fields, and exit the config command. To exit without saving, use abort instead.

get

List the configuration of the current object or table.

  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.

next

Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt. To save and exit completely to the root prompt, use end instead.

next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time.

next is only available from a table prompt; it is not available from an object prompt.

set <field_name> <value>

Set a field’s value.

For example, in config system admin, after entering edit admin, you could enter set password newpass to change the password of the admin administrator to newpass.

Note: When using set to change a field containing a space-delimited list, enter the whole new list. For example, set <field> <new-value> will replace the list with the <new-value> rather than appending <new-value> to the list.

show

Display changes to the default configuration. Changes are listed in the form of configuration commands.

unset <field_name>

Reset the table or object’s fields to default values.

For example, in config system admin, after entering edit admin, entering unset password resets the password of the admin administrator account to the default (in this case, no password).

Example of field commands

From within the admin_1 table, you might enter:

set password "my1stExamplePassword"


to assign the value my1stExamplePassword to the password field. You might then enter the next command to save the changes and edit the next administrator’s table.
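
The scope rules and cautions above can be checked before a script is pasted into the CLI. The following is an added example, not Fortinet code: a small pre-flight linter that tracks config/edit scope and flags the operations this page warns about (purge in system admin or system interface, unset password, next at an object prompt). The function name lint_cli_script and the sample script are constructed for illustration, and only one level of config/edit nesting is assumed.

```python
import shlex

# Objects the page warns must never be purged (lockout risk).
NO_PURGE = {"system interface", "system admin"}

def lint_cli_script(text):
    """Return (line_number, message) findings; hypothetical helper."""
    findings, obj, table, no = [], None, None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        try:
            words = shlex.split(raw)
        except ValueError:
            findings.append((no, "unbalanced quotes"))
            continue
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":                      # enter object scope
            obj, table = " ".join(args), None
        elif obj is None:                        # top-level command, e.g. get
            continue
        elif cmd == "edit":                      # enter table scope
            table = args[0] if args else None
        elif cmd == "next":                      # only valid at a table prompt
            if table is None:
                findings.append((no, "next used at an object prompt"))
            table = None
        elif cmd in ("end", "abort"):            # back to the root prompt
            obj = table = None
        elif cmd == "purge" and obj in NO_PURGE:
            findings.append((no, f"purge in '{obj}' can lock you out"))
        elif cmd == "unset" and obj == "system admin" and args[:1] == ["password"]:
            findings.append((no, f"unset password leaves '{table}' with no password"))
    if obj is not None:
        findings.append((no, f"script ends inside 'config {obj}' without end"))
    return findings

# Constructed sample script, not taken from a real appliance.
SAMPLE = "\n".join([
    "config system admin", "edit admin_1",
    'set password "my1stExamplePassword"', "next",
    "edit admin", "unset password", "next", "purge", "end",
    "config system interface", "edit port1", "set status up",
    "next", "next", "end",
])

if __name__ == "__main__":
    for line_no, message in lint_cli_script(SAMPLE):
        print(f"line {line_no}: {message}")
```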
