Fortinet white logo
Fortinet white logo

CLI Reference

Command syntax

Command syntax

When entering a command, the CLI requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.

For example, if you do not type the entire object that will receive the action of a command operator such as config, the CLI will return an error message such as:

Command fail. CLI parsing error

This document uses the following conventions to describe valid command syntax.

Terminology

Each command line consists of a command word followed by words for the configuration data or other specific item that the command uses or affects, for example:

get system admin


This document uses the below terms to describe the function of each word in the command line.

Command syntax terminology

  • Command—A word that begins the command line and indicates an action that FortiWeb should perform on a part of the configuration or host on the network, such as config or execute. Together with other words, such as fields or values, that you terminate by pressing the Enter key, it forms a command line. Exceptions include multi-line command lines, which can be entered using an escape sequence. For details, see Shortcuts & key commands.

    Valid command lines must be unambiguous if abbreviated. For details, see Command abbreviation.

    Optional words or other command line permutations are indicated by syntax notation. For details, see Notation.

    If you do not enter a known command, the CLI will return an error message such as:

    Unknown action 0


  • Subcommand—A kind of command that is available only when nested within the scope of another command. After entering a command, its applicable subcommands are available to you until you exit the scope of the command, or until you descend an additional level into another subcommand. Indentation is used to indicate levels of nested commands. For details, see Indentation.

    Not all top-level commands have subcommands. Available subcommands vary by their containing scope. For details, see Subcommands.

  • Object—A part of the configuration that contains tables and/or fields. Valid command lines must be specific enough to indicate an individual object.

  • Table—A set of fields that is one of possibly multiple similar sets that each have a name or number, such as an administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by other parts of the configuration that use them. For details, see Notation.

  • Field—The name of a setting, such as ip or hostname. Fields in some tables must be configured with values. Failure to configure a required field will result in an invalid object configuration error message, and the FortiWeb appliance will discard the invalid table.

  • Value—A number, letter, IP address, or other type of input that is usually the configuration setting held by a field. Some commands, however, require multiple input values which may not be named but are simply entered in sequential order in the same command line. Valid input types are indicated by constraint notation. For details, see Notation.

  • Option—A kind of value that must be one or more words from a fixed set of options. For details, see Notation.

Indentation

Indentation indicates levels of nested commands, which indicate what other subcommands are available from within the scope.

For example, the edit subcommand is available only within a command that affects tables, and the next subcommand is available only from within the edit subcommand:

config system interface

edit port1

set status up

next

end

For details about available subcommands, see Subcommands.

Notation

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

If you do not use the expected data type, the CLI returns an error message such as:

object set operator error, -4003 discard the setting

The request URL must start with "/" and without domain name.

or:

invalid unsigned integer value :-:

value parse error before '-'

Input value is invalid.

and may either reject or discard your settings instead of saving them when you type end.

Command syntax notation

Square brackets [ ]

A non-required (optional) word or words. For example:

[verbose {1 | 2 | 3}]


indicates that you may either omit or type both the verbose word and its accompanying option, such as:

verbose 3

Curly braces { }

A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces.

You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Options delimited by vertical bars |

Mutually exclusive options. For example:

{enable | disable}

indicates that you must enter either enable or disable, but must not enter both.

Options delimited by spaces

Non-mutually exclusive options. For example:

{HTTP HTTPs ping snmp ssh telnet}

indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:

ping HTTPs ssh

Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:

ping HTTPs snmp ssh

If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.

Angle brackets < >

A word constrained by data type.

To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example:

<retries_int>


indicates that you should enter a number of retries, such as 5.

Data types include:

  • <xxx_name>—A name referring to another part of the configuration, such as policy_A.

  • <xxx_index>—An index number referring to another part of the configuration, such as 0 for the first static route.

  • <xxx_pattern>—A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all e-mail addresses ending in @example.com.

  • <xxx_fqdn>—A fully qualified domain name (FQDN), such as mail.example.com.

  • <xxx_email>—An email address, such as admin@mail.example.com.

  • <xxx_url>—A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as HTTP://www.fortinet.com/.

  • <xxx_ipv4>—An IPv4 address, such as 192.0.2.99.

  • <xxx_v4mask>—A dotted decimal IPv4 netmask, such as 256.256.256.0.

  • <xxx_ipv4mask>—A dotted decimal IPv4 address and netmask separated by a space, such as 192.0.2.99 256.256.256.0.

  • <xxx_ipv4/mask> — A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as such as 192.0.2.99/24.

  • <xxx_ipv6>—A colon(:)-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.

  • <xxx_v6mask>—An IPv6 netmask, such as /96.

  • <xxx_ipv6mask>—An IPv6 address and netmask separated by a space.

  • <xxx_str>—A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences. For details, see Special characters.

  • <xxx_int>—An integer number that is not another data type, such as 15 for the number of minutes.

Command syntax

Command syntax

When entering a command, the CLI requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.

For example, if you do not type the entire object that will receive the action of a command operator such as config, the CLI will return an error message such as:

Command fail. CLI parsing error

This document uses the following conventions to describe valid command syntax.

Terminology

Each command line consists of a command word followed by words for the configuration data or other specific item that the command uses or affects, for example:

get system admin


This document uses the below terms to describe the function of each word in the command line.

Command syntax terminology

  • Command—A word that begins the command line and indicates an action that FortiWeb should perform on a part of the configuration or host on the network, such as config or execute. Together with other words, such as fields or values, that you terminate by pressing the Enter key, it forms a command line. Exceptions include multi-line command lines, which can be entered using an escape sequence. For details, see Shortcuts & key commands.

    Valid command lines must be unambiguous if abbreviated. For details, see Command abbreviation.

    Optional words or other command line permutations are indicated by syntax notation. For details, see Notation.

    If you do not enter a known command, the CLI will return an error message such as:

    Unknown action 0


  • Subcommand—A kind of command that is available only when nested within the scope of another command. After entering a command, its applicable subcommands are available to you until you exit the scope of the command, or until you descend an additional level into another subcommand. Indentation is used to indicate levels of nested commands. For details, see Indentation.

    Not all top-level commands have subcommands. Available subcommands vary by their containing scope. For details, see Subcommands.

  • Object—A part of the configuration that contains tables and/or fields. Valid command lines must be specific enough to indicate an individual object.

  • Table—A set of fields that is one of possibly multiple similar sets that each have a name or number, such as an administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by other parts of the configuration that use them. For details, see Notation.

  • Field—The name of a setting, such as ip or hostname. Fields in some tables must be configured with values. Failure to configure a required field will result in an invalid object configuration error message, and the FortiWeb appliance will discard the invalid table.

  • Value—A number, letter, IP address, or other type of input that is usually the configuration setting held by a field. Some commands, however, require multiple input values which may not be named but are simply entered in sequential order in the same command line. Valid input types are indicated by constraint notation. For details, see Notation.

  • Option—A kind of value that must be one or more words from a fixed set of options. For details, see Notation.

Indentation

Indentation indicates levels of nested commands, which indicate what other subcommands are available from within the scope.

For example, the edit subcommand is available only within a command that affects tables, and the next subcommand is available only from within the edit subcommand:

config system interface

edit port1

set status up

next

end

For details about available subcommands, see Subcommands.

Notation

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

If you do not use the expected data type, the CLI returns an error message such as:

object set operator error, -4003 discard the setting

The request URL must start with "/" and without domain name.

or:

invalid unsigned integer value :-:

value parse error before '-'

Input value is invalid.

and may either reject or discard your settings instead of saving them when you type end.

Command syntax notation

Square brackets [ ]

A non-required (optional) word or words. For example:

[verbose {1 | 2 | 3}]


indicates that you may either omit or type both the verbose word and its accompanying option, such as:

verbose 3

Curly braces { }

A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces.

You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Options delimited by vertical bars |

Mutually exclusive options. For example:

{enable | disable}

indicates that you must enter either enable or disable, but must not enter both.

Options delimited by spaces

Non-mutually exclusive options. For example:

{HTTP HTTPs ping snmp ssh telnet}

indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:

ping HTTPs ssh

Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:

ping HTTPs snmp ssh

If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.

Angle brackets < >

A word constrained by data type.

To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example:

<retries_int>


indicates that you should enter a number of retries, such as 5.

Data types include:

  • <xxx_name>—A name referring to another part of the configuration, such as policy_A.

  • <xxx_index>—An index number referring to another part of the configuration, such as 0 for the first static route.

  • <xxx_pattern>—A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all e-mail addresses ending in @example.com.

  • <xxx_fqdn>—A fully qualified domain name (FQDN), such as mail.example.com.

  • <xxx_email>—An email address, such as admin@mail.example.com.

  • <xxx_url>—A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as HTTP://www.fortinet.com/.

  • <xxx_ipv4>—An IPv4 address, such as 192.0.2.99.

  • <xxx_v4mask>—A dotted decimal IPv4 netmask, such as 256.256.256.0.

  • <xxx_ipv4mask>—A dotted decimal IPv4 address and netmask separated by a space, such as 192.0.2.99 256.256.256.0.

  • <xxx_ipv4/mask> — A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as such as 192.0.2.99/24.

  • <xxx_ipv6>—A colon(:)-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.

  • <xxx_v6mask>—An IPv6 netmask, such as /96.

  • <xxx_ipv6mask>—An IPv6 address and netmask separated by a space.

  • <xxx_str>—A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences. For details, see Special characters.

  • <xxx_int>—An integer number that is not another data type, such as 15 for the number of minutes.