CLI Command syntax – FortiOS 6.2

Command syntax

When entering a command, the CLI console requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.

Fortinet documentation uses the conventions below to describe valid command syntax.

Terminology

Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects.

To describe the function of each word in the command line, especially where that function has changed between firmware versions, Fortinet uses terms with the following definitions:

  • Command — A word that begins the command line and indicates an action that the FortiGate should perform on a part of the configuration or host on the network, such as config or execute. Together with other words, such as fields or values, that end when you press the Enter key, it forms a command line. Exceptions include multiline command lines, which can be entered using an escape sequence. Valid command lines must be unambiguous if abbreviated. Optional words or other command line permutations are indicated by syntax notation.
  • Sub-command — A config sub-command that is available only when nested within the scope of another command. After entering a command, its applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command. Indentation is used to indicate levels of nested commands. Not all top-level commands have sub-commands. Available sub-commands vary by their containing scope.
  • Object — A part of the configuration that contains tables and /or fields. Valid command lines must be specific enough to indicate an individual object.
  • Table — A set of fields that is one of possibly multiple similar sets which each have a name or number, such as an administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by other parts of the configuration that use them.
  • Field — The name of a setting, such as ip or hostname. Fields in some tables must be configured with values. Failure to configure a required field will result in an invalid object configuration error message, and the FortiGate will discard the invalid table.
  • Value — A number, letter, IP address, or other type of input that is usually your configuration setting held by a field. Some commands, however, require multiple input values which may not be named but are simply entered in sequential order in the same command line. Valid input types are indicated by constraint notation.
  • Option — A kind of value that must be one or more words from a fixed set of options.

Indentation

Indentation indicates levels of nested commands, which indicate what other sub-commands are available from within the scope. The “next” and “end” lines are used to maintain a hierarchy and flow to CLI commands, especially helping to distinguish those commands with extensive sub-commands.

The “next” line is entered at the same indentation-level as the previous “edit”, to mark where you would like to finish that table entry and move on to the next table entry; doing so will not mean that you have “left” that sub-command.

next

Below is an example command, with a sub-command of entries:

After entering settings for <2> and entering next, the <2> table entry has been saved, and you will be set back one level of indentation so you can continue to create more entries (if you wish).

This hierarchy is best indicated in the CLI console, as the example below is what displays in the console after entering

end

Below is the same command and sub-command, except end has been entered instead of next after the sub-command:

Entering end will save the <2> table entry, but bring you out of the sub-command entirely; in this example, you would enter this when you don’t wish to continue creating new entries.

Again, your hierarchy is best indicated by the CLI console. Below is what displays in the console after entering end:

Notation

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

All syntax uses the following conventions:

Convention: Square brackets [ ]
Description: An optional word or series of words. For example:

[verbose {1 | 2 | 3}]

indicates that you may either omit or type both the word verbose and its accompanying option/s, such as verbose 3.

See Optional values and ranges below for more information.

Convention: Curly braces { }
Description: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Convention: Mutually exclusive options – delimited by vertical bars |
Description: Both mutually and non-mutually exclusive commands will use curly braces, as they provide multiple options; however, mutually exclusive commands will divide each option with a pipe. This indicates that you are permitted to enter one option or the other:

{enable | disable}

Convention: Non-mutually exclusive options – delimited by spaces
Description: Non-mutually exclusive commands do not use pipes to divide their options. In those circumstances, multiple options can be entered at once, as long as they are entered with a space separating each option:

{http https ping snmp ssh telnet}

Convention: Angle brackets < >
Description: A word constrained by data type. The angled brackets contain a descriptive name followed by an underscore ( _ ) and a suffix that indicates the valid data type. For example, <retries_int> indicates that you should enter a number of retries as an integer.

Data types include:

  • <xxx_name>: A name referring to another part of the configuration, such as policy_A.
  • <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
  • <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
  • <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
  • <xxx_email>: An email address, such as admin@example.com.
  • <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
  • <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
  • <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
  • <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.1/24.
  • <xxx_ipv4range>: A hyphen ( - )-delimited inclusive range of IPv4 addresses, such as 192.168.1.1-192.168.1.255.
  • <xxx_ipv6>: A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
  • <xxx_v6mask>: An IPv6 netmask, such as /96.
  • <xxx_ipv6mask>: A dotted decimal IPv6 address and netmask separated by a space.
  • <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
  • <xxx_int>: An integer number that represents a metric, such as minutes_int for the number of minutes.
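The bracket, brace, pipe and angle-bracket rules above can be checked mechanically before a command line is pushed to a device. The following Python is an added example, not Fortinet code: it parses a syntax line written in the notation this page defines and reports whether a typed command line is one of its valid permutations. The patterns used in the tests come from this page's examples, except the line set ip <address_ipv4> <netmask_v4mask>, which is my own construction; type checks exist only for the _int, _ipv4 and _v4mask suffixes, and any other suffix accepts any token.

```python
import re

def _ipv4(s):  # dotted-decimal address or netmask: four octets, each 0-255
    p = s.split(".")
    return len(p) == 4 and all(x.isdigit() and int(x) <= 255 for x in p)

TYPE_CHECKS = {"int": str.isdigit, "ipv4": _ipv4, "v4mask": _ipv4}  # constructed subset of the page's suffixes
TOKEN = re.compile(r"[\[\]{}|]|<[^>]+>|[^\s\[\]{}|<>]+")

def parse(pattern):
    """Syntax line -> nested nodes: word, typed, opt ([ ]), one_of ({a | b}) or set ({a b c})."""
    toks, pos = TOKEN.findall(pattern), 0
    def seq(stop):
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] not in stop:
            t = toks[pos]; pos += 1
            if t == "[":                                   # optional: may be omitted entirely
                items.append(("opt", seq("]"))); pos += 1
            elif t == "{":                                 # constrained set of options
                alts = [seq("|}")]
                while toks[pos] == "|":
                    pos += 1; alts.append(seq("|}"))
                pos += 1
                items.append(("one_of", alts) if len(alts) > 1 else ("set", alts[0]))
            elif t.startswith("<"):                        # <name_type>: keep the type suffix only
                items.append(("typed", t[1:-1].rsplit("_", 1)[-1]))
            else:
                items.append(("word", t))
        return items
    return seq("")

def _ends(items, inp, i):  # yield every input index reachable after matching items from i (backtracking)
    if not items: yield i; return
    (kind, body), rest = items[0], items[1:]
    if kind in ("word", "typed"):
        check = (lambda s: s == body) if kind == "word" else TYPE_CHECKS.get(body, lambda s: True)
        if i < len(inp) and check(inp[i]):
            yield from _ends(rest, inp, i + 1)
    elif kind == "opt":
        yield from _ends(rest, inp, i)                     # omitted ...
        for j in _ends(body, inp, i): yield from _ends(rest, inp, j)   # ... or present in full
    elif kind == "one_of":                                 # exactly one pipe-separated alternative
        for alt in body:
            for j in _ends(alt, inp, i): yield from _ends(rest, inp, j)
    else:                                                  # "set": one or more space-delimited options, no repeats
        allowed, j = {w for _, w in body}, i
        while j < len(inp) and inp[j] in allowed and inp[j] not in inp[i:j]:
            j += 1
        for k in range(i + 1, j + 1): yield from _ends(rest, inp, k)

def valid(pattern, command):
    """True if the whole command line is a permitted permutation of the syntax pattern."""
    inp = command.split()
    return any(j == len(inp) for j in _ends(parse(pattern), inp, 0))
```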

Optional values and ranges

Any field that is optional is shown in square brackets, such as set comment, because it does not matter whether it is set or not: the overall config command will still be accepted.

Another example of where square-brackets would be used is to show that multiple options can be set, even intermixed with ranges. The example below shows a field that can be set to either a specific value or range, or multiple instances:

config firewall service custom
    set iprange <range1> [<range2> <range3> …]
end

Sub-commands

Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects:

get system admin

Sub-commands are available from within the scope of some commands. When you enter a sub-command level, the command prompt changes to indicate the name of the current command scope. For example, after entering:

config system admin

the command prompt becomes:

(admin)#

Applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command.

For example, the edit sub-command is available only within a command that affects tables; the next sub-command is available only from within the edit sub-command:

config system interface
    edit port1
        set status up
    next
end

Sub-command scope is indicated by indentation.

Available sub-commands vary by command. From a command prompt within config, two types of sub-commands might become available:

  • commands affecting fields
  • commands affecting tables

Commands for tables

clone <table> Clone (or make a copy of) a table from the current object.

For example, in config firewall policy, you could enter the following command to clone security policy 27 to create security policy 30: clone 27 to 30

In config antivirus profile, you could enter the following command to clone an antivirus profile named av_pro_1 to create a new antivirus profile named av_pro_2:

clone av_pro_1 to av_pro_2

clone may not be available for all tables.

delete <table> Remove a table from the current object.

For example, in config system admin, you could delete an administrator account named newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its fields, such as newadmin’s first-name and email-address. delete is only available within objects containing tables.
edit <table> Create or edit a table in the current object.

For example, in config system admin:

  • edit the settings for the default admin administrator account by typing edit admin.
  • add a new administrator account with the name newadmin and edit newadmin’s settings by typing edit newadmin.

edit is an interactive sub-command: further sub-commands are available from within edit. edit changes the prompt to reflect the table you are currently editing. edit is only available within objects containing tables.

In objects such as security policies, <table> is a sequence number. To create a new entry without the risk of overwriting an existing one, enter edit 0. The CLI initially confirms the creation of entry 0, but assigns the next unused number after you finish editing and enter end.

end Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.
get List the configuration of the current object or table.
  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.
For more information on get commands, see the CLI Reference.
purge Remove all tables in the current object.

For example, in config user local, you could type get to see the list of user names, then type purge and then y to confirm that you want to delete all users. purge is only available for objects containing tables.

Caution: Back up the FortiGate before performing a purge. purge cannot be undone. To restore purged tables, the configuration must be restored from a backup.

Caution: Do not purge system interface or system admin tables.

purge does not provide default tables. This can result in being unable to connect or log in, requiring the FortiGate to be formatted and restored.

rename <table> to <table> Rename a table.

For example, in config system admin, you could rename admin3 to fwadmin by typing rename admin3 to fwadmin. rename is only available within objects containing tables.

show Display changes to the default configuration. Changes are listed in the form of configuration commands.

Example of table commands

From within the system admin object, you might enter:

edit admin_1

The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1 table:

new entry 'admin_1' added

(admin_1)#

Commands for fields

abort   Exit both the edit and/or config commands without saving the fields.
append   Add an option to an existing list.
end   Save the changes made to the current table or object fields, and exit the config command (to exit without saving, use abort instead).
get   List the configuration of the current object or table.
  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.
move   Move an object within a list, when list order is important. For example, rearranging security policies within the policy list.
next   Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt (to save and exit completely to the root prompt, use end instead).

next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time.

next is only available from a table prompt; it is not available from an object prompt.

select   Clear all options except for those specified.

For example, if a group contains members A, B, C, and D and you want to remove all members except B, use the command select member B.

set <field> <value>   Set a field’s value.

For example, in config system admin, after typing edit admin, you could type set password newpass to change the password of the admin administrator to newpass.

Note: When using set to change a field containing a space-delimited list, type the whole new list. For example, set <field> <new-value> will replace the list with the <new-value> rather than appending <new-value> to the list.

show   Display changes to the default configuration. Changes are listed in the form of configuration commands.
unselect   Remove an option from an existing list.
unset <field>   Reset the table or object’s fields to default values.

For example, in config system admin, after typing edit admin, typing unset password resets the password of the admin administrator account to the default (in this case, no password).

Example of field commands

To assign the value my1stExamplePassword to the password field, enter the following command from within the admin_1 table:

set password my1stExamplePassword

Next, to save the changes and edit the next administrator’s table, enter the next command.
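The next, end and abort flow described under Indentation and Sub-commands, together with the field commands above (set replacing a whole list while append extends it, unset restoring the default, edit 0 receiving its number only on save), can be modelled in a few lines. This Python is an added example, not Fortinet code: it replays CLI lines against an in-memory configuration using the rules this page states and records the prompt after each line. The system interface sample with port1 and port2 is a constructed input, and get and show are accepted as no-ops.

```python
import copy

def run_cli(config, script):
    """Replay CLI lines on {object: {table: {field: [values]}}}; return (config, prompt after each line)."""
    cfg, prompts = copy.deepcopy(config), []
    obj = key = fields = None                  # object scope, table being edited, its pending fields
    for line in script.splitlines():
        if not line.split(): continue
        cmd, *args = line.split()
        if key is not None:                    # table prompt: field commands
            f, vals = (args[0], args[1:]) if args else (None, [])
            if cmd == "set": fields[f] = vals                          # whole list replaced, not appended
            elif cmd == "append": fields.setdefault(f, []).extend(vals)
            elif cmd == "select": fields[f] = [v for v in fields.get(f, []) if v in vals]
            elif cmd == "unselect": fields[f] = [v for v in fields.get(f, []) if v not in vals]
            elif cmd == "unset": fields.pop(f, None)                   # back to the default
            elif cmd in ("next", "end"):                               # both save the pending table
                tables = cfg.setdefault(obj, {})
                if key == "0":                                         # edit 0: number assigned only on save
                    key = str(max([int(k) for k in tables if k.isdigit()] + [0]) + 1)
                tables[key] = fields
                key = fields = None
                if cmd == "end": obj = None                            # end also leaves the config scope
            elif cmd == "abort": key = fields = obj = None             # pending fields are thrown away
        elif obj is not None:                  # object prompt: table commands
            tables = cfg.setdefault(obj, {})
            if cmd == "edit": key, fields = args[0], copy.deepcopy(tables.get(args[0], {}))
            elif cmd == "delete": tables.pop(args[0], None)
            elif cmd == "rename": tables[args[2]] = tables.pop(args[0])   # rename <old> to <new>
            elif cmd == "purge": tables.clear()
            elif cmd in ("end", "abort"): obj = None
        elif cmd == "config":
            obj = " ".join(args)
        prompts.append(f"({key or obj.split()[-1]})#" if obj else "#")   # get/show are accepted as no-ops
    return cfg, prompts

# Constructed sample: set replaces the allowaccess list, next saves port1, abort discards port2.
SAMPLE_START = {"system interface": {"port1": {"status": ["up"], "allowaccess": ["ping", "https", "ssh"]}}}
SAMPLE_SCRIPT = """
config system interface
    edit port1
        set allowaccess https
        append allowaccess ssh
    next
    edit port2
        set status down
    abort
"""
def demo():
    return run_cli(SAMPLE_START, SAMPLE_SCRIPT)
```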

This entry was posted in Administration Guides, FortiGate, Fortinet Cookbook, FortiOS 6.2 on by .
