FortiAnalyzer 5.2.2 CLI Reference

FortiAnalyzer - CLI Reference

VERSION 5.2.2
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdocs@fortinet.com

April 10, 2015

FortiAnalyzer 5.2.2 CLI Reference

05-522-232152-20150410
TABLE OF CONTENTS

Change Log
Introduction
  Feature support
  FortiAnalyzer documentation
What’s New in FortiAnalyzer 5.2
  FortiAnalyzer version 5.2.2
  FortiAnalyzer version 5.2.1
  FortiAnalyzer version 5.2.0
Using the Command Line Interface
  CLI command syntax
  Connecting to the CLI
    Connecting to the FortiAnalyzer console
    Setting administrative access on an interface
    Connecting to the FortiAnalyzer CLI using SSH
    Connecting to the FortiAnalyzer CLI using the GUI
  CLI objects
  CLI command branches
    config branch
    get branch
    show branch
    execute branch
    diagnose branch
    Example command sequences
  CLI basics
    Command help
    Command tree
    Command completion
    Recalling commands
    Editing commands
    Line continuation
    Command abbreviation
    Environment variables
    Encrypted password support
    Entering spaces in strings
    Entering quotation marks in strings
    Entering a question mark (?) in a string
    International characters
    Special characters
    IP address formats
    Editing the configuration file
    Changing the baud rate
    Debug log levels
Administrative Domains
  About ADOMs
  Configuring ADOMs
system
  admin
    admin group
    admin ldap
    admin profile
    admin radius
    admin setting
    admin tacacs
    admin user
  aggregation-client
  aggregation-service
  alert-console
  alert-event
  alertemail
  auto-delete
  backup all-settings
  central-management
  certificate
    certificate ca
    certificate crl
    certificate local
    certificate oftp
    certificate ssh
  dns
  fips
  fortiview
  global
  interface
  locallog
    locallog disk setting
    locallog filter
    locallog fortianalyzer (fortianalyzer2, fortianalyzer3) setting
    locallog memory setting
    locallog syslogd (syslogd2, syslogd3) setting
  log
    log alert
    log mail-domain
    log settings
  mail
  ntp
  password-policy
  report
    report auto-cache
    report est-browse-time
    report group
    report setting
  route
  route6
  snmp
    snmp community
    snmp sysinfo
    snmp user
  sql
  syslog
fmupdate
  analyzer
    analyzer virusreport
  av-ips
    av-ips advanced-log
    av-ips fct server-override
    av-ips fgt server-override
    av-ips push-override
    av-ips push-override-to-client
    av-ips update-schedule
    av-ips web-proxy
  device-version
  disk-quota
  fct-services
  multilayer
  publicnetwork
  server-access-priorities
    config private-server
  server-override-status
  service
  support-pre-fgt43
execute
  add-vm-license
  backup
    backup all-settings
    backup logs
    backup logs-only
    backup logs-rescue
    backup reports
    backup reports-config
  bootimage
  certificate
    certificate ca
    certificate local
  console
    console baudrate
  date
  device
  factory-license
  fmupdate
    fmupdate cdrom
  format
  log
    log device disk_quota
    log device logstore
    log device permissions
    log dlp-files
    log import
    log ips-pkt
    log quarantine-files
  log-aggregation
  log-integrity
  lvm
  ping
  ping6
  raid
  reboot
  remove
  reset
  reset-sqllog-transfer
  restore
    restore all-settings
    restore image
    restore {logs | logs-only}
    restore reports
    restore reports-config
  shutdown
  sql-local
    sql-local rebuild-adom
    sql-local rebuild-db
    sql-local remove-db
    sql-local remove-logtype
  sql-query-dataset
  sql-query-generic
  sql-report
  ssh
  ssh-known-hosts
  tac
  time
  top
  traceroute
  traceroute6
diagnose
  auto-delete
  cdb check
  debug
    debug application
    debug cli
    debug console
    debug crashlog
    debug disable
    debug enable
    debug info
    debug reset
    debug service
    debug sysinfo
    debug sysinfo-log
    debug sysinfo-log-backup
    debug sysinfo-log-list
    debug timestamp
    debug vminfo
  dlp-archives
  dvm
    dvm adom
    dvm chassis
    dvm check-integrity
    dvm debug
    dvm device
    dvm device-tree-update
    dvm extender
    dvm group
    dvm lock
    dvm proc
    dvm task
    dvm transaction-flag
    dvm workflow
  fmnetwork
    fmnetwork arp
    fmnetwork interface
    fmnetwork netstat
  fmupdate
  fortilogd
  hardware
  log
    log device
  pm2
  report
  sniffer
  sql
  system
    system admin-session
    system disk
    system export
    system flash
    system fsck
    system geoip
    system ntp
    system print
    system process
    system raid
    system route
    system route6
  test
    test application
    test connection
    test sftp
  upload
    upload clear
    upload force-retry
    upload status
  vpn
get
  system admin
  system aggregation-client
  system aggregation-service
  system alert-console
  system alert-event
  system alertemail
  system auto-delete
  system backup
  system certificate
  system dns
  system fips
  system global
  system interface
  system locallog
  system log
  system mail
  system ntp
  system password-policy
  system performance
  system report
  system route
  system route6
  system snmp
  system sql
  system status
  system syslog
show
Appendix A - Object Tables
  Global object categories
  Device object ID values
Appendix B - Maximum Values Table
  Maximum values table
Change Log

Date          Change Description
2015-04-10    Initial release.

10 CLI Reference
Fortinet Technologies Inc.
Introduction

FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering
increased knowledge of security events throughout your network. The FortiAnalyzer family minimizes the effort
required to monitor and maintain acceptable use policies, as well as identify attack patterns to help you fine-tune
your policies. Organizations of any size will benefit from centralized security event logging, forensic research,
reporting, content archiving, data mining and malicious file quarantining.

FortiAnalyzer offers enterprise class features to identify threats, while providing the flexibility to evolve along with
your ever-changing network. FortiAnalyzer can generate highly customized reports for your business
requirements, while aggregating logs in a hierarchical, tiered logging topology.

You can deploy FortiAnalyzer physical or virtual appliances to collect, correlate, and analyze geographically and
chronologically diverse security data. Aggregate alerts and log information from Fortinet appliances and third-
party devices in a single location, providing a simplified, consolidated view of your security posture. In addition,
FortiAnalyzer platforms provide detailed data capture for forensic purposes to comply with policies regarding
privacy and disclosure of information security breaches.

Feature support

The following table lists FortiAnalyzer feature support for log devices.

Platform Logging FortiView Event Management Reports
FortiGate ✓ ✓ ✓ ✓
FortiCarrier ✓ ✓ ✓ ✓
FortiCache ✓ ✓ ✓
FortiClient ✓
FortiMail ✓ ✓ ✓
FortiManager ✓ ✓
FortiSandbox ✓ ✓
FortiWeb ✓ ✓ ✓
Syslog ✓ ✓

For more information on supported platforms, see the FortiAnalyzer Release Notes.


FortiAnalyzer documentation

The following FortiAnalyzer product documentation is available:

• FortiAnalyzer Administration Guide
  This document describes how to set up the FortiAnalyzer system and use it with supported Fortinet units.

• FortiAnalyzer device QuickStart Guides
  These documents are included with your FortiAnalyzer system package. Use these documents to install and
  begin working with the FortiAnalyzer system and FortiAnalyzer Web-based Manager.

• FortiAnalyzer Online Help
  You can get online help from the FortiAnalyzer Web-based Manager. FortiAnalyzer online help contains
  detailed procedures for using the FortiAnalyzer Web-based Manager to configure and manage FortiGate units.

• FortiAnalyzer CLI Reference
  This document describes how to use the FortiAnalyzer Command Line Interface (CLI) and contains references
  for all FortiAnalyzer CLI commands.

• FortiAnalyzer Release Notes
  This document describes new features and enhancements in the FortiAnalyzer system for the release, and
  lists resolved and known issues. This document also defines supported platforms and firmware versions.

• FortiAnalyzer VM (VMware) Install Guide
  This document describes installing FortiAnalyzer VM in your VMware ESX or ESXi virtual environment.

• FortiAnalyzer VM (Microsoft Hyper-V) Install Guide
  This document describes installing FortiAnalyzer VM in your Microsoft Hyper-V Server 2008 R2 or 2012 virtual
  environment.

What’s New in FortiAnalyzer 5.2

FortiAnalyzer version 5.2.2

The table below lists commands which have changed in version 5.2.2.

Command                                         Change
config system admin setting                     Variable added: show-checkbox-in-table
config system admin user                        Variable added: config dashboard time-period
config system fortiview setting                 Variable added: resolve-ip
config system global                            Variable added: country-flag
config system locallog ... filter               Variable added: devops
config system log mail-domain                   Command added.
config system log settings                      Variables added: log-file-archive-name, download-max-logs
config system mail                              Variable added: secure-option
config system report group                      Command added.
config system report setting                    Variables added: hcache-lossless, report-priority
config system report settings                   Variable added: show-checkbox-in-table
config system sql                               Variable added: fct-table-partition-time, background-rebuild
diagnose debug application                      Variables added: fazmaild, sqllogd
                                                Variables removed: depmanager, dmworker, fgfmd, securityconsole,
                                                ptsessionmgr, ptmgr, srchd
diagnose cdb check                              Variable added: reference-integrity
diagnose dminstallog                            Command removed.
diagnose fgfm object-list                       Command removed.
diagnose sql status                             Variables added: sql_hcache_chk, rebuild-adom
diagnose sql config                             Variable added: auto-cache-delay
diagnose test application                       Variable added: fazmaild
execute factory-license                         Variable added: tac-report
execute fgfm reclaim-dev-tunnel                 Command removed.
execute fmupdate cdrom                          Command added.
execute format                                  Variable added: disk-ext3
execute sql-local rebuild-adom                  Command added.
execute sql-report                              Variables added: hcache-check, list, list-schedule, view
execute tac report                              Command added.

FortiAnalyzer version 5.2.1

The table below lists commands which have changed in version 5.2.1.

Command                                         Change
config system report settings                   Variable added: max-table-rows
config fmupdate av-ips fgt server-override      Variable added: config servlist ip6
config fmupdate av-ips push-override            Variable added: ip6
config fmupdate av-ips web-proxy                Variable added: ip6
config fmupdate av-ips push-override-to-client  Variable added: ip6, config announce-ip
config fmupdate server-access-priorities        Variable added: config private-server ip6
diagnose sniffer packet                         Variable added: Timestamp
diagnose sql config top-dev set                 Command added.
config system global                            Variable removed: admintimeout
config system report auto-cache                 Variables added: order, aggressive-schedule, drilldown-status
execute devicelog clear                         Command removed.
execute log device logstore                     Command added.
diagnose sql rebuild-report-hcache              Command added.
config system global                            Variable added: ssl-protocol, create-revision
config system global                            Variable removed: max-concurrent-users
config system dns                               Variables added: ip6-primary, ip6-secondary
config system admin setting                     Variable added: admin-login-max
diagnose debug application dns                  Command added.
config system log fortianalyzer                 Command removed.
config system locallog                          Variables added: fortianalyzer2, fortianalyzer3
config system sql                               Variable removed: auto-table-upgrade
diagnose debug reset                            Command added.
config system fortiview setting                 Variable added: not-scanned apps
config system admin user                        Variable added: set rpc-permit
config system sql                               Variables added: device-count-high, event-table-partition-time,
                                                traffic-table-partition-time, utm-table-partition-time
diagnose debug application vmtools              Command added.

FortiAnalyzer version 5.2.0

The table below lists commands which have changed in version 5.2.0.

Command                                         Change
set unregister-pop-up                           Command removed.
config system admin profile                     Variable added: change password
config system admin setting                     Variable added: admin-https-redirect
config system admin user                        Variable added: change password
set show-log-forwarding                         Command added.
config system log settings                      Variable added: FSA-custom-field1
config system report est-browse-time            Variables added: compensate-read-time, max-read-time

Using the Command Line Interface

This chapter explains how to connect to the Command Line Interface (CLI) and describes the basics of using the
CLI. You can use CLI commands to view all system information and to change all system configuration settings.

This chapter describes:

• CLI command syntax
• Connecting to the CLI
• CLI objects
• CLI command branches
• CLI basics

CLI command syntax

This guide uses the following conventions to describe command syntax.

• Angle brackets < > indicate variables.

• Vertical bar and curly brackets {|} separate alternative, mutually exclusive required variables.
  For example:
      set protocol {ftp | sftp}
  You can enter set protocol ftp or set protocol sftp.

• Square brackets [ ] indicate that a variable is optional.
  For example:
      show system interface [<name_str>]
  To show the settings for all interfaces, you can enter show system interface. To show the settings for
  the Port1 interface, you can enter show system interface port1.

• A space separates options that can be entered in any combination and must be separated by spaces.
  For example:
      set allowaccess {https ping ssh snmp telnet http webservice aggregator}
  You can enter any of the following:
      set allowaccess ping
      set allowaccess https
      set allowaccess ssh
      set allowaccess https ssh
      set allowaccess aggregator http https ping ssh telnet webservice
  In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole
  list including all the options you want to apply and excluding all the options you want to remove.

• Special characters:
  • The \ is supported to escape spaces or as a line continuation character.
  • The single quotation mark ' and the double quotation mark " are supported, but must be used in pairs.
  • If there are spaces in a string, you must precede the spaces with the \ escape character or put the string in a
    pair of quotation marks.

Connecting to the CLI

You can use a direct console connection or SSH to connect to the FortiAnalyzer CLI. You can also access the CLI
through the CLI console widget on the Web-based Manager. For more information, see the FortiAnalyzer
Administration Guide and your device’s QuickStart Guide.

Connecting to the FortiAnalyzer console


To connect to the FortiAnalyzer console, you need:

• a computer with an available communications port
• a console cable, provided with your FortiAnalyzer unit, to connect the FortiAnalyzer console port and a
  communications port on your computer
• terminal emulation software, such as HyperTerminal for Windows.

The following procedure describes how to connect to the FortiAnalyzer CLI using Windows HyperTerminal
software. You can use any terminal emulation program.

To connect to the CLI:

1. Connect the FortiAnalyzer console port to the available communications port on your computer.
2. Make sure the FortiAnalyzer unit is powered on.
3. Start HyperTerminal, enter a name for the connection, and select OK.
4. Configure HyperTerminal to connect directly to the communications port on the computer to which you have
   connected the FortiAnalyzer console port.
5. Select OK.
6. Select the following port settings and select OK.

   COM port           COM1
   Bits per second    115200
   Data bits          8
   Parity             None
   Stop bits          1
   Flow control       None

7. Press Enter to connect to the FortiAnalyzer CLI. A login prompt appears.
8. Type a valid administrator name and press Enter.
9. Type the password for this administrator and press Enter. A command prompt appears.

You have connected to the FortiAnalyzer CLI, and you can enter CLI commands.

Setting administrative access on an interface


To perform administrative functions through a FortiAnalyzer network interface, you must enable the required
types of administrative access on the interface to which your management computer connects. Access to the CLI
requires Secure Shell (SSH) access. If you want to use the Web-based Manager, you need HTTPS access.

To use the Web-based Manager to configure FortiAnalyzer interfaces for SSH access, see the FortiAnalyzer
Administration Guide.

To use the CLI to configure SSH access:

1. Connect and log into the CLI using the FortiAnalyzer console port and your terminal emulation software.
2. Use the following command to configure an interface to accept SSH connections:
       config system interface
           edit <interface_name>
               set allowaccess <access_types>
       end
   Where <interface_name> is the name of the FortiAnalyzer interface to be configured to allow
   administrative access, and <access_types> is a whitespace-separated list of access types to enable.

   For example, to configure port1 to accept HTTPS and SSH connections, enter:
       config system interface
           edit port1
               set allowaccess https ssh
       end

   Remember to press Enter at the end of each line in the command example. Also,
   type end and press Enter to commit the changes to the FortiAnalyzer configuration.

3. To confirm that you have configured SSH access correctly, enter the following command to view the access
   settings for the interface:
       get system interface <interface_name>
   The CLI displays the settings, including the management access settings, for the named interface.

Connecting to the FortiAnalyzer CLI using SSH


SSH provides strong secure authentication and secure communications to the FortiAnalyzer CLI from your
internal network or the internet. Once the FortiAnalyzer unit is configured to accept SSH connections, you can run
an SSH client on your management computer and use this client to connect to the FortiAnalyzer CLI.

To connect to the CLI using SSH:

1. Install and start an SSH client.
2. Connect to a FortiAnalyzer interface that is configured for SSH connections.
3. Type a valid administrator name and press Enter.
4. Type the password for this administrator and press Enter.
   The FortiAnalyzer model name followed by a # is displayed.

You have connected to the FortiAnalyzer CLI, and you can enter CLI commands.

Connecting to the FortiAnalyzer CLI using the GUI


The GUI also provides a CLI console window.

To connect to the CLI using the Web-based Manager:

1. Connect to the Web-based Manager and log in.
2. Go to System Settings > Dashboard.
3. Click inside the CLI Console widget. If the widget is not available, select Add Widget to add the widget to the
   dashboard.

CLI objects

The FortiAnalyzer CLI is based on configurable objects. The top-level objects are the basic components of
FortiAnalyzer functionality.

system      Configuration options related to the overall operation of the FortiAnalyzer unit, such as
            interfaces, virtual domains, and administrators.

fmupdate    Configures settings related to FortiGuard service updates and the unit’s built-in FDS.

These objects contain more specific lower-level objects. For example, the system object contains objects for
administrators, DNS, interfaces and so on.

CLI command branches

The FortiAnalyzer CLI consists of the following command branches:

• config branch
• get branch
• show branch
• execute branch
• diagnose branch

Examples showing how to enter command sequences within each branch are provided in the following sections.

config branch
The config commands configure objects of FortiAnalyzer functionality. Top-level objects are not configurable;
they are containers for more specific lower level objects. For example, the system object contains administrators,
DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as
administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the
table. Table entries each consist of variables that you can set to particular values. Simpler objects, such as
system DNS, are a single set of variables.


To configure an object, you use the config command to navigate to the object’s command “shell”. For example,
to configure administrators, you enter the command
    config system admin user
The command prompt changes to show that you are in the admin shell.
    (user)#
This is a table shell. You can use any of the following commands:

edit      Add an entry to the FortiAnalyzer configuration or edit an existing entry. For example in the
          config system admin shell:
          • Type edit admin and press Enter to edit the settings for the default admin
            administrator account.
          • Type edit newadmin and press Enter to create a new administrator account
            with the name newadmin and to edit the default settings for the new administrator
            account.

delete    Remove an entry from the FortiAnalyzer configuration. For example in the config system
          admin shell, type delete newadmin and press Enter to delete the administrator
          account named newadmin.

purge     Remove all entries configured in the current shell. For example in the config user
          local shell:
          • Type get to see the list of user names added to the FortiAnalyzer configuration,
          • Type purge and then y to confirm that you want to purge all the user names,
          • Type get again to confirm that no user names are displayed.

get       List the configuration. In a table shell, get lists the table members. In an edit shell, get
          lists the variables and their values.

show      Show changes to the default configuration as configuration commands.

end       Save the changes you have made in the current shell and leave the shell. Every config
          command must be paired with an end command. You will return to the root FortiAnalyzer
          CLI prompt.
          The end command is also used to save set command changes and leave the shell.

If you enter the get command, you see a list of the entries in the table of administrators. To add a new
administrator, you enter the edit command with a new administrator name:
    edit admin_1
The FortiAnalyzer unit acknowledges the new table entry and changes the command prompt to show that you are
now editing the new entry:
    new entry 'admin_1' added
    (admin_1)#
From this prompt, you can use any of the following commands:

config    In a few cases, there are subcommands that you access using a second config command
          while editing a table entry. An example of this is the command to restrict the user to
          specific devices or VDOMs.

set       Assign values. For example from the edit admin command shell, typing set password
          newpass changes the password of the admin administrator account to newpass.
          When using a set command to make changes to lists that contain options separated by
          spaces, you need to retype the whole list including all the options you want to apply and
          excluding all the options you want to remove.

unset     Reset values to defaults. For example from the edit admin command shell, typing
          unset password resets the password of the admin administrator account to the default
          of no password.

get       List the configuration. In a table shell, get lists the table members. In an edit shell, get
          lists the variables and their values.

show      Show changes to the default configuration in the form of configuration commands.

next      Save the changes you have made in the current shell and continue working in the shell. For
          example if you want to add several new admin user accounts enter the config system
          admin user shell.
          • Type edit User1 and press Enter.
          • Use the set commands to configure the values for the new admin account.
          • Type next to save the configuration for User1 without leaving the config
            system admin user shell.
          • Continue using the edit, set, and next commands to continue adding admin
            user accounts.
          • Type end and press Enter to save the last configuration and leave the shell.

abort     Exit an edit shell without saving the configuration.

end       Save the changes you have made in the current shell and leave the shell. Every config
          command must be paired with an end command.
          The end command is also used to save set command changes and leave the shell.

The config branch is organized into configuration shells. You can complete and save the configuration within
each shell for that shell, or you can leave the shell without saving the configuration. You can only use the
configuration commands for the shell that you are working in. To use the configuration commands for another
shell you must leave the shell you are working in and enter the other shell.

get branch
Use get to display settings. You can use get within a config shell to display the settings for that shell, or you
can use get with a full path to display the settings for the specified shell.

To use get from the root prompt, you must include a path to a shell.

The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example 1

When you type get in the config system admin user shell, the list of administrators is displayed.

At the (user)# prompt, type:


get
The screen displays:
== [ admin ]
userid: admin
== [ admin2 ]
userid: admin2
== [ admin3 ]
userid: admin3

Example 2

When you type get in the admin user shell, the configuration values for the admin administrator account are
displayed.
edit admin
At the (admin)# prompt, type:
get
The screen displays:
userid : admin
password : *
trusthost1 : 0.0.0.0 0.0.0.0
trusthost2 : 0.0.0.0 0.0.0.0
trusthost3 : 0.0.0.0 0.0.0.0
trusthost4 : 0.0.0.0 0.0.0.0
trusthost5 : 0.0.0.0 0.0.0.0
trusthost6 : 0.0.0.0 0.0.0.0
trusthost7 : 0.0.0.0 0.0.0.0
trusthost8 : 0.0.0.0 0.0.0.0
trusthost9 : 0.0.0.0 0.0.0.0
trusthost10 : 127.0.0.1 255.255.255.255
ipv6_trusthost1 : ::/0
ipv6_trusthost2 : ::/0
ipv6_trusthost3 : ::/0
ipv6_trusthost4 : ::/0
ipv6_trusthost5 : ::/0
ipv6_trusthost6 : ::/0
ipv6_trusthost7 : ::/0
ipv6_trusthost8 : ::/0
ipv6_trusthost9 : ::/0
ipv6_trusthost10 : ::1/128
profileid : Super_User
adom:
== [ all_adoms ]
adom-name: all_adoms
policy-package:
== [ all_policy_packages ]
policy-package-name: all_policy_packages
restrict-access : disable
restrict-dev-vdom:
description : (null)
user_type : local
ssh-public-key1 :
ssh-public-key2 :
ssh-public-key3 :
meta-data:


last-name : (null)
first-name : (null)
email-address : (null)
phone-number : (null)
mobile-number : (null)
pager-number : (null)
hidden : 0
dashboard-tabs:
dashboard:
== [ 6 ]
moduleid: 6
== [ 1 ]
moduleid: 1
== [ 2 ]
moduleid: 2
== [ 3 ]
moduleid: 3
== [ 4 ]
moduleid: 4
== [ 5 ]
moduleid: 5

Example 3

You want to confirm the IP address and netmask of the port1 interface from the root prompt.

At the (command) # prompt, type:
get system interface port1
The screen displays:
name : port1
status : up
ip : 172.16.81.30 255.255.255.0
allowaccess : ping https ssh snmp telnet http webservice aggregator
serviceaccess :
speed : auto
description : (null)
alias : (null)
ipv6:
ip6-address: ::/0
ip6-allowaccess:

show branch
Use show to display the FortiAnalyzer unit configuration. Only changes to the default configuration are displayed.
You can use show within a config shell to display the configuration of that shell, or you can use show with a full
path to display the configuration of the specified shell.

To display the configuration of all config shells, you can use show from the root prompt. The root prompt is the
FortiAnalyzer host or model name followed by a number sign (#).

Example 1

When you type show and press Enter within the port1 interface shell, the changes to the default interface
configuration are displayed.

At the (port1)# prompt, type:


show
The screen displays:
config system interface
edit "port1"
set ip 172.16.81.30 255.255.255.0
set allowaccess ping https ssh snmp telnet http webservice aggregator
next
edit "port2"
set ip 1.1.1.1 255.255.255.0
set allowaccess ping https ssh snmp telnet http webservice aggregator
next
edit "port3"
next
edit "port4"
next
end
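
Added example (not part of the Fortinet reference): a Python audit that parses show-style output like the listing above, flags interfaces whose allowaccess list includes telnet or http, and builds the replacement command with the whole list retyped, as the CLI requires when removing options. The choice of telnet and http as the flagged set, the function names, and the sample text are assumptions of this example.

```python
import shlex

# Policy assumption of this example: telnet and http are unencrypted management
# protocols, so they are the access types to flag. Adjust to your own standard.
CLEARTEXT = frozenset({"telnet", "http"})

# Constructed sample in the same shape as the `show` output of Example 1.
SAMPLE_SHOW = """\
config system interface
    edit "port1"
        set ip 172.16.81.30 255.255.255.0
        set allowaccess ping https ssh snmp telnet http webservice aggregator
    next
    edit "port2"
        set ip 1.1.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port3"
    next
end
"""


def parse_show(text):
    """Parse show-style output into {config path: {entry: {variable: [values]}}}.

    Objects without table entries (no edit/next) are stored under the entry None.
    Nested config blocks inside an entry are skipped up to their matching end.
    """
    tree, path, entry, skip = {}, None, None, 0
    for raw in text.splitlines():
        # shlex honours the CLI's quoting rules: paired quotes and \-escaped spaces.
        tokens = shlex.split(raw)
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if skip:  # inside a nested config block: only track its depth
            skip += (verb == "config") - (verb == "end")
            continue
        if verb == "config":
            if path is None:
                path = " ".join(args)
                tree.setdefault(path, {})
            else:
                skip = 1
        elif verb == "edit" and path is not None and args:
            entry = args[0]
            tree[path].setdefault(entry, {})
        elif verb == "set" and path is not None and args:
            tree[path].setdefault(entry, {})[args[0]] = args[1:]
        elif verb == "next":
            entry = None
        elif verb == "end":
            path, entry = None, None
    return tree


def remediation(name, keep):
    """Return the commands that retype the full allowaccess list without the
    flagged options, or None when nothing would remain (needs a manual decision)."""
    if not keep:
        return None
    return "\n".join([
        "config system interface",
        f'    edit "{name}"',
        "        set allowaccess " + " ".join(keep),
        "end",
    ])


def audit_allowaccess(text, banned=CLEARTEXT):
    """Return one finding per interface that allows a banned access type."""
    findings = []
    for name, settings in parse_show(text).get("system interface", {}).items():
        current = settings.get("allowaccess", [])
        risky = [a for a in current if a in banned]
        if risky:
            keep = [a for a in current if a not in banned]
            findings.append({"interface": name, "risky": risky,
                             "fix": remediation(name, keep)})
    return findings


if __name__ == "__main__":
    for finding in audit_allowaccess(SAMPLE_SHOW):
        print(finding["interface"], "allows", ", ".join(finding["risky"]))
        print(finding["fix"] or "(no access types left; review manually)")
```
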

Example 2

You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)#
prompt, type:
show system dns
The screen displays:
config system dns
set primary 65.39.139.53
set secondary 65.39.139.63
end

execute branch
Use execute to run static commands, to reset the FortiAnalyzer unit to factory defaults, or to back up or restore
the FortiAnalyzer configuration. The execute commands are available only from the root prompt.

The root prompt is the FortiAnalyzer host or model name followed by a number sign (#).

Example

At the root prompt, type:
execute reboot
The system will be rebooted.
Do you want to continue? (y/n)
and press Enter to restart the FortiAnalyzer unit.

diagnose branch
Commands in the diagnose branch are used for debugging the operation of the FortiAnalyzer unit and to set
parameters for displaying different levels of diagnostic information.

Diagnose commands are intended for advanced users only. Contact Fortinet Technical
Support before using these commands.

Example command sequences

The command prompt changes for each shell.

To configure the primary and secondary DNS server addresses:

1. Starting at the root prompt, type:


config system dns
and press Enter. The prompt changes to (dns)#.

2. At the (dns)# prompt, type (question mark) ?


The following options are displayed.
set
unset
get
show
abort
end
3. Type set (question mark)?
The following options are displayed:
primary
secondary
4. To set the primary DNS server address to 172.16.100.100, type:
set primary 172.16.100.100
and press Enter.

5. To set the secondary DNS server address to 207.104.200.1, type:


set secondary 207.104.200.1
and press Enter.

6. To restore the primary DNS server address to the default address, type unset primary and press Enter.
7. If you want to leave the config system dns shell without saving your changes, type abort and press
Enter.
8. To save your changes and exit the dns sub-shell, type end and press Enter.
9. To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press
Enter.

CLI basics

Command help
You can press the question mark (?) key to display command help.

• Press the question mark (?) key at the command prompt to display a list of the commands available and a
description of each command.
• Type a command followed by a space and press the question mark (?) key to display a list of the options available
for that command and a description of each option.
• Type a command followed by an option and press the question mark (?) key to display a list of additional options
available for that command option combination and a description of each option.

Command tree
Type tree to display the FortiAnalyzer CLI command tree. To capture the full output, connect to your device
using a terminal emulation program, such as PuTTY, and capture the output to a log file. For config
commands, use the tree command to view all available variables and sub-commands.

Example
# config system interface
(interface)# tree
-- [interface] --*name
               |- status
               |- ip
               |- allowaccess
               |- serviceaccess
               |- speed
               |- description
               |- alias
               +- <ipv6> -- ip6-address
                         +- ip6-allowaccess

Command completion
You can use the tab key or the question mark (?) key to complete commands:

• You can press the tab key at any prompt to scroll through the options available for that prompt.
• You can type the first characters of any command and press the tab key or the question mark (?) key to complete
the command or to scroll through the options that are available at the current cursor position.
• After completing the first word of a command, you can press the space bar and then the tab key to scroll through the
options available at the current cursor position.

Recalling commands
You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands
you have entered.

Editing commands
Use the left and right arrow keys to move the cursor back and forth in a recalled command. You can also use the
backspace and delete keys and the control keys listed in the following table to edit the command.

Function                                   Key combination

Beginning of line                          Control key + A
End of line                                Control key + E
Back one character                         Control key + B
Forward one character                      Control key + F
Delete current character                   Control key + D
Previous command                           Control key + P
Next command                               Control key + N
Abort the command                          Control key + C
If used at the root prompt, exit the CLI   Control key + C

Line continuation
To break a long command over multiple lines, use a \ at the end of each line.

Command abbreviation
You can abbreviate commands and command options to the smallest number of unambiguous characters. For
example, the command get system status can be abbreviated to g sy st.

Environment variables
The FortiAnalyzer CLI supports several environment variables.

$USERFROM The management access type (SSH, Telnet and so on) and the IP address of the
logged in administrator.

$USERNAME The user account name of the logged in administrator.

$SerialNum The serial number of the FortiAnalyzer unit.

Variable names are case sensitive. In the following example, when entering the variable, you can type (dollar
sign) $ followed by a tab to auto-complete the variable to ensure that you have the exact spelling and case.
Continue pressing tab until the variable you want to use is displayed.
config system global
set hostname $SerialNum
end

Encrypted password support


After you enter a clear text password using the CLI, the FortiAnalyzer unit encrypts the password and stores it in
the configuration file with the prefix ENC. For example:
show system admin user user1
config system admin user
edit "user1"
set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f
set profileid "Standard_User"
next
end
It is also possible to enter an already encrypted password. For example, type:
config system admin user
then press Enter.

Type:
edit user1
then press Enter.

Type:
set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwzGzGuJ5a9f
then press Enter.

Type:
end
then press Enter.

Entering spaces in strings


When a string value contains a space, do one of the following:

• Enclose the string in quotation marks, for example "Security Administrator".
• Enclose the string in single quotes, for example 'Security Administrator'.
• Use a backslash ("\") preceding the space, for example Security\ Administrator.

Entering quotation marks in strings


If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character
with a backslash character. To include a backslash, enter two backslashes.

Entering a question mark (?) in a string


If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering
a question mark without first entering CTRL-V causes the CLI to display possible command completions,
terminating the string.

International characters
The CLI supports international characters in strings.

Special characters
The characters <, >, (, ), #, ’, and " are not permitted in most CLI fields, but you can use them in passwords. If you
use the apostrophe (‘) or quote (") character, you must precede it with a backslash (\) character when entering it in
the CLI set command.

IP address formats
You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example you can
type one of:
set ip 192.168.1.1 255.255.255.0
set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.

Editing the configuration file


You can change the FortiAnalyzer configuration by backing up the configuration file to an FTP, SCP, or SFTP
server. Then you can make changes to the file and restore it to the FortiAnalyzer unit.

1. Use the execute backup all-settings command to back up the configuration file to an FTP server. For
example,
execute backup all-settings ftp 10.10.0.1 mybackup.cfg myid mypass
2. Edit the configuration file using a text editor.
Related commands are listed together in the configuration file. For instance, all the system commands are
grouped together. You can edit the configuration by adding, changing or deleting the CLI commands in the
configuration file.

The first line of the configuration file contains information about the firmware version and FortiAnalyzer
model. Do not edit this line. If you change this information the FortiAnalyzer unit will reject the configuration
file when you attempt to restore it.

3. Use the execute restore all-settings command to copy the edited configuration file back to the
FortiAnalyzer unit. For example,
execute restore all-settings ftp 10.10.0.1 mybackup.cfg myid mypass
The FortiAnalyzer unit receives the configuration file and checks to make sure the firmware version and
model information is correct. If it is, the FortiAnalyzer unit loads the configuration file and checks each
command for errors. If the FortiAnalyzer unit finds an error, an error message is displayed after the command
and the command is rejected. Then the FortiAnalyzer unit restarts and loads the new configuration.

Changing the baud rate


Using execute console baudrate, you can change the default console connection baud rate.

To check the current baud rate enter the following CLI command:
# execute console baudrate [enter]
current baud rate is: 9600

To view baudrate options, enter the CLI command with the question mark (?).
# execute console baudrate ?
baudrate 9600 | 19200 | 38400 | 57600 | 115200
To change the baudrate, enter the CLI command as listed below.
# execute console baudrate 19200
Your console connection will get lost after changing baud rate.
Change your console setting!
Do you want to continue? (y/n)

Changing the default baud rate is not available on all models.

Debug log levels


The following table lists available debug log levels on your FortiAnalyzer.

Level  Type         Description

0      Emergency    The system has become unusable.
1      Alert        Immediate action is required.
2      Critical     Functionality is affected.
3      Error        An erroneous condition exists and functionality is probably affected.
4      Warning      Function might be affected.
5      Notice       Notification of normal events.
6      Information  General information about system operations.
7      Debug        Detailed information useful for debugging purposes.
8      Maximum      Maximum log level.

Administrative Domains

Administrative domains (ADOMs) enable the admin administrator to constrain other Fortinet unit administrators’
access privileges to a subset of devices in the device list. For FortiGate devices with virtual domains (VDOMs),
ADOMs can further restrict access to only data from a specific FortiGate VDOM.

About ADOMs

Enabling ADOMs alters the structure and available functionality of the Web-based Manager and CLI according to
whether you are logging in as the admin administrator, and, if you are not logging in as the admin administrator,
the administrator account’s assigned access profile.

The admin administrator can further restrict other administrators’ access to specific
configuration areas within their ADOM by using access profiles.

Characteristics of the CLI and Web-based Manager when ADOMs are enabled

                                     admin administrator account    Other administrators

Access to config system global       Yes                            No
Can create administrator accounts    Yes                            No
Can enter all ADOMs                  Yes                            No

• If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appears, allowing
unrestricted access and ADOM configuration.
config system global contains settings used by the FortiAnalyzer unit itself and settings shared by
ADOMs, such as the device list, RAID, and administrator accounts. It does not include ADOM-specific settings
or data, such as logs and reports. When configuring other administrator accounts, an additional option appears
allowing you to restrict other administrators to an ADOM.

• If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A
subset of the typical menus or CLI commands appears, allowing access only to logs, reports, quarantine files,
content archives, IP aliases, and LDAP queries specific to your ADOM. You cannot access Global Configuration, or
enter other ADOMs.
By default, administrator accounts other than the admin account are assigned to the root ADOM, which
includes all devices in the device list. By creating ADOMs that contain a subset of devices in the device list,
and assigning them to administrator accounts, you can restrict other administrator accounts to a subset of the
FortiAnalyzer unit’s total devices or VDOMs.

The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their
ADOM, and cannot configure ADOMs or Global Configuration.

The maximum number of ADOMs varies by FortiAnalyzer model.

FortiAnalyzer Model            Maximum ADOMs

FAZ-100C                       100
FAZ-200D                       150
FAZ-300D                       175
FAZ-400C                       300
FAZ-1000C and FAZ-1000D        2 000
FAZ-3000D and FAZ-3000E        2 000
FAZ-3500E and FAZ-3900E        4 000
FAZ-4000B                      2 000
FAZ-VM32 and FAZ-VM64          10 000

Configuring ADOMs

To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and
assign existing FortiAnalyzer administrators to ADOMs.

Enabling ADOMs moves non-global configuration items to the root ADOM. Back up
the FortiAnalyzer unit configuration before enabling ADOMs.

Within the CLI, you can enable ADOMs and set the administrator ADOM. To configure the ADOMs, you must use
the Web-based Manager.

To enable or disable ADOMs:

Enter the following CLI command:


config system global
set adom-status {enable | disable}
end
An administrative domain has two modes: normal and advanced. Normal mode is the default device mode. In
normal mode, a FortiGate unit can only be added to a single administrative domain. In advanced mode, you can
assign different VDOMs from the same FortiGate to multiple administrative domains.

Enabling the advanced mode option will result in a reduced operation mode and more
complicated management scenarios. It is recommended only for advanced users.

To change ADOM device modes:

Enter the following CLI command:


config system global
set adom-mode {advanced | normal}
end

To assign an administrator to an ADOM:

Enter the following CLI command:


config system admin user
edit <name>
set adom <adom_name>
next
end
where <name> is the administrator user name and <adom_name> is the ADOM name.

system

Use system commands to configure options related to the overall operation of the FortiAnalyzer unit.

FortiAnalyzer CLI commands and variables are case sensitive.

admin

Use the following commands to configure admin related settings.

admin group
Use this command to add, edit, and delete admin user groups.

Syntax
config system admin group
edit <name>
set <member>
end
Variable Description

<name> Enter the name of the group you are editing or enter a new name to create
an entry. Character limit: 63

<member> Add group members.

admin ldap
Use this command to add, edit, and delete Lightweight Directory Access Protocol (LDAP) users.

Syntax
config system admin ldap
edit <name>
set server <string>
set cnid <string>
set dn <string>
set port <integer>
set type {anonymous | regular | simple}
set username <string>
set password <passwd>
set group <string>
set filter <string>
set attributes <filter>
set secure {disable | ldaps | starttls}
set ca-cert <string>
set connect-timeout <integer>
set adom <adom-name>
end

Variable Description

<name> Enter the name of the LDAP server or enter a new name to create an entry.
Character limit: 63

server <string> Enter the LDAP server domain name or IPv4 address. Enter a new name to
create a new entry.

cnid <string> Enter the common name identifier.
Default: cn
Character limit: 20

dn <string> Enter the distinguished name.

port <integer> Enter the port number for LDAP server communication.
Default: 389
Range: 1 to 65535

type {anonymous | regular | simple} Set a binding type. The following options are available:
• anonymous: Bind using anonymous user search
• regular: Bind using username/password and then search
• simple: Simple password authentication without search
Default: simple

username <string> Enter a username. This variable appears only when type is set to regular.

password <passwd> Enter a password for the username above. This variable appears only when
type is set to regular.

group <string> Enter an authorization group. The authentication user must be a member
of this group (full DN) on the server.

filter <string> Enter content for group searching. For example:
(&(objectcategory=group)(member=*))
(&(objectclass=groupofnames)(member=*))
(&(objectclass=groupofuniquenames)(uniquemember=*))
(&(objectclass=posixgroup)(memberuid=*))

attributes <filter> Attributes used for group searching (for multi-attributes, use a comma as a
separator). For example:
• member
• uniquemember
• member,uniquemember

secure {disable | ldaps | starttls} Set the SSL connection type.

ca-cert <string> CA certificate name. This variable appears only when secure is set to
ldaps or starttls.

connect-timeout <integer> Set the LDAP connection timeout (msec).

adom <adom-name> Set the ADOM name to link to the LDAP configuration.

Example
This example shows how to add the LDAP user user1 at the IPv4 address 206.205.204.203.
config system admin ldap
edit user1
set server 206.205.204.203
set dn techdoc
set type regular
set username auth1
set password auth1_pwd
set group techdoc
end

admin profile
Use this command to configure access profiles. In a newly-created access profile, no access is enabled.

Syntax
config system admin profile
edit <profile_name>
set description <text>
set scope {adom | global}
set system-setting {none | read | read-write}
set adom-switch {none | read | read-write}
set device-manager {none | read | read-write}
set device-op {none | read | read-write}
set realtime-monitor {none | read | read-write}
set log-viewer {none | read | read-write}
set report-viewer {none | read | read-write}
set event-management {none | read | read-write}
set change-password {enable | disable}
end

Use the show command to display the current configuration if it has been changed from its default value:
show system admin profile

Variable Description

<profile> Edit the access profile. Enter a new name to create a new profile. The predefined
access profiles are Super_User, Standard_User, Restricted_User, and Package_User.
Character limit: 35

adom-switch {none | read | read-write} Configure administrative domain (ADOM) permissions for this profile.
Select none to hide this option from the administrator in the GUI. The following options are available:
• none: No permission.
• read: Read permission.
• read-write: Read-write permission.
Controlled functions: ADOM settings in DVM, ADOM settings in All ADOMs page (under System Settings tab)
Dependencies: If system-setting is none, the All ADOMs page is not accessible, type must be set to system

change-password {enable | disable} Enable/disable allowing restricted users to change their password.
The following options are available:
• disable: Disable setting.
• enable: Enable setting.

description <string> Enter a description for this access profile. Enclose the description in quotes
if it contains spaces. Character limit: 1023

device-manager {none | read | read-write} Enter the level of access to Device Manager settings for this profile.
Select none to hide this option from the administrator in the GUI. The following options are available:
• none: No permission.
• read: Read permission.
• read-write: Read-write permission.
This command corresponds to the Device Manager option in the GUI administrator profile.
Controlled functions: Device Manager tab
Dependencies: type must be set to system

device-op {none | read | read-write} Add the capability to add, delete, and edit devices to this profile.
Select none to hide this option from the administrator in the GUI. The following options are available:
• none: No permission.
• read: Read permission.
• read-write: Read-write permission.
This command corresponds to the Add/Delete Devices/Groups option in the GUI administrator profile.
This is a sub-setting of device-manager.
Controlled functions: Add or delete devices or groups
Dependencies: type must be set to system

event-management {none | read | read-write} Set the Event Management permission. Select none to hide this
option from the administrator in the GUI. The following options are available:
• none: No permission.
• read: Read permission.
• read-write: Read-write permission.
This command corresponds to the Event Management option in the GUI administrator profile.
Controlled functions: Event Management tab and all its operations
Dependencies: faz-status must be set to enable in system global, type must be set to system

log-viewer {none | read | read-write} Set the Log View permission. Select none to hide this option from the
administrator in the GUI. Enter one of the following settings:
• none: No permission.
• read: Read permission.
• read-write: Read-write permission.
This command corresponds to the Log View option in the GUI administrator profile.
Controlled functions: Log View and all its operations
Dependencies: faz-status must be set to enable in system global, type must be set to system

realtime-monitor {none | read | read-write} Enter the level of access to the Drill Down configuration settings
for this profile. Select none to hide this option from the administrator in the GUI.
Enter one of the following settings:
• none: No permission.
• read: Read permission.
• read-write: Read-write permission.
This command corresponds to the Drill Down option in the GUI administrator profile.
Controlled functions: Drill Down tab and all its operations
Dependencies: faz-status must be set to enable in system global, type must be set to system

report-viewer {none | read | read-write} Set the Reports permission. Select none to hide this option from the
administrator in the GUI. Enter one of the following settings:
• none: No permission.
• read: Read permission.
• read-write: Read-write permission.
This command corresponds to the Reports option in the GUI administrator profile.
Controlled functions: Reports tab and all its operations
Dependencies: faz-status must be set to enable in system global, type must be set to system

scope (Not Applicable) CLI command is not in use.

system-setting {none | read | read-write} Configure System Settings permissions for this profile. Select none
to hide this option from the administrator in the GUI. Enter one of the following settings:
• none: No permission.
• read: Read permission.
• read-write: Read-write permission.
This command corresponds to the System Settings option in the GUI administrator profile.
Controlled functions: System Settings tab, All the settings under System setting
Dependencies: type must be set to system

admin radius
Use this command to add, edit, and delete administration RADIUS servers.

Syntax
config system admin radius
edit <server>
set auth-type {any | chap | mschap2 | pap}
set nas-ip <ipv4_address>
set port <integer>
set secondary-secret <passwd>
set secondary-server <string>
set secret <passwd>
set server <string>
end
Variable Description

<server> Enter the name of the RADIUS server or enter a new name to create an
entry. Character limit: 63

auth-type {any | chap | mschap2 | pap} Enter the authentication protocol the RADIUS server will use.
• any: Use any supported authentication protocol.
• mschap2: Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2).
• chap: Challenge Handshake Authentication Protocol (CHAP).
• pap: Password Authentication Protocol (PAP).

nas-ip <ipv4_address> Enter the network access server (NAS) IPv4 address and called station ID.

port <integer> Enter the RADIUS server port number.
Default: 1812
Range: 1 to 65535

secondary-secret <passwd> Enter the password to access the RADIUS secondary-server. Character
limit: 64

secondary-server <string> Enter the RADIUS secondary-server DNS resolvable domain name or IPv4
address.

secret <passwd> Enter the password to access the RADIUS server. Character limit: 64

server <string> Enter the RADIUS server DNS resolvable domain name or IPv4 address.

Example
This example shows how to add the RADIUS server RAID1 at the IPv4 address 206.205.204.203 and set the
shared secret as R1a2D3i4U5s.
config system admin radius
edit RAID1
set server 206.205.204.203
set secret R1a2D3i4U5s
end

admin setting
Use this command to configure system administration settings, including web administration ports, timeout, and
language.

Syntax
config system admin setting
set access-banner {enable | disable}
set admin-https-redirect {enable | disable}
set admin-login-max <integer>
set admin_server_cert <admin_server_certificate>
set banner-message <string>
set http_port <integer>
set https_port <integer>
set idle_timeout <integer>
set show-add-multiple {enable | disable}
set show-checkbox-in-table {enable | disable}
set show-device-import-export {enable | disable}
set show-log-forwarding {enable | disable}
set unreg_dev_opt {add_allow_service | add_no_service}
set webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}
end
Variable Description

access-banner {enable | disable} Enable/disable the access banner. Default: disable

admin-https-redirect {enable | disable} Enable/disable the redirection of HTTP admin traffic to HTTPS.

admin-login-max <integer> Set the maximum number of admin users that can be logged in at one time.
Range: 1 to 256 (users)

admin_server_cert <admin_server_certificate> Enter the name of an HTTPS server certificate to use for secure
connections. FortiAnalyzer has the following certificates pre-loaded: server.crt and Fortinet_Local.

banner-message <string> Enter a banner message. Character limit: 255

http_port <integer> Enter the HTTP port number for web administration.
Default: 80
Range: 1 to 65535

https_port <integer> Enter the HTTPS port number for web administration.
Default: 443
Range: 1 to 65535

idle_timeout <integer> Enter the idle timeout value.
Default: 5
Range: 1 to 480 (minutes)

show-add-multiple {enable | disable} Enable/disable display of the add multiple button in the GUI.

show-checkbox-in-table {enable | disable} Show checkboxes in tables in the GUI.

show-device-import-export {enable | disable} Enable/disable import/export of ADOM, device, and group lists.

show-log-forwarding {enable | disable} Enable/disable display of the log forwarding tab in analyzer mode.

unreg_dev_opt {add_allow_service | add_no_service} Select action to take when an unregistered device connects
to FortiAnalyzer. The following options are available:
• add_allow_service: Add unregistered devices and allow service requests.
• add_no_service: Add unregistered devices and deny service requests.
Default: add_allow_service

webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}
Enter the language to be used for web administration. The following options are available:
• auto_detect: Automatically detect language.
• english: English.
• japanese: Japanese.
• korean: Korean.
• simplified_chinese: Simplified Chinese.
• traditional_chinese: Traditional Chinese.
Default: auto_detect

Use the show command to display the current configuration if it has been changed from its default value:
show system admin setting

admin tacacs
Use this command to add, edit, and delete administration TACACS+ servers.

Syntax
config system admin tacacs
edit <name>
set authen-type {ascii | auto | chap | mschap | pap}
set authorization {enable | disable}
set key <passwd>
set port <integer>
set secondary-key <passwd>
set secondary-server <string>
set server <string>
set tertiary-key <passwd>
set tertiary-server <string>
end
Variable Description

<name> Enter the name of the TACACS+ server or enter a new name to create an
entry. Character limit: 63

authen-type {ascii | auto | chap | mschap | pap} Choose which authentication type to use. The following
options are available:
• ascii: ASCII
• auto: Uses PAP, MSCHAP, and CHAP (in that order).
• chap: Challenge Handshake Authentication Protocol (CHAP)
• mschap: Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
• pap: Password Authentication Protocol (PAP).
Default: auto

authorization {enable | disable} Enable/disable TACACS+ authorization. The following options are
available:
• disable: Disable TACACS+ authorization.
• enable: Enable TACACS+ authorization (service = FortiGate).

key <passwd> Key to access the server. Character limit: 128

port <integer> Port number of the TACACS+ server. Range: 1 to 65535

secondary-key <passwd> Key to access the secondary server. Character limit: 128

secondary-server <string> Secondary server domain name or IPv4 address.

server <string> The server domain name or IPv4 address.

tertiary-key <passwd> Key to access the tertiary server. Character limit: 128

tertiary-server <string> Tertiary server domain name or IPv4 address.

Example
This example shows how to add the TACACS+ server TAC1 at the IPv4 address 206.205.204.203 and set the
key as R1a2D3i4U5s.
config system admin tacacs
edit TAC1
set server 206.205.204.203
set key R1a2D3i4U5s
end

admin user
Use this command to add, edit, and delete administrator accounts.

Use the admin account or an account with System Settings read and write privileges to add new administrator
accounts and control their permission levels. Each administrator account must include a minimum of an access
profile. The access profile list is ordered alphabetically, capitals first. If custom profiles are defined, it may change
the default profile from Restricted_User. You cannot delete the admin administrator account. You cannot delete
an administrator account if that user is logged on.

You can create meta-data fields for administrator accounts. These objects must be created
using the FortiAnalyzer GUI. The only information you can add to the object is the value of
the field (pre-determined text/numbers). For more information, see System Settings in the
FortiAnalyzer Administration Guide.

Syntax
config system admin user
edit <name_str>
set password <passwd>
set change-password {enable | disable}
set trusthost1 <ipv4_mask>
set trusthost2 <ipv4_mask>
set trusthost3 <ipv4_mask>
...
set trusthost10 <ipv4_mask>
set ipv6_trusthost1 <ipv6_mask>
set ipv6_trusthost2 <ipv6_mask>
set ipv6_trusthost3 <ipv6_mask>
...
set ipv6_trusthost10 <ipv6_mask>
set profileid <profile-name>
set adom <adom_name(s)>
set web-filter <Web Filter profile name>
set ips-filter <IPS Sensor name>
set app-filter <Application Sensor name>
set policy-package {<adom name>: <policy package id> <adom policy folder name>/
<package name> | all_policy_packages}
set restrict-access {enable | disable}
set rpc-permit {enable | disable}
set description <string>
set user_type {group | ldap | local | pki-auth | radius | tacacs-plus}
set group <string>
set ldap-server <string>
set radius_server <string>
set tacacs-plus-server <string>
set ssh-public-key1 <key-type> <key-value>
set ssh-public-key2 <key-type> <key-value>
set ssh-public-key3 <key-type> <key-value>
set wildcard <enable | disable>
set radius-accprofile-override <enable | disable>
set radius-adom-override <enable | disable>
set radius-group-match <string>
set password-expire <yyyy-mm-dd>
set force-password-change {enable | disable}
set subject <string>
set ca <string>
set two-factor-auth {enable | disable}
set last-name <string>
set first-name <string>
set email-address <string>
set phone-number <string>
set mobile-number <string>
set pager-number <string>
end
config meta-data
edit <fieldname>
set fieldlength
set fieldvalue <string>
set importance
set status
end
end
config dashboard-tabs
edit tabid <integer>
set name <string>
end
end


config dashboard
edit moduleid
set name <string>
set column <column_pos>
set refresh-inverval <integer>
set status {close | open}
set tabid <integer>
set widget-type <string>
set log-rate-type {device | log}
set log-rate-topn {1 | 2 | 3 | 4 | 5}
set log-rate-period {1hour | 2min | 6hours}
set res-view-type {history | real-time}
set res-period {10min | day | hour}
set res-cpu-display {average | each}
set num-entries <integer>
set time-period {1hour | 24hour | 8hour}
end
end
config restrict-dev-vdom
edit dev-vdom <string>
end
end
Variable Description

<name_string> Enter the name of the admin user or enter a new name to create a new
user. Character limit: 35

password <passwd> Enter a password for the administrator account. For improved security, the
password should be at least 6 characters long. This variable is available
only if user_type is local. Character limit: 128

change-password {enable | disable} Enable/disable allowing restricted users to change their password.

trusthost1 <ipv4_mask>
trusthost2 <ipv4_mask>
trusthost3 <ipv4_mask>
...
trusthost10 <ipv4_mask>
Optionally, type the trusted host IPv4 address and network mask from which the administrator
can log in to the FortiAnalyzer system. You can specify up to ten trusted hosts.
Setting trusted hosts for all of your administrators can enhance the security of your system.
Defaults:
trusthost1: 0.0.0.0 0.0.0.0 for all
others: 255.255.255.255 255.255.255.255 for none

ipv6_trusthost1 <ipv6_mask>
ipv6_trusthost2 <ipv6_mask>
ipv6_trusthost3 <ipv6_mask>
...
ipv6_trusthost10 <ipv6_mask>
Optionally, type the trusted host IPv6 address from which the administrator can log in to the
FortiAnalyzer system. You can specify up to ten trusted hosts.
Setting trusted hosts for all of your administrators can enhance the security of your system.
Defaults:
ipv6_trusthost1: ::/0 for all
others: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 for none


profileid <profile-name> Enter the name of the access profile to assign to this administrator
account. Access profiles control administrator access to FortiAnalyzer features.
Default: Restricted_User
Character limit: 35

adom <adom_name(s)> Enter the name(s) of the ADOM(s) the administrator belongs to. Any
configuration of ADOMs takes place via the FortiAnalyzer GUI.

web-filter <Web Filter profile name> Enter the Web Filter profile to associate with the restricted admin profile.
Dependencies: The admin user must be associated with a restricted admin profile.

ips-filter <IPS Sensor name> Enter the IPS Sensor to associate with the restricted admin profile.
Dependencies: The admin user must be associated with a restricted admin profile.

app-filter <Application Sensor name> Enter the Application Sensor to associate with the restricted admin profile.
Dependencies: The admin user must be associated with a restricted admin profile.

policy-package {<adom name>: <policy package id> <adom policy folder name>/ <package name> |
all_policy_packages} Policy package access

restrict-access {enable | disable} Enable/disable restricted access to the development VDOM (dev-vdom).
Default: disable

rpc-permit {none | read-only | read-write} Set the permission level for login via Remote Procedure
Call (RPC). The following options are available:
• none: No permission.
• read-only: Read-only permission.
• read-write: Read-write permission.

description <string> Enter a description for this administrator account. When using spaces,
enclose description in quotes. Character limit: 127


user_type {group | ldap | local | pki-auth | radius | tacacs-plus} Enter local if the FortiAnalyzer
system verifies the administrator’s password. Enter radius if a RADIUS server verifies the
administrator’s password. Enter one of the following:
• group: Group user.
• ldap: LDAP user.
• local: Local user.
• pki-auth: PKI user.
• radius: RADIUS user.
• tacacs-plus: TACACS+ user.
Default: local

group <string> Enter the group name.

ldap-server <string> Enter the LDAP server name if the user type is set to LDAP.

radius_server <string> Enter the RADIUS server name if the user type is set to RADIUS.

tacacs-plus-server <string> Enter the TACACS+ server name if the user type is set to TACACS+.

ssh-public-key1 <key-type> <key-value>
ssh-public-key2 <key-type> <key-value>
ssh-public-key3 <key-type> <key-value>
You can specify the public keys of up to three SSH clients. These clients are authenticated
without being asked for the administrator password. You must create the public-private key pair
in the SSH client application.
<key-type> is ssh-dss for a DSA key, ssh-rsa for an RSA key.
<key-value> is the public key string of the SSH client.

wildcard {enable | disable} Enable/disable wildcard remote authentication.

radius-accprofile-override {enable | disable} Allow access profile to be overridden from RADIUS.

radius-adom-override {enable | disable} Enable/disable the ADOM to be overridden from RADIUS.
In order to support vendor specific attributes (VSA), the RADIUS server requires a dictionary to
define which VSAs to support. The Fortinet RADIUS vendor ID is 12365. The Fortinet-Vdom-Name
attribute is used by this command.

radius-group-match <string> Only administrators that belong to this group are allowed to log in.

password-expire <yyyy-mm-dd> When enforcing the password policy, enter the date that the current
password will expire.

force-password-change {enable | disable} Enable/disable force password change on next login.


subject <string> PKI user certificate name constraints. This command is available when a
PKI administrator account is configured.

ca <string> PKI user certificate CA (CA name in local). This command is available
when a PKI administrator account is configured.

two-factor-auth {enable | disable} Enable/disable two-factor authentication (certificate + password).
This command is available when a PKI administrator account is configured.

last-name <string> Administrator's last name. Character limit: 63

first-name <string> Administrator's first name. Character limit: 63

email-address <string> Administrator's email address.

phone-number <string> Administrator's phone number.

mobile-number <string> Administrator's mobile phone number.

pager-number <string> Administrator's pager number.

Subcommand variables

This subcommand can only change the value of an existing field.


To create a new metadata field, use the config metadata command.

Variable for config meta-data subcommand:

fieldname The label/name of the field. Read-only. Default: 50

fieldlength The maximum number of characters allowed for this field. Read-only.

fieldvalue <string> Enter a pre-determined value for the field. This is the only value that can be
changed with the config meta-data subcommand. Character limit:
255

importance Indicates whether the field is compulsory (required) or optional (optional).
Read-only. Default: optional

status For display only. Value cannot be changed. Default: enable

Subcommand variables

Variable for config dashboard-tabs subcommand:

tabid <integer> Tab ID.

name <string> Tab name.


Subcommand variables

Variable for config dashboard subcommand:

moduleid Widget ID.
• 1: System Information
• 2: System Resources
• 3: License Information
• 4: Unit Operation
• 5: Log Receive Monitor
• 6: Logs/Data Received
• 7: Statistics
• 8: Insert Rate vs Receive Rate
• 9: Log Insert Lag Time
• 10: Alert Message Console
• 11: CLI Console

name <string> Widget name. Character limit: 63

column <column_pos> Widget’s column ID.

refresh-inverval <integer> Widget’s refresh interval. Default: 300

status {close | open} Widget’s opened/closed status. Default: open

tabid <integer> ID of the tab where the widget is displayed. Default: 0

widget-type <string> Widget type. The following options are available:
• alert: Alert Message Console.
• devsummary: Device Summary.
• jsconsole: CLI Console.
• licinfo: License Information.
• logdb-lag: Log Database Lag Time.
• logdb-perf: Log Database Performance Monitor.
• logrecv: Logs/Data Received.
• raid: Disk Monitor.
• rpteng: Report Engine.
• statistics: Statistics.
• sysinfo: System Information.
• sysop: Unit Operation.
• sysres: System resources.
• top-lograte: Log Receive Monitor.

log-rate-type {device | log} Log receive monitor widget’s statistics breakdown options.


log-rate-topn {1 | 2 | 3 | 4 | 5} Log receive monitor widget’s number of top items to display.

log-rate-period {1hour | 2min | 6hours} Log receive monitor widget’s data period.

res-view-type {history | real-time} Widget’s data view type. The following options are available:
• history: History view.
• real-time: Real-time view.

res-period {10min | day | hour} Widget’s data period. The following options are available:
• 10min: Last 10 minutes.
• day: Last day.
• hour: Last hour.

res-cpu-display {average | each} Widget’s CPU display type. The following options are available:
• average: Average usage of CPU.
• each: Each usage of CPU.

num-entries <integer> Number of entries.

time-period {1hour | 24hour | 8hour} Set the Log Database Monitor widget's data period. One of
1 hour, 8 hours, or 24 hours.

Subcommand variables

Variable for config restrict-dev-vdom subcommand:

dev-vdom <string> Enter device or VDOM to edit.

Using trusted hosts


Setting trusted hosts for all of your administrators increases the security of your network by further restricting
administrative access. In addition to knowing the password, an administrator must connect only through the
subnet or subnets you specify. You can even restrict an administrator to a single IPv4 address if you define only
one trusted host IPv4 address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiAnalyzer system does not respond to administrative
access attempts from any other hosts. This provides the highest security. If you leave even one administrator
unrestricted, the unit accepts administrative access attempts on any interface that has administrative access
enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply both to the GUI and to the CLI when accessed through SSH. CLI access
through the console connector is not affected.
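An added example, not part of the Fortinet reference: a Python audit of a saved config system admin user block that applies the trusted-host defaults listed in the variable table and reports which administrators still accept logins from any address. The sample configuration, the next delimiters that close each entry, and the assumption that unset trusted hosts take the documented defaults are constructed for illustration.

```python
import ipaddress
import shlex

# Defaults as listed in the variable table of this reference.
V4_ALL = ipaddress.ip_network("0.0.0.0/0.0.0.0")
V4_NONE = ipaddress.ip_network("255.255.255.255/255.255.255.255")
V6_ALL = ipaddress.ip_network("::/0")
V6_NONE = ipaddress.ip_network("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128")

# Constructed sample, not taken from a real unit. The "next" keyword that
# closes each edit entry is an assumption about the saved configuration layout.
SAMPLE_CONFIG = '''
config system admin user
    edit "admin"
        set profileid "Super_User"
        set trusthost1 10.10.20.0 255.255.255.0
        set ipv6_trusthost1 2001:db8:20::/64
    next
    edit "admin_2"
        set description "Backup administrator"
        set profileid "Super_User"
    next
    edit "auditor"
        set profileid "Restricted_User"
        set trusthost1 192.0.2.15 255.255.255.255
        config dashboard
            edit 1
                set name "System Information"
            next
        end
    next
end
'''


def parse_admins(config_text):
    """Return {admin name: {keyword: [arguments]}} for each administrator."""
    admins, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:          # unbalanced quote in a free-text value
            tokens = raw.split()
        if not tokens:
            continue
        word = tokens[0]
        if word == "config":
            depth += 1
        elif word == "end":
            depth -= 1
            if depth < 1:
                current = None
        elif depth != 1:
            continue                # inside meta-data, dashboard, and so on
        elif word == "edit" and len(tokens) > 1:
            current = admins.setdefault(tokens[1], {})
        elif word == "next":
            current = None
        elif word == "set" and current is not None and len(tokens) > 2:
            current[tokens[1]] = tokens[2:]
    return admins


def trusted_networks(settings):
    """Effective trusted hosts: explicit values, else the documented defaults."""
    nets = []
    for i in range(1, 11):
        v4 = settings.get(f"trusthost{i}")
        v6 = settings.get(f"ipv6_trusthost{i}")
        # IPv4 may be "addr mask" (two tokens) or "addr/len" (one token).
        nets.append(ipaddress.ip_network("/".join(v4[:2]), strict=False)
                    if v4 else (V4_ALL if i == 1 else V4_NONE))
        nets.append(ipaddress.ip_network(v6[0], strict=False)
                    if v6 else (V6_ALL if i == 1 else V6_NONE))
    # The all-ones entries mean "no host" and grant nothing.
    return [n for n in nets if n not in (V4_NONE, V6_NONE)]


def audit(config_text):
    """Map each administrator to the address families open to any source."""
    report = {}
    for name, settings in parse_admins(config_text).items():
        nets = trusted_networks(settings)
        report[name] = sorted({f"IPv{n.version}" for n in nets if n.prefixlen == 0})
    return report


def unrestricted_admins(report):
    """Accounts that keep the unit answering administrative logins from anywhere."""
    return sorted(name for name, families in report.items() if families)


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name, families in report.items():
        status = "open on " + ", ".join(families) if families else "restricted"
        print(f"{name}: {status}")
    print("unrestricted:", unrestricted_admins(report))
```

In the sample, auditor is limited to a single IPv4 host but is still reported, because ipv6_trusthost1 was left at its default of ::/0.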

Example
Use the following commands to add a new administrator account named admin_2 with the password set to
p8ssw0rd and the Super_User access profile. Administrators that log in to this account will have
administrator access to the FortiAnalyzer system from any IPv4 address.

config system admin user
edit admin_2
set description "Backup administrator"
set password p8ssw0rd
set profileid Super_User
end

aggregation-client

Use the following commands to configure log aggregation.

Syntax
config system aggregation-client
edit <id>
set mode {aggregation | both | disable | realtime}
set agg-password <passwd>
set server-ip <ipv4_address>
set agg-archive-types {Web_Archive | Email_Archive | File_Transfer_Archive | IM_Archive |
MMS_Archive | AV_Quarantine | IPS_Packets}
set agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter |
event | history | traffic | virus | webfilter | netscan}
set agg-time <integer>
set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp |
kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 |
local7 | lpr | mail | news | ntp | syslog | user | uucp}
set fwd-log-source-ip {local_ip | original_ip}
set fwd-min-level {alert | critical | debug | emergency | error | information |
notification | warning}
set fwd-remote-server {cef | fortianalyzer | syslog}
set fwd-reliable {enable | disable}
set server-device <string>
set server-name <string>
set server-port <integer>
config device-filter
edit id
set action {exclude | include}
set device <string>
end
end
Variable Description

<id> Enter the log aggregation ID that you want to edit. Enter edit ? to view
available entries.


mode {aggregation | both | disable | realtime} Log aggregation mode. The following options are available:
• aggregation: Aggregate logs to FortiAnalyzer
• both: Forward and aggregate logs to the FortiAnalyzer
• disable: Do not forward or aggregate logs
• realtime: Real time forward logs to the FortiAnalyzer

agg-password <passwd> Log aggregation access password for server. Command only available
when the mode is set to aggregation or both.

server-ip <ipv4_address> Remote server IPv4 address. Command only available when the mode is
set to aggregation, both, or realtime.

agg-archive-types {Web_Archive | Email_Archive | File_Transfer_Archive | IM_Archive |
MMS_Archive | AV_Quarantine | IPS_Packets} Archive type. Command only available when the mode is
set to aggregation or both. The following options are available:
• Web_Archive: Web_Archive
• Secure_Web_Archive: Secure_Web_Archive
• Email_Archive: Email_Archive
• File_Transfer_Archive: File_Transfer_Archive
• IM_Archive: IM_Archive
• MMS_Archive: MMS_Archive
• AV_Quarantine: AV_Quarantine
• IPS_Packets: IPS_Packets

agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter | event | history | traffic |
virus | webfilter | netscan} Log type. Command only available when the mode is set to
aggregation or both. The following options are available:
• none: none
• app-ctrl: app-ctrl
• attack: attack
• content: content
• dlp: dlp
• emailfilter: emailfilter
• event: event
• history: history
• traffic: traffic
• virus: virus
• webfilter: webfilter
• netscan: netscan

agg-time <integer> Daily at the selected time. Command only available when the mode is set
to aggregation or both.


fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 |
local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog |
user | uucp} Facility for remote syslog. The command is only available when the mode
is set to realtime or both. The following options are available:
• alert: Log alert
• audit: Log audit
• auth: Security/authorization messages
• authpriv: Security/authorization messages (private)
• clock: Clock daemon
• cron: Clock daemon
• daemon: System daemons
• ftp: FTP daemon
• kernel: Kernel messages
• local0, local1, local2, local3, local4, local5, local6, local7: Reserved for local use
• lpr: Line printer subsystem
• mail: Mail system
• news: Network news subsystem
• ntp: NTP daemon
• syslog: Messages generated internally by syslogd
• user: Random user level messages
• uucp: Network news subsystem

fwd-log-source-ip {local_ip | original_ip} The logs source IP address. Command only available
when the mode is set to realtime or both. The following options are available:
• local_ip: Use local IP
• original_ip: Use original source IP

fwd-min-level {alert | critical | debug | emergency | error | information | notification |
warning} Forward logs more severe than this level. This command is only available
when the mode is set to realtime or both. The following options are available:
• emergency: The unit is unusable.
• alert: Immediate action is required.
• critical: Functionality is affected.
• error: Functionality is probably affected.
• warning: Functionality might be affected.
• notification: Information about normal events.
• information: General information about unit operations.
• debug: Information used for diagnosis or debugging.


fwd-remote-server {cef | fortianalyzer | syslog} Forwarding all logs to a CEF (Common Event
Format) server, syslog server, or the FortiAnalyzer device. This command is only available when
the mode is set to realtime or both. The following options are available:
• cef: Common Event Format server
• fortianalyzer: FortiAnalyzer device
• syslog: Syslog server

fwd-reliable {enable | disable} Enable/disable reliable logging.
fwd-remote-server must be set to syslog to support reliable forwarding.
This command is only available when the mode is set to both or realtime.

server-device <id> Log aggregation server device ID.
Example: set server-device FL-1KC3R11600346
where FL-1KC3R11600346 is the device ID and 1.1.1.1 is the IP address of
the FortiAnalyzer device to be registered in the DVM table of another
FortiAnalyzer for aggregation client configuration.

server-name <string> Log aggregation server name.

server-port <integer> Enter the server listen port. This command is available when the mode is
set to both or realtime. Range: 1 to 65535

Variable for config device-filter subcommand:

Variable Description

id Enter the device filter ID or enter a number to create a new entry.

action {exclude | include} Select to exclude or include the specified device.

device <string> Select All_FortiGates, All_FortiMail, All_FortiWebs, or specify specific devices.

Use the show command to display the current configuration if it has been changed from its default value:
show system aggregation-client

aggregation-service

Use the following commands to configure log aggregation service.

This command is not available on all models.


Syntax
config system aggregation-service
set accept-aggregation {enable | disable}
set accept-realtime-log {enable | disable}
set aggregation-disk-quota <integer>
set password <passwd>
end
Variable Description

accept-aggregation {enable | disable} Enable/disable accept log aggregation option.

accept-realtime-log {enable | disable} Enable/disable accept real time logs.

aggregation-disk-quota <integer> Aggregated device disk quota (MB) on server. accept-aggregation
must be enabled.

password <passwd> Log aggregation access password for server. accept-aggregation must be enabled.
Character limit: 128

Use the show command to display the current configuration if it has been changed from its default value:
show system aggregation-service

alert-console

Use this command to configure the alert console options. The alert console appears on the dashboard in the GUI.

Syntax
config system alert-console
set period {1 | 2 | 3 | 4 | 5 | 6 | 7}
set severity-level {information | notify | warning | error | critical | alert |
emergency}
end
Variable Description

period {1 | 2 | 3 | 4 | 5 | 6 | 7} Enter the number of days to keep the alert console information
on the dashboard. Default: 7

severity-level {information | notify | warning | error | critical | alert | emergency} Enter the
severity level to display on the alert console on the dashboard. The following options are available:
• emergency: The unit is unusable.
• alert: Immediate action is required.
• critical: Functionality is affected.
• error: Functionality is probably affected.
• warning: Functionality might be affected.
• notification: Information about normal events.
• information: General information about unit operations.

Example
This example sets the alert console message display to warning for a duration of three days.
config system alert-console
set period 3
set severity-level warning
end

alert-event

Use alert-event commands to configure the FortiAnalyzer unit to monitor logs for log messages with certain
severity levels, or information within the logs. If the message appears in the logs, the FortiAnalyzer unit sends an
email or SNMP trap to a predefined recipient(s) of the log message encountered. Alert event messages provide
immediate notification of issues occurring on the FortiAnalyzer unit.

When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses the SMTP
server name to connect to the mail server and must look up this name on your DNS server.

alert-event was removed from the GUI in FortiAnalyzer version 5.0.3. This command
has been kept in the CLI for customers who previously configured this function.

Syntax
config system alert-event
edit <name_string>
config alert-destination
edit destination_id <integer>
set type {mail | snmp | syslog}
set from <email_address>
set to <email_address>
set smtp-name <server_name>
set snmp-name <server_name>
set syslog-name <server_name>
end
set enable-generic-text {enable | disable}
set enable-severity-filter {enable | disable}
set event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}
set generic-text <string>

set num-events {1 | 5 | 10 | 50 | 100}
set severity-filter {high | low | medium | medium-high | medium-low}
set severity-level-comp {>= | = | <=}
set severity-level-logs {no-check | information | notify | warning | error |
critical | alert | emergency}
end
Variable Description

<name_string> Enter a name for the alert event. Character limit: 63

destination_id <integer> Enter the table sequence number, beginning at 1.

type {mail | snmp | syslog} Select the alert event message method of delivery. Default: mail

from <email_address> Enter the email address of the sender of the message. This is available
when the type is set to mail.

to <email_address> Enter the recipient of the alert message. This is available when the type is
set to mail.

smtp-name <server_name> Enter the name of the mail server. This is available when the type is set to
mail.

snmp-name <server_name> Enter the snmp server name. This is available when the type is set to
snmp.

syslog-name <server_name> Enter the syslog server name or IPv4 address. This is available when the
type is set to syslog.

enable-generic-text {enable | disable} Enable the text alert option. Default: disable

enable-severity-filter {enable | disable} Enable the severity filter option. Default: disable

event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168} The period of time in hours during which
if the threshold number is exceeded, the event will be reported. The following options are available:
• 0.5: 30 minutes.
• 1: 1 hour.
• 3: 3 hours.
• 6: 6 hours.
• 12: 12 hours.
• 24: 1 day.
• 72: 3 days.
• 168: 1 week.

generic-text <string> Enter the text the alert looks for in the log messages. Character limit: 255


num-events {1 | 5 | 10 | 50 | 100} Set the number of events that must occur in the given interval
before it is reported.

severity-filter {high | low | medium | medium-high | medium-low} Set the alert severity indicator
for the alert message the FortiAnalyzer unit sends to the recipient.

severity-level-comp {>= | = | <=} Set the severity level in relation to the log level. Log messages
are monitored based on the log level. For example, alerts may be monitored if the
messages are greater than or equal to (>=) the Warning log level. The following options are available:
• >=: Greater than or equal to.
• =: Equal to.
• <=: Less than or equal to.

severity-level-logs {no-check | information | notify | warning | error | critical | alert |
emergency} Set the log level the FortiAnalyzer looks for when monitoring for alert messages.
The following options are available:
• no-check: Do not check severity level for this log type.
• emergency: The unit is unusable.
• alert: Immediate action is required.
• critical: Functionality is affected.
• error: Functionality is probably affected.
• warning: Functionality might be affected.
• notification: Information about normal events.
• information: General information about unit operations.

Example
In the following example, the alert message is set to send an email to the administrator when 5 warning log
messages appear over the span of three hours.
config system alert-event
edit warning
config alert-destination
edit 1
set type mail
set from fmgr@example.com
set to admin@example.com
set smtp-name mail.example.com
end
set enable-severity-filter enable
set event-time-period 3
set severity-level-logs warning
set severity-level-comp =
set severity-filter medium
end


alertemail

Use this command to configure alert email settings for your FortiAnalyzer unit.

All variables are required if authentication is enabled.

Syntax
config system alertemail
set authentication {enable | disable}
set fromaddress <email-address_string>
set fromname <string>
set smtppassword <passwd>
set smtpport <integer>
set smtpserver {<ipv4_address>|<fqdn_string>}
set smtpuser <username>
end
Variable Description

authentication {enable | disable} Enable/disable alert email authentication. Default: enable

fromaddress <email-address_string> The email address the alert message is from.
This is a required variable.

fromname <string> The SMTP name associated with the email address. To enter a name that
includes spaces, enclose the whole name in quotes.

smtppassword <passwd> Set the SMTP server password. Character limit: 39

smtpport <integer> The SMTP server port.
Default: 25
Range: 1 to 65535

smtpserver {<ipv4_address>|<fqdn_string>} The SMTP server address. Enter either a DNS resolvable
host name or an IPv4 address.

smtpuser <username> Set the SMTP server username. Character limit: 63

Example
Here is an example of configuring alertemail. Authentication is enabled, the alert is set in Mr. Customer’s name
and from his email address, the SMTP server port is the default port (25), and the SMTP server is at the IPv4
address 192.168.10.10.
config system alertemail
set authentication enable
set fromaddress customer@example.com
set fromname "Mr. Customer"
set smtpport 25
set smtpserver 192.168.10.10


end

auto-delete

Use this command to configure automatic deletion policies for logs, reports, and archived and quarantined files.

Syntax
config system auto-delete
config dlp-files-auto-deletion
set status {enable | disable}
set value <integer>
set when {days | hours | months | weeks}
end
config quarantine-files-auto-deletion
set status {enable | disable}
set value <integer>
set when {days | hours | months | weeks}
end
config log-auto-deletion
set status {enable | disable}
set value <integer>
set when {days | hours | months | weeks}
end
config report-auto-deletion
set status {enable | disable}
set value <integer>
set when {days | hours | months | weeks}
end
end
Variable Description

dlp-files-auto-deletion Automatic deletion policy for DLP archives.

quarantine-files-auto-deletion Automatic deletion policy for quarantined files.

log-auto-deletion Automatic deletion policy for device logs.

report-auto-deletion Automatic deletion policy for reports.

status {enable | disable} Enable/disable automatic deletion.

value <integer> Set the value integer. Range: 1 to 999

when {days | hours | months | weeks} Auto-delete data older than <value> days, hours, months, weeks.
The following options are available:
• days: Auto-delete data older than <value> days.
• hours: Auto-delete data older than <value> hours.
• months: Auto-delete data older than <value> months.
• weeks: Auto-delete data older than <value> weeks.


backup all-settings

Use this command to set or check the settings for scheduled backups.

Syntax
config system backup all-settings
set status {enable | disable}
set server {<ipv4_address>|<fqdn_str>}
set user <username>
set directory <string>
set week_days {monday tuesday wednesday thursday friday saturday sunday}
set time <hh:mm:ss>
set protocol {ftp | scp | sftp}
set passwd <passwd>
set cert <string>
set crptpasswd <passwd>
end
Variable Description

status {enable | disable} Enable/disable scheduled backups.
Default: disable

server {<ipv4_address>|<fqdn_str>} Enter the IPv4 address or DNS resolvable host name of the backup server.

user <username> Enter the user account name for the backup server. Character limit: 63

directory <string> Enter the name of the directory on the backup server in which to save the
backup file.

week_days {monday tuesday wednesday thursday friday saturday sunday} Enter the days of the week on
which to perform backups. You may enter multiple days.

time <hh:mm:ss> Enter the time of day to perform the backup. Time is required in the form
<hh:mm:ss>.

protocol {ftp | scp | sftp} Enter the transfer protocol.
Default: sftp

passwd <passwd> Enter the password for the backup server. Character limit: 63

cert <string> SSH certificate for authentication. Only available if the protocol is set to
scp.

crptpasswd <passwd> Optional password to protect backup content. Character limit: 63


Example
This example shows a configuration where the backup server is 172.20.120.11, using the admin account with no
password, saving to the /usr/local/backup directory. Backups are done on Mondays at 1:00pm using ftp.
config system backup all-settings
set status enable
set server 172.20.120.11
set user admin
set directory /usr/local/backup
set week_days monday
set time 13:00:00
set protocol ftp
end

central-management

Use this command to set or check the settings for central management.

Syntax
config system central-management
set type {fortimanager}
set allow-monitor {enable | disable}
set authorized-manager-only {enable | disable}
set serial-number <serial_number_string>
set fmg <string>
set enc-alogorithm {default | high | low}
end
Variable Description

type {fortimanager} Type of management server.

allow-monitor {enable | disable} Enable/disable remote monitoring of the device.

authorized-manager-only {enable | disable} Enable/disable the restricted to authorized manager only setting.

serial-number <serial_number_string> Set the device serial number. You can enter up to 5 serial numbers.

fmg <string> Set the IP address or FQDN of the FortiManager. Character limit: 31

enc-alogorithm {default | high | low} Set the SSL communication encryption algorithms. The following
options are available:
• default: SSL communication with high and medium encryption algorithms
• high: SSL communication with high encryption algorithms
• low: SSL communication with low encryption algorithms


Use the show command to display the current configuration if it has been changed from its default value:
show system central-management

certificate

Use the following commands to configure certificate related settings.

certificate ca
Use this command to install Certificate Authority (CA) root certificates.

When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local
certificate and the Certificate Revocation List (CRL).

The process for obtaining and installing certificates is as follows:

1. Use the execute certificate local generate command to generate a CSR.
2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
3. Use the system certificate local command to install the signed local certificate.
4. Use the system certificate ca command to install the CA certificate. Depending on your terminal
software, you can copy the certificate and paste it into the command.

Syntax
config system certificate ca
edit <ca_name>
set ca <certificate>
set comment <string>
end
To view all of the information about the certificate, use the get command:
get system certificate ca <ca_name>
Variable Description

<ca_name> Enter a name for the CA certificate. Character limit: 35

ca <certificate> Enter or retrieve the CA certificate in PEM format.

comment <string> Optionally, enter a descriptive comment. Character limit: 127

certificate crl
Use this command to configure CRLs.

Syntax
config system certificate crl
edit <name>
set crl <crl>
set comment <string>
end
Variable Description

<name> Enter a name for the CRL. Character limit: 35

crl <crl> Enter or retrieve the CRL in PEM format.

comment <string> Optionally, enter a descriptive comment for this CRL. Character limit: 127

certificate local
Use this command to install local certificates. When a CA processes your CSR, it sends you the CA certificate,
the signed local certificate and the CRL.

The process for obtaining and installing certificates is as follows:

1. Use the execute certificate local generate command to generate a CSR.
2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
3. Use the system certificate local command to install the signed local certificate.
4. Use the system certificate ca command to install the CA certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax
config system certificate local
edit <cert_name>
set password <passwd>
set comment <string>
set certificate <certificate_PEM>
set private-key <prkey>
set csr <csr_PEM>
end
To view all of the information about the certificate, use the get command:
get system certificate local [cert_name]
Variable Description

<cert_name> Enter the local certificate name. Character limit: 35

password <passwd> Enter the local certificate password. Character limit: 67

comment <string> Enter any relevant information about the certificate. Character length: 127

certificate <certificate_PEM> Enter the signed local certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit.

private-key <prkey> The private key in PEM format.

csr <csr_PEM> The CSR in PEM format.


certificate oftp
Use this command to install OFTP certificates and keys.

Syntax
config system certificate oftp
set certificate <certificate>
set comment <string>
set custom {enable | disable}
set private-key <key>
end
Variable Description

certificate <certificate> PEM format certificate.

comment <string> OFTP certificate comment. Character limit: 127

custom {enable | disable} Enable/disable custom certificates.

private-key <key> PEM format private key.

certificate ssh
Use this command to install SSH certificates and keys.

The process for obtaining and installing certificates is as follows:

1. Use the execute certificate local generate command to generate a CSR.
2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
3. Use the system certificate local command to install the signed local certificate.
4. Use the system certificate ca command to install the CA certificate.
5. Use the system certificate ssh command to install the SSH certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax
config system certificate ssh
edit <name>
set comment <comment_text>
set certificate <certificate>
set private-key <key>
end
To view all of the information about the certificate, use the get command:
get system certificate ssh [cert_name]


Variable Description

<name> Enter the SSH certificate name. Character limit: 63

comment <comment_text> Enter any relevant information about the certificate. Character limit: 127

certificate <certificate> Enter the signed SSH certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit.

private-key <key> The private key in PEM format.

dns

Use these commands to set the DNS server addresses. Several FortiAnalyzer functions, including sending alert
email, use DNS. In FortiAnalyzer v5.2.1 or later, you can configure both IPv4 and IPv6 DNS server addresses.

Syntax
config system dns
set primary <ipv4_address>
set secondary <ipv4_address>
set ip6-primary <ipv6_address>
set ip6-secondary <ipv6_address>
end
Variable Description

primary <ipv4_address> Enter the primary DNS server IPv4 address.

secondary <ipv4_address> Enter the secondary DNS server IPv4 address.

ip6-primary <ipv6_address> Enter the primary DNS server IPv6 address.

ip6-secondary <ipv6_address> Enter the secondary DNS IPv6 server address.

Example
This example shows how to set the primary FortiAnalyzer DNS server IPv4 address to 172.20.120.99 and the
secondary FortiAnalyzer DNS server IPv4 address to 192.168.1.199.
config system dns
set primary 172.20.120.99
set secondary 192.168.1.199
end


fips

Use this command to set the Federal Information Processing Standards (FIPS) status. FIPS mode is an
enhanced security option for some FortiAnalyzer models. Installation of FIPS firmware is required only if the unit
was not ordered with this firmware pre-installed.

Syntax
config system fips
set status {enable | disable}
set entropy-token {enable | disable | dynamic}
set re-seed-interval <integer>
end
Variable Description

status {enable | disable} Enable/disable the FIPS-CC mode of operation. Default: enable

entropy-token {enable | disable | dynamic} Configure support for the FortiTRNG entropy token. Default: disable
- enable: The token must be present during boot up and reseeding. If the token is not present, the boot up or reseeding is interrupted until the token is inserted.
- disable: The current entropy implementation is used to seed the Random Number Generator (RNG).
- dynamic: The token is used to seed or reseed the RNG if it is present. If the token is not present, the boot process is not blocked and the old entropy implementation is used.

re-seed-interval <integer> The amount of time, in minutes, between RNG reseeding. Default: 1440

fortiview

Use this command to configure FortiView settings.

Syntax
config system fortiview setting
set not-scanned apps {exclude | include}
set resolve-ip {enable | disable}
end


Variable Description

not-scanned apps {exclude | include} Include/exclude ‘Not.Scanned’ applications in FortiView. The following options are available:
- exclude: Exclude 'Not.Scanned' applications in FortiView.
- include: Include 'Not.Scanned' applications in FortiView.

resolve-ip {enable | disable} Enable or disable resolving the IP address to the hostname in FortiView.

global

Use this command to configure global settings that affect miscellaneous FortiAnalyzer features.

Syntax
config system global
set admin-https-pki-required {disable | enable}
set admin-lockout-duration <integer>
set admin-lockout-threshold <integer>
set admin-maintainer {disable | enable}
set adom-mode {advanced | normal}
set adom-rev-auto-delete {by-days | by-revisions | disable}
set adom-rev-max-days <integer>
set adom-rev-max-revisions <integer>
set adom-status {enable | disable}
set clt-cert-req {disable | enable}
set console-output {more | standard}
set country-flag {disable | enable}
set create-revision {disable | enable}
set daylightsavetime {enable | disable}
set default-disk-quota <integer>
set faz-status {enable | disable}
set enc-algorithm {default | high | low}
set hostname <string>
set language {english | japanese | simch | trach}
set ldapconntimeout <integer>
set lcdpin <integer>
set lock-preempt {enable | disable}
set log-checksum {md5 | md5-auth | none}
set max-running-reports <integer>
set partial-install {enable | disable}
set pre-login-banner {disable | enable}
set pre-login-banner-message <string>
set remoteauthtimeout <integer>
set search-all-adoms {enable | disable}
set ssl-low-encryption {enable | disable}
set ssl-protocol {tlsv1 | sslv3}
set swapmem {enable | disable}
set task-list-size <integer>
set timezone <integer>
set vdom-mirror {enable | disable}
set webservice-proto {tlsv1 | sslv3 | sslv2}
set workflow-max-sessions <integer>
set workspace-mode {disabled | normal | workflow}
end
Variable Description

admin-https-pki-required {disable | enable} Enable/disable HTTPS login page when PKI is enabled. The following options are available:
- disable: Admin users can log in by providing a valid certificate or password.
- enable: Admin users have to provide a valid certificate when PKI is enabled for HTTPS admin access.
When both set clt-cert-req and set admin-https-pki-required are enabled, only PKI administrators can connect to the FortiAnalyzer GUI.

admin-lockout-duration <integer> Set the lockout duration (seconds) for FortiAnalyzer administration. Default: 60

admin-lockout-threshold <integer> Set the lockout threshold for FortiAnalyzer administration. Range: 1 to 10. Default: 3

admin-maintainer {disable | enable} Enable/disable the special user maintainer account.

adom-mode {advanced | normal} Set the ADOM mode.

adom-rev-auto-delete {by-days | by-revisions | disable} Auto delete features for old ADOM revisions. The following options are available:
- by-days: Auto delete ADOM revisions by maximum days.
- by-revisions: Auto delete ADOM revisions by maximum number of revisions.
- disable: Disable auto delete function for ADOM revision.

adom-rev-max-days <integer> The maximum number of days to keep old ADOM revisions.

adom-rev-max-revisions <integer> The maximum number of ADOM revisions to keep.

adom-status {enable | disable} Enable/disable administrative domains (ADOMs). Default: disable

clt-cert-req {disable | enable} Enable/disable requiring a client certificate for GUI login.
When both set clt-cert-req and set admin-https-pki-required are enabled, only PKI administrators can connect to the FortiAnalyzer GUI.

console-output {more | standard} Select how the output is displayed on the console. Select more to pause the output at each full screen until keypress. Select standard for continuous output without pauses. Default: standard


country-flag {disable | enable} Enable or disable a country flag icon beside an IP address.

create-revision {disable | enable} Enable/disable create revision by default.

daylightsavetime {enable | disable} Enable/disable daylight saving time. If you enable daylight saving time, the FortiAnalyzer unit automatically adjusts the system time when daylight saving time begins or ends. Default: enable

default-disk-quota <integer> Default disk quota (MB) for registered device. Range: 100 to 100 000 (MB).

faz-status {enable | disable} Enable/disable FortiAnalyzer features in FortiAnalyzer. This command is not available on the FMG-100C.

enc-algorithm {default | high | low} Set SSL communication encryption algorithms. Default: default

hostname <string> FortiAnalyzer host name.

language {english | japanese | simch | trach} GUI language. The following options are available:
- english: English
- japanese: Japanese
- simch: Simplified Chinese
- trach: Traditional Chinese
Default: English

ldapconntimeout <integer> LDAP connection timeout (in milliseconds). Default: 60000

lcdpin <integer> Set the 6-digit PIN administrators must enter to use the LCD panel.

lock-preempt {enable | disable} Enable/disable the ADOM lock override.

log-checksum {md5 | md5-auth | none} Record log file hash value, timestamp, and authentication code at transmission or rolling. The following options are available:
- md5: Record log file’s MD5 hash value only
- md5-auth: Record log file’s MD5 hash value and authentication code
- none: Do not record the log file checksum

max-running-reports <integer> Maximum running reports number. Range: 1 to 10

partial-install {enable | disable} Enable/disable partial install (install only some objects). Use this command to enable pushing individual objects of the policy package down to all FortiGates in the Policy Package. Once enabled, in the GUI you can right-click an object and choose to install it.


pre-login-banner {disable | enable} Enable/disable pre-login banner.

pre-login-banner-message <string> Set the pre-login banner message.

remoteauthtimeout <integer> Remote authentication (RADIUS/LDAP) timeout (in seconds). Default: 10

search-all-adoms {enable | disable} Enable/disable search all ADOMs for where-used queries.

ssl-low-encryption {enable | disable} Enable/disable low-grade (40-bit) encryption. Default: enable

ssl-protocol {tlsv1 | sslv3} Set the SSL protocols.

swapmem {enable | disable} Enable/disable virtual memory.

task-list-size <integer> Set the maximum number of completed tasks to keep. Default: 2000

timezone <integer> The time zone for the FortiAnalyzer unit. Default: (GMT-8)Pacific Time(US & Canada)

vdom-mirror {enable | disable} Enable/disable VDOM mirror. Once enabled in the CLI, you can select to enable VDOM Mirror when editing a virtual domain in the System > Virtual Domain device tab in Device Manager. You can then add devices and VDOMs to the list so they may be mirrored. An icon is displayed in the Mirror column of this page to indicate that the VDOM is being mirrored to another device/VDOM.
When changes are made to the master device’s VDOM database, a copy is applied to the mirror device’s VDOM database. A revision is created and then installed to the devices.
Default: disable
VDOM mirror is intended to be used by MSSP or enterprise companies who need to provide a backup VDOM for their customers.

webservice-proto {tlsv1 | sslv3 | sslv2} Web Service connection. The following options are available:
- tlsv1: Web Service connection using TLSv1 protocol.
- sslv3: Web Service connection using SSLv3 protocol.
- sslv2: Web Service connection using SSLv2 protocol.

workflow-max-sessions <integer> Maximum number of workflow sessions per ADOM. Range: 100 to 1000. Default: 500


workspace-mode {disabled | normal | workflow} Enable/disable Workspace and Workflow (ADOM locking). The following options are available:
- disabled: Workspace is disabled.
- normal: Workspace lock mode enabled.
- workflow: Workspace workflow mode enabled.

Example
The following command turns on daylight saving time, sets the FortiAnalyzer unit name to FMG3k, and chooses
the Eastern time zone for US & Canada.
config system global
set daylightsavetime enable
set hostname FMG3k
set timezone 12
end

Time zones

Integer Time zone

00 (GMT-12:00) Eniwetak, Kwajalein
01 (GMT-11:00) Midway Island, Samoa
02 (GMT-10:00) Hawaii
03 (GMT-9:00) Alaska
04 (GMT-8:00) Pacific Time (US & Canada)
05 (GMT-7:00) Arizona
06 (GMT-7:00) Mountain Time (US & Canada)
07 (GMT-6:00) Central America
08 (GMT-6:00) Central Time (US & Canada)
09 (GMT-6:00) Mexico City
10 (GMT-6:00) Saskatchewan
11 (GMT-5:00) Bogota, Lima, Quito
12 (GMT-5:00) Eastern Time (US & Canada)
13 (GMT-5:00) Indiana (East)
14 (GMT-4:00) Atlantic Time (Canada)
15 (GMT-4:00) La Paz
16 (GMT-4:00) Santiago
17 (GMT-3:30) Newfoundland
18 (GMT-3:00) Brasilia
19 (GMT-3:00) Buenos Aires, Georgetown
20 (GMT-3:00) Nuuk (Greenland)
21 (GMT-2:00) Mid-Atlantic
22 (GMT-1:00) Azores
23 (GMT-1:00) Cape Verde Is
24 (GMT) Casablanca, Monrovia
25 (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London
26 (GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
27 (GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
28 (GMT+1:00) Brussels, Copenhagen, Madrid, Paris
29 (GMT+1:00) Sarajevo, Skopje, Sofija, Vilnius, Warsaw, Zagreb
30 (GMT+1:00) West Central Africa
31 (GMT+2:00) Athens, Istanbul, Minsk
32 (GMT+2:00) Bucharest
33 (GMT+2:00) Cairo
34 (GMT+2:00) Harare, Pretoria
35 (GMT+2:00) Helsinki, Riga, Tallinn
36 (GMT+2:00) Jerusalem
37 (GMT+3:00) Baghdad
38 (GMT+3:00) Kuwait, Riyadh
39 (GMT+3:00) Moscow, St.Petersburg, Volgograd
40 (GMT+3:00) Nairobi
41 (GMT+3:30) Tehran
42 (GMT+4:00) Abu Dhabi, Muscat
43 (GMT+4:00) Baku
44 (GMT+4:30) Kabul
45 (GMT+5:00) Ekaterinburg
46 (GMT+5:00) Islamabad, Karachi, Tashkent
47 (GMT+5:30) Calcutta, Chennai, Mumbai, New Delhi
48 (GMT+5:45) Kathmandu
49 (GMT+6:00) Almaty, Novosibirsk
50 (GMT+6:00) Astana, Dhaka
51 (GMT+6:00) Sri Jayawardenapura
52 (GMT+6:30) Rangoon
53 (GMT+7:00) Bangkok, Hanoi, Jakarta
54 (GMT+7:00) Krasnoyarsk
55 (GMT+8:00) Beijing, ChongQing, HongKong, Urumqi
56 (GMT+8:00) Irkutsk, Ulaanbaatar
57 (GMT+8:00) Kuala Lumpur, Singapore
58 (GMT+8:00) Perth
59 (GMT+8:00) Taipei
60 (GMT+9:00) Osaka, Sapporo, Tokyo, Seoul
61 (GMT+9:00) Yakutsk
62 (GMT+9:30) Adelaide
63 (GMT+9:30) Darwin
64 (GMT+10:00) Brisbane
65 (GMT+10:00) Canberra, Melbourne, Sydney
66 (GMT+10:00) Guam, Port Moresby
67 (GMT+10:00) Hobart
68 (GMT+10:00) Vladivostok
69 (GMT+11:00) Magadan
70 (GMT+11:00) Solomon Is., New Caledonia
71 (GMT+12:00) Auckland, Wellington
72 (GMT+12:00) Fiji, Kamchatka, Marshall Is
73 (GMT+13:00) Nuku'alofa
74 (GMT-4:30) Caracas
75 (GMT+1:00) Namibia
76 (GMT-5:00) Brazil-Acre
77 (GMT-4:00) Brazil-West
78 (GMT-3:00) Brazil-East
79 (GMT-2:00) Brazil-DeNoronha

interface

Use this command to edit the configuration of a FortiAnalyzer network interface.

Syntax
config system interface
edit <port>
set status {up | down}
set ip <ipv4_mask>
set allowaccess {http https ping snmp ssh telnet webservice}
set serviceaccess {fclupdates fgtupdates webfilter-antispam}
set speed {1000full 100full 100half 10full 10half auto}
set description <string>
set alias <string>
config <ipv6>
set ip6-address <ipv6 prefix>
set ip6-allowaccess {http https ping snmp ssh telnet webservice}
end
end
Variable Description

<port> <port> can be set to a port number such as port1, port2, port3, or port4.
Different FortiAnalyzer models have different numbers of ports.

status {up | down} Start or stop the interface. If the interface is stopped it does not accept or
send packets. If you stop a physical interface, VLAN interfaces associated
with it also stop. Default: up


ip <ipv4_mask> Enter the interface IPv4 address and netmask. The IPv4 address cannot be on the same subnet as any other interface.

allowaccess {http https ping snmp ssh telnet webservice} Enter the types of management access permitted on this interface. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required. The following options are available:
- http: HTTP access.
- https: HTTPS access.
- ping: PING access.
- snmp: SNMP access.
- ssh: SSH access.
- telnet: TELNET access.
- webservice: Web service access.

serviceaccess {fclupdates fgtupdates webfilter-antispam} Enter the types of service access permitted on this interface. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required. The following options are available:
- fclupdates: FortiClient updates access.
- fgtupdates: FortiGate updates access.
- webfilter-antispam: Web filtering and antispam access.

speed {1000full 100full 100half 10full 10half auto} Enter the speed and duplexing the network port uses. Enter auto to automatically negotiate the fastest common speed. The following options are available:
- 100full: 100M full-duplex.
- 100half: 100M half-duplex.
- 10full: 10M full-duplex.
- 10half: 10M half-duplex.
- auto: Auto adjust speed.
Default: auto

description <string> Enter a description of the interface. Character limit: 63

alias <string> Enter an alias for the interface.

<ipv6> Configure the interface IPv6 settings.

ip6-address <ipv6 prefix> IPv6 address/prefix of interface.


ip6-allowaccess {http https ping snmp ssh telnet webservice} Allow management access to the interface. The following options are available:
- http: HTTP access.
- https: HTTPS access.
- ping: PING access.
- snmp: SNMP access.
- ssh: SSH access.
- telnet: TELNET access.
- webservice: Web service access.

Example
This example shows how to set the FortiAnalyzer port1 interface IPv4 address and network mask to
192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.
config system interface
edit port1
set allowaccess ping https ssh
set ip 192.168.100.159 255.255.255.0
set status up
end

locallog

Use the following commands to configure local log settings.

locallog disk setting


Use this command to configure the disk settings for uploading log files, including configuring the severity of log
levels.

status must be enabled to view diskfull, max-log-file-size and upload variables.

upload must be enabled to view/set other upload* variables.

Syntax
config system locallog disk setting
set status {enable | disable}
set severity {alert | critical | debug | emergency | error | information |
notification | warning}
set max-log-file-size <integer>
set roll-schedule {none | daily | weekly}
set roll-day <string>
set roll-time <hh:mm>
set diskfull {nolog | overwrite}
set log-disk-full-percentage <integer>
set upload {disable | enable}
set uploadip <ipv4_address>
set server-type {FAZ | FTP | SCP | SFTP}
set uploadport <integer>
set uploaduser <string>
set uploadpass <passwd>
set uploaddir <string>
set uploadtype <event>
set uploadzip {disable | enable}
set uploadsched {disable | enable}
set upload-time <hh:mm>
set upload-delete-files {disable | enable}
end
Variable Description

status {enable | disable} Enable or disable logging to the local disk. Default: disable

severity {alert | critical | debug | emergency | error | information | notification | warning} Select the logging severity level. The FortiAnalyzer unit logs all messages at and above the logging severity level you select. For example, if you select critical, the unit logs critical, alert and emergency level messages. Default: alert
The logging levels in descending order are:
- emergency: The unit is unusable.
- alert: Immediate action is required.
- critical: Functionality is affected.
- error: Functionality is probably affected.
- warning: Functionality might be affected.
- notification: Information about normal events.
- information: General information about unit operations.
- debug: Information used for diagnosis or debugging.

max-log-file-size <integer> Enter the size at which the log is rolled. Range: 1 to 1024 (MB). Default: 100

roll-schedule {none | daily | weekly} Enter the period for the scheduled rolling of a log file. If roll-schedule is none, the log rolls when max-log-file-size is reached. The following options are available:
- none: Not scheduled.
- daily: Every day.
- weekly: Every week.
Default: none

roll-day <string> Enter the day for the scheduled rolling of a log file.

roll-time <hh:mm> Enter the time for the scheduled rolling of a log file.

diskfull {nolog | overwrite} Enter action to take when the disk is full:
- nolog: stop logging
- overwrite: overwrites oldest log entries
Default: overwrite


log-disk-full-percentage <integer> Enter the percentage at which the log disk will be considered full (50-90%).

upload {disable | enable} Enable to permit uploading of logs. Default: disable

uploadip <ipv4_address> Enter IPv4 address of the destination server. Default: 0.0.0.0

server-type {FAZ | FTP | SCP | SFTP} Enter the server type to use to store the logs. The following options are available:
- FAZ: Upload to FortiAnalyzer.
- FTP: Upload via FTP.
- SCP: Upload via SCP.
- SFTP: Upload via SFTP.

uploadport <integer> Enter the port to use when communicating with the destination server. Default: 21. Range: 1 to 65535

uploaduser <string> Enter the user account on the destination server.

uploadpass <passwd> Enter the password of the user account on the destination server. Character limit: 127

uploaddir <string> Enter the destination directory on the remote server.

uploadtype <event> Enter to upload the event log files. Default: event

uploadzip {disable | enable} Enable to compress uploaded log files. Default: disable

uploadsched {disable | enable} Enable to schedule log uploads. The following options are available:
- disable: Upload when rolling.
- enable: Scheduled upload.

upload-time <hh:mm> Enter to configure when to schedule an upload.

upload-delete-files {disable | enable} Enable to delete log files after uploading. Default: enable

Example
In this example, the logs are uploaded to an upload server and are not deleted after they are uploaded.
config system locallog disk setting
set status enable
set severity information
set max-log-file-size 1000
set roll-schedule daily
set upload enable
set uploadip 10.10.10.1
set uploadport 443
set uploaduser myname2
set uploadpass 12345
set uploadtype event
set uploadzip enable
set uploadsched enable
set upload-time 06:45
set upload-delete-files disable
end
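
The following Python script is an added example, not part of the Fortinet reference. It parses show-style output and flags the weaker options documented in the global, interface and locallog disk setting tables above. The sample configuration, the config ipv6 block name and the rule set are constructed for illustration; because show prints only values changed from their default, a missing ssl-low-encryption line is treated as the documented default (enable).

```python
import shlex

# Constructed sample in the shape of `show` output; not taken from a real unit.
SAMPLE_SHOW_OUTPUT = '''\
config system global
    set hostname "FAZ-lab"
    set ssl-protocol sslv3
    set webservice-proto tlsv1
end
config system interface
    edit "port1"
        set ip 192.168.100.159 255.255.255.0
        set allowaccess ping https ssh telnet
        config ipv6
            set ip6-allowaccess https
        end
    next
    edit "port2"
        set allowaccess ping https ssh
    next
end
config system certificate ca
    edit "lab-ca"
        set ca "-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERNOTAREALCERTIFICATE
-----END CERTIFICATE-----"
    next
end
config system locallog disk setting
    set status enable
    set upload enable
    set server-type FTP
end
'''

# Defaults stated in the option tables; `show` omits settings left at default.
PAGE_DEFAULTS = {("system global", "ssl-low-encryption"): ["enable"]}
CLEARTEXT_ACCESS = {"http", "telnet"}
LEGACY_SSL = {"sslv2", "sslv3"}
# central-management spells the key "enc-alogorithm" on the page; accept both.
ENC_KEYS = {"enc-algorithm", "enc-alogorithm"}


def parse(text):
    """Yield (path, entry, key, values) for every `set` line in the config."""
    stack = []  # one [path, current edit name] frame per open `config` block
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:
            continue  # unbalanced quote: part of a multi-line PEM value
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "config":
            stack.append([" ".join(tok[1:]), None])
        elif cmd == "edit" and stack and len(tok) > 1:
            stack[-1][1] = tok[1]
        elif cmd == "next" and stack:
            stack[-1][1] = None
        elif cmd == "end" and stack:
            stack.pop()
        elif cmd == "set" and stack and len(tok) >= 2:
            path = " > ".join(frame[0] for frame in stack)
            entry = next((f[1] for f in reversed(stack) if f[1]), None)
            yield path, entry, tok[1], tok[2:]


def weakness(path, key, vals):
    """Return why a setting is weak, or None if no rule matches."""
    if path in ("system global", "system central-management"):
        if key in ENC_KEYS and "low" in vals:
            return "SSL communication limited to low encryption algorithms"
    if path == "system global":
        if key == "ssl-low-encryption" and "enable" in vals:
            return "low-grade (40-bit) encryption is allowed"
        if key in ("ssl-protocol", "webservice-proto") and vals & LEGACY_SSL:
            return "legacy SSL protocol version selected"
        if key == "log-checksum" and "none" in vals:
            return "no hash recorded for log files at transmission or rolling"
    if path.startswith("system interface") and key in ("allowaccess", "ip6-allowaccess"):
        bad = sorted(vals & CLEARTEXT_ACCESS)
        if bad:
            return "cleartext management access: " + ", ".join(bad)
    if path == "system locallog disk setting" and key == "server-type":
        if "FTP" in {v.upper() for v in vals}:
            return "log upload over FTP is not encrypted"
    return None


def audit(text):
    """Return a list of (location, key, reason) for weak settings in `text`."""
    rows = [(p, e, k, v, False) for p, e, k, v in parse(text)]
    paths = {r[0] for r in rows}
    explicit = {(r[0], r[2]) for r in rows}
    # Add documented defaults for blocks that appear but omit the setting.
    for (path, key), values in PAGE_DEFAULTS.items():
        if path in paths and (path, key) not in explicit:
            rows.append((path, None, key, values, True))
    findings = []
    for path, entry, key, values, implied in rows:
        reason = weakness(path, key, set(values))
        if reason:
            if implied:
                reason += " (documented default, absent from show output)"
            where = f"{path} [{entry}]" if entry else path
            findings.append((where, key, reason))
    return findings


if __name__ == "__main__":
    for where, key, reason in audit(SAMPLE_SHOW_OUTPUT):
        print(f"{where}: {key}: {reason}")
```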

locallog filter
Use this command to configure filters for local logs. All keywords are visible only when event is enabled.

Syntax
config system locallog [memory | disk | fortianalyzer | fortianalyzer2 |
fortianalyzer3 | syslogd | syslogd2 | syslogd3] filter
set devcfg {disable | enable}
set devops {disable | enable}
set dm {disable | enable}
set dvm {disable | enable}
set epmgr {disable | enable}
set event {disable | enable}
set faz {enable | disable}
set fgd {disable | enable}
set fgfm {disable | enable}
set fips {disable | enable}
set fmgws {disable | enable}
set fmlmgr {disable | enable}
set fmwmgr {disable | enable}
set glbcfg {disable | enable}
set ha {disable | enable}
set iolog {disable | enable}
set logd {disable | enable}
set lrmgr {disable | enable}
set objcfg {disable | enable}
set rev {disable | enable}
set rtmon {disable | enable}
set scfw {disable | enable}
set scply {disable | enable}
set scrmgr {disable | enable}
set scvpn {disable | enable}
set system {disable | enable}
set webport {disable | enable}
end
Variable Description

devcfg {disable | enable} Enable to log device configuration messages.

devops {disable | enable} Enable managed devices operations messages.

dm {disable | enable} Enable to log deployment manager messages. Default: disable


dvm {disable | enable} Enable to log device manager messages. Default: disable

epmgr {disable | enable} Enable to log endpoint manager messages. Default: disable

event {disable | enable} Enable to configure log filter messages. Default: disable

faz {enable | disable} Enable to log FortiAnalyzer messages. Default: disable

fgd {disable | enable} Enable to log FortiGuard service messages. Default: disable

fgfm {disable | enable} Enable to log FortiGate/FortiAnalyzer communication protocol messages. Default: disable

fips {disable | enable} Enable to log FIPS messages. Default: disable

fmgws {disable | enable} Enable to log web service messages. Default: disable

fmlmgr {disable | enable} Enable to log FortiMail manager messages. Default: disable

fmwmgr {disable | enable} Enable to log firmware manager messages. Default: disable

glbcfg {disable | enable} Enable to log global database messages. Default: disable

ha {disable | enable} Enable to log high availability activity messages. Default: disable

iolog {disable | enable} Enable input/output log activity messages. Default: disable

logd {disable | enable} Enable logd messages. Default: disable

lrmgr {disable | enable} Enable to log log and report manager messages. Default: disable

objcfg {disable | enable} Enable to log object configuration. Default: disable

rev {disable | enable} Enable to log revision history messages. Default: disable

rtmon {disable | enable} Enable to log real-time monitor messages. Default: disable

scfw {disable | enable} Enable to log firewall objects messages. Default: disable

scply {disable | enable} Enable to log policy console messages. Default: disable

scrmgr {disable | enable} Enable to log script manager messages. Default: disable

scvpn {disable | enable} Enable to log VPN console messages. Default: disable

system {disable | enable} Enable to log system manager messages. Default: disable

webport {disable | enable} Enable to log web portal messages. Default: disable


Example
In this example, the local log filters are log and report manager, and system settings. Events in these areas of the
FortiAnalyzer unit will be logged.
config system locallog filter
set event enable
set lrmgr enable
set system enable
end

locallog fortianalyzer (fortianalyzer2, fortianalyzer3) setting


Use this command to enable or disable, and select the severity threshold of, remote logging to the FortiAnalyzer
units. You can configure up to three FortiAnalyzer devices.

The severity threshold required to forward a log message to the FortiAnalyzer unit is separate from event, syslog,
and local logging severity thresholds.

Syntax
config system locallog {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
set severity {emergency | alert | critical | error | warning | notification |
information | debug}
set status {disable | enable}
end
Variable Description

severity {emergency | alert | critical | error | warning | notification | information | debug} Enter the severity threshold that a log message must meet or exceed to be logged to the unit. The following options are available:
- emergency: The unit is unusable.
- alert: Immediate action is required.
- critical: Functionality is affected.
- error: Functionality is probably affected.
- warning: Functionality might be affected.
- notification: Information about normal events.
- information: General information about unit operations.
- debug: Information used for diagnosis or debugging.
Default: alert

status {disable | enable} Enable/disable remote logging to the FortiAnalyzer unit. Default: disable

Example
This example enables remote logging to the configured FortiAnalyzer unit. Events at the information level and higher, which is everything except debug level events, are sent to the FortiAnalyzer unit.
config system locallog fortianalyzer setting
set status enable
set severity information
end


locallog memory setting


Use this command to configure memory settings for local logging purposes.

Syntax
config system locallog memory setting
set diskfull {nolog | overwrite}
set severity {emergency | alert | critical | error | warning | notification |
information | debug}
set status {disable | enable}
end
Variable Description

diskfull {nolog | overwrite} Enter the action to take when the disk is full:
- nolog: Stop logging when disk full
- overwrite: Overwrites oldest log entries

severity {emergency | alert | critical | error | warning | notification | information | debug} Enter the log severity level to log files. The following options are available:
- emergency: The unit is unusable.
- alert: Immediate action is required.
- critical: Functionality is affected.
- error: Functionality is probably affected.
- warning: Functionality might be affected.
- notification: Information about normal events.
- information: General information about unit operations.
- debug: Information used for diagnosis or debugging.
Default: alert

status {disable | enable} Enable/disable memory buffer logging. Default: disable

Example
This example shows how to enable logging to memory for all events at the notification level and above. At this
level of logging, only information and debug events will not be logged.
config system locallog memory setting
set severity notification
set status enable
end

locallog syslogd (syslogd2, syslogd3) setting


Use this command to configure the settings for logging to a syslog server. You can configure up to three syslog servers: syslogd, syslogd2 and syslogd3.

Syntax
config system locallog {syslogd | syslogd2 | syslogd3} setting
set csv {disable | enable}


set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set status {enable | disable}
set syslog-name <string>
end
Variable Description

csv {disable | enable} Enable to produce the log in comma separated value (CSV) format. If you do not enable CSV format the FortiAnalyzer unit produces space separated log files. Default: disable

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp} Enter the facility type. facility identifies the source of the log message to syslog. Change facility to distinguish log messages from different FortiAnalyzer units so you can determine the source of the log messages. Available facility types are:
• alert: Log alert.
• audit: Log audit.
• auth: Security/authorization messages.
• authpriv: Security/authorization messages (private).
• clock: Clock daemon
• cron: Clock daemon.
• daemon: System daemons.
• ftp: File Transfer Protocol (FTP) daemon
• kernel: Kernel messages.
• local0 to local7: reserved for local use
• lpr: Line printer subsystem.
• mail: Mail system.
• news: Network news subsystem.
• ntp: Network Time Protocol (NTP) daemon
• syslog: Messages generated internally by the syslog daemon.
• user: Random user-level messages.
• uucp: Network news subsystem.
Default: local7


severity {emergency | alert | critical | error | warning | notification | information | debug} Select the logging severity level. The FortiAnalyzer unit logs all messages at and above the logging severity level you select. For example, if you select critical, the unit logs critical, alert and emergency level messages.
The logging levels in descending order are:
• emergency: The unit is unusable.
• alert: Immediate action is required.
• critical: Functionality is affected.
• error: Functionality is probably affected.
• warning: Functionality might be affected.
• notification: Information about normal events.
• information: General information about unit operations.
• debug: Information used for diagnosis or debugging.

status {enable | disable} Enter enable to begin logging. The following options are available:
• disable: Do not log to remote syslog server.
• enable: Log to remote syslog server.

syslog-name <string> Enter the remote syslog server name.

Use the show command to display the current configuration if it has been changed from its default value:
show system locallog syslogd setting

Example
In this example, the logs are uploaded to a syslog server at IPv4 address 10.10.10.8. The FortiAnalyzer unit is
identified as facility local0.
config system locallog syslogd setting
set facility local0
set server 10.10.10.8
set status enable
set severity information
end

log

Use the following commands to configure log settings:

log alert
Use this command to configure log based alert settings.

Syntax
config system log alert
set max-alert-count <integer>


end
Variable Description

max-alert-count <integer> Maximum number of alerts supported. Range: 100 to 1000

log mail-domain
Use this command to enable restrictions on email domains. By default, this option is disabled. The logs for
different email domains are stored in the same ADOM.
When this option is enabled through the CLI, FortiAnalyzer identifies the email domains from the logs. It creates a list of VDOMs in the device manager based on the email domains. The VDOMs are assigned to different ADOMs. When inserting a log to the database, FortiAnalyzer records the log to its corresponding ADOM based on the email domain information in the log. The VDOM field of the log is sent to the email domain name.

Syntax
config system log mail-domain
edit <id>
set domain <string>
set code <string>
set device <id>
end
Variable Description

<id> Identity of the FortiMail domain.

domain <string> Domain name of the organization.

code <string> URL of the organization.

device <id> Device ID.

Example
config system log mail-domain
edit 1
set domain company-name.
set code name.com
set device All_FortiMails
next
edit 2
set domain network-cnet
set code cnet.net
set device FE00000000000001
next
edit 3
set domain mail.myfortinet.com
set code myftntmail
set device FE00000000000002,FE00000000000003
next
end


log settings
Use this command to configure settings for logs.

Syntax
config system log settings
set download-max-logs <integer>
set log-file-archive-name {basic | extended}
set FCH-custom-field1 <string>
set FCT-custom-field1 <string>
set FGT-custom-field1 <string>
set FML-custom-field1 <string>
set FWB-custom-field1 <string>
set FAZ-custom-field1 <string>
set FSA-custom-field1 <string>
config rolling-regular
set days {fri | mon | sat | sun | thu | tue | wed}
set del-files {disable | enable}
set directory <string>
set file-size <integer>
set gzip-format {disable | enable}
set hour <integer>
set ip <ipv4_address>
set ip2 <ipv4_address>
set ip3 <ipv4_address>
set log-format {csv | native | text}
set min <integer>
set password <passwd>
set password2 <passwd>
set password3 <passwd>
set server-type {ftp | scp | sftp}
set upload {disable | enable}
set upload-hour <integer>
set upload-mode {backup | mirror}
set upload-trigger {on-roll | on-schedule}
set username <string>
set username2 <string>
set username3 <string>
set when {daily | none | weekly}
end
end
Variable Description

download-max-logs <integer> Maximum number of logs for each log download attempt.

log-file-archive-name {basic | extended} Log file name format for archiving.
• basic: Basic format for log archive file name, for example: FGT20C0000000001.tlog.1417797247.log.
• extended: Extended format for log archive file name, for example: FGT20C0000000001.2014-12-05-08:34:58.tlog.1417797247.log.


FCH-custom-field1 <string> Enter a name of the custom log field to index. Character limit: 31

FCT-custom-field1 <string> Enter a name of the custom log field to index. Character limit: 31

FGT-custom-field1 <string> Enter a name of the custom log field to index. Character limit: 31

FML-custom-field1 <string> Enter a name of the custom log field to index. Character limit: 31

FWB-custom-field1 <string> Enter a name of the custom log field to index. Character limit: 31

FAZ-custom-field1 <string> Enter a name of the custom log field to index. Character limit: 31

FSA-custom-field1 <string> Enter a name of the custom log field to index. Character limit: 31

Subcommand variables

Variables for config rolling-regular subcommand:

days {fri | mon | sat | sun | thu | tue | wed} Log files rolling schedule (days of the week). When when is set to weekly, you can configure days, hour, and min values.

del-files {disable | enable} Enable/disable log file deletion after uploading.

directory <string> The upload server directory. Character limit: 127

file-size <integer> Roll log files when they reach this size (MB).
Range: 10 to 500 (MB)
Default: 200 (MB)

gzip-format {disable | enable} Enable/disable compression of uploaded log files.

hour <integer> Log files rolling schedule (hour).

ip <ipv4_address>, ip2 <ipv4_address>, ip3 <ipv4_address> Upload server IPv4 addresses. Configure up to three servers.

log-format {csv | native | text} Format of uploaded log files. The following options are available:
• csv: CSV (comma-separated value) format.
• native: Native format (text or compact).
• text: Text format (convert if necessary).

min <integer> Log files rolling schedule (minutes).

password <passwd>, password2 <passwd>, password3 <passwd> Upload server login passwords. Character limit: 128


server-type {ftp | scp | sftp} Upload server type. The following options are available:
• ftp: Upload via FTP server.
• scp: Upload via SCP server.
• sftp: Upload via SFTP server.

upload {disable | enable} Enable/disable log file uploads.

upload-hour <integer> Log files upload schedule (hour).

upload-mode {backup | mirror} Configure upload mode with multiple servers. Servers are attempted and used one after the other upon failure to connect. The following options are available:
• backup: Servers are attempted and used one after the other upon failure to connect.
• mirror: All configured servers are attempted and used.

upload-trigger {on-roll | on-schedule} Event triggering log files upload:
• on-roll: Upload log files after they are rolled.
• on-schedule: Upload log files daily.

username <string>, username2 <string>, username3 <string> Upload server login usernames. Character limit: 35

when {daily | none | weekly} Roll log files periodically. The following options are available:
• daily: Roll log files daily.
• none: Do not roll log files periodically.
• weekly: Roll log files on certain days of week.

mail

Use this command to configure mail servers on your FortiAnalyzer unit.

Syntax
config system mail
edit <id>
set auth {enable | disable}
set passwd <passwd>
set port <integer>
set secure-option {default | none | smtps | starttls}
set server <string>
set user <string>
end


Variable Description

<id> Enter the mail service ID of the entry you would like to edit or type a new
name to create an entry. Character limit: 63

<server> Enter the name of the mail server.

auth {enable | disable} Enable/disable authentication.

passwd <passwd> Enter the SMTP account password value. Character limit: 63

port <integer> Enter the SMTP server port. Range: 1 to 65535

secure-option {default | none | smtps | starttls} Select the communication secure option. One of:
• default: Try STARTTLS, proceed as plain text communication otherwise.
• none: Communication will be in plain text format.
• smtps: Communication will be protected by SMTPS.
• starttls: Communication will be protected by STARTTLS.

server <string> Enter the SMTP server name.

user <string> Enter the SMTP account user name.

ntp

Use this command to configure automatic time setting using a network time protocol (NTP) server.

Syntax
config system ntp
set status {enable | disable}
set sync_interval <string>
config ntpserver
edit <id>
set ntpv3 {disable | enable}
set server <string>
set authentication {disable | enable}
set key <passwd>
set key-id <integer>
end
end
Variable Description

status {enable | disable} Enable/disable NTP time setting. Default: disable


sync_interval <string> Enter how often, in minutes, the FortiAnalyzer unit synchronizes its time with the NTP server.
Range: 1 to 1440 (minutes)
Default: 60

Variables for config ntpserver subcommand:

ntpv3 {disable | enable} Enable/disable NTPv3. Default: disable

server <string> Enter the IPv4 address or fully qualified domain name of the NTP server.

authentication {disable | enable} Enable/disable MD5 authentication. Default: disable

key <passwd> The authentication key. String maximum: 63 characters

key-id <integer> The key ID for authentication. Default: 0

password-policy

Use this command to configure access password policies.

Syntax
config system password-policy
set status {disable | enable}
set minimum-length <integer>
set must-contain <lower-case-letter | non-alphanumeric | number | upper-case-letter>
set change-4-characters {disable | enable}
set expire <integer>
end
Variable Description

status {disable | enable} Enable/disable the password policy. Default: enable

minimum-length <integer> Set the password’s minimum length.
Range: 8 to 256 (characters)
Default: 8


must-contain <lower-case-letter | non-alphanumeric | number | upper-case-letter> Characters that a password must contain.
• lower-case-letter: the password must contain at least one lower case letter
• non-alphanumeric: the password must contain at least one non-alphanumeric character
• number: the password must contain at least one number
• upper-case-letter: the password must contain at least one upper case letter.

change-4-characters {disable | enable} Enable/disable changing at least 4 characters for a new password. Default: disable

expire <integer> Set the number of days after which admin users' password will expire; 0 means never. Default: 0

report

Use the following commands to configure report related settings.

report auto-cache
Use this command to view or configure report auto-cache settings.

Syntax
config system report auto-cache
set aggressive-drilldown {enable | disable}
set aggressive-schedule {enable | disable}
set drilldown-interval <integer>
set drilldown-status {enable | disable}
set order {latest-first | oldest-first}
set status {enable | disable}
end
Variable Description

aggressive-drilldown {enable | disable} Enable/disable the aggressive drill-down auto-cache.

aggressive-schedule {enable | disable} Enable/disable aggressive schedule auto-cache.

drilldown-interval <integer> The time interval in hours for drill-down auto-cache. Range: 1 to 8784 (hours)


drilldown-status {enable | disable} Enable/disable drill-down auto-cache. The following options are available:
• disable: Disable the SQL report auto-cache.
• enable: Enable the SQL report auto-cache.

order {latest-first | oldest-first} The order in which SQL log tables are processed.
• latest-first: The latest SQL log table is processed first.
• oldest-first: The oldest SQL log table is processed first.

status {enable | disable} Enable/disable the SQL report auto-cache. The following options are available:
• disable: Disable the SQL report auto-cache.
• enable: Enable the SQL report auto-cache.

report est-browse-time
Use this command to view or configure report settings.

Syntax
config system report est-browse-time
set compensate-read-time <integer>
set max-num-user <integer>
set max-read-time <integer>
set status {enable | disable}
end
Variable Description

compensate-read-time <integer> Set the compensate read time for last page view. Range: 1 to 3600

max-num-user <integer> Set the maximum number of users to estimate browse time. Range: 100 to 1 000 000

max-read-time <integer> Set the read time threshold for each page view. Range: 1 to 3600

status {enable | disable} Enable/disable estimating browse time.

report group
Use these commands to configure report groups.

Syntax
config system report group
edit <group-id>
set adom <adom-name>
set case-insensitive {enable | disable}
set report-like <string>


config chart-alternative
edit <chart-name>
set chart-replace <string>
end
config group-by
edit <var-name>
set var-expression <string>
end
end
Variable Description

<group-id> The identification number of the group to be edited or created.

adom <adom-name> The ADOM that contains the report group.

case-insensitive {enable | disable} Enable or disable case sensitivity.

report-like <string> Report pattern

Subcommand variables

Variable for config chart-alternative subcommand:

<chart-name> The chart name.

chart-replace <string> Chart replacement.

Variable for config group-by subcommand:

<var-name> The variable name.

var-expression <string> Variable expression.

report setting
Use these commands to view or configure report settings.

Syntax
config system report setting
set hcache-lossless {enable | disable}
set max-table-rows <integer>
set report-priority {low | normal}
set week-start {mon | sun}
end


Variable Description

hcache-lossless {enable | disable} Enable or disable ready-with-loss hcaches.

max-table-rows <integer> Set the maximum number of rows that can be generated in a single table. Range: 10 000 to 100 000

report-priority {low | normal} Set the priority of the SQL report.

week-start {mon | sun} Set the day that the week starts on, either Sunday or Monday. The following options are available:
• mon: Monday.
• sun: Sunday.

Use the show command to display the current configuration if it has been changed from its default value:
show system report setting

route

Use this command to view or configure static routing table entries on your FortiAnalyzer unit.

Syntax
config system route
edit <seq_int>
set device <port>
set dst <dst_ipv4mask>
set gateway <gateway_ipv4_address>
end
Variable Description

<seq_int> Enter an unused routing sequence number to create a new route. Enter an
existing route number to edit that route.

device <port> Enter the port (interface) used for this route.

dst <dst_ipv4mask> Enter the IPv4 address and mask for the destination network.

gateway <gateway_ipv4_address> Enter the default gateway IPv4 address for this network.

route6

Use this command to view or configure static IPv6 routing table entries on your FortiAnalyzer unit.


Syntax
config system route6
edit <seq_int>
set device <string>
set dst <ipv6_prefix>
set gateway <ipv6_address>
end
Variable Description

<seq_int> Enter an unused routing sequence number to create a new route. Enter an
existing route number to edit that route.

device <string> Enter the port (interface) used for this route.

dst <ipv6_prefix> Enter the IPv6 address and mask for the destination network.

gateway <ipv6_address> Enter the default gateway IPv6 address for this network.

Use the show command to display the current configuration if it has been changed from its default value:
show system route6

snmp

Use the following commands to configure SNMP related settings.

snmp community
Use this command to configure SNMP communities on your FortiAnalyzer unit.

You add SNMP communities so that SNMP managers, typically applications running on computers to monitor
SNMP status information, can connect to the FortiAnalyzer unit (the SNMP agent) to view system information
and receive SNMP traps. SNMP traps are triggered when system events happen such as when there is a system
restart, or when the log disk is almost full.

You can add up to three SNMP communities, and each community can have a different configuration for SNMP
queries and traps. Each community can be configured to monitor the FortiAnalyzer unit for a different set of
events.

Hosts are the SNMP managers that make up this SNMP community. Host information includes the IPv4 address
and interface that connects it to the FortiAnalyzer unit.

For more information on SNMP traps and variables, see the Fortinet Document Library.

Part of configuring an SNMP manager is to list it as a host in a community on the FortiAnalyzer unit that it will be monitoring. Otherwise that SNMP manager will not receive any traps or events from the FortiAnalyzer unit, and will be unable to query the FortiAnalyzer unit as well.


Syntax
config system snmp community
edit <index_number>
set events <events_list>
set name <community_name>
set query-v1-port <integer>
set query-v1-status {enable | disable}
set query-v2c-port <integer>
set query-v2c-status {enable | disable}
set status {enable | disable}
set trap-v1-rport <integer>
set trap-v1-status {enable | disable}
set trap-v2c-rport <integer>
set trap-v2c-status {enable | disable}
config hosts
edit <host_number>
set interface <interface_name>
set ip <ipv4_address>
end
end
Variable Description

<index_number> Enter the index number of the community in the SNMP communities table.
Enter an unused index number to create a new SNMP community.

events <events_list> Enable the events for which the FortiAnalyzer unit should send traps to the SNMP managers in this community. The raid_changed event is only available for devices which support RAID.
• cpu-high-exclude-nice: CPU usage exclude NICE threshold.
• cpu_high: CPU usage too high.
• disk_low: Disk usage too high.
• ha_switch: HA switch.
• intf_ip_chg: Interface IP address changed.
• lic-dev-quota: High licensed device quota detected.
• lic-gbday: High licensed log GB/day detected.
• log-alert: Log base alert message.
• log-data-rate: High incoming log data rate detected.
• log-rate: High incoming log rate detected.
• mem_low: Available memory is low.
• raid_changed: RAID status changed.
• sys_reboot: System reboot.
Default: All events enabled


name <community_name> Enter the name of the SNMP community. Names can be used to distinguish between the roles of the hosts in the groups.
For example the Logging and Reporting group would be interested in the disk_low events, but likely not the other events.
The name is included in SNMPv2c trap packets to the SNMP manager, and is also present in query packets from the SNMP manager.

query-v1-port <integer> Enter the SNMPv1 query port number used when SNMP managers query the FortiAnalyzer unit.
Default: 161
Range: 1 to 65535

query-v1-status {enable | disable} Enable/disable SNMPv1 queries for this SNMP community. Default: enable

query-v2c-port <integer> Enter the SNMP v2c query port number used when SNMP managers query the FortiAnalyzer unit. SNMP v2c queries will include the name of the community.
Default: 161
Range: 1 to 65535

query-v2c-status {enable | disable} Enable/disable SNMPv2c queries for this SNMP community. Default: enable

status {enable | disable} Enable/disable this SNMP community. Default: enable

trap-v1-rport <integer> Enter the SNMPv1 remote port number used for sending traps to the SNMP managers.
Default: 162
Range: 1 to 65535

trap-v1-status {enable | disable} Enable/disable SNMPv1 traps for this SNMP community. Default: enable

trap-v2c-rport <integer> Enter the SNMPv2c remote port number used for sending traps to the SNMP managers.
Default: 162
Range: 1 to 65535

trap-v2c-status {enable | disable} Enable/disable SNMPv2c traps for this SNMP community. SNMP v2c traps sent out to SNMP managers include the community name.
Default: enable

hosts variables

<host_number> Enter the index number of the host in the table. Enter an unused index number to create a new host.


interface <interface_name> Enter the name of the FortiAnalyzer unit that connects to the SNMP manager.

ip <ipv4_address> Enter the IPv4 address of the SNMP manager. Default: 0.0.0.0

Example
This example shows how to add a new SNMP community named SNMP_Com1. The default configuration can be
used in most cases with only a few modifications. In the example below the community is added, given a name,
and then because this community is for an SNMP manager that is SNMP v1 compatible, all v2c functionality is
disabled. After the community is configured the SNMP manager, or host, is added. The SNMP manager IPv4
address is 192.168.20.34 and it connects to the FortiAnalyzer unit internal interface.
config system snmp community
edit 1
set name SNMP_Com1
set query-v2c-status disable
set trap-v2c-status disable
config hosts
edit 1
set interface internal
set ip 192.168.10.34
end
end

snmp sysinfo
Use this command to enable the FortiAnalyzer SNMP agent and to enter basic system information used by the
SNMP agent. Enter information about the FortiAnalyzer unit to identify it. When your SNMP manager receives
traps from the FortiAnalyzer unit, you will know which unit sent the information. Some SNMP traps indicate high
CPU usage, log full, or low memory.

For more information on SNMP traps and variables, see the Fortinet Document Library.

Syntax
config system snmp sysinfo
set contact-info <string>
set description <description>
set engine-id <string>
set location <location>
set status {enable | disable}
set trap-high-cpu-threshold <percentage>
set trap-low-memory-threshold <percentage>
set trap-cpu-high-exclude-nice-threshold <percentage>
end
Variable Description

contact-info <string> Add the contact information for the person responsible for this FortiAnalyzer unit. Character limit: 35


description <description> Add a name or description of the FortiAnalyzer unit. Character limit: 35

engine-id <string> Local SNMP engine ID string. Character limit: 24

location <location> Describe the physical location of the FortiAnalyzer unit. Character limit: 35

status {enable | disable} Enable/disable the FortiAnalyzer SNMP agent. Default: disable

trap-high-cpu-threshold <percentage> CPU usage when trap is set. Default: 80

trap-low-memory-threshold <percentage> Memory usage when trap is set. Default: 80

trap-cpu-high-exclude-nice-threshold <percentage> CPU high usage excludes nice when the trap is sent.

Example
This example shows how to enable the FortiAnalyzer SNMP agent and add basic SNMP information.
config system snmp sysinfo
set status enable
set contact-info 'System Admin ext 245'
set description 'Internal network unit'
set location 'Server Room A121'
end

snmp user
Use this command to configure SNMPv3 users on your FortiAnalyzer unit. To use SNMPv3, you will first need to
enable the FortiAnalyzer SNMP agent. For more information, see snmp sysinfo. There should be a corresponding configuration on the SNMP server in order to query or receive traps from FortiAnalyzer.

For more information on SNMP traps and variables, see the Fortinet Document Library.

Syntax
config system snmp user
edit <name>
set auth-proto {md5 | sha}
set auth-pwd <passwd>
set events <events_list>
set notify-hosts <ipv4_address>
set priv-proto {aes | des}
set priv-pwd <passwd>
set queries {enable | disable}
set query-port <integer>
set security-level {auth-no-priv | auth-priv | no-auth-no-priv}
end


Variable Description

<name> Enter an SNMPv3 user name to add, edit, or delete.

auth-proto {md5 | sha} Authentication protocol. The security level must be set to auth-no-priv or auth-priv to use this variable. The following options are available:
• md5: HMAC-MD5-96 authentication protocol
• sha: HMAC-SHA-96 authentication protocol

auth-pwd <passwd> Password for the authentication protocol. The security level must be set to auth-no-priv or auth-priv to use this variable.

events <events_list> Enable the events for which the FortiAnalyzer unit should send traps to the SNMPv3 managers in this community. The raid_changed event is only available for devices which support RAID.
• cpu-high-exclude-nice: CPU usage exclude nice threshold.
• cpu_high: The CPU usage is too high.
• disk_low: The log disk is getting close to being full.
• ha_switch: A new unit has become the HA master.
• intf_ip_chg: An interface IP address has changed.
• lic-dev-quota: High licensed device quota detected.
• lic-gbday: High licensed log GB/Day detected.
• log-alert: Log base alert message.
• log-data-rate: High incoming log data rate detected.
• log-rate: High incoming log rate detected.
• mem_low: The available memory is low.
• raid_changed: RAID status changed.
• sys_reboot: The FortiAnalyzer unit has rebooted.
Default: All events enabled.

notify-hosts <ipv4_address> Hosts to send notifications (traps) to.

priv-proto {aes | des} Privacy (encryption) protocol. The security level must be set to auth-no-priv or auth-priv to use this variable. The following options are available:
• aes: CFB128-AES-128 symmetric encryption protocol
• des: CBC-DES symmetric encryption protocol

priv-pwd <passwd> Password for the privacy (encryption) protocol. The security level must be set to auth-no-priv or auth-priv to use this variable.

queries {enable | disable} Enable/disable queries for this user. Default: enable

query-port <integer> SNMPv3 query port.
Default: 161
Range: 1 to 65535


security-level {auth-no-priv | auth-priv | no-auth-no-priv} Security level for message authentication and encryption. The following options are available:
• auth-no-priv: Message with authentication but no privacy (encryption).
• auth-priv: Message with authentication and privacy (encryption).
• no-auth-no-priv: Message with no authentication and no privacy (encryption).
Default: no-auth-no-priv

Use the show command to display the current configuration if it has been changed from its default value:
show system snmp user
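
Several options in the mail, log settings and snmp sections above decide whether credentials and log data cross the network in clear text, and some of the weak values are defaults that never appear in show output. The Python audit below is an added example, not Fortinet code: it parses configuration text in the config/edit/set syntax used on this page, merges in the defaults this page documents, and reports weak values; the sample configuration, entry names and addresses are constructed.

```python
import shlex

# Defaults as documented on this page. "show" output omits settings left at
# their default, so they are merged in before a block is judged.
DOC_DEFAULTS = {
    "system snmp community": dict.fromkeys(
        ("status", "query-v1-status", "query-v2c-status",
         "trap-v1-status", "trap-v2c-status"), "enable"),
    "system snmp user": {"security-level": "no-auth-no-priv"},
}

def parse_config(text):
    """Parse config/edit/set/next/end text into {(section, entry): {key: value}}."""
    stack, blocks = [], {}
    def current():
        section = "/".join(name for kind, name in stack if kind == "config")
        entry = "/".join(name for kind, name in stack if kind == "edit")
        return section, entry
    for line in text.splitlines():
        verb, *args = shlex.split(line) or [""]  # shlex keeps 'quoted values' whole
        if verb == "config":
            stack.append(("config", " ".join(args)))
        elif verb == "edit" and args:
            stack.append(("edit", args[0]))
            blocks.setdefault(current(), {})  # an entry may rely on defaults only
        elif verb == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif verb == "end":
            # Examples on this page close an open "edit" with "end", without "next".
            if stack and stack[-1][0] == "edit":
                stack.pop()
            if stack:
                stack.pop()
        elif verb == "set" and len(args) >= 2:
            blocks.setdefault(current(), {})[args[0]] = " ".join(args[1:])
    return blocks

def audit(text):
    """Return [(location, setting, reason)] for each weak setting in text."""
    findings = []
    for (section, entry), explicit in parse_config(text).items():
        cfg = {**DOC_DEFAULTS.get(section, {}), **explicit}
        where = f"{section} [{entry}]" if entry else section
        def flag(setting, reason):
            findings.append((where, setting, reason))
        if section == "system mail" and cfg.get("secure-option") in ("none", "default"):
            flag("secure-option", "SMTP can run in plain text; use smtps or starttls")
        elif section == "system log settings/rolling-regular":
            if cfg.get("upload") == "enable" and cfg.get("server-type") == "ftp":
                flag("server-type", "FTP upload is unencrypted; use scp or sftp")
        elif section == "system snmp community" and cfg["status"] == "enable":
            for key in (k for k in cfg if k.endswith("-status")):
                if cfg[key] == "enable":
                    flag(key, "SNMPv1/v2c is unencrypted; prefer an SNMPv3 user")
        elif section == "system snmp user":
            if cfg["security-level"] != "auth-priv":
                flag("security-level", "SNMPv3 user lacks authentication or privacy")
            if cfg.get("auth-proto") == "md5":
                flag("auth-proto", "prefer sha over md5")
            if cfg.get("priv-proto") == "des":
                flag("priv-proto", "prefer aes over des")
    return findings

# Constructed sample input (not taken from a real unit).
SAMPLE = """
config system mail
    edit "alerts"
        set secure-option default
    next
end
config system log settings
    config rolling-regular
        set upload enable
        set server-type ftp
    end
end
config system snmp community
    edit 1
        set query-v2c-status disable
        set trap-v2c-status disable
        config hosts
            edit 1
                set ip 192.0.2.34
        end
end
config system snmp user
    edit "monitor"
        set security-level auth-priv
        set auth-proto sha
        set priv-proto aes
    next
    edit "legacy"
    next
end
"""

if __name__ == "__main__":
    for where, setting, reason in audit(SAMPLE):
        print(f"{where}: {setting}: {reason}")
```

The community in the sample disables only v2c, as the SNMP_Com1 example above does, so the audit still reports the SNMPv1 query and trap settings that remain enabled by default.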

sql

Configure Structured Query Language (SQL) settings.

Syntax
config system sql
set background-rebuild {enable | disable}
set database-name <string>
set database-type <postgres>
set device-count-high {enable | disable}
set event-table-partition-time <integer>
set fct-table-partition-time <integer>
set logtype {none | app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan}
set password <passwd>
set prompt-sql-upgrade {enable | disable}
set rebuild-event {enable | disable}
set rebuild-event-start-time <hh:mm> <yyyy/mm/dd>
set reset {enable | disable}
set server <string>
set start-time <hh>:<mm> <yyyy>/<mm>/<dd>
set status {disable | local | remote}
set text-search-index {disable | enable}
set traffic-table-partition-time <integer>
set utm-table-partition-time <integer>
set username <string>
config custom-index
edit <id>
set device-type {FortiCache | FortiGate | FortiMail | FortiSandbox | FortiWeb}
set index-field <Field-Name>
set log-type <Log-Enter>
end
config ts-index-field
edit <category>
set <value> <string>
end


end
Variable Description

background-rebuild {enable | disable} Disable or enable rebuilding the SQL database in the background.

database-name <string> Remote SQL database name. Character limit: 64
Command only available when status is set to remote.

database-type <postgres> Database type. Command only available when status is set to local or remote.

device-count-high {enable | disable} You must set to enable if the count of registered devices is greater than 8000.
Caution: Enabling or disabling this command will result in an SQL database rebuild. The time required to rebuild the database is dependent on the size of the database. Please plan a maintenance window to complete the database rebuild. This operation will also result in a device reboot.

event-table-partition-time <integer> Maximum SQL database table partitioning time range in minutes for event logs. Range: 0 to 525600 (minutes). Enter 0 for unlimited

fct-table-partition-time <integer> Maximum SQL database table partitioning time range, in minutes, for FortiClient logs: 0 to 525600 (minutes), or 0 for unlimited.

logtype {none | app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan} Log type. Command only available when status is set to local or remote.

password <passwd> The password that the Fortinet unit will use to authenticate with the remote database. Command only available when status is set to remote.

prompt-sql-upgrade {enable | disable} Prompt to convert log database into SQL database at start time on GUI.

rebuild-event {enable | disable} Enable/disable a rebuild event during SQL database rebuilding. The following options are available:
• disable: Do not rebuild event during SQL database rebuilding.
• enable: Rebuild event during SQL database rebuilding.

rebuild-event-start-time <hh:mm> <yyyy/mm/dd> The rebuild event starting date and time.

reset {enable | disable} This command is hidden. The following options are available:
• disable: Do not resend logs to database.
• enable: Resend logs to database.

server <string> Set the database IP or hostname.

104 CLI Reference


Fortinet Technologies Inc.
sql system

Variable Description

start-time <hh>:<mm> Start date and time <hh:mm yyyy/mm/dd>. Command only available when
<yyyy>/<mm>/<dd> status is set to local or remote.

status {disable | local | remote} SQL database status. The following options are available:
l disable: Disable SQL database.
l local: Enable local database.
l remote: Enable remote database.

text-search-index {disable | Disable or enable the text search index. The following options are
enable} available:
l disable: Do not create text search index.
l enable: Create text search index.

traffic-table-partition-time Maximum SQL database table partitioning time range for traffic logs.
<integer> Range: 0 to 525 600 (minutes). Enter 0 for unlimited

utm-table-partition-time Maximum SQL database table partitioning time range in minutes for UTM
<integer> logs. Range: 0 to 525600 (minutes). Enter 0 for unlimited

username <string> The user name that the Fortinet unit will use to authenticate with the
remote database. Character limit: 64
Command only available when status is set to remote.

Subcommand variables

Variables for config custom-index subcommand:

device-type {FortiCache | FortiGate | FortiMail | FortiSandbox | FortiWeb} Set the device type. The following options are available:
• FortiCache: Set device type to FortiCache.
• FortiGate: Set device type to FortiGate.
• FortiMail: Set device type to FortiMail.
• FortiSandbox: Set device type to FortiSandbox.
• FortiWeb: Set device type to FortiWeb.

index-field <Field-Name> Enter a valid field name. Select one of the available field names. The available options for index-field are dependent on the device-type entry.

log-type <Log-Enter> Enter the log type. The available options for log-type are dependent on the device-type entry. Enter one of the available log types.
• FortiCache: N/A
• FortiGate: app-ctrl, content, dlp, emailfilter, event, netscan, traffic, virus, voip, webfilter
• FortiMail: emailfilter, event, history, virus
• FortiSandbox: N/A
• FortiWeb: attack, event, traffic


Variables for config ts-index-field subcommand:

<category> Category of the text search index fields. The following is the list of categories and their default fields. The following options are available:
• FGT-app-ctrl: user, group, srcip, dstip, dstport, service, app, action, status, hostname
• FGT-attack: severity, srcip, proto, user, attackname
• FGT-content: from, to, subject, action, srcip, dstip, hostname, status
• FGT-dlp: user, srcip, service, action, file
• FGT-emailfilter: user, srcip, from, to, subject
• FGT-event: subtype, ui, action, msg
• FGT-traffic: user, srcip, dstip, service, app, utmaction, utmevent
• FGT-virus: service, srcip, file, virus, user
• FGT-voip: action, user, src, dst, from, to
• FGT-webfilter: user, srcip, status, catdesc
• FGT-netscan: user, dstip, vuln, severity, os
• FML-emailfilter: client_name, dst_ip, from, to, subject
• FML-event: subtype, msg
• FML-history: classifier, disposition, from, to, client_name, direction, domain, virus
• FML-virus: src, msg, from, to
• FWB-attack: http_host, http_url, src, dst, msg, action
• FWB-event: ui, action, msg
• FWB-traffic: src, dst, service, http_method, msg

<value> Fields of the text search filter.

<string> Select one or more field names separated with a comma. The available field names are dependent on the category selected.

Use the show command to display the current configuration if it has been changed from its default value:
show system sql

syslog

Use this command to configure syslog servers.


Syntax
config system syslog
edit <name>
set ip <string>
set port <integer>
end
end
Variable Description

<name> Syslog server name.

ip <string> Enter the syslog server IPv4 address or hostname.

port <integer> Enter the syslog server port. Range: 1 to 65535

Use the show command to display the current configuration if it has been changed from its default value:
show system syslog

fmupdate

Use fmupdate to configure settings related to FortiGuard service updates and the FortiAnalyzer unit’s built-in
FortiGuard Distribution Server (FDS).

analyzer

analyzer virusreport
Use this command to enable or disable notification of virus detection to Fortinet.

Syntax
config fmupdate analyzer virusreport
set status {enable | disable}
end
Variables Description

status {enable | disable} Enable/disable sending virus detection notification to Fortinet. Default:
enable

Example
This example enables virus detection notifications to Fortinet.
config fmupdate analyzer virusreport
set status enable
end

av-ips

Use the following commands to configure antivirus settings.

av-ips advanced-log
Use this command to enable logging of FortiGuard Antivirus and IPS update packages received by the
FortiAnalyzer unit’s built-in FDS from the FortiGuard Distribution Network (FDN).

Syntax
config fmupdate av-ips advanced-log
set log-fortigate {enable | disable}
set log-server {enable | disable}
end


Variables Description

log-fortigate {enable | disable} Enable/disable logging of FortiGuard Antivirus and IPS service updates of
FortiGate devices. Default: disable

log-server {enable | disable} Enable/disable logging of update packages received by the built-in FDS
server. Default: disable

Example
Enable logging of FortiGuard Antivirus and IPS service updates of FortiGate devices and of update packages downloaded by the built-in FDS from the FDN.
config fmupdate av-ips advanced-log
set log-fortigate enable
set log-server enable
end

av-ips fct server-override


Use this command to override the default IP address and port that the built-in FDS contacts when requesting
FortiGuard Antivirus updates for FortiClient from the FDN.

Syntax
config fmupdate av-ips fct server-override
set status {enable | disable}
config servlist
edit <id>
set ip <ipv4_address>
set ip6 <ipv6_address>
set port <integer>
end
end
Variables Description

status {enable | disable} Enable/disable the override. Default: disable

Keywords and variables for config servlist subcommand:

<id> Override server ID. Range: 1 to 10

ip <ipv4_address> Enter the IPv4 address of the override server. Default: 0.0.0.0

ip6 <ipv6_address> Enter the IPv6 address of the override server.

port <integer> Enter the port number to use when contacting the FDN. Default: 443

Example
Configure the FortiAnalyzer unit’s built-in FDS to use a specific FDN server and a different port when retrieving
FortiGuard Antivirus updates for FortiClient from the FDN.


config fmupdate av-ips fct server-override


set status enable
config servlist
edit 1
set ip 192.168.25.152
set port 80
end
end

av-ips fgt server-override


Use this command to override the default IP address and port that the built-in FDS contacts when requesting
FortiGuard Antivirus and IPS updates for FortiGate units from the FDN.

Syntax
config fmupdate av-ips fgt server-override
set status {enable | disable}
config servlist
edit <id>
set ip <ipv4_address>
set ip6 <ipv6_address>
set port <integer>
end
end
Variables Description

status {enable | disable} Enable/disable the override. Default: disable

Keywords and variables for config servlist subcommand:

<id> Override server ID. Range: 1 to 10

ip <ipv4_address> Enter the IPv4 address of the override server. Default: 0.0.0.0

ip6 <ipv6_address> Enter the IPv6 address of the override server.

port <integer> Enter the port number to use when contacting the FDN.
Range: 1 to 65535
Default: 443

Example
You could configure the FortiAnalyzer unit’s built-in FDS to use a specific FDN server and a different port when
retrieving FortiGuard Antivirus and IPS updates for FortiGate units from the FDN.
config fmupdate av-ips fgt server-override
set status enable
config servlist
edit 1
set ip 172.27.152.144
set port 8890
end
end


av-ips push-override
Use this command to enable or disable push updates, and to override the default IP address and port to which the
FDN sends FortiGuard Antivirus and IPS push messages.

This is useful if push notifications must be sent to an IP address and/or port other than the FortiAnalyzer unit,
such as the external or virtual IP address of a NAT device that forwards traffic to the FortiAnalyzer unit.

Syntax
config fmupdate av-ips push-override
set ip <ipv4_address>
set ip6 <ipv6_address>
set port <recipientport_int>
set status {enable | disable}
end
Variables Description

ip <ipv4_address> Enter the external or virtual IPv4 address of the NAT device that will forward push messages to the FortiAnalyzer unit. Default: 0.0.0.0

ip6 <ipv6_address> Enter the external or virtual IPv6 address of the NAT device that will forward push messages to the FortiAnalyzer unit.

port <recipientport_int> Enter the receiving port number on the NAT device.
Range: 1 to 65535
Default: 9443

status {enable | disable} Enable/disable the push updates. Default: disable

Example
You could enable the FortiAnalyzer unit’s built-in FDS to receive push messages.

If there is a NAT device or firewall between the FortiAnalyzer unit and the FDN, you could also notify the FDN to
send push messages to the external IP address of the NAT device, instead of the FortiAnalyzer unit’s private
network IP address.
config fmupdate av-ips push-override
set status enable
set ip 172.16.124.135
set port 9000
end
You would then configure port forwarding on the NAT device, forwarding push messages received on UDP port
9000 to the FortiAnalyzer unit on UDP port 9443.

av-ips push-override-to-client
Use this command to enable or disable push updates, and to override the default IP address and port to which the
FDN sends FortiGuard Antivirus and IPS push messages.


This command is useful if push notifications must be sent to an IP address and/or port other than the
FortiAnalyzer unit, such as the external or virtual IP address of a NAT device that forwards traffic to the
FortiAnalyzer unit.

Syntax
config fmupdate av-ips push-override-to-client
set status {enable | disable}
config <announce-ip>
edit <id>
set ip <ipv4_address>
set ip6 <ipv6_address>
set port <recipientport_int>
end
end
Variables Description

status {enable | disable} Enable/disable the push updates. Default: disable

<announce-ip> Configure the IP information of the device.

<id> Edit the announce IP ID.

ip <ipv4_address> Enter the announce IPv4 address. Default: 0.0.0.0

ip6 <ipv6_address> Enter the announce IPv6 address.

port <recipientport_int> Enter the announce IP port.
Range: 1 to 65535
Default: 9443

av-ips update-schedule
Use this command to configure the built-in FDS to retrieve FortiGuard Antivirus and IPS updates at a specified
day and time.

Syntax
config fmupdate av-ips update-schedule
set frequency {every | daily | weekly}
set status {enable | disable}
set time <hh:mm>
end


Variables Description

frequency {every | daily | weekly} Enter to configure the frequency of the updates. The following options are available:
• every: Time interval.
• daily: Every day.
• weekly: Every week.
Default: every

status {enable | disable} Enable/disable regularly scheduled updates. Default: enable

time <hh:mm> Enter the time or interval when the update will begin. For example, if you
want to schedule an update every day at 6:00 PM, enter 18:00.
The time period format is the 24-hour clock: hh=0-23, mm=0-59. If the
minute is 60, the updates will begin at a random minute within the hour.
If the frequency is every, the time is interpreted as an hour and minute
interval, rather than a time of day.
Default: 01:60

Example
You could schedule the built-in FDS to request the latest FortiGuard Antivirus and IPS updates every five hours,
at a random minute within the hour.
config fmupdate av-ips update-schedule
set status enable
set frequency every
set time 05:60
end

av-ips web-proxy
Use this command to configure a web proxy if FortiGuard Antivirus and IPS updates must be retrieved through a
web proxy.

Syntax
config fmupdate av-ips web-proxy
set ip <ipv4_address>
set ip6 <ipv6_address>
set mode {proxy | tunnel}
set password <password>
set port <integer>
set status {enable | disable}
set username <username_string>
end
Variables Description

ip <ipv4_address> Enter the IPv4 address of the web proxy. Default: 0.0.0.0

ip6 <ipv6_address> Enter the IPv6 address of the web proxy.


mode {proxy | tunnel} Enter the web proxy mode. The following options are available:
• proxy: HTTP proxy.
• tunnel: HTTP tunnel.

password <password> If the web proxy requires authentication, enter the password for the user name.

port <integer> Enter the port number of the web proxy.
Range: 1 to 65535
Default: 80

status {enable | disable} Enable/disable connections through the web proxy. Default: disable

username <username_string> If the web proxy requires authentication, enter the user name.

Example
You could enable a connection through a non-transparent web proxy on an alternate port.
config fmupdate av-ips web-proxy
set status enable
set mode proxy
set ip 10.10.30.1
set port 8890
set username avipsupdater
set password cvhk3rf3u9jvsYU
end

device-version

Use this command to configure the correct firmware version of the device or devices connected or that will be
connecting to the FortiAnalyzer unit. You should verify what firmware version is currently running on the device
before using this command.

Syntax
config fmupdate device-version
set faz <firmware_version>
set fct <firmware_version>
set fgt <firmware_version>
set fml <firmware_version>
set fsa <firmware_version>
set fsw <firmware_version>
end


Variables Description

faz <firmware_version> Enter the FortiAnalyzer firmware version.
• 3.0: Support version 3.0
• 4.0: Support version 4.0
• 5.0: Support version 5.0
• 6.0: Support versions greater than 5.0

fct <firmware_version> Enter the FortiClient firmware version: 3.0, 4.0, 5.0, or 6.0.

fgt <firmware_version> Enter the correct firmware version that is currently running for FortiGate units: 3.0, 4.0, 5.0, or 6.0.

fml <firmware_version> Enter the correct firmware version that is currently running for the FortiMail units: 3.0, 4.0, 5.0, or 6.0.

fsa <firmware_version> Enter the correct firmware version that is currently running for the FortiSandbox units.
• 1.0: Support version 1.0
• 2.0: Support versions greater than 2.0

fsw <firmware_version> Enter the correct firmware version that is currently running for the FortiSwitch units: 3.0, 4.0, 5.0, or 6.0.

Example
In the following example, the FortiGate units, including FortiClient agents, are configured with the new firmware
version 4.0.
config fmupdate device-version
set fct 4.0
set fgt 4.0
end

disk-quota

Use this command to configure the disk space available for use by the Upgrade Manager.

If the Upgrade Manager disk space is full or if there is insufficient space to save an update package to disk, the
package will not download and an alert will be sent to notify you.

Syntax
config fmupdate disk-quota
set value <size_int>
end
Use value to set the size of the Upgrade Manager disk quota in MBytes. The default size is 10 MBytes. If you
set the disk-quota smaller than the size of an update package, the update package will not download and you will
get a disk full alert.


fct-services

Use this command to configure the built-in FDS to provide FortiGuard services to FortiClient installations.

Syntax
config fmupdate fct-services
set status {enable | disable}
set port <port_int>
end
Variables Description

status {enable | disable} Enable/disable built-in FDS service to FortiClient installations. Default:
enable

port <port_int> Enter the port number on which the built-in FDS should provide updates to
FortiClient installations.
Range: 1 to 65535
Default: 80

Example
You could configure the built-in FDS to accommodate older versions of FortiClient installations by providing
service on their required port.
config fmupdate fct-services
set status enable
set port 80
end

multilayer

Use this command for multilayer mode configuration.

Syntax
config fmupdate multilayer
set webspam-rating {disable | enable}
end
Variables Description

webspam-rating {disable | enable} Enable/disable URL/antispam rating service. Default: enable


publicnetwork

Use this command to enable access to the public FDS. If this function is disabled, the service packages, updates,
and license upgrades must be imported manually.

Syntax
config fmupdate publicnetwork
set status {disable | enable}
end
Variables Description

status {disable | enable} Enable/disable the publicnetwork. Default: enable

server-access-priorities

Use this command to configure how a FortiGate unit may download antivirus updates and request web filtering
services from multiple FortiAnalyzer units and private FDS servers.

By default, the FortiGate unit receives updates from the FortiAnalyzer unit if the FortiGate unit is managed by the FortiAnalyzer unit and the FortiGate unit was configured to receive updates from the FortiAnalyzer unit.

Syntax
config fmupdate server-access-priorities
set access-public {disable | enable}
set av-ips {disable | enable}
end
Variables Description

access-public {disable | enable} Disable to prevent FortiAnalyzer default connectivity to public FDS and FortiGuard servers. Default: enable

av-ips {disable | enable} Enable to allow the FortiGate unit to get antivirus updates from other FortiAnalyzer units or private FDS servers. The following options are available:
• disable: Disable setting.
• enable: Enable setting.
Default: disable

config private-server
Use this command to configure multiple FortiAnalyzer units and private servers.


Syntax
config fmupdate server-access-priorities
config private-server
edit <id>
set ip <ipv4_address>
set ip6 <ipv6_address>
set time_zone <integer>
end
end
Variables Description

<id> Enter a number to identify the FortiAnalyzer unit or private server.

ip <ipv4_address> Enter the IPv4 address of the FortiAnalyzer unit or private server.

ip6 <ipv6_address> Enter the IPv6 address of the FortiAnalyzer unit or private server.

time_zone <integer> Enter the correct time zone of the private server. Using -24 indicates that
the server is using the local time zone.

Example
The following example configures access to public FDS servers and allows FortiGate units to receive antivirus
updates from other FortiAnalyzer units and private FDS servers. This example also configures two private
servers.
config fmupdate server-access-priorities
set access-public enable
set av-ips enable
config private-server
edit 1
set ip 172.16.130.252
next
edit 2
set ip 172.31.145.201
end
end

server-override-status

Syntax
config fmupdate server-override-status
set mode {loose | strict}
end


Variables Description

mode {loose | strict} Set the server override mode. The following options are available:
• loose: Allow access to other servers.
• strict: Access the override server only.
Default: loose
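
The server-override entries and the override mode interact: servlist entries have documented ranges, and server-override-status decides whether servers outside the list may still be accessed. The following Python sketch is an added example, not Fortinet code; it parses text in the config/edit/set/next/end syntax and reports entries that break the documented ranges or leave the mode at loose. The sample configuration, the 172.27.152.145 entry and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the fgt server-override example from this page, plus one
# deliberately out-of-range entry and an explicit override mode.
SAMPLE = """\
config fmupdate av-ips fgt server-override
    set status enable
    config servlist
        edit 1
            set ip 172.27.152.144
            set port 8890
        next
        edit 11
            set ip 172.27.152.145
            set port 70000
    end
end
config fmupdate server-override-status
    set mode strict
end
"""

def new_node(kind):
    return {"kind": kind, "set": {}, "config": {}, "edit": {}}

def parse_config(text):
    """Parse config/edit/set/next/end CLI text into nested dicts."""
    root = new_node("root")
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        op, args = words[0], words[1:]
        if op == "edit" and stack[-1]["kind"] == "edit":
            stack.pop()                       # tolerate a missing 'next'
        top = stack[-1]
        if op == "config" and args:
            child = new_node("config")
            top["config"][" ".join(args)] = child
            stack.append(child)
        elif op == "edit" and args:
            child = new_node("edit")
            top["edit"][args[0]] = child
            stack.append(child)
        elif op == "set" and len(args) >= 2:
            top["set"][args[0]] = " ".join(args[1:])
        elif op == "next":
            if top["kind"] == "edit":
                stack.pop()
        elif op == "end":
            if top["kind"] == "edit":         # 'end' also closes the open entry
                stack.pop()
            if stack[-1]["kind"] != "config":
                raise ValueError(f"line {lineno}: 'end' without matching 'config'")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw.strip()!r}")
    if len(stack) != 1:
        raise ValueError("unterminated block: missing 'end'")
    return root

def audit_overrides(text):
    """Return (location, message) findings for fct/fgt server-override blocks."""
    cfg = parse_config(text)["config"]
    status = cfg.get("fmupdate server-override-status", new_node("config"))
    mode = status["set"].get("mode", "loose")          # documented default
    findings = []
    for kind in ("fct", "fgt"):
        name = f"fmupdate av-ips {kind} server-override"
        block = cfg.get(name)
        if block is None or block["set"].get("status", "disable") != "enable":
            continue                                   # override not in use
        servers = block["config"].get("servlist", new_node("config"))["edit"]
        if not servers:
            findings.append((name, "override enabled but servlist is empty"))
        for sid, entry in servers.items():
            where = f"{name} servlist {sid}"
            if not sid.isdigit() or not 1 <= int(sid) <= 10:
                findings.append((where, "id outside documented range 1 to 10"))
            ip, ip6 = entry["set"].get("ip", "0.0.0.0"), entry["set"].get("ip6")
            for value in filter(None, (ip, ip6)):
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    findings.append((where, f"invalid address {value}"))
            if ip == "0.0.0.0" and not ip6:
                findings.append((where, "no server address set (ip is default 0.0.0.0)"))
            port = entry["set"].get("port", "443")     # documented default
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                findings.append((where, f"port {port} outside 1 to 65535"))
            elif int(port) != 443:
                findings.append((where, f"port {port} differs from default 443"))
        if mode == "loose":
            findings.append((name, "mode is loose: servers other than the override list may still be accessed"))
    return findings

if __name__ == "__main__":
    for location, message in audit_overrides(SAMPLE):
        print(f"{location}: {message}")
```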

service

Use this command to enable or disable the services provided by the built-in FDS.

Syntax
config fmupdate service
set avips {enable | disable}
set use-cert {BIOS | FortiGuard}
end
Variables Description

avips {enable | disable} Enable/disable the built-in FDS to provide FortiGuard Antivirus and IPS
updates. Default: disable

use-cert {BIOS | FortiGuard} Choose local certificate. The following options are available:
• BIOS: Use default certificate in BIOS.
• FortiGuard: Use default certificate as FortiGuard.
Default: BIOS

Example
config fmupdate service
set avips enable
end

support-pre-fgt43

Use this command to allow support for FortiOS v4.2 and older.

Syntax
config fmupdate support-pre-fgt43
set status {enable | disable}
end
Variables Description

status {enable | disable} Enable/disable support for FortiOS v4.2 and older. Default: disable

execute

The execute commands perform immediate operations on the FortiAnalyzer unit. You can:

• Back up and restore the system settings, or reset the unit to factory settings.
• Set the unit date and time.
• Use ping to diagnose network problems.
• View the processes running on the FortiAnalyzer unit.
• Start and stop the FortiAnalyzer unit.
• Reset or shut down the FortiAnalyzer unit.

FortiAnalyzer commands and variables are case sensitive.

add-vm-license

Use this command to add a license to your FortiAnalyzer VM.

This command is only available on FortiAnalyzer VM models.

Syntax
execute add-vm-license <vmware license>
Variable Description

<vmware license> Enter the FortiAnalyzer VMware license string.

backup

Use the following commands to backup all settings or logs on your FortiAnalyzer.

backup all-settings
Backup the FortiAnalyzer unit settings to an FTP, SFTP, or SCP server.

When you back up the unit settings from the vdom_admin account, the backup file contains global settings and
the settings for each VDOM. When you back up the unit settings from a regular administrator account, the backup
file contains the global settings and only the settings for the VDOM to which the administrator belongs.

Syntax
execute backup all-settings ftp <ip> <string> <username> <password> <crptpassword>


execute backup all-settings sftp <ip> <string> <username> <password> <crptpassword>


execute backup all-settings scp <ip> <string> <username> <ssh-cert> <crptpassword>
Variable Description

<ip> Enter the FTP/SFTP/SCP server IP address.

<string> Enter the file name for the backup and if required, enter the path to where
the file will be backed up to on the backup server.

<username> Enter username to use to log on the backup server.

<password> Enter the password for the username on the backup server.

<ssh-cert> Enter the SSH certificate used for user authentication. This option is only available when selecting to backup to an SCP server.

<crptpassword> Enter an encryption key (password) to encrypt data. (optional)

backup logs
Backup device logs to an FTP, SFTP, or SCP server.

Syntax
execute backup logs <device name(s)| all> <service> <ipv4_address> <user_name_string>
<password> <directory>
Variable Description

<device name(s)| all> Enter the device name(s) separated by commas, or all for all devices.
Example: FWF40C3911000061

<service> Select the transfer protocol. The following options are available:
• ftp: Backup to FTP server.
• scp: Backup to SCP server.
• sftp: Backup to SFTP server.

<ipv4_address> Enter the server IPv4 address

<user_name_string> Enter the username on the server

<password> Enter the password, or '-' for none.

<directory> Enter the directory on the server, or press <Enter> for none.

backup logs-only
Backup device logs only to an FTP, SFTP, or SCP server.


Syntax
execute backup logs-only <device name(s)> <service> <ipv4_address> <user_name>
<password> <directory>
Variable Description

<device name(s)> Enter the device name(s) separated by commas, or all for all devices.
Example: FWF40C3911000061

<service> Select the transfer protocol. The following options are available:
• ftp: Backup to FTP server.
• scp: Backup to SCP server.
• sftp: Backup to SFTP server.

<ipv4_address> Enter the server IPv4 address

<user_name> Enter the username on the server

<password> Enter the password, or '-' for none.

<directory> Enter the directory on the server, or press <Enter> for none.

backup logs-rescue
Use this hidden command to backup logs regardless of the DVM database for emergency reasons. This
command will scan folders under /Storage/Logs/ for possible device logs to backup.

Syntax
execute backup logs-rescue <device serial number(s)> <service> <ipv4_address> <user_name> <password> <directory>
Variable Description

<device serial number(s)> Enter the device serial number(s) separated by commas, or all for all
devices. Example: FWF40C3911000061

<service> Select the transfer protocol. The following options are available:
• ftp: Backup to FTP server.
• scp: Backup to SCP server.
• sftp: Backup to SFTP server.

<ipv4_address> Enter the server IPv4 address

<user_name> Enter the username on the server

<password> Enter the password, or '-' for none.

<directory> Enter the directory on the server, or press <Enter> for none.


backup reports
Backup reports to an FTP, SFTP, or SCP server.

Syntax
execute backup reports <report schedule name(s)>/<report name pattern> <service> <ipv4_address> <user_name> <password> <directory>
Variable Description

<report schedule name(s)> Enter the report name(s) separated by commas, or all for all reports.

<report name pattern> Backup reports with names containing given pattern.
A '?' matches any single character.
A '*' matches any string, including the empty string, e.g.:
• foo: for exact match
• *foo: for report names ending with foo
• foo*: for report names starting with foo
• *foo*: for report names containing foo substring.

<service> Select the transfer protocol:
• ftp: Backup to FTP server.
• scp: Backup to SCP server.
• sftp: Backup to SFTP server.

<ipv4_address> Enter the server IP address

<user_name> Enter the username on the server

<password> Enter the password, or '-' for none.

<directory> Enter the directory on the server, or press <Enter> for none.

backup reports-config
Backup the report configuration to a specified server.

Syntax
execute backup reports-config {<adom_name> | all} <service> <ipv4_address> <user_name> <password> <directory>
Variable Description

{<adom_name> | all} Select to backup a specific ADOM or all ADOMs.


<service> Select the transfer protocol. The following options are available:
• ftp: Backup to FTP server.
• scp: Backup to SCP server.
• sftp: Backup to SFTP server.

<ipv4_address> Enter the server IPv4 address

<user_name> Enter the username on the server

<password> Enter the password, or '-' for none.

<directory> Enter the directory on the server, or press <Enter> for none.

bootimage

Set the image from which the FortiAnalyzer unit will boot the next time it is restarted.

Syntax
execute bootimage {primary | secondary}
Variable Description

{primary | secondary} Select to boot from either the primary or secondary partition.

If you do not specify primary or secondary, the command will report whether it last booted from the primary or
secondary boot image.

If your FortiAnalyzer unit does not have a secondary image, the bootimage command will inform you that option
is not available.

To reboot your FortiAnalyzer unit, use:
execute reboot

This command is only available on hardware-based FortiAnalyzer models.

certificate

Use these commands to manage certificates.

certificate ca
Use these commands to list CA certificates, and to import or export CA certificates.


Syntax
To list the CA certificates installed on the FortiAnalyzer unit:
execute certificate ca list
To export or import CA certificates:
execute certificate ca {<export>|<import>} <cert_name> <tftp_ip>
Variable Description

<export> Export CA certificate to TFTP server.

<import> Import CA certificate from a TFTP server.

list Generate a list of CA certificates on the FortiAnalyzer system.

<cert_name> Enter the name of the certificate.

<tftp_ip> Enter the IPv4 address of the TFTP server.

certificate local
Use these commands to list, import, export, and generate local certificates.

Syntax
To list the local certificates installed on the FortiAnalyzer unit:
execute certificate local list
To export or import local certificates:
execute certificate local {<export>|<import>} <cert_name> <tftp_ip>
To generate local certificates:
execute certificate local generate <certificate-name_str> <key_size> <subject>
<country> <state> <city> <org> <unit> <email>
Variable Description

<export> Export CA certificate to TFTP server.

<import> Import CA certificate from a TFTP server.

list Generate a list of CA certificates on the FortiAnalyzer system.

generate Generate a certificate request (X.509 certificate).

<cert_name> Enter the name of the certificate.

<tftp_ip> Enter the IPv4 address of the TFTP server.


<certificate-name_str> Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

<key_size> Enter 512, 1024, 1536 or 2048 for the size in bits of the encryption key (RSA key).

<subject> Enter one of the following pieces of information to identify the FortiAnalyzer unit being certified:
• the FortiAnalyzer unit IP address
• the fully qualified domain name of the FortiAnalyzer unit
• an email address that identifies the FortiAnalyzer unit
An IP address or domain name is preferable to an email address.

<country> Enter the country name, country code, or null for none.

<state> Enter the name of the state or province where the FortiAnalyzer unit is located.

<city> Enter the name of the city, or town, where the person or organization certifying the FortiAnalyzer unit resides.

<org> Enter the name of the organization that is requesting the certificate for the FortiAnalyzer unit.

<unit> Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiAnalyzer unit.

<email> Enter a contact e-mail address for the FortiAnalyzer unit.
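
The argument rules in the table above can be checked before the command is typed. The following Python helper is an added example, not part of the Fortinet reference; the 2048-bit policy floor, the double-quoting of values that contain spaces, and the function names are assumptions.

```python
import ipaddress
import re

KEY_SIZES = (512, 1024, 1536, 2048)      # sizes the reference accepts for <key_size>
MIN_KEY_SIZE = 2048                      # assumption: local policy floor, not a FortiAnalyzer limit
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # characters allowed in <certificate-name_str>
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
FQDN_RE = re.compile(
    r"(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def subject_kind(subject):
    """Classify <subject> as 'ip', 'fqdn' or 'email', the three forms the reference allows."""
    try:
        ipaddress.ip_address(subject)
        return "ip"
    except ValueError:
        pass
    if EMAIL_RE.fullmatch(subject):
        return "email"
    if FQDN_RE.fullmatch(subject):
        return "fqdn"
    raise ValueError(f"subject {subject!r} is not an IP address, FQDN or email address")


def cli_quote(value):
    """Assumption: an argument that contains spaces is wrapped in double quotes."""
    if not value or '"' in value:
        raise ValueError(f"unusable argument value: {value!r}")
    return f'"{value}"' if " " in value else value


def build_generate_command(name, key_size, subject, country, state, city, org, unit, email):
    """Return (command, warnings); raise ValueError when an argument breaks a rule."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("certificate name may contain only A-Z, a-z, 0-9, '-' and '_'")
    if key_size not in KEY_SIZES:
        raise ValueError(f"key size must be one of {KEY_SIZES}")
    if key_size < MIN_KEY_SIZE:
        # 512- and 1024-bit RSA keys are accepted by the command but are too weak to deploy.
        raise ValueError(f"{key_size}-bit RSA is below the {MIN_KEY_SIZE}-bit policy floor")
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("contact email is not a valid address")
    warnings = []
    if subject_kind(subject) == "email":
        warnings.append("subject is an email address; an IP address or domain name is preferable")
    # The reference accepts the literal null when no country is given.
    fields = [country if country else "null", state, city, org, unit]
    args = [name, str(key_size), subject] + [cli_quote(f) for f in fields] + [email]
    return "execute certificate local generate " + " ".join(args), warnings
```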

console

console baudrate
Use this command to get or set the console baudrate.

Syntax
execute console baudrate [9600 | 19200 | 38400 | 57600 | 115200]
If you do not specify a baudrate, the command returns the current baudrate. Setting the baudrate will disconnect
your console session.

Example
Get the baudrate:
execute console baudrate
The response is displayed:

current baud rate is: 9600

date

Get or set the FortiAnalyzer system date.

Syntax
execute date [<date_str>]
where

date_str has the form mm/dd/yyyy

- mm is the month and can be 1 to 12
- dd is the day of the month and can be 1 to 31
- yyyy is the year and can be 2001 to 2037
If you do not specify a date, the command returns the current system date.

Dates entered will be validated - mm and dd require one or two digits, and yyyy requires four digits. Entering
fewer digits will result in an error.

Example
This example sets the date to 29 September 2013:
execute date 9/29/2013

device

Use this command to change a device’s serial number when changing devices due to a hardware issue, or to
change a device’s password.

Syntax
To replace a device’s password:
execute device replace pw <name> <pw>
To change a device’s serial number:
execute device replace sn <name> <SN>
Variable Description


pw Replace the device password.

sn Replace the device serial number. Example: FWF40C3911000061

<name> Enter the name of the device.


<pw> Enter the new password for the new device.

<SN> Enter the new serial number for the new device. Example:
FWF40C3911000062

factory-license

Use this command to enter a factory license key. This command is hidden.

Syntax
execute factory-license <key>
Variable Description

<key> Enter the factory license key.

fmupdate

Import or export packages using the FTP, SCP, or TFTP servers, and import database files from a CD-ROM.

Syntax
execute fmupdate {ftp | scp | tftp} import <type> <remote_file> <ip> <port>
<remote_path> <user> <password>
execute fmupdate {ftp | scp | tftp} export <type> <remote_file> <ip> <port>
<remote_path> <user> <password>
execute fmupdate cdrom {import | list | mount | unmount} <type> <string>
Variables Description

{ftp | scp | tftp} Select the file transfer protocol to use: ftp, scp, or tftp.

<type> Select the type of file to export or import. The following options are available:
av-ips, fct-av, url, spam, file-query, license-fgt,
license-fct, custom-url, or domp.

<remote_file> Update manager packet file name on the server or host.

<ip> Enter the FQDN or the IP address of the server.

<port> Enter the port to connect to on the remote SCP host. Range: 1 to 65535

<remote_path> Enter the name of the directory of the file to download from the FTP server
or SCP host. If the directory name has spaces, use quotes instead.


<user> Enter the user name to log into the FTP server or SCP host

<password> Enter the password to log into the FTP server or SCP host

fmupdate cdrom
Import database files from a CD-ROM. The CD-ROM must be mounted first.

Syntax
execute fmupdate cdrom import <type> <string>
execute fmupdate cdrom list <folder>
execute fmupdate cdrom mount
execute fmupdate cdrom unmount
Variables Description

import Import database files.

<type> Set the packet type: url, spam, or file-query.

<string> The FortiGuard packet file name on the CD TFTP driver.

list List the packets in a specific folder.

<folder> The name of the folder to list.

mount Mount the CD-ROM.

unmount Unmount the CD-ROM.

format

Format the hard disk on the FortiAnalyzer system. You can select to perform a secure (deep-erase) format which
overwrites the hard disk with random data. You can also specify the number of times to erase the disks.

Syntax
execute format <disk | disk-ext3 | disk-ext4> <RAID level> deep-erase <erase-times>
When you run this command, you will be prompted to confirm the request.

Executing this command will erase all device settings/images, databases, and log
data on the FortiAnalyzer system’s hard drive. The FortiAnalyzer device’s IP address,
and routing information will be preserved.


Variable Description

<disk | disk-ext3 | disk-ext4> Select to format the hard disk or format the hard disk with ext3 or ext4 file
system.

deep-erase Overwrite the hard disk with random data. Selecting this option will take
longer than a standard format.

<erase-times> Number of times to overwrite the hard disk with random data.
Range: 1 to 35
Default: 1

<RAID level> Enter the RAID level to be set on the device. This option is only available
on FortiAnalyzer models that support RAID. Press the Enter key to show
available RAID levels.

log

Use the following commands to manage device logs.

log device disk_quota


Set the log device disk quota.

Syntax
execute log device disk_quota <device_id> <value>
Variable Description

<device_id> Enter the log device ID, or select All for all devices. Example:
FWF40C3911000061

<value> Enter the disk quota value in MB.

log device logstore


Use this command to view and edit log storage information.

Syntax
execute log device logstore clear <device_id>
execute log device logstore list
execute log device logstore move <source_device_id> <destination_device_id>
Variable Description

clear <device_id> Remove leftover log directory.


list List log storage directories.

move <source_device_id> <destination_device_id> Move HA member logs to the HA cluster log directory.

log device permissions


Use this command to view and set log device permissions.

Syntax
execute log device permissions <device_id> <permission> {enable | disable}
Variable Description

<device_id> Enter the log device ID, or select All for all devices. Example:
FWF40C3911000061

<permission> The following options are available:
- all: All permissions
- logs: Log permission
- content: Content permission
- quar: Quarantine permission
- ips: IPS permission

{enable | disable} Enable/disable permissions.

log dlp-files
Use this command to clear DLP log files on a specific log device.

Syntax
execute log dlp-files clear <device_name> <archive type>
Variable Description

<device_name> Enter the name of the log device. Example: FWF40C3911000061

<archive type> Enter the archive type, one of: all, email, im, ftp, ttp, or mms.

log import
Use this command to import log files from another device and replace the device ID on imported logs.


Syntax
execute log import <service> <ipv4_address> <user-name> <password> <file-name>
<device-id>
Variable Description

<service> Enter the transfer protocol, one of: ftp, sftp, scp, or tftp.

<ipv4_address> Enter the server IP address.

<user-name> Enter the username.

<password> Enter the password or ‘-’ for no password. The <password> field is not
required when <service> is tftp.

<file-name> The file name (e.g. dir/fgt.alog.log) or directory name (e.g. dir/subdir/).

<device-id> Replace the device ID on imported logs. Enter a device serial number of
one of your log devices. For example, FG100A2104400006.

log ips-pkt
Use this command to clear IPS packet logs on a specific log device.

Syntax
execute log ips-pkt clear <device_name>
Variable Description

<device_name> Enter the name of the log device.

log quarantine-files
Use this command to clear quarantine log files on a specific log device.

Syntax
execute log quarantine-files clear <device_name>
Variable Description

<device_name> Enter the name of the log device. Example: FWF40C3911000061

log-aggregation

Immediately upload the log to the server.


Syntax
execute log-aggregation <id>
where <id> is the client ID, or all for all clients.

log-integrity

Query the log file’s MD5 checksum and timestamp.

Syntax
execute log-integrity <device_name> <string>
Variable Description

<device_name> Enter the name of the log device. Example: FWF40C3911000061

<string> The log file name

lvm

With Logical Volume Manager (LVM), a FortiAnalyzer VM device can have up to twelve total log disks added to an
instance. More space can be added by adding another disk and running the LVM extend command.

This command is only available on FortiAnalyzer VM models.

Syntax
execute lvm extend <arg ...>
execute lvm info
execute lvm start
Variable Description

extend Extend the LVM logical volume.

info Get system LVM information.

start Start using LVM.

<arg ...> Argument list (0-11). Example: disk00.


ping

Send an Internet Control Message Protocol (ICMP) echo request (ping) to test the network connection between
the FortiAnalyzer system and another network device.

Syntax
execute ping {<ip> | <hostname>}
Variable Description

<ip> Enter the IP address of the network device to contact.

<hostname> Enter the DNS resolvable hostname of the network device to contact.

ping6

Send an ICMP echo request (ping) to test the network connection between the FortiAnalyzer system and another
network device.

Syntax
execute ping6 {<ip> | <hostname>}
Variable Description

<ip> Enter the IPv6 address of the network device to contact.

<hostname> Enter the DNS resolvable hostname of the network device to contact.

raid

This command allows you to add and delete RAID disks.

Syntax
execute raid add-disk <disk index>
execute raid delete-disk <disk index>
Variable Description

add-disk <disk index> Enables you to add a disk and give it a number.

delete-disk <disk index> Enables you to delete the selected disk.


reboot

Restart the FortiAnalyzer system. This command will disconnect all sessions on the FortiAnalyzer system.

remove

Use this command to remove reports for a specific device from the FortiAnalyzer system.

Syntax
execute remove reports <device-id>

reset

Use this command to reset the FortiAnalyzer unit to factory defaults. This command will disconnect all sessions
and restart the FortiAnalyzer unit.

Syntax
execute reset all-settings

reset-sqllog-transfer

Use this command to reset SQL logs to the database.

Syntax
execute reset-sqllog-transfer <enter>

restore

Use this command to:

- restore the configuration or database from a file
- change the FortiAnalyzer unit image
- restore device logs, DLP archives, and reports from specified servers.
This command will disconnect all sessions and restart the FortiAnalyzer unit.

restore all-settings
Restore all settings from an FTP, SFTP, or SCP server.


Syntax
execute restore all-settings {ftp | sftp} <ip> <string> <username> <password>
<crptpasswd> [option1+option2+...]
execute restore all-settings <scp> <ip> <string> <username> <ssh-cert> <crptpasswd>
[option1+option2+...]
Variable Description

all-settings Restore all FortiAnalyzer settings from a file on a FTP, SFTP, or SCP
server. The new settings replace the existing settings, including
administrator accounts and passwords.

{ftp | sftp} Select to restore from an FTP or SFTP server.

<scp> Select to restore from an SCP server.

<ip> Enter the IP address of the server to get the file from.

<string> Enter the file to get from the server. You can enter a path with the
filename, if required.

<username> Enter the username to log on to the SCP server.

<password> Enter the password for username on the FTP server.

<ssh-cert> Enter the SSH certificate used for user authentication on the SCP server.
This option is not available for restore operations from FTP and SFTP servers.

<crptpasswd> Enter the password to protect backup content. Use any for no password.
(optional)

[option1+option2+...] Select whether to keep IP, and routing info on the original unit.

restore image
Use this command to restore an image to the FortiAnalyzer.

Syntax
execute restore image ftp <filepath> <ip> <username> <password>
execute restore image tftp <string> <ip>
Variable Description

image Upload a firmware image from a TFTP server to the FortiAnalyzer unit. The
FortiAnalyzer unit reboots, loading the new firmware.

<filepath> Enter the file path on the FTP server.


<string> Enter the image file name on the TFTP server.

<ip> Enter the IP address of the server to get the file from.

<username> Enter the username to log on to the server. This option is not available for
restore operations from FTP servers.

<password> Enter the password for username on the FTP server. This option is not
available for restore operations from TFTP servers.

restore {logs | logs-only}


Use this command to restore logs and DLP archives from a specified server.

Syntax
execute restore logs <device name> <service> <ip> <user name> <password> <directory>
execute restore logs-only <device name> <service> <ip> <user name> <password>
<directory>
Variable Description

logs Restore device logs and DLP archives from a specified server.

logs-only Restore device logs from a specified server.

<device name> Device name or names, separated by commas, or all for all devices.
Example: FWF40C3911000061

<service> Select the transfer protocol. The following options are available: FTP,
SFTP, or SCP.

<ip> Enter the IP address of the server to get the file from.

<user name> Enter the username to log on to the SCP server. This option is not available
for restore operations from FTP servers.

<password> Enter the password for username on the FTP server. This option is not
available for restore operations from TFTP servers.

<directory> Enter the directory on the server.

restore reports
Use this command to restore reports from a specified server.


Syntax
execute restore reports {<report name> | all | <report name pattern>} <service> <ip>
<user name> <password> <directory>
Variable Description

reports Restore reports from a specified server.

{<report name> | all | <report name pattern>} Backup specific reports, all reports, or reports with names
containing given pattern.
A '?' matches any single character.
A '*' matches any string, including the empty string, e.g.:
- foo: for exact match
- *foo: for report names ending with foo
- foo*: for report names starting with foo
- *foo*: for report names containing foo substring.

<service> Select the transfer protocol. The following options are available: FTP,
SFTP, or SCP.

<ip> Enter the IP address of the server to get the file from.

<user name> Enter the username to log on to the SCP server. This option is not available
for restore operations from FTP servers.

<password> Enter the password for username on the FTP server. This option is not
available for restore operations from TFTP servers.

<directory> Enter the directory on the server.

restore reports-config
Use this command to restore a report configuration from a specified server.

Syntax
execute restore <reports-config> {<adom_name> | all} <service> <ip> <user name>
<password> <directory>
Variable Description

{<adom_name> | all} Select to backup a specific ADOM or all ADOMs.

<service> Select the transfer protocol. The following options are available: ftp,
sftp, scp.

<ip> Enter the server IP address

<user name> Enter the username on the server


<password> Enter the password, or '-' for none.

<directory> Enter the directory on the server, or press <Enter> for none.
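
Several commands above (fmupdate, log import, and the restore subcommands) take a transfer protocol and a password as positional arguments, and FTP and TFTP carry both the credentials and the file unencrypted. The following Python check is an added example, not part of the Fortinet reference: it flags those transports in a saved CLI transcript and masks the secrets, using token positions taken from the Syntax lines above; the sample transcript and all names in the code are constructed.

```python
import shlex

TRANSPORTS = {"ftp", "sftp", "scp", "tftp"}
CLEARTEXT = {"ftp", "tftp"}  # no transport encryption

# (command prefix, index of the protocol token, indexes of secret tokens).
# Indexes count whitespace-separated tokens, with "execute" as token 0,
# and follow the Syntax lines in this reference.
RULES = [
    (("execute", "fmupdate"), 2, (10,)),
    (("execute", "log", "import"), 3, (6,)),
    (("execute", "restore", "all-settings"), 3, (7, 8)),  # <password>, <crptpasswd>
    (("execute", "restore", "image"), 3, (7,)),
    (("execute", "restore", "logs"), 4, (7,)),
    (("execute", "restore", "logs-only"), 4, (7,)),
    (("execute", "restore", "reports"), 4, (7,)),
    (("execute", "restore", "reports-config"), 4, (7,)),
]

# Constructed sample transcript (addresses, names and passwords are made up).
SAMPLE = """\
execute restore all-settings ftp 192.0.2.10 backups/faz.dat admin S3cret! BackupKey
execute restore all-settings scp 192.0.2.10 backups/faz.dat admin faz-key BackupKey
execute restore image tftp FAZ-image.out 192.0.2.10
execute restore logs FWF40C3911000061 SFTP 192.0.2.10 admin S3cret! /logs
execute fmupdate cdrom mount
execute date 9/29/2013
"""


def audit_line(line):
    """Return (redacted_line, findings) for one CLI command line."""
    tokens = shlex.split(line)
    for prefix, svc_idx, secret_idxs in RULES:
        if tuple(tokens[:len(prefix)]) != prefix or len(tokens) <= svc_idx:
            continue
        service = tokens[svc_idx].lower()
        if service not in TRANSPORTS:      # e.g. "execute fmupdate cdrom ..."
            break
        findings = []
        if service in CLEARTEXT:
            findings.append(f"cleartext-transport:{service}")
        if service == "tftp":
            secret_idxs = ()               # TFTP has no login, so no password token
        elif service == "scp" and prefix[-1] == "all-settings":
            secret_idxs = (8,)             # token 7 is <ssh-cert>, not a password
        redacted = False
        for i in secret_idxs:
            if i < len(tokens) and tokens[i] != "-":   # "-" means no password
                tokens[i] = "****"
                redacted = True
        if redacted:
            findings.append("secret-on-command-line")
        return " ".join(f'"{t}"' if " " in t else t for t in tokens), findings
    return line, []


def audit_transcript(text):
    """Return [(line_number, redacted_line, findings)] for every non-empty line."""
    report = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line:
            redacted, findings = audit_line(line)
            report.append((number, redacted, findings))
    return report


if __name__ == "__main__":
    for number, redacted, findings in audit_transcript(SAMPLE):
        print(number, redacted, findings)
```

Store only the redacted lines in tickets or change records, and treat any password that appeared in a flagged FTP transfer as exposed on the network path.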

shutdown

Shut down the FortiAnalyzer system. This command will disconnect all sessions.

Syntax
execute shutdown

sql-local

Use this command to remove the SQL database and logs from the FortiAnalyzer system and to rebuild the
database and devices.

When rebuilding the SQL database, new logs will not be available until the rebuild is
complete. The time required to rebuild the database is dependent on the size of the
database. Please plan a maintenance window to complete the database rebuild. You
can use the diagnose sql status rebuild-db command to display the SQL
log database rebuild status.

sql-local rebuild-adom
Rebuild the log SQL database from log data for particular ADOMs.

Syntax
execute sql-local rebuild-adom <adom>
Variable Description

<adom> The ADOM name. Multiple ADOM names can be entered.

sql-local rebuild-db
Use this command to rebuild the entire local SQL database.

Syntax
execute sql-local <rebuild-db>


sql-local remove-db
Use this command to remove an entire local SQL database.

Syntax
execute sql-local remove-db

sql-local remove-logtype
Use this command to remove all log entries of the designated log type.

Syntax
execute sql-local remove-logtype <log type>
Variable Description

<log type> Enter the log type from available log types. Example: app-ctrl

sql-query-dataset

Use this command to execute a SQL dataset against the FortiAnalyzer system.

Syntax
execute sql-query-dataset <adom> <dataset-name> <device/group name> <faz/dev>
<start-time> <end-time>
Variable Description

<adom> Enter an ADOM name.

<dataset-name> Enter the dataset name.

<device/group name> Enter the name of the device. Example: FWF40C3911000061

<faz/dev> Enter the name of the FortiAnalyzer.

<start-time> Enter the log start time.

<end-time> Enter the log end time.

sql-query-generic

Use this command to execute a SQL statement against the FortiAnalyzer system.


Syntax
execute sql-query-generic <string>
Variable Description

<string> Enter the SQL statement to run.

sql-report

Use these commands to import and display language translation files and run a SQL report schedule once
against the FortiAnalyzer system.

Syntax
execute sql-report hcache-check <adom> <schedule-name> <start-time> <end-time>
execute sql-report import-lang <name> <service> <ip> <argument 1> <argument 2>
<argument 3>
execute sql-report list <adom> [days-range] [layout-name]
execute sql-report list-lang
execute sql-report list-schedule <adom>
execute sql-report run <adom> <schedule-name> <num-threads>
execute sql-report view <data-type> <adom> <report-name>
Variable Description

<name> Enter the new language name to import a new language translation file or
select one of the following options:
- English
- French
- Japanese
- Korean
- Portuguese
- Simplified_Chinese
- Spanish
- Traditional_Chinese

<service> Enter the transfer protocol. The following options are available:
- ftp: FTP service.
- sftp: SFTP service.
- scp: SCP service.
- tftp: TFTP service.

<ip> Server IP address.

<argument 1> For FTP, SFTP, or SCP, enter a user name. For TFTP, enter a file name.


<argument 2> For FTP, SFTP, or SCP, enter a password or ‘-’. For TFTP, press <enter>.

<argument 3> Enter a filename and press <enter>.

<adom> Specify the ADOM name.

<data-type> The data type to view. Must be report-data.

<report-name> The name of the report to view.

<schedule-name> One of the available SQL report schedule names.

<num-threads> The number of threads

<start-time> The start date and time of the report schedule, in the format:
"HH:MM yyyy/mm/dd"

<end-time> The end date and time of the report schedule, in the format:
"HH:MM yyyy/mm/dd"

[days-range] The recent n days to list reports, from 1 to 99.

[layout-name] One of the available SQL report layout names.

ssh

Use this command to establish an SSH session with another system.

Syntax
execute ssh <destination> <username>
Variable Description

<destination> Enter the IP address or the fully qualified, DNS-resolvable hostname of the
system you are connecting to.

<username> Enter the user name to use to log on to the remote system.

To leave the SSH session, type exit. To confirm you are connected or disconnected from the SSH session, verify
that the command prompt has changed.

ssh-known-hosts

Use this command to remove all known SSH hosts.


Syntax
execute ssh-known-hosts remove-all
execute ssh-known-hosts remove-host <host/ip>

tac

Use this command to run a TAC report.

Syntax
execute tac report <file_name>
Variable Description

<file_name> Optional output file name.

time

Get or set the system time.

Syntax
execute time [<time_str>]
where

time_str has the form hh:mm:ss

- hh is the hour and can be 00 to 23
- mm is the minutes and can be 00 to 59
- ss is the seconds and can be 00 to 59
All parts of the time are required. Single digits are allowed for each of hh, mm, and ss. If you do not specify a
time, the command returns the current system time.
execute time <enter>
current time is: 12:54:22

Example
This example sets the system time to 15:31:03:
execute time 15:31:03

top

Use this command to view the processes running on the FortiAnalyzer system.


Syntax
execute top

Help menu

Command Description

Z,B Global: 'Z' change color mappings; 'B' disable/enable bold

l,t,m Toggle Summaries: 'l' load average; 't' task/cpu statistics; 'm' memory information

1,I Toggle SMP view: '1' single/separate states; 'I' Irix/Solaris mode

f,o Fields/Columns: 'f' add or remove; 'o' change display order

F or O Select the sort field

<,> Move sort field: '<' next column left; '>' next column right

R,H Toggle: 'R' normal/reverse sort; 'H' show threads

c,i,S Toggle: 'c' command name/line; 'i' idle tasks; 'S' cumulative time

x,y Toggle highlights: 'x' sort field; 'y' running tasks

z,b Toggle: 'z' color/mono; 'b' bold/reverse (only if 'x' or 'y')

u Show specific user only

n or # Set maximum tasks displayed

k,r Manipulate tasks: 'k' kill; 'r' renice

d or s Set update interval

W Write configuration file

q Quit

traceroute

Test the connection between the FortiAnalyzer system and another network device, and display information
about the network hops between the device and the FortiAnalyzer system.

Syntax
execute traceroute <host>


Variable Description

<host> Enter the IP address or hostname of the network device.

traceroute6

Test the connection between the FortiAnalyzer system and another network device, and display information
about the network hops between the device and the FortiAnalyzer system.

Syntax
execute traceroute6 <host>
Variable Description

<host> Enter the IPv6 address or hostname of the network device.

diagnose

The diagnose commands display diagnostic information that helps you to troubleshoot problems.

Commands and variables are case sensitive.

auto-delete

Use this command to view and configure auto-deletion settings.

Syntax
diagnose auto-delete dlp-files {list | delete-now}
diagnose auto-delete log-files {list | delete-now}
diagnose auto-delete quar-files {list | delete-now}
diagnose auto-delete report-files {list | delete-now}
Variable Description

dlp-files {list | delete-now} View and configure auto-deletion of DLP files. The following options are
available:
- delete-now: Delete DLP files right now according to system automatic deletion policy.
- list: List DLP files according to system automatic deletion policy.

log-files {list | delete-now} View and configure auto-deletion of log files. The following options are
available:
- delete-now: Delete log files right now according to system automatic deletion policy.
- list: List log files according to system automatic deletion policy.

quar-files {list | delete-now} View and configure auto-deletion of quarantined files. The following
options are available:
- delete-now: Delete quarantine files right now according to system automatic deletion policy.
- list: List quarantine files according to system automatic deletion policy.

report-files {list | delete-now} View and configure auto-deletion of report files. The following options are
available:
- list: List report files according to system automatic deletion policy.
- delete-now: Delete report files right now according to system automatic deletion policy.


cdb check

Use this command to check the object configuration database integrity, the global policy assignment table, and
repair configuration database.

Syntax
diagnose cdb check objcfg-integrity
diagnose cdb check policy-assignment
diagnose cdb check reference-integrity
diagnose cdb check update-devinfo <item> <new value> {0 | 1} <model-name>
Variable Description

objcfg-integrity Check object configuration database integrity.

policy-assignment Check the global policy assignment table.

reference-integrity Check the ADOM reference table integrity.

update-devinfo Update device information by directly changing the database.

<item> Device info item.

<new value> Item new value. Default sump summary only.

{0 | 1} The following options are available:
- 0: default only update empty value (0)
- 1: always update

<model-name> Only update on model name. Default: all models

debug

Use the following commands to debug the FortiAnalyzer.

debug application
Use this command to set the debug levels for the FortiAnalyzer applications.

Syntax
diagnose debug application alertmail <integer>
diagnose debug application curl <integer>
diagnose debug application dmapi <integer>
diagnose debug application dns <integer>
diagnose debug application fazcfgd <integer>
diagnose debug application fazmaild <integer>


diagnose debug application fazsvcd <integer>


diagnose debug application fgdsvr <integer>
diagnose debug application fgdupd <integer>
diagnose debug application fnbam <integer>
diagnose debug application fortilogd <integer>
diagnose debug application fortimanagerws <integer>
diagnose debug application gui <integer>
diagnose debug application ipsec <integer>
diagnose debug application localmod <integer>
diagnose debug application log-aggregate <integer>
diagnose debug application logd <integer>
diagnose debug application logfiled <integer>
diagnose debug application lrm <integer>
diagnose debug application ntpd <integer>
diagnose debug application oftpd <integer> <IP/deviceSerial/deviceName>
diagnose debug application snmpd <integer>
diagnose debug application sql_dashboard_rpt <integer>
diagnose debug application sql-integration <integer>
diagnose debug application sqllogd <integer>
diagnose debug application sqlplugind <integer>
diagnose debug application sqlrptcached <integer>
diagnose debug application ssh <integer>
diagnose debug application sshd <integer>
diagnose debug application storaged <integer>
diagnose debug application uploadd <integer>
diagnose debug application vmtools <integer>
Variable Description Default

alertmail <integer> Set the debug level of the alert email daemon. 0

curl <integer> This command is not in use.

dmapi <integer> Set the debug level of the dmapi daemon. 0

dns <integer> Set the debug level of DNS daemon.

fazcfgd <integer> Set the debug level of the fazcfgd daemon. 0

fazmaild <integer> Set the debug level of the fazmaild daemon.

fazsvcd <integer> Set the debug level of the fazsvcd daemon. 0

fgdsvr <integer> Set the debug level of the FortiGuard query daemon. 0

fgdupd <integer> Set the debug level of the FortiGuard update daemon. 0

fnbam <integer> Set the debug level of the Fortinet authentication module. 0

fortilogd <integer> Set the debug level of the fortilogd daemon. 0

fortimanagerws <integer> Set the debug level of the FortiAnalyzer Web Service. 0


gui <integer> Set the debug level of the Web-based Manager. 0

ipsec <integer> Set the debug level of the IPsec daemon. 0

localmod <integer> Set the debug level of the localmod daemon. 0

log-aggregate <integer> Set the debug level of the log aggregate daemon. 0

logd <integer> Set the debug level of the log daemon. 0

logfiled <integer> Set the debug level of the logfiled daemon. 0

lrm <integer> Set the debug level of the Log and Report Manager. 0

ntpd <integer> Set the debug level of the Network Time Protocol (NTP) daemon. 0

oftpd <integer> <IP/deviceSerial/deviceName> Set the debug level of the oftpd daemon. 0

snmpd <integer> Set the debug level of the SNMP daemon from 0-8. 0

sql_dashboard_rpt <integer> Set the debug level of the SQL dashboard report daemon. 0

sql-integration <integer> Set the debug level of SQL applications. 0

sqllogd <integer> Set the debug level of SQL log daemon.

sqlplugind <integer> Set the debug level of the SQL plugin daemon. 0

sqlrptcached <integer> Set the debug level of the SQL report caching daemon. 0

ssh <integer> Set the debug level of SSH protocol transactions. 0

sshd <integer> Set the debug level of the SSH daemon.

storaged <integer> Set the debug level of communication with java clients. 0

uploadd <integer> Set the debug level of the upload daemon. 0

vmtools <integer> Set the debug level for vmtools. 0

Example
This example shows how to set the debug level to 7 for the upload daemon:
diagnose debug application uploadd 7


debug cli
Use this command to set the debug level of CLI.

Syntax
diagnose debug cli <integer>
Variable Description Default

<integer> Set the debug level of the CLI. Range: 0 to 8 3

debug console
Use this command to enable or disable console debugging.

Syntax
diagnose debug console {enable | disable}
Variable Description

{enable | disable} Enable/disable console debugging. The following options are available:
- disable: Disable console debug output.
- enable: Enable console debug output.

debug crashlog
Use this command to clear the debug crash log.

Syntax
diagnose debug crashlog clear
Variable Description

clear Clear the crash log.

debug disable
Use this command to disable debugging.

Syntax
diagnose debug disable

debug enable
Use this command to enable debugging.


Syntax
diagnose debug enable

debug info
Use this command to show active debug level settings.

Syntax
diagnose debug info
Variable Description

info Show active debug level settings.

debug reset
Use this command to reset the debug level settings.

Syntax
diagnose debug reset

debug service
Use this command to debug service daemons.

Syntax
diagnose debug service cdb <integer>
diagnose debug service cmdb <integer>
diagnose debug service dvmcmd <integer>
diagnose debug service dvmdb <integer>
diagnose debug service fazconf <integer>
diagnose debug service main <integer>
diagnose debug service sys <integer>
diagnose debug service task <integer>
Variable Description

<integer> Debug level.

debug sysinfo
Use this command to show system information.

Syntax
diagnose debug sysinfo


Variable Description

sysinfo Show system information.

debug sysinfo-log
Use this command to generate one system info log file every 2 minutes.

Syntax
diagnose debug sysinfo-log {on | off}
Variable Description

sysinfo-log {on | off} Enable to generate one system info log file every 2 minutes.

debug sysinfo-log-backup
Use this command to backup all sysinfo log files to an FTP server.

Syntax
diagnose debug sysinfo-log-backup <ip> <string> <username> <password>
Variable Description

sysinfo-log-backup Show system information.

<ip> Enter the FTP server IP address.

<string> Enter the path/filename to save the log to the FTP server.

<username> Enter the user name on the FTP server.

<password> Enter the password associated with the user name.

debug sysinfo-log-list
Use this command to display system info elogs.

Syntax
diagnose debug sysinfo
Variable Description

sysinfo Show system information.

debug timestamp
Use this command to enable or disable debug timestamp.

Syntax
diagnose debug timestamp {enable | disable}
Variable Description

{enable | disable} Enable/disable debug timestamp.

debug vminfo
Use this command to show FortiAnalyzer VM license information.

Syntax
diagnose debug vminfo

dlp-archives

Use this command to manage the DLP archives.

Syntax
diagnose dlp-archives quar-cache list-all-process
diagnose dlp-archives quar-cache kill-process <pid>
diagnose dlp-archives rebuild-quar-db
diagnose dlp-archives remove
diagnose dlp-archives statistics {show | flush}
diagnose dlp-archives status
diagnose dlp-archives upgrade
Variable Description

quar-cache list-all-process List all processes that are using the quarantine cache.

quar-cache kill-process <pid> Kill a process that is using the quarantine cache.

rebuild-quar-db Rebuild Quarantine Cache DB

remove Remove all upgrading DLP archives.

statistics {show | flush} Display or flush the quarantined and DLP archived file statistics. The following options are available:
• flush: Flush quarantined and DLP archived file statistics.
• show: Display quarantined and DLP archived file statistics.

status Running status.

upgrade Upgrade the DLP archives.

dvm

Use the following commands for DVM related settings.

dvm adom
Use this command to list ADOMs.

Syntax
diagnose dvm adom list
Variable Description

list List the ADOMs configured on the FortiAnalyzer.

dvm chassis
Use this command to list chassis.

Syntax
diagnose dvm chassis list
Variable Description

list List chassis.

dvm check-integrity
Use this command to check the DVM database integrity.

Syntax
diagnose dvm check-integrity

dvm debug
Use this command to enable or disable debug channels.

Syntax
diagnose dvm debug enable <channel>
diagnose dvm debug disable <channel>

Variable Description

enable <channel> Select to enable debug channel including: all, dvm_db, dvm_dev,
shelfmgr, ipmi, lib, dvmcmd, dvmcore, gui, monitor.

disable <channel> Select to disable debug channel including: all, dvm_db, dvm_dev,
shelfmgr, ipmi, lib, dvmcmd, dvmcore, gui, monitor.

dvm device
Use this command to list devices or objects referencing a device.

Syntax
diagnose dvm device dynobj <device> <cli>
diagnose dvm device list <device> <vdom>
diagnose dvm device delete <adom> <device>
Variable Description

dynobj <device> <cli> List dynamic objects on this device.


For <device>, enter the name of the device displayed in the diagnose dvm device list command.
Optionally, use 1 for <cli> to display the CLI configuration.

list <device> <vdom> List devices and VDOMs that are currently managed by the FortiAnalyzer.
This command displays the following information: type, OID, SN, HA, IP,
name, ADOM, and firmware.

delete <adom> <device> Delete devices.

dvm device-tree-update
Use this command to enable or disable device tree automatic updates.

Syntax
diagnose dvm device-tree-update {enable | disable}
Variable Description

{enable | disable} Enable/disable DVM device tree autoupdates.

dvm extender
Use these commands to list FortiExtender devices and synchronize FortiExtender data via JSON.

Syntax
diagnose dvm extender list
diagnose dvm extender sync-extender-data <device>
diagnose dvm extender get-extender-modem-ip <device> <id>

Variable Description

list List FortiExtender devices.

sync-extender-data Synchronize FortiExtender data by JSON.

get-extender-modem-ip Get the FortiExtender modem IPv4 address by JSON.

<device> Enter the device name.

<id> Enter the FortiExtender ID.

dvm group
Use this command to list groups.

Syntax
diagnose dvm group list
Variable Description

list List groups.

dvm lock
Use this command to print the DVM lock states.

Syntax
diagnose dvm lock

dvm proc
Use this command to list DVM processes.

Syntax
diagnose dvm proc list
Variable Description

list List DVM process (dvmcmd) information.

dvm task
Use this command to repair or reset the task database.

Syntax
diagnose dvm task list <adom> <type>
diagnose dvm task repair
diagnose dvm task reset
Variable Description

list <adom> <type> List the task database.
• ADOM filter options: all, global, adom
• Type filter options: all, type

repair Repair the task database while preserving existing data where possible.
The FortiAnalyzer will reboot after the repairs.

reset Reset the task database to its factory default state. All existing tasks and
the task history will be erased. The FortiAnalyzer will reboot after the reset.

dvm transaction-flag
Use this command to edit or display DVM transaction flags.

Syntax
diagnose dvm transaction-flag {abort | debug | none}
Variable Description

transaction-flag {abort | debug | none} DVM transaction flag options: abort, debug, and none.

dvm workflow
Use this command to edit or display workflow information.

Syntax
diagnose dvm workflow log-list <ADOM_name> <workflow_session_ID>
diagnose dvm workflow session-list <ADOM_name>

fmnetwork

Use the following commands for network related settings.

fmnetwork arp
Use this command to manage ARP.

Syntax
diagnose fmnetwork arp del <intf-name> <ip>
diagnose fmnetwork arp list

Variable Description

del <intf-name> <ip> Delete an ARP entry.

list List ARP entries.

fmnetwork interface
Use this command to view interface information.

Syntax
diagnose fmnetwork interface detail <portX>
diagnose fmnetwork interface list <portx>
Variable Description

detail <portX> View a specific interface’s details. This command displays the following
information: status, speed, and duplex.

list <portx> List all interface details, or enter <portx> to display information for a specific interface.

fmnetwork netstat
Use this command to view network statistics.

Syntax
diagnose fmnetwork netstat list [-r]
diagnose fmnetwork netstat tcp [-r]
diagnose fmnetwork netstat udp [-r]
Variable Description

list [-r] List all connections, or use -r to list only resolved IP addresses.

tcp [-r] List all TCP connections, or use -r to list only resolved IP addresses.

udp [-r] List all UDP connections, or use -r to list only resolved IP addresses.

fmupdate

Use these commands to diagnose update services.

Syntax
diagnose fmupdate add-device <serial> <ip> <firmware> <build>
diagnose fmupdate deldevice {fct | fds | fgd | fgc} <serial> <uid>
diagnose fmupdate dellog
diagnose fmupdate fct-configure
diagnose fmupdate fct-dbcontract
diagnose fmupdate fct-delserverlist
diagnose fmupdate fct-getobject
diagnose fmupdate fct-serverlist
diagnose fmupdate fct-update-status
diagnose fmupdate fct-updatenow
diagnose fmupdate fds-configure
diagnose fmupdate fds-dbcontract
diagnose fmupdate fds-delserverlist
diagnose fmupdate fds-dump-breg
diagnose fmupdate fds-dump-srul
diagnose fmupdate fds-getobject
diagnose fmupdate fds-serverlist
diagnose fmupdate fds-service-info
diagnose fmupdate fds-update-status
diagnose fmupdate fds-updatenow
diagnose fmupdate fgc-configure
diagnose fmupdate fgc-delserverlist
diagnose fmupdate fgc-serverlist
diagnose fmupdate fgc-update-status
diagnose fmupdate fgt-del-statistics
diagnose fmupdate fgt-del-um-db
diagnose fmupdate fmg-statistic-info
diagnose fmupdate fortitoken {seriallist | add | del} {add | del | required}
diagnose fmupdate getdevice {fct | fds | fgd | fgc} <serial>
diagnose fmupdate service-restart <string>
diagnose fmupdate show-bandwidth <type> <time_period>
diagnose fmupdate show-dev-obj <string>
diagnose fmupdate view-linkd-log <string>
diagnose fmupdate vm-license
Variables Description

add-device <serial> <ip> <firmware> <build> Add an unregistered device. The build number is optional.

deldevice {fct | fds | fgd | fgc} <serial> <uid> Delete a device. The UID applies only to FortiClient devices.

dellog Delete log for FDS/FortiGuard update events.

fct-configure Dump the FortiClient running configuration.

fct-dbcontract Dump the FortiClient subscriber contract.

fct-delserverlist Dump the FortiClient server list file fdni.dat.

fct-getobject Get the version of all FortiClient objects.

fct-serverlist Dump the FortiClient server list.

fct-update-status Display the FortiClient update status.


fct-updatenow Update the FortiClient AV/IPS immediately.

fds-configure Dump the FDS running configuration.

fds-dbcontract Dump the FDS subscriber contract

fds-delserverlist Delete the FDS server list file fdni.dat.

fds-dump-breg Dump the FDS beta serial numbers.

fds-dump-srul Dump the FDS select filtering rules.

fds-getobject Get the version of all FortiGate objects.

fds-serverlist Dump the FDS server list.

fds-service-info Display FDS service information.

fds-update-status Display the FDS update status.

fds-updatenow Update the FortiGate AV/IPS immediately.

fgc-configure Dump FGC running config.

fgc-delserverlist Delete FGC server list file fdni.dat.

fgc-serverlist Dump FGC server list.

fgc-update-status Display FGC update status.

fgt-del-statistics Remove all statistics (AV/IPS and web filter / antispam). This command
requires a reboot.

fgt-del-um-db Remove UM and UM-GUI databases. This command requires a reboot.

fmg-statistic-info Display statistic information for FortiAnalyzer and Java Client.

fortitoken {seriallist | add | del} {add | del | required} FortiToken related operations.

getdevice {fct | fds | fgd | fgc} <serial> Get device information.

service-restart <string> Restart the linkd service. The string value includes the type [fct|fds|fgd|fgc].

show-bandwidth <type> <time_period> Display the download bandwidth. The type value includes [fct|fds|fgd|fgc]. The time_period value includes [1h|6h|12h|24|7d|30d].


show-dev-obj <string> Display the object versions of a device. The string is the serial number of the device (optional).

view-linkd-log <string> View the linkd log file. The string value includes the type [fct|fds|fgd|fgc].

vm-license Dump the FortiGate VM license.

Example
To view antispam server statistics for the past seven days, enter the following:
diagnose fmupdate fgd-asserver_stat 7d
The command returns information like this:
Server Statistics
Total Spam Look-ups: 47
Total # Spam: 21(45%)
Total # Non-spam:26(55%)
Estimated bandwidth usage:17MB

fortilogd

Use this command to view FortiLog daemon information.

Syntax
diagnose fortilogd msgrate
diagnose fortilogd msgrate-device
diagnose fortilogd msgrate-total
diagnose fortilogd msgrate-type
diagnose fortilogd msgstat <flush>
diagnose fortilogd lograte
diagnose fortilogd status
Variable Description

msgrate Display log message rate.

msgrate-device Display log message rate devices.

msgrate-total Display log message rate totals.

msgrate-type Display log message rate types.

msgstat <flush> Display or flush log message statuses.

lograte Display the log rate.

status Running status.

Example
This is an example of the output of diagnose fortilogd status:
fortilogd is starting
config socket OK
cmdb socket OK
cmdb register log.device OK
cmdb register log.settings OK
log socket OK
reliable log socket OK

hardware

Use this command to view hardware information. This command provides comprehensive system information
including: CPU, memory, disk, and RAID information.

Syntax
diagnose hardware info

log

Use the following command for log related settings.

log device
Use this command to view device log usage.

Syntax
diagnose log device

pm2

Use these commands to check the integrity of the database.

Syntax
diagnose pm2 check-integrity db-category {all | adom | device | global | ips | task | ncmdb}
diagnose pm2 print <log-type>

Variable Description

db-category {all | adom | device | global | ips | task | ncmdb} Check the integrity of the database. Multiple database categories can be selected.

<log-type> Print the database log messages.

report

Use this command to check the SQL database.

Syntax
diagnose report clean
diagnose report status {pending | running}
Variable Description

clean Clean up the SQL report queue.

status {pending | running} Check status information for the pending or running reports list.

sniffer

Use this command to perform a packet trace on one or more network interfaces.

Packet capture, also known as sniffing, records some or all of the packets seen by a network interface. By
recording packets, you can trace connection states to the exact point at which they fail, which may help you to
diagnose some types of problems that are otherwise difficult to detect.

FortiAnalyzer units have a built-in sniffer. Packet capture on FortiAnalyzer units is similar to that of FortiGate
units. Packet capture is displayed on the CLI, which you may be able to save to a file for later analysis, depending
on your CLI client.

Packet capture output is printed to your CLI display until you stop it by pressing CTRL + C, or until it reaches the
number of packets that you have specified to capture.

Packet capture can be very resource intensive. To minimize the performance impact
on your FortiAnalyzer unit, use packet capture only during periods of minimal traffic,
with a serial console CLI connection rather than a Telnet or SSH CLI connection, and
be sure to stop the command when you are finished.

Syntax
diagnose sniffer packet <interface> <filter> <verbose> <count> <Timestamp_format>

Variable Description

<interface> Type the name of a network interface whose packets you want to capture,
such as port1, or type any to capture packets on all network interfaces.

<filter> Type either none to capture all packets, or type a filter that specifies which
protocols and port numbers you do or do not want to capture, such as
'tcp port 25'. Surround the filter string in quotes.
The filter uses the following syntax:
'[[src|dst] host {<host1_fqdn> | <host1_ipv4>}]
[and|or] [[src|dst] host {<host2_fqdn> | <host2_ipv4>}]
[and|or] [[arp|ip|gre|esp|udp|tcp] port <port1_int>]
[and|or] [[arp|ip|gre|esp|udp|tcp] port <port2_int>]'
To display only the traffic between two hosts, specify the IP addresses of
both hosts. To display only forward or only reply packets, indicate which
host is the source, and which is the destination.
For example, to display UDP port 1812 traffic between 1.example.com and
either 2.example.com or 3.example.com, you would enter:
'udp and port 1812 and src host 1.example.com and dst \( 2.example.com or 3.example.com \)'

<verbose> Type one of the following numbers indicating the depth of packet headers
and payloads to capture:
• 1: print header of packets (default)
• 2: print header and data from ip of packets
• 3: print header and data from ethernet of packets (if available)
• 4: print header of packets with interface name
• 5: print header and data from ip of packets with interface name
• 6: print header and data from ethernet of packets (if available) with intf name
For troubleshooting purposes, Fortinet Technical Support may request the
most verbose level (3).
Default: 1

<count> Type the number of packets to capture before stopping.
If you do not specify a number, the command will continue to capture packets until you press Control + C.

<Timestamp_format> Type the timestamp format.
• a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
• l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
• otherwise: relative to the start of sniffing, ss.ms

Example
The following example captures the first three packets’ worth of traffic, of any port number or protocol and
between any source and destination (a filter of none), that passes through the network interface named port1.
The capture uses a low level of verbosity (indicated by 1).

Commands that you would type are highlighted in bold; responses from the Fortinet unit are not in bold.
FortiAnalyzer# diag sniffer packet port1 none 1 3

interfaces=[port1]
filters=[none]
0.918957 192.168.0.1.36701 -> 192.168.0.2.22: ack 2598697710
0.919024 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697710 ack 2587945850
0.919061 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697826 ack 2587945850
If you are familiar with the TCP protocol, you may notice that the packets are from the middle of a TCP
connection. Because port 22 is used (highlighted above in bold), which is the standard port number for SSH, the
packets might be from an SSH session.

Example
The following example captures traffic on TCP port 80 (typically HTTP) between two hosts, 192.168.0.1
and 192.168.0.2. The capture uses a low level of verbosity (indicated by 1). Because the filter does not specify
either host as the source or destination in the IP header (src or dst), the sniffer captures both forward and reply
traffic.

A specific number of packets to capture is not specified. As a result, the packet capture continues until the
administrator presses CTRL + C. The sniffer then confirms that five packets were seen by that network interface.

Commands that you would type are highlighted in bold; responses from the Fortinet unit are not in bold.
FortiAnalyzer# diag sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' 1
192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590
192.168.0.1.80 -> 192.168.0.2.3625: syn 3291168205 ack 2057246591
192.168.0.2.3625 -> 192.168.0.1.80: ack 3291168206
192.168.0.2.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206
192.168.0.1.80 -> 192.168.0.2.3625: ack 2057247265
5 packets received by filter
0 packets dropped by kernel

Example
The following example captures all TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of
its source or destination IP address. The capture uses a high level of verbosity (indicated by 3).

A specific number of packets to capture is not specified. As a result, the packet capture continues until the
administrator presses CTRL + C. The sniffer then confirms that five packets were seen by that network interface.

Verbose output can be very long. As a result, output shown below is truncated after only one packet.

Commands that you would type are highlighted in bold; responses from the Fortinet unit are not in bold.
FortiAnalyzer # diag sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............
0x0040 86bb 0000 0000 0103 0303 ..........
Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain
text file using your CLI client. Saving the output provides several advantages. Packets can arrive more rapidly
than you may be able to read them in the buffer of your CLI display, and many protocols transfer data using
encodings other than US-ASCII. It is usually preferable to analyze the output by loading it into a network
protocol analyzer application such as Wireshark (http://www.wireshark.org/).

For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output. Methods may vary.
See the documentation for your CLI client.

Requirements

• terminal emulation software such as PuTTY
• a plain text editor such as Notepad
• a Perl interpreter
• network protocol analyzer software such as Wireshark

To view packet capture output using PuTTY and Wireshark:

1. On your management computer, start PuTTY.


2. Use PuTTY to connect to the Fortinet appliance using either a local serial console, SSH, or Telnet connection.
3. Type the packet capture command, such as:
diagnose sniffer packet port1 'tcp port 541' 3 100
but do not press Enter yet.

4. In the upper left corner of the window, click the PuTTY icon to open its drop-down menu, then select
Change Settings.
A dialog appears where you can configure PuTTY to save output to a plain text file.

5. In the Category tree on the left, go to Session > Logging.


6. In Session logging, select Printable output.
7. In Log file name, click the Browse button, then choose a directory path and file name such as
C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. (You do not
need to save it with the .log file extension.)
8. Click Apply.
9. Press Enter to send the CLI command to the FortiMail unit, beginning packet capture.
10. If you have not specified a number of packets to capture, when you have captured all packets that you want to
analyze, press CTRL + C to stop the capture.
11. Close the PuTTY window.
12. Open the packet capture file using a plain text editor such as Notepad.
13. Delete the first and last lines, which look like this:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015-04-08.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
Fortinet-2000 #
These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you
do not delete them, they could interfere with the script in the next step.

14. Convert the plain text file to a format recognizable by your network protocol analyzer application.
You can convert the plain text file to a format (.pcap) recognizable by Wireshark using the fgt2eth.pl Perl
script. To download fgt2eth.pl, see the Fortinet Knowledge Base article Using the FortiOS built-in packet
sniffer.

The fgt2eth.pl script is provided as-is, without any implied warranty or technical
support, and requires that you first install a Perl module compatible with your
operating system.

To use fgt2eth.pl, open a command prompt, then enter a command such as the following:

fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap


where:

• fgt2eth.pl is the name of the conversion script; include the path relative to the current directory, which is
indicated by the command prompt
• packet_capture.txt is the name of the packet capture’s output file; include the directory path relative to
your current directory
• packet_capture.pcap is the name of the conversion script’s output file; include the directory path relative
to your current directory where you want the converted output to be saved
15. Open the converted file in your network protocol analyzer application. For further instructions, see the
documentation for that application.
For additional information on packet capture, see the Fortinet Knowledge Base article Using the FortiOS
built-in packet sniffer.
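
The verbose level 3 output from the TCP port 443 example above can also be checked directly from the saved text file before it is converted. The following Python script is an added example, not part of the Fortinet documentation or the fgt2eth.pl script; the function names are hypothetical, and it assumes level 3 output (Ethernet header present) with the default relative timestamps.

```python
"""Decode text output of `diagnose sniffer packet <if> <filter> 3` (added example)."""
import re
import socket
import struct

# Summary line in the default relative-timestamp format (assumption: the
# absolute formats selected with `a` or `l` are not handled here).
HEADER_RE = re.compile(r"^(\d+\.\d+) (\S+) -> (\S+): (.+)$")
# Dump line: 0x-prefixed offset, up to eight hex groups, then an ASCII column.
DUMP_RE = re.compile(r"^0x([0-9a-f]{4})\s+(.*)$")
HEX_GROUP_RE = re.compile(r"^(?:[0-9a-f]{2}){1,2}$")
TCP_FLAGS = [(0x01, "fin"), (0x02, "syn"), (0x04, "rst"),
             (0x08, "psh"), (0x10, "ack"), (0x20, "urg")]

# Packet lines copied from the port 443 example in this section, wrapped in a
# PuTTY banner and prompt lines like those the procedure says to delete.
SAMPLE = """\
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015-04-08.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiAnalyzer # diag sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............
0x0040 86bb 0000 0000 0103 0303 ..........
Fortinet-2000 #
"""


def parse_capture(text):
    """Return one dict per packet; banner, prompt and status lines are skipped."""
    packets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"time": float(m.group(1)), "src": m.group(2),
                       "dst": m.group(3), "summary": m.group(4),
                       "frame": bytearray()}
            packets.append(current)
            continue
        m = DUMP_RE.match(line)
        if m and current is not None:
            # A gap in offsets means the log lost lines (scrollback, paging).
            if int(m.group(1), 16) != len(current["frame"]):
                raise ValueError("hex dump offset gap at t=%s" % current["time"])
            # At most eight groups are data; a short final line could be
            # misread if its ASCII column happened to look like a hex group.
            for tok in m.group(2).split()[:8]:
                if not HEX_GROUP_RE.match(tok):
                    break
                current["frame"] += bytes.fromhex(tok)
    return packets


def decode_frame(frame):
    """Decode the Ethernet, IPv4 and TCP headers of one level 3 frame."""
    frame = bytes(frame)
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"eth_dst": frame[0:6].hex(":"), "eth_src": frame[6:12].hex(":"),
            "ethertype": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return info  # not IPv4, or too short to hold an IPv4 header
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    info.update(ip_src=socket.inet_ntoa(frame[26:30]),
                ip_dst=socket.inet_ntoa(frame[30:34]),
                ip_proto=frame[23], ip_total_len=total_len,
                truncated=len(frame) < 14 + total_len)
    tcp = frame[14 + ihl:]
    if frame[23] == 6 and len(tcp) >= 20:
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        info.update(sport=sport, dport=dport, seq=seq,
                    flags=[name for bit, name in TCP_FLAGS if off_flags & bit])
    return info


if __name__ == "__main__":
    for pkt in parse_capture(SAMPLE):
        print(pkt["time"], pkt["summary"], decode_frame(pkt["frame"]))
```

For the documentation sample, the frame decodes to 209.87.254.222:50242 -> 172.22.14.216:443 with only SYN set and sequence number 761714898, so the addresses in the hex bytes differ from those on the sample's summary line.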

sql

Use this command to diagnose the SQL database.

Syntax
diagnose sql config auto-cache-delay [set <integer>]
diagnose sql config debug-filter set <string>
diagnose sql config debug-filter test <string>
diagnose sql config deferred-index-timespan set <string>
diagnose sql config top-dev set [{log-thres | num-max}] <integer>
diagnose sql gui-rpt-shm <list-all>
diagnose sql gui-rpt-shm clear <number>
diagnose sql process list full
diagnose sql process kill <pid>
diagnose sql rebuild-report-hcache <start-time> <end-time>
diagnose sql remove hcache <device-id>
diagnose sql remove query-cache
diagnose sql remove tmp-table
diagnose sql show {db-size | hcache-size | log-filters | log-stfile}
diagnose sql show log-filters
diagnose sql show log-stfile <device-id>
diagnose sql status {rebuild-adom <adom> | rebuild-db | run_sql_rpt | sqlplugind | sqlreportd | sql_hcache_chk}
diagnose sql upload <ftp_host_ip> <ftp_directory> <ftp_user_name> <ftp_password>
Variable Description

auto-cache-delay [set <integer>] Show or set the auto-cache delay, in seconds.

debug-filter set <string> Set the sqlplugin debug filter.

debug-filter test <string> Test the sqlplugin debug filter.


deferred-index-timespan set <string> Set the time span for the deferred index.

config top-dev set [{log-thres | num-max}] <integer> Set the SQL plugin top devices settings. The following options are available:
• log-thres: Log threshold of top devices.
• num-max: Maximum number of top devices. Select a number between 0 and 1000.

gui-rpt-shm <list-all> List all asynchronous GUI report shared memory slot information.

gui-rpt-shm clear <number> Clear asynchronous GUI report shared memory slot information.

process list full List running query processes.

process kill <pid> Kill a running query.

rebuild-report-hcache <start-time> <end-time> Rebuild hcache for report. Enter the start time/end time in the format “yyyy-mm-dd hh:mm:ss”.

remove hcache <device-id> Remove the hcache tables created for the SQL report.

remove query-cache Remove the SQL query cache for log search.

remove tmp-table Remove the SQL database temporary tables.

show {db-size | hcache-size | log-filters | log-stfile} Show the database, hcache size, log filters, or log status file. The following options are available:
• db-size: Show database size.
• hcache-size: Show hcache size.
• log-filters: Show log view searching filters.
• log-stfile: Show logstatus file.

show log-filters Show log view searching filters.

show log-stfile <device-id> Show the log status file.

status {rebuild-adom <adom> | rebuild-db | run-sql-rpt | sqlplugind | sqlreportd | sql-hcache-chk} The following options are available:
• rebuild-adom: Show SQL log database rebuild status of ADOMs.
• rebuild-db: Show SQL log database rebuild status.
• run-sql-rpt: Show run_sql_rpt status.
• sqlplugind: Show sqlplugind status.
• sqlreportd: Show sqlreportd status.
• sql-hcache-chk: Show report hcache check status.


upload <ftp_host_ip> <ftp_directory> <ftp_user_name> <ftp_password> Upload sqlplugind messages / pgsvr logs via FTP.

system

Use the following commands for system related settings.

system admin-session
Use this command to view login session information.

Syntax
diagnose system admin-session list
diagnose system admin-session status
diagnose system admin-session kill
Variable Description

list List login sessions.

status Show the current session.

kill Kill a current session.

system disk
Use this command to view disk diagnostic information.

Syntax
diagnose system disk attributes
diagnose system disk disable
diagnose system disk enable
diagnose system disk health
diagnose system disk info
diagnose system disk errors
Variable Description

attributes Show vendor specific SMART attributes.

disable Disable SMART support.

enable Enable SMART support.


health Show the SMART health status.

info Show the SMART information.

errors Show the SMART error logs.

system export
Use this command to export logs.

Syntax
diagnose system export crashlog <server> <user> <password> <directory> <filename>
diagnose system export dminstallog <devid> <server> <user> <password> <directory> <filename>
diagnose system export fmwslog {sftp | ftp} <type> <(s)ftp server> <username> <password> <directory> <filename>
diagnose system export umlog {sftp | ftp} <type> <(s)ftp server> <username> <password> <directory> <filename>
diagnose system export upgradelog <ftp server> <username> <password> <directory> <filename>
Variable Description

crashlog <server> <user> <password> <directory> <filename> Export the crash log.

dminstallog <devid> <server> <user> <password> <directory> <filename> Export deployment manager install log.

fmwslog {sftp | ftp} <type> <(s)ftp server> <username> <password> <directory> <filename> Export the FortiAnalyzer Web Service log files to an SFTP or FTP server.
The type options are: SENT, RECV, TEST.

umlog {sftp | ftp} <type> <(s)ftp server> <username> <password> <directory> <filename> Export the update manager and firmware manager log files.
The type options are: fdslinkd, fctlinkd, fgdlinkd, usvr, update, service, misc, umad, and fwmlinkd.

upgradelog <ftp server> <username> <password> <directory> <filename> Export the upgrade error log.

system flash
Use this command to diagnose the flash memory.

Syntax
diagnose system flash list
Variable Description

list List flash images. This command displays the following information: image
name, version, total size (KB), used (KB), percent used, boot image, and
running image.

system fsck
Use this command to check and repair the file system, and to reset the disk mount count.

Syntax
diagnose system fsck harddisk
diagnose system fsck reset-mount-count
Variable Description

harddisk Check and repair the file system, then reboot the system.

reset-mount-count Reset the mount-count of the disk.

system geoip
Use this command to list geo IPv4 information.

Syntax
diagnose system geoip info
diagnose system geoip dump
diagnose system geoip <ipv4_address>
Variable Description

info Display brief geo IP information.

dump Display all geo IP information.

<ipv4_address> Find the IP’s country.

system ntp
Use this command to list NTP server information.

Syntax
diagnose system ntp status

Variable Description

status List NTP servers’ information.

system print
Use this command to print server information.

Syntax
diagnose system print certificate
diagnose system print cpuinfo
diagnose system print df
diagnose system print hosts
diagnose system print interface <interface>
diagnose system print loadavg
diagnose system print netstat
diagnose system print partitions
diagnose system print route
diagnose system print rtcache
diagnose system print slabinfo
diagnose system print sockets
diagnose system print uptime
Variable Description

certificate Print the IPsec certificate.

cpuinfo Print the CPU information.


This command includes the following: processor, vendor ID, CPU family,
model, model name, stepping, CPU MHz, cache size, physical ID, sibling,

df Print the file system disk space usage.


This command displays the following information: file system, 1K-blocks,
used, available, percent used, mounted on.

hosts Print the static table lookup for host names.

interface <interface> Print the information of the interface.


This command displays the following information: status, speed, duplex,
supported ports, auto-negotiation, advertised link modes, and advertised
auto-negotiation.

loadavg Print the average load of the system.

netstat Print the network statistics for active Internet connections (servers and
established).
This command displays the following information: protocol, local address,
foreign address, and state.

partitions Print the partition information of the system.


route Print the main route list.


This command displays the following information: destination, gateway,
gateway mask, flags, metric, reference, use, and interface.

rtcache Print the contents of the routing cache.

slabinfo Print the slab allocator statistics.

sockets Print the currently used socket ports.


This command displays the following information: number, protocol, and
port.

uptime Print how long the system has been running.

system process
Use this command to view and kill processes.

Syntax
diagnose system process kill -<signal> <pid>
diagnose system process killall <module>
diagnose system process list
Variable Description

kill -<signal> <pid> Kill a process with the given signal, for example -9 or -KILL.

killall <module> Kill all the related processes.

list List all processes running on the FortiAnalyzer. This command displays the
PID, UID, stat, and command.

system raid
Use this command to view RAID information.

Syntax
diagnose system raid alarms
diagnose system raid hwinfo
diagnose system raid status
Variable Description

alarms Show RAID alarm logs.

hwinfo Show RAID controller hardware information.


status Show RAID status. This command displays the following information: RAID
level, RAID status, RAID size, and hard disk information.

system route
Use this command to diagnose routes.

Syntax
diagnose system route list
Variable Description

list List all routes. This command displays the following information: destination
IP, gateway IP, netmask, flags, metric, reference, use, and interface.

system route6
Use this command to diagnose IPv6 routes.

Syntax
diagnose system route6 list
Variable Description

list List all IPv6 routes. This command displays the following information: destination
IP, gateway IP, interface, metric, and priority.

test

Use the following commands to test the FortiAnalyzer.

test application
Use this command to test application daemons. Leave the integer value blank to see the available options for
each command.

Syntax
diagnose test application fazautormd <integer>
diagnose test application fazcfgd <integer>
diagnose test application fazmaild <integer>
diagnose test application fazsvcg <integer>
diagnose test application fortilogd <integer>
diagnose test application logfiled <integer>
diagnose test application miglogd <integer>
diagnose test application oftpd <integer>
diagnose test application snmpd <integer>
diagnose test application sqllogd <integer>
diagnose test application sqlrptcached <integer>
Variable Description

fazautormd <integer> Autodelete Daemon Test Usage:
• 1: show PID
• 2: show statistics
• 3: show processing device
• 99: restart daemon

fazcfgd <integer> Config Daemon Test Usage:
• 1: show PID
• 2: show statistics
• 50: test get app icon
• 51: test download app logo files
• 52: dvm call stats
• 53: dvm call stats clear
• 54: check ips/app meta-data update
• 55: log disk readahead get
• 56: log disk readahead toggle
• 99: restart daemon

fazmaild <integer> Fazmail Daemon test.

fazsvcg <integer> Service Daemon Test Usage:
• 1: show PID
• 2: list async search threads
• 3: dump async search slot info
• 4: show cache builder stats
• 5: dump cache builder playlist
• 6: dump log search filters
• 50: enable or disable cache builder
• 60: rawlog idx cache test
• 51: enable or disable auto custom index
• 99: restart daemon


fortilogd <integer> Fortilogd Diag Test Usage:
• 0: usage information
• 1: show fortilogd pid
• 2: dump message status
• 3: logstat status test
• 4: log forwarding status
• 5: client devices status
• 6: print log received
• 10: pdfv2 debug enable/disable
• 99: restart fortilogd

logfiled <integer> Logfile Daemon Test Usage:
• 1: show PID
• 2: show statistics and state
• 90: reset statistics and state
• 99: restart daemon

miglogd <integer> Miglogd Daemon Test Usage:
• 1: show PID
• 2: dump memory pool
• 99: restart daemon

oftpd <integer> Oftpd Daemon Test Usage:
• 1: show PID
• 2: show statistics and state
• 3: show connected device name and IP
• 4: show detailed session state
• 5: show oftp request statistics
• 6: show cmdb device cache
• 99: restart daemon

snmpd <integer> SNMP Daemon Test Usage:
• 1: display daemon pid
• 2: display snmp statistics
• 3: clear snmp statistics
• 4: generate test trap (cpu high)
• 5: generate test traps (log alert, rate, data rate)
• 6: generate test traps (licensed gb/day, device quota)
• 99: restart daemon


sqllogd <integer> SqlLog Daemon Test Usage:
• 1: show PID
• 2: show statistics and state
• 3: show worker init state
• 4: show worker thread info
• 5: show log device scan info, optionally filter by <devid>
• 6: worker control setting
• 7: show ADOM device list by <adom-name>
• 8: show dev to sID bitmap
• 41: show worker 1 info
• 42: show worker 2 info
• 43: show worker 3 info
• 44: show worker 4 info
• 45: show worker 5 info
• 70: show SQL database building progress
• 80: show daemon status flags
• 82: show IPsec up tunnels
• 84: show all unreg logdevs
• 90: reset statistics and state
• 91: backup all log status files
• 99: restart daemon
• 200: log based alert tests
• 201: utmref cache tests
• 221: estimated browsing time stats
• 222: estimated browsing time cleanup
• 223: estimated browsing time debug on/off

sqlrptcached <integer> Sqlrptcache Daemon Test Usage:
• 1: show PID
• 2: show statistics and state
• 3: reset statistics and state
• 99: restart daemon

test connection
Test the connection to the mail server and syslog server.

Syntax
diagnose test connection fortianalyzer <ip>
diagnose test connection mailserver <server-name> <mail-from> <mail-to>
diagnose test connection syslogserver <server-name>


Variable Description

fortianalyzer <ip> Test the connection to the FortiAnalyzer.

mailserver <server-name> <mail-from> <mail-to> Test the connection to the mail server.

syslogserver <server-name> Test the connection to the syslog server.

test sftp
Use this command to test the secure file transfer protocol (SFTP).

Syntax
diagnose test sftp auth <sftp server> <username> <password> <directory>
Variable Description

<sftp server> SFTP server IP address.

<username> SFTP server username.

<password> SFTP server password.

<directory> The directory variable represents the directory on the SFTP server where
you want to put the file. The default directory is "/".

upload

Use the following commands for upload related settings:

• upload clear
• upload force-retry
• upload status

upload clear
Use this command to clear the upload request.

Syntax
diagnose upload clear all
diagnose upload clear failed
Variable Description

all Clear all upload requests.

failed Clear the failed upload requests.


upload force-retry
Use this command to retry the last failed upload request.

Syntax
diagnose upload force-retry

upload status
Use this command to get the running status on files in the upload queue.

Syntax
diagnose upload status

vpn

Use this command to flush SAD entries and list tunnel information.

Syntax
diagnose vpn tunnel flush-SAD
diagnose vpn tunnel list
Variable Description

flush-SAD Flush the SAD entries.

list List tunnel information.

get

The get commands display a part of your FortiAnalyzer unit’s configuration in the form of a list of settings and
their values.

Although not explicitly shown in this section, for all config commands there are
related get and show commands that display that part of the configuration. get and
show commands use the same syntax as their related config command, unless otherwise
specified.

Commands and variables are case sensitive.

The get command displays all settings, even if they are still in their default state.

Unlike the show command, get requires that the object or table whose settings you want to display is
specified, unless the command is being used from within an object or table.

For example, at the root prompt, this command would be valid:
get system status
and this command would not:
get

system admin

Use these commands to view admin configuration.

Syntax
get system admin group <group name>
get system admin ldap <server entry name>
get system admin profile <profile ID>
get system admin radius <server entry name>
get system admin setting
get system admin tacacs <server entry name>
get system admin user <username>

Example
This example shows the output for get system admin setting:
access-banner : disable
admin_server_cert : server.crt
allow_register : disable
auto-update : enable
banner-message : (null)
chassis-mgmt : disable
chassis-update-interval: 15
demo-mode : disable
device_sync_status : enable
http_port : 80
https_port : 443
idle_timeout : 480
install-ifpolicy-only: disable
mgmt-addr : (null)
mgmt-fqdn : (null)
offline_mode : disable
register_passwd : *
show-add-multiple : enable
show-adom-central-nat-policies: disable
show-adom-devman : enable
show-adom-dos-policies: disable
show-adom-dynamic-objects: enable
show-adom-icap-policies: enable
show-adom-implicit-policy: enable
show-adom-ipv6-settings: enable
show-adom-policy-consistency-button: disable
show-adom-rtmlog : disable
show-adom-sniffer-policies: disable
show-adom-taskmon-button: enable
show-adom-terminal-button: disable
show-adom-voip-policies: enable
show-adom-vpnman : enable
show-adom-web-portal: disable
show-device-import-export: enable
show-foc-settings : enable
show-fortimail-settings: disable
show-fsw-settings : enable
show-global-object-settings: enable
show-global-policy-settings: enable
show_automatic_script: disable
show_grouping_script: disable
show_tcl_script : disable
unreg_dev_opt : add_allow_service
webadmin_language : auto_detect

system aggregation-client

Use this command to view log aggregation settings.

Syntax
get system aggregation-client <id>

Example
This example shows the output for get system aggregation-client:
id : 1
mode : realtime
fwd-facility : local7
fwd-log-source-ip : local_ip
fwd-min-level : information
fwd-remote-server : fortianalyzer
server-ip : 1.1.11.1

system aggregation-service

Use this command to view log aggregation service settings.

Syntax
get system aggregation-service

Example
This example shows the output for get system aggregation-service:
accept-aggregation : enable
aggregation-disk-quota: 1234
password : *

system alert-console

Use this command to view the alert console settings.

Syntax
get system alert-console

Example
This example shows the output for get system alert-console:
period : 7
severity-level : information

system alert-event

Use this command to view alert event settings.

Syntax
get system alert-event <alert name>

Example
This example shows the output for get system alert-event Test:
name : Test
alert-destination:
== 1 ==
enable-generic-text : enable
enable-severity-filter: enable
event-time-period : 0.5
generic-text : Test
num-events : 1
severity-filter : medium-low
severity-level-comp : =
severity-level-logs : information

system alertemail

Use this command to view alertemail settings.

Syntax
get system alertemail

Example
This example shows the output for get system alertemail:
authentication : enable
fromaddress : (null)
fromname : (null)
smtppassword : *
smtpport : 25
smtpserver : (null)
smtpuser : (null)

system auto-delete

Use this command to view automatic deletion policies for logs, reports, archived and quarantined files.

Syntax
get system auto-delete

system backup

Use the following commands to view backups:

Syntax
get system backup all-settings
get system backup status

Example
This example shows the output for get system backup status:
All-Settings Backup
Last Backup: Tue Jan 15 16:55:35 2013
Next Backup: N/A


system certificate

Use these commands to view certificate configuration.

Syntax
get system certificate ca <certificate name>
get system certificate crl <crl name>
get system certificate local <certificate name>
get system certificate oftp <certificate name>
get system certificate ssh <certificate name>

Example
This example shows the output for get system certificate CA Fortinet_CA:
name : Fortinet_CA
ca :
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate
Authority, CN = support, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate
Authority, CN = support, emailAddress = support@fortinet.com
Valid from: 2000-04-09 01:25:49 GMT
Valid to: 2038-01-19 03:14:07 GMT
Fingerprint:
Root CA: Yes
Version: 3
Serial Num:
00
Extensions:
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:TRUE
comment : Default CA certificate

system dns

Use this command to view DNS settings.

Syntax
get system dns

Example
This example shows the output for get system dns:
primary : 208.91.112.53
secondary : 208.91.112.63


system fips

Use this command to view FIPS settings.

Syntax
get system fips

Example
This example shows the output for get system fips:
fortitrng : enable
re-seed-interval : 1440

system global

Use this command to view global system settings.

Syntax
get system global

Example
This example shows the output for get system global:
admin-https-pki-required: disable
admin-lockout-duration: 60
admin-lockout-threshold: 3
admin-maintainer : enable
admintimeout : 5
adom-mode : advanced
adom-status : enable
auto-register-device: enable
backup-compression : normal
backup-to-subfolders: disable
clt-cert-req : disable
console-output : standard
daylightsavetime : enable
default-disk-quota : 1000
enc-algorithm : low
hostname : FortiAnalyzer-4000B
language : english
ldapconntimeout : 60000
log-checksum : md5-auth
log-mode : analyzer
max-concurrent-users: 20
max-running-reports : 1
pre-login-banner : disable
remoteauthtimeout : 10
ssl-low-encryption : enable
swapmem : enable
timezone : (GMT-8:00) Pacific Time (US & Canada).
webservice-support-sslv3: disable

system interface

Use these commands to view interface configuration and status.

Syntax
get system interface
get system interface <interface name>

Examples
This example shows the output for get system interface:
name Interface name.
port1 up 172.16.81.60 255.255.255.0 auto
port2 up 192.168.2.99 255.255.255.0 auto
port3 up 192.168.3.99 255.255.255.0 auto
port4 up 192.168.4.99 255.255.255.0 auto
port5 up 192.168.5.99 255.255.255.0 auto
port6 up 192.168.6.99 255.255.255.0 auto
This example shows the output for get system interface port1:
name : port1
status : up
ip : 172.16.81.60 255.255.255.0
allowaccess : ping https ssh telnet http webservice aggregator
serviceaccess :
speed : auto
description : (null)
alias : (null)
ipv6:
ip6-address: ::/0 ip6-allowaccess:
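
Added example (not part of the FortiAnalyzer documentation): a parser for the "key : value" output printed by the get commands in this chapter, applied to lines taken from the get system global and get system interface port1 examples above. The function names and the deny-list of setting values are assumptions of this example, not a Fortinet baseline.

```python
"""Parse FortiAnalyzer `get` output and flag settings on a small deny-list."""

# Constructed sample input: lines copied from the `get system global` and
# `get system interface port1` example outputs on this page.
GLOBAL_OUTPUT = """\
admin-lockout-duration: 60
admin-lockout-threshold: 3
admintimeout : 5
enc-algorithm : low
hostname : FortiAnalyzer-4000B
ssl-low-encryption : enable
timezone : (GMT-8:00) Pacific Time (US & Canada).
webservice-support-sslv3: disable
"""

INTERFACE_OUTPUT = """\
name : port1
status : up
ip : 172.16.81.60 255.255.255.0
allowaccess : ping https ssh telnet http webservice aggregator
serviceaccess :
speed : auto
description : (null)
"""

# Assumed policy for this example: setting -> value reported as a finding.
# Only values that appear in the page's sample output are used here.
WEAK_GLOBAL_VALUES = {
    "enc-algorithm": "low",
    "ssl-low-encryption": "enable",
    "webservice-support-sslv3": "enable",
}

# Administrative access protocols that carry credentials unencrypted.
CLEARTEXT_ACCESS = {"telnet", "http"}


def parse_get_output(text):
    """Return a dict of settings from `get` output.

    Splits on the first colon only, because values can contain colons
    (time zones, IPv6 addresses) and some keys have no space before the
    colon. "(null)" becomes None, an empty value becomes "". Lines with
    no colon, such as "== 1 ==" table markers, are skipped.
    """
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or not key:
            continue
        value = value.strip()
        settings[key] = None if value == "(null)" else value
    return settings


def audit_global(settings):
    """Return (setting, value) pairs from `get system global` on the deny-list."""
    return [
        (name, settings[name])
        for name, weak in WEAK_GLOBAL_VALUES.items()
        if settings.get(name) == weak
    ]


def audit_interface(settings):
    """Return the cleartext protocols enabled in an interface's allowaccess."""
    allowed = (settings.get("allowaccess") or "").split()
    return [proto for proto in allowed if proto in CLEARTEXT_ACCESS]


if __name__ == "__main__":
    for name, value in audit_global(parse_get_output(GLOBAL_OUTPUT)):
        print(f"system global: {name} is set to {value}")
    iface = parse_get_output(INTERFACE_OUTPUT)
    for proto in audit_interface(iface):
        print(f"interface {iface['name']}: cleartext access '{proto}' allowed")
```

Run the audit against get output rather than show output, because show omits settings that are still in their default state.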

system locallog

Use these commands to view local log configuration.

Syntax
get system locallog disk filter
get system locallog disk setting
get system locallog fortianalyzer filter
get system locallog fortianalyzer setting
get system locallog memory filter
get system locallog memory setting
get system locallog [syslogd | syslogd2 | syslogd3] filter
get system locallog [syslogd | syslogd2 | syslogd3] setting


Examples
This example shows the output for get system locallog disk filter:
event : enable
dvm : enable
fmgws : disable
iolog : enable
system : enable
This example shows the output for get system locallog disk setting:
status : enable
severity : notification
upload : disable
server-type : FTP
max-log-file-size : 100
roll-schedule : none
diskfull : overwrite
log-disk-full-percentage: 80

system log

Use these commands to view log settings:

Syntax
get system log alert
get system log fortianalyzer
get system log settings

Example
This example shows the output for get system log fortianalyzer:
status : disable
ip : 0.0.0.0
secure_connection : disable
username : admin
passwd : *
auto_install : disable

system mail

Use this command to view alert email configuration.

Syntax
get system mail <server name>

Example
This example shows the output for get system mail Test2:
server : Test2
auth : enable
passwd : *
port : 25
user : test@fortinet.com

system ntp

Use this command to view NTP settings.

Syntax
get system ntp

Example
This example shows the output for get system ntp:
ntpserver:
== [ 1 ]
id: 1
status : enable
sync_interval : 60

system password-policy

Use this command to view the system password policy.

Syntax
get system password-policy

Example
This example shows the output for get system password-policy:
status : enable
minimum-length : 8
must-contain : upper-case-letter lower-case-letter number non-alphanumeric
change-4-characters : disable
expire : 60

system performance

Use this command to view performance statistics on your FortiAnalyzer unit.

Syntax
get system performance


Example
This example shows the output for get system performance:
CPU:
Used: 2.7%
Used(Excluded NICE): 2.6%
CPU_num: 4.
CPU[0] usage: 5%
CPU[1] usage: 3%
CPU[2] usage: 0%
CPU[3] usage: 3%
Memory:
Total: 5,157,428 KB
Used: 666,916 KB 12.9%
Hard Disk:
Total: 4,804,530,144 KB
Used: 3,260,072 KB 0.1%
Flash Disk:
Total: 38,733 KB
Used: 37,398 KB 96.6%

system report

Use this command to view report configuration.

Syntax
get system report auto-cache
get system report est-browse-time
get system report setting

Example
This example shows the output for get system report auto-cache:
aggressive-drilldown: disable
drilldown-interval : 168
status : enable

system route

Use this command to view routing table configuration.

Syntax
get system route <seq_num>

Example
This example shows the output for get system route 1:
seq_num : 1
device : port1
dst : 0.0.0.0 0.0.0.0
gateway : 172.16.81.1

system route6

Use this command to view IPv6 routing table configuration.

Syntax
get system route6 <entry number>

system snmp

Use these commands to view SNMP configuration.

Syntax
get system snmp community <community ID>
get system snmp sysinfo
get system snmp user <SNMP user name>

Example
This example shows the output for get system snmp sysinfo:
contact_info : (null)
description : (null)
engine-id : (null)
location : (null)
status : disable
trap-cpu-high-exclude-nice-threshold: 80
trap-high-cpu-threshold: 80
trap-low-memory-threshold: 80

system sql

Use this command to view SQL settings.

Syntax
get system sql

system status

Use this command to view the status of your FortiAnalyzer unit.


Syntax
get system status

Example
This example shows the output for get system status:
Platform Type : FAZ4000B
Platform Full Name : FortiAnalyzer-4000B
Version : v5.2.0-build0574 140606 (Interim)
Serial Number : FL-4KB3M10600006
BIOS version : 00010016
Hostname : FAZ4000B
Max Number of Admin Domains : 2000
Admin Domain Configuration : Enabled
FIPS Mode : Disabled
Branch Point : 574
Release Version Information : Interim
Current Time : Wed Jun 11 13:49:39 PDT 2014
Daylight Time Saving : Yes
Time Zone : (GMT-8:00) Pacific Time (US & Canada).
64-bit Applications : Yes
Disk Usage : Free 9155.59GB, Total 9157.91GB

system syslog

Use this command to view syslog information.

Syntax
get system syslog <name of syslog server>

show

The show commands display a part of your Fortinet unit’s configuration in the form of commands that are
required to achieve that configuration from the firmware’s default state.

Although not explicitly shown in this section, for all config commands, there are
related show commands that display that part of the configuration. The show commands
use the same syntax as their related config command.

Commands and variables are case sensitive.

Unlike the get command, show does not display settings that are assumed to remain in their default state.

The following examples show the difference between the output of the show command branch and the get
command branch.

Example show command


show system dns
config system dns
set primary 208.91.112.53
set secondary 208.91.112.63
end

Example get command


get system dns
primary : 208.91.112.53
secondary : 208.91.112.63

Appendix A - Object Tables

Global object categories

38 "webfilter ftgd-local-cat" 47 "webfilter urlfilter" 51 "webfilter ftgd-local-rating"

52 "vpn certificate ca" 56 "spamfilter bword" 60 "spamfilter dnsbl"

64 "spamfilter mheader" 67 "spamfilter iptrust" 85 "ips custom"

140 "firewall address" 142 "firewall addrgrp" 255 "user adgrp"

145 "user radius" 146 "user ldap" 147 "user local"

148 "user peer" 152 "user group" 167 "firewall service custom"

254 "firewall service predefined" 168 "firewall service group" 170 "firewall schedule onetime"

171 "firewall schedule recurring" 172 "firewall ippool" 173 "firewall vip"

288 "ips sensor" 292 "log custom-field" 293 "user tacacs+"

296 "firewall ldb-monitor" 1028 "application list" 1038 "dlp sensor"

1043 "wanopt peer" 1044 "wanopt auth-group" 1054 "vpn ssl web portal"

1076 "system replacemsg-group" 1097 "firewall mms-profile" 1203 "firewall gtp"

1213 "firewall carrier-endpoint-bwl" 1216 "antivirus notification" 1327 "webfilter content"

1337 "endpoint-control profile" 1338 "firewall schedule group" 1364 "firewall shaper traffic-shaper"

1365 "firewall shaper per-ip-shaper" 1367 "vpn ssl web virtual-desktop-app-list" 1370 "vpn ssl web host-check-software"

1413 "webfilter profile" 1420 "antivirus profile" 1433 "spamfilter profile"

1472 "antivirus mms-checksum" 1482 "voip profile" 150 "system object-tag"

184 "user fortitoken" 273 "web-proxy forward-server" 335 "dlp filepattern"

343 "icap server" 344 "icap profile" 321 "user fsso"


390 "system sms-server" 397 "spamfilter bwl" 457 "wanopt profile"

384 "firewall service category" 474 "application custom" 475 "user device-category"

476 "user device" 492 "firewall deep-inspection-options" 800 "dynamic interface"

810 "dynamic address" 1004 "vpnmgr vpntable" 1005 "vpnmgr node"

1100 "system meta" 820 "report output" 822 "sql-report chart"

824 "sql-report dataset" 825 "sql-report dashboard" 827 "sql-report layout"

1494 "dynamic vip" 1495 "dynamic ippool" 1504 "dynamic certificate local"

1509 "dynamic vpntunnel"

Device object ID values

1 "system vdom" 3 "system accprofile" 5 "system admin"

8 "system interface" 16 "system replacemsg mail" 17 "system replacemsg http"

18 "system replacemsg ftp" 19 "system replacemsg nntp" 20 "system replacemsg alertmail"

21 "system replacemsg fortiguard-wf" 22 "system replacemsg spam" 23 "system replacemsg admin"

24 "system replacemsg auth" 25 "system replacemsg im" 26 "system replacemsg sslvpn"

28 "system snmp community" 38 "webfilter ftgd-local-cat" 1300 "application recognition predefined"

47 "webfilter urlfilter" 51 "webfilter ftgd-local-rating" 52 "vpn certificate ca"

53 "vpn certificate local" 54 "vpn certificate crl" 55 "vpn certificate remote"

56 "spamfilter bword" 60 "spamfilter dnsbl" 64 "spamfilter mheader"

67 "spamfilter iptrust" 74 "imp2p aim-user" 75 "imp2p icq-user"

76 "imp2p msn-user" 77 "imp2p yahoo-user" 85 "ips custom"

117 "system session-helper" 118 "system tos-based-priority" 124 "antivirus service"

128 "antivirus quarfilepattern" 130 "system ipv6-tunnel" 314 "system sit-tunnel"


131 "system gre-tunnel" 132 "system arp-table" 135 "system dhcp server"

137 "system dhcp reserved-address" 138 "system zone" 140 "firewall address"

142 "firewall addrgrp" 255 "user adgrp" 145 "user radius"

146 "user ldap" 147 "user local" 148 "user peer"

152 "user group" 155 "vpn ipsec phase1" 156 "vpn ipsec phase2"

157 "vpn ipsec manualkey" 158 "vpn ipsec concentrator" 165 "vpn ipsec forticlient"

167 "firewall service custom" 254 "firewall service predefined" 168 "firewall service group"

170 "firewall schedule onetime" 171 "firewall schedule recurring" 172 "firewall ippool"

173 "firewall vip" 178 "firewall ipmacbinding table" 181 "firewall policy"

189 "firewall dnstranslation" 190 "firewall multicast-policy" 199 "system mac-address-table"

200 "router access-list" 202 "router aspath-list" 204 "router prefix-list"

206 "router key-chain" 208 "router community-list" 210 "router route-map"

225 "router static" 226 "router policy" 253 "system proxy-arp"

284 "system switch-interface" 285 "system session-sync" 288 "ips sensor"

292 "log custom-field" 293 "user tacacs+" 296 "firewall ldb-monitor"

297 "ips decoder" 299 "ips rule" 307 "router auth-path"

317 "system wccp" 318 "firewall interface-policy" 1020 "system replacemsg ec"

1021 "system replacemsg nac-quar" 1022 "system snmp user" 1027 "application name"

1028 "application list" 1038 "dlp sensor" 1041 "user ban"

1043 "wanopt peer" 1044 "wanopt auth-group" 1045 "wanopt ssl-server"

1047 "wanopt storage" 1054 "vpn ssl web portal" 1061 "system wireless ap-status"

1075 "system replacemsg-image" 1076 "system replacemsg-group" 1092 "system replacemsg mms"

1093 "system replacemsg mm1" 1094 "system replacemsg mm3" 1095 "system replacemsg mm4"

1096 "system replacemsg mm7" 1097 "firewall mms-profile" 1203 "firewall gtp"


1213 "firewall carrier-endpoint-bwl" 1216 "antivirus notification" 1326 "system replacemsg traffic-quota"

1327 "webfilter content" 1337 "endpoint-control profile" 1338 "firewall schedule group"

1364 "firewall shaper traffic-shaper" 1365 "firewall shaper per-ip-shaper" 1367 "vpn ssl web virtual-desktop-app-list"

1370 "vpn ssl web host-check-software" 1373 "report dataset" 1375 "report chart"

1382 "report summary" 1387 "firewall sniff-interface-policy" 1396 "wireless-controller vap"

1399 "wireless-controller wtp" 1402 "wireless-controller ap-status" 1412 "system replacemsg webproxy"

1413 "webfilter profile" 1420 "antivirus profile" 1433 "spamfilter profile"

1440 "firewall profile-protocol-options" 1453 "firewall profile-group" 1461 "system storage"

1462 "report style" 1463 "report layout" 1472 "antivirus mms-checksum"

1482 "voip profile" 1485 "netscan assets" 1487 "firewall central-nat"

1490 "report theme" 150 "system object-tag" 169 "system dhcp6 server"

180 "system port-pair" 182 "system 3g-modem custom" 183 "application rule-settings"

184 "user fortitoken" 212 "webfilter override" 270 "firewall local-in-policy"

273 "web-proxy forward-server" 330 "system ddns" 331 "system replacemsg captive-portal-dflt"

335 "dlp filepattern" 337 "dlp fp-sensitivity" 338 "dlp fp-doc-source"

342 "webfilter ftgd-warning" 343 "icap server" 344 "icap profile"

352 "system monitors" 354 "system sp" 321 "user fsso"

355 "router gwdetect" 386 "system physical-switch" 388 "system virtual-switch"

390 "system sms-server" 394 "system replacemsg utm" 397 "spamfilter bwl"

406 "vpn certificate ocsp-server" 408 "user password-policy" 412 "webfilter search-engine"

428 "firewall identity-based-route" 431 "web-proxy debug-url" 432 "firewall ttl-policy"

434 "firewall isf-acl" 435 "firewall DoS-policy" 437 "firewall sniffer"


438 "wireless-controller wids-profile" 439 "switch-controller vlan" 441 "switch-controller managed-switch"

453 "firewall ip-translation" 457 "wanopt profile" 269 "firewall multicast-address"

384 "firewall service category" 466 "system ips-urlfilter-dns" 467 "system geoip-override"

474 "application custom" 475 "user device-category" 476 "user device"

483 "system server-probe" 473 "system replacemsg device-detection-portal" 492 "firewall deep-inspection-options"

Appendix B - Maximum Values Table

Maximum values table

Feature                         FAZ-100C,  FAZ-300D,      FAZ-1000C,  FAZ-3000D,  FAZ-3500E,  FAZ-VM-BASE  FAZ-VM-GB1  FAZ-VM-GB5  FAZ-VM-GB25  FAZ-VM-GB100
                                FAZ-200D   FAZ-400C       FAZ-1000D   FAZ-3000D,  FAZ-3900E
                                                                      FAZ-4000B
Administrative Domains (ADOMS)  100, 150   175, 200, 300  2000        2000        4000        10000        10000       10000       10000        10000
Administrators                  256        256            256         256         256         256          256         256         256          256
Administrator access profiles   256        256            256         256         256         256          256         256         256          256
SNMP community                  256        256            256         256         256         256          256         256         256          256
SNMP managers per community     256        256            256         256         256         256          256         256         256          256
Email servers                   256        256            256         256         256         256          256         256         256          256
Syslog servers                  256        256            256         256         256         256          256         256         256          256
TACACS+ servers                 256        256            256         256         256         256          256         256         256          256
Administrator RADIUS servers    256        256            256         256         256         256          256         256         256          256
Administrator LDAP servers      256        256            256         256         256         256          256         256         256          256
Static routes                   256        256            256         256         256         256          256         256         256          256
NTP Servers                     256        256            256         256         256         256          256         256         256          256
Log devices                     100, 150   175, 200, 300  2000        2000        4000        10000        10000       10000       10000        10000
Devices per ADOM                100, 150   175, 200, 300  2000        2000        4000        10000        10000       10000       10000        10000
Report output profiles          250        250            500         1000        1000        1000         1000        1000        1000         1000
SQL report templates            1000       1000           1000        1000        1000        1000         1000        1000        1000         1000
SQL report charts               1000       1000           1000        1000        1000        1000         1000        1000        1000         1000
SQL report datasets             1000       1000           1000        1000        1000        1000         1000        1000        1000         1000

SQL database 1000 4000, 1000, 16K, 200 +200 +1000 +8K +16K
size (GB) 1000, 8000 6K,
2000 24K

Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
