Execute commands
execute date
Use this command to set the system date.
Syntax
execute date <date_str>
| Variable | Description | Default |
|---|---|---|
| <date_str> | The system date in mm/dd/yyyy format. | |
execute demo
Use this command to enable or disable demo mode.
Demo Mode is only available on FortiNDR VM.
Syntax
execute demo {on|off}
execute expandspooldisk
Use this command to expand the /var/spool disk without losing pre-existing data. This disk is mainly used for storing training data and detection history.
Syntax
execute expandspooldisk
execute export file-report
Use this command to export the FortiNDR detection history as a .csv file.
Syntax
execute export file-report {disk|scp|ftp|tftp} <filename-to-be-saved> <server>[:ftp port] <user-name> <password>
execute export detected-files
Use this command to export the files detected by FortiNDR as a password-protected zip file. The zip password is the literal string infected, the usual convention for malware sample archives; the contents are detected malware, so open the archive only in an isolated analysis environment.
Syntax
execute export detected-files {disk|scp|ftp|tftp} <filename-to-be-saved> <server>[:ftp port] <user-name> <password>
For the disk option to work, you have to insert a USB flash drive into the FortiNDR device. Make sure the flash drive has enough free space. The <user-name> and <password> are the credentials for the remote server; ftp and tftp transfer the archive without encryption, so prefer scp for exports that leave the appliance.
execute api-key
Use this command to generate an API key for a system user.
If you want to specify an API key instead of accepting the key that FortiNDR generates automatically, the API key string must be exactly 31 characters long and contain only upper and lower case letters and digits.
Syntax
execute api-key <system-user-name> [user-specified-API-key]
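An added example, not taken from the FortiNDR documentation: a small Python helper that generates a user-specified key meeting the constraint stated above (exactly 31 characters from [A-Za-z0-9]) with the CSPRNG-backed secrets module, validates a key before it is pasted into the CLI, reports the key's guessing space, and assembles the CLI line from the syntax above. The function names and the user name api-reader are the example's own assumptions.

```python
import math
import re
import secrets
import string
from typing import Optional

# Constraint from the FortiNDR CLI reference: a user-specified key is exactly
# 31 characters, upper/lower-case letters and digits only.
API_KEY_LEN = 31
API_KEY_ALPHABET = string.ascii_letters + string.digits  # 62 symbols
_API_KEY_RE = re.compile(r"[A-Za-z0-9]{%d}" % API_KEY_LEN)


def is_valid_api_key(key: str) -> bool:
    """True only if FortiNDR would accept the key as a user-specified value."""
    return _API_KEY_RE.fullmatch(key) is not None


def generate_api_key() -> str:
    """Draw the key from secrets (OS CSPRNG), never from random: the value is
    a bearer credential for the API, so predictability is a direct compromise."""
    return "".join(secrets.choice(API_KEY_ALPHABET) for _ in range(API_KEY_LEN))


def api_key_entropy_bits() -> float:
    """Guessing space of a compliant key: log2(62^31), about 184.6 bits."""
    return API_KEY_LEN * math.log2(len(API_KEY_ALPHABET))


def api_key_command(user: str, key: Optional[str] = None) -> str:
    """Build the CLI line from the syntax on this page. With no key, FortiNDR
    generates one; with a key, refuse locally anything the appliance would
    reject so the error surfaces before the key reaches the console."""
    if key is None:
        return f"execute api-key {user}"
    if not is_valid_api_key(key):
        raise ValueError("user-specified API key must be 31 chars of [A-Za-z0-9]")
    return f"execute api-key {user} {key}"


if __name__ == "__main__":
    k = generate_api_key()
    print(api_key_command("api-reader", k))  # api-reader is a hypothetical user
    print(f"{api_key_entropy_bits():.1f} bits of entropy")
```

Treat the generated key like any other bearer credential: pass it to the console over SSH, not Telnet, and store it in a secrets manager rather than in a script.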
execute db restore
Use this command to restore the database.
Syntax
execute db restore
execute db sample_process_summary
Use this command to get the processing status of FortiNDR within a specific time period.
Syntax
execute db sample_process_summary <from_date> <to_date>
Example of results
Sample accepted :192
Distinct sample accepted :88
Sample processed :192
Distinct sample accepted :88
Sample detected :192
infected host count :1
distinct infected remote IP :10
distinct infected host IP :5
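An added example that is not part of the FortiNDR documentation: a Python parser for the summary format shown above, with the page's sample figures embedded as constructed input, plus two checks an operator would run on the numbers (a processing backlog, and any infected host in the window). The function names are the example's own; the parser accepts the output whether the appliance prints it on one line or one field per line.

```python
import re

# Constructed input: the summary figures shown on this page, as printed by
# "execute db sample_process_summary <from_date> <to_date>".
SAMPLE_SUMMARY = (
    "Sample accepted :192 Distinct sample accepted :88 Sample processed :192 "
    "Distinct sample accepted :88 Sample detected :192 infected host count :1 "
    "distinct infected remote IP :10 distinct infected host IP :5"
)

# Each field is "<label> :<integer>". Labels contain spaces, so the regex
# takes the shortest run of non-colon text before a " :" rather than
# splitting on whitespace. \s* also swallows newlines, so one-field-per-line
# output parses the same way.
_FIELD_RE = re.compile(r"\s*([^:]+?)\s*:\s*(\d+)")


def parse_summary(text: str) -> dict:
    """Map each label (lower-cased) to its integer. A label that appears
    twice, as 'Distinct sample accepted' does in the page's sample, becomes
    a list of both values instead of being silently overwritten."""
    out = {}
    for label, value in _FIELD_RE.findall(text):
        label = label.strip().lower()
        value = int(value)
        if label in out:
            prev = out[label]
            out[label] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            out[label] = value
    return out


def assess(summary: dict) -> list:
    """Checks a SOC would run over the numbers for the reporting window."""
    findings = []
    accepted = summary.get("sample accepted", 0)
    processed = summary.get("sample processed", 0)
    if processed < accepted:
        findings.append(
            f"backlog: {accepted - processed} accepted sample(s) not yet processed"
        )
    infected = summary.get("infected host count", 0)
    if infected:
        findings.append(
            f"{infected} infected host(s) in window; "
            f"{summary.get('distinct infected host ip', 0)} distinct host IP(s), "
            f"{summary.get('distinct infected remote ip', 0)} distinct remote IP(s)"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    for key, val in parsed.items():
        print(f"{key}: {val}")
    print(assess(parsed) or ["no findings"])
```

Keeping duplicate labels as a list is deliberate: if the appliance ever prints the same label twice with different values, a dict that overwrites would hide the discrepancy.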
execute factoryreset config
Use this command to reset the configuration only.
Back up your configuration before using this command. This command makes major changes to your configuration. If you are downgrading the firmware, this procedure resets all changes you have made to the FortiNDR configuration file and reverts the system to the default values for that firmware version, including factory default settings for the IP addresses of network interfaces. For information on creating a backup, see the FortiNDR Administration Guide in the Fortinet Document Library.
Syntax
execute factoryreset config
execute factoryreset disk
Use this command to reset the RAID level and partition the disk to default settings. This command does not reset the configuration such as IP configuration.
Back up all data on the disks before using this command. This command deletes all files on the disk.
Syntax
execute factoryreset disk
execute factoryreset
Use this command to reset FortiNDR to its default settings for the currently installed firmware version. If you have not upgraded or downgraded the firmware, this restores factory default settings.
Back up your configuration before using this command. This procedure resets all changes you have made to the FortiNDR configuration file and reverts the system to the default values for the firmware version, including factory default settings for the IP addresses of network interfaces. For information on creating a backup, see the FortiNDR Administration Guide in the Fortinet Document Library.
Syntax
execute factoryreset
Example
execute factoryreset
The CLI displays the following:
This operation will change all settings to
factory default! Do you want to continue? (y/n)
If you enter y
(yes), the CLI displays the following and logs you out of the CLI:
System is resetting to factory default...
execute formatdatadisk
Use this command to format the local hard disk that contains training data as well as detection history. Formatting erases the training data and detection history stored on it, so export anything you still need (for example with execute export file-report) before running it.
Format the disk regularly to improve performance.
Syntax
execute formatdatadisk
execute formatlogdisk
Use this command to reformat the local hard disk that contains log data. This command also reboots the unit.
Format the disk regularly to improve performance.
Back up all data on the disks before using this command. This command deletes all files on the disk.
Syntax
execute formatlogdisk
Example
execute formatlogdisk
The CLI displays the following:
This operation will erase all data on the log disk! Do you want to continue? (y/n)
After you enter y
(yes), the CLI displays the following and logs you out of the CLI:
Formatting disk, Please wait a few seconds!
execute learner
Use this command to enable or disable FortiNDR learners.
Syntax
execute learner {on|off}
execute ha test-failover
Use this command to trigger an HA failover. This command should only be used on the primary FortiNDR unit of the primary-secondary HA group.
Syntax
execute ha test-failover
execute partitiondisk
Use this command to adjust the size ratio of the hard disk partitions for log and training data.
Back up all data on the disks before using this command. This command deletes all files on the disk.
Syntax
execute partitiondisk <percentage_str>
| Variable | Description | Default |
|---|---|---|
| <percentage_str> | Enter an integer between 1 and 95 to create a partition of that percentage of the total hard disk space for the log disk. The remaining space is for the data disk. | 5 |
execute ping
Use this command to perform an ICMP ECHO request (a ping) to a host by specifying its FQDN or IP address.
Syntax
execute ping {<fqdn_str> | <host_ipv4>}
| Variable | Description | Default |
|---|---|---|
| {<fqdn_str> \| <host_ipv4>} | IP address or FQDN of the host. | |
Example 1
execute ping 172.16.1.10
The CLI displays the following:
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.16.1.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
The results of the ping indicate that a route exists between FortiNDR and 172.16.1.10. They also indicate that during the sample period there was no packet loss and the average response time was 0.2 milliseconds (ms).
Example 2
execute ping 10.0.0.1
The CLI displays the following:
PING 10.0.0.1 (10.0.0.1): 56 data bytes
After several seconds with no output, the administrator stops the ping by pressing Ctrl + C. The CLI displays the following:
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
The results of the ping indicate that the host might be down or there is no route between FortiNDR and 10.0.0.1.
execute raidlevel
Use this command to reset the RAID level and partition the disk.
Syntax
execute raidlevel <raid-level-option>
execute reboot
Use this command to restart FortiNDR.
Syntax
execute reboot
Example
execute reboot
The CLI displays the following:
This operation will reboot the system !
Do you want to continue? (y/n)
After you enter y
(yes), the CLI displays the following:
System is rebooting...
If you are connected to the CLI through a local console, the CLI displays messages during the reboot.
If you are connected to the CLI through the network, the CLI does not display any notifications during the reboot since the connection is terminated.
execute reload
If you set your console to batch mode, use this command to flush the current configuration from system memory and reload the configuration from a previously saved configuration file.
You can also use this command to reload individual daemons that have crashed, with this syntax:
execute reload [{httpd | ...}]
where {httpd | ...} is the name of the daemon you want to restart.
For example, suppose HTTP and HTTPS access are enabled but the GUI does not respond, while you can still connect via SSH and ping the unit, so you know that FortiNDR has not crashed entirely. If you do not want to reboot, because that would interrupt inspection, you can try restarting only the HTTP daemon:
execute reload httpd
Restart httpd?
Do you want to continue? (y/n)y
Reloading httpd....done
This command does not check whether the daemon actually exists. If the command does not complete within a few seconds, the daemon might not exist.
Syntax
execute reload [<daemon_name>]
execute restore config
Use this command to restore a configuration file from the local disk or from an FTP, SCP, or TFTP server.
Back up your configuration before using this command. This command makes major changes to your configuration. If you are downgrading the firmware, this procedure resets all changes you have made to the FortiNDR configuration file and reverts the system to the default values for that firmware version, including factory default settings for the IP addresses of network interfaces. For information on creating a backup, see the FortiNDR Administration Guide in the Fortinet Document Library.
Unlike installing firmware via TFTP during a boot interrupt, installing firmware using this command will attempt to preserve settings and files, and not necessarily restore the FortiNDR unit to its firmware/factory default configuration. For information on installing firmware via TFTP boot interrupt, see the FortiNDR Administration Guide.
Syntax
execute restore config {disk <filename> | ftp <filename> <server_ipv4> | scp <filename> <server_ipv4> | tftp <filename> <server_ipv4>}
| Variable | Description | Default |
|---|---|---|
| <filename> | Name of the configuration file you want to restore from the disk or server. | |
| <server_ipv4> | IP address of the FTP, SCP, or TFTP server where the configuration file is stored. | |
| management-station | If you want to restore a configuration file or apply a template stored in FortiManager, enter management-station and then enter either: | |
| | If you want to restore a configuration file or apply a template stored in FortiManager, enter the revision number of the configuration file or template. | |
Example 1
This example restores configuration file revision 2 which is stored in FortiManager.
execute restore config management-station normal 2
The CLI displays the following:
This operation will overwrite the current settings!
Do you want to continue? (y/n)
After you enter y
(yes), the CLI displays the following:
Connect to FortiManager ...
Please wait...
Example 2
This example restores a configuration file from a TFTP server at 172.16.1.5.
execute restore config tftp fml.cfg 172.16.1.5
The CLI displays the following:
This operation will overwrite the current settings!
(The current admin password will be preserved.)
Do you want to continue? (y/n)
After you enter y
(yes), the CLI displays the following, then terminates the SSH connection and reboots with the restored configuration:
Connect to tftp server 172.16.1.5 ...
Please wait...
Get config file from tftp server OK.
File check OK.
execute restore image
Use this command to install a firmware file from the local disk or from an FTP, SCP, or TFTP server. FTP and TFTP transfer the image without encryption, so prefer scp, and verify the image checksum against a trusted source before installing it.
Back up your configuration before using this command. This command makes major changes to your configuration. If you are downgrading the firmware, this procedure resets all changes you have made to the FortiNDR configuration file and reverts the system to the default values for that firmware version, including factory default settings for the IP addresses of network interfaces. For information on creating a backup, see the FortiNDR Administration Guide in the Fortinet Document Library.
Syntax
execute restore image {disk <filename> | ftp <filename> <server_ipv4> | scp <filename> <server_ipv4> | tftp <filename> <server_ipv4>}
| Variable | Description | Default |
|---|---|---|
| <filename> | Name of the firmware file on the disk or server. | |
| <server_ipv4> | IP address of the FTP, SCP, or TFTP server where the firmware file is stored. | |
|
Example
This example restores firmware file FAI_3500F-v12-build0047-FORTINET.out, which is stored on the TFTP server 192.168.1.20.
execute restore image tftp FAI_3500F-v12-build0047-FORTINET.out 192.168.1.20
The CLI displays the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
After you enter y
(yes), the CLI displays the following:
Connect to tftp server 192.168.1.20 ...
Please wait...
########################
Get image from tftp server OK.
Check image OK.
execute restore kdb
Use this command to restore, upgrade, or downgrade the FortiNDR ANN database from the local disk or from an FTP, SCP, or TFTP server. This command replaces the existing ANN database.
Syntax
execute restore kdb {disk <filename> | ftp <filename> <server_ipv4> | scp <filename> <server_ipv4> | tftp <filename> <server_ipv4>}
| Variable | Description | Default |
|---|---|---|
| <filename> | Name of the ANN database file on the disk or server. | |
| <server_ipv4> | IP address of the FTP, SCP, or TFTP server where the database file is stored. | |
execute shutdown
Use this command to prepare the FortiNDR unit to be powered down by halting the software, clearing all buffers, and writing all cached data to disk.
Power off the FortiNDR unit only after issuing this command. Unplugging or switching off the FortiNDR unit without issuing this command could result in data loss.
Syntax
execute shutdown
Example
execute shutdown
The CLI displays the following:
This operation will halt the system
(power-cycle needed to restart)!Do you want to continue? (y/n)
After you enter y
(yes), the CLI displays the following:
System is shutting down...(power-cycle needed to restart)
If you are connected to the CLI through a local console, the CLI displays a message when the shutdown is complete.
If you are connected to the CLI through the network, the CLI does not display any notifications and the connection times out.
execute ssh
Use this command as you would the Linux ssh command.
Syntax
execute ssh <user@host>
execute telnettest
Use this command to test Telnet connectivity to a host.
Syntax
execute telnettest {<fqdn_str> | <host_ipv4>}[:<port_int>]
| Variable | Description | Default |
|---|---|---|
| {<fqdn_str> \| <host_ipv4>} | IP address or FQDN of the Telnet server. | |
| [:<port_int>] | If the Telnet server listens on a port number other than 23, enter a colon (:) followed by the port number. | 23 |
Example
This example tests the connection to a Telnet server at 192.168.1.10 on port 2323.
execute telnettest 192.168.1.10:2323
The CLI displays the following:
(using 192.168.1.20 to connect)
Remote Output(hex):
FF FD 18 FF FD 20 FF FD
23 FF FD 27
Connection Status:
Connecting to remote host succeeded.
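The Remote Output(hex) bytes above are the server's opening Telnet option negotiation (IAC sequences from RFC 854), which is what distinguishes a real Telnet daemon from any other service that happens to accept the TCP connection. As an added example that is not part of the FortiNDR documentation, this Python decoder turns such a hex dump into readable (command, option) pairs and reports whether the whole dump parsed as negotiation. The bytes FF FD 18 FF FD 20 FF FD 23 FF FD 27 decode to DO TERMINAL-TYPE, DO TERMINAL-SPEED, DO X-DISPLAY-LOCATION and DO NEW-ENVIRON; a second constructed input, the start of an SSH banner, shows a port that answers but is not Telnet. Function names are the example's own.

```python
# Telnet negotiation constants (RFC 854; option numbers from their own RFCs).
IAC, DONT, DO, WONT, WILL = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB
COMMANDS = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}
OPTIONS = {
    0x00: "BINARY",
    0x01: "ECHO",
    0x03: "SUPPRESS-GO-AHEAD",
    0x18: "TERMINAL-TYPE",        # RFC 1091
    0x1F: "NAWS",                 # RFC 1073
    0x20: "TERMINAL-SPEED",       # RFC 1079
    0x23: "X-DISPLAY-LOCATION",   # RFC 1096
    0x27: "NEW-ENVIRON",          # RFC 1572
}

# Constructed inputs: the hex dump from the telnettest example on this page,
# and the first bytes of an SSH banner ("SSH-2.0") for contrast.
TELNET_DUMP = "FF FD 18 FF FD 20 FF FD 23 FF FD 27"
SSH_BANNER_DUMP = "53 53 48 2D 32 2E 30"


def decode_negotiation(hex_dump: str):
    """Decode 'Remote Output(hex)' into (command, option) pairs.

    Returns (pairs, complete). complete is True only when every byte was
    consumed as a well-formed 3-byte IAC sequence, i.e. the remote end spoke
    Telnet from its first byte. Anything else (a banner, binary data, a
    truncated IAC) stops the decode and leaves complete False."""
    data = bytes.fromhex(hex_dump)  # whitespace between byte pairs is ignored
    pairs = []
    i = 0
    while i + 2 < len(data) and data[i] == IAC and data[i + 1] in COMMANDS:
        opt = data[i + 2]
        pairs.append((COMMANDS[data[i + 1]], OPTIONS.get(opt, f"OPTION-{opt}")))
        i += 3
    return pairs, i == len(data)


def describe(hex_dump: str) -> str:
    """One-line verdict in the spirit of the CLI's 'Connection Status'."""
    pairs, complete = decode_negotiation(hex_dump)
    if complete and pairs:
        wants = ", ".join(f"{cmd} {opt}" for cmd, opt in pairs)
        return f"Telnet daemon (cleartext protocol) negotiating: {wants}"
    if pairs:
        return "Telnet negotiation followed by non-negotiation data"
    return "TCP port open but the remote did not start with Telnet negotiation"


if __name__ == "__main__":
    for dump in (TELNET_DUMP, SSH_BANNER_DUMP):
        print(dump, "->", describe(dump))
```

A successful telnettest therefore tells you two things: the route and port are reachable, and, if the dump decodes cleanly, a Telnet service is exposed, which is itself a finding worth recording because Telnet carries credentials in cleartext.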
execute traceroute
Use this command to use ICMP to test the connection between FortiNDR and another network device, and display information about the time required for network hops between FortiNDR and that device.
Syntax
execute traceroute {<fqdn_str> | <host_ipv4>}
| Variable | Description | Default |
|---|---|---|
| {<fqdn_str> \| <host_ipv4>} | IP address or FQDN of the host. | |
Example 1
This example tests connectivity between FortiNDR and http://docs.fortinet.com. In this example, the trace times out after the first hop indicating a possible connectivity problem at that point in the network.
execute traceroute docs.fortinet.com
traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.16.1.200 (172.16.1.200) 0.324 ms 0.427 ms 0.360 ms
2 * * *
Example 2
This example tests the availability of a network route to the server example.com.
execute traceroute example.com
The CLI displays the following:
traceroute to example.com (192.168.1.10), 32 hops max, 72 byte packets
1 172.16.1.2 0 ms 0 ms 0 ms
2 10.10.10.1 <static.isp.example.net> 2 ms 1 ms 2 ms
3 10.20.20.1 1 ms 5 ms 1 ms
4 10.10.10.2 <core.isp.example.net> 171 ms 186 ms 14 ms
5 10.30.30.1 <isp2.example.net> 10 ms 11 ms 10 ms
6 10.40.40.1 73 ms 74 ms 75 ms
7 192.168.1.1 79 ms 77 ms 79 ms
8 192.168.1.2 73 ms 73 ms 79 ms
9 192.168.1.10 73 ms 73 ms 79 ms
10 192.168.1.10 73 ms 73 ms 79 ms
Example 3
This example attempts to test connectivity between FortiNDR and example.com. However, FortiNDR cannot trace the route because the primary or secondary DNS server that FortiNDR is configured to query cannot resolve the FQDN example.com into an IP address, and so it does not know to which IP address it should connect. As a result, an error message displays.
execute traceroute example.com
traceroute: unknown host example.com
Command fail. Return code 1
To resolve the error in order to perform connectivity testing, the administrator would first configure FortiNDR with the IP addresses of DNS servers that are able to resolve the FQDN example.com.
execute update
Use this command to manually request updates or delete the downloaded cache files for updates to the FortiNDR ANN database and engine from FDS (FortiGuard Distribution Servers).
Syntax
execute update {now|clean-up}
execute vm license
In VM only, use this command to install license.
Syntax
execute vm license {disk|scp|ftp|tftp} <filenmame> <server>[:ftp port]
execute snifferd
Use this command to enable or disable the FortiNDR sniffer functionality.
Syntax
execute snifferd {on|off}
execute ndrd
Use this command to enable or disable the FortiNDR NDR functionality.
Syntax
execute ndrd {on|off}
execute file-size-threshold
Use this command to change the maximum file size that FortiNDR accepts from each input source (daemon).
Syntax
execute file-size-threshold {ICAP|OFTP|inline-blocking|manual-upload|network-share|sniffer}
| Variable | Description | Default |
|---|---|---|
| ICAP | Files sent from ICAP | |
| OFTP | OFTP devices | |
| inline-blocking | Fabric devices | |
| manual-upload | Manually uploaded files | |
| network-share | Network share scan | |
| sniffer | Network traffic sniffer | |
execute cleanup
Use this command to clean up historical data to free disk space. Use it with caution: all historical data is deleted.
Syntax
execute cleanup
execute backup config
Use this command to back up the configuration file to the local disk or to an SCP, FTP, or TFTP server. The backup contains the appliance configuration, so store it with the same care as the appliance's credentials; ftp and tftp transfer it without encryption, so prefer scp.
Syntax
execute backup config {disk|scp|ftp|tftp} <filename-to-be-saved> <server>[:ftp port] <user-name> <password>
execute device
Use this command to add back a fabric device that has been removed before, or remove an existing fabric device from FortiNDR.
Syntax
execute device {add|remove} <device-type-ID> <serial> [VDOM]