Category Archives: FortiOS 6.2

Basic administration – FortiOS 6.2

Basic administration

This section contains information about basic FortiGate administration that you can do after you installing the unit in your network.

Registration

In order to have full access to Fortinet Support and FortiGuard Services, you must register your FortiGate.

Registering your FortiGate:

  1. Go to the Dashboard and locate the Licenses
  2. Click on FortiCare Support to display a pop-up window and Register.
  3. In the pop-up window, either use an existing Fortinet Support account or create a new one. Select your Country and Reseller.
  4. Select OK.

FortiGate platforms don’t impose any limitations on the number or type of customers, users, devices, IP addresses, or number of VPN clients being served by the platform. Such factors are limited solely by the hardware capacity of each given model.

System settings

There are several system settings that should be configured once your FortiGate is installed:

  • Default administrator password on page 46
  • Settings on page 46 l Changing the host name on page 46 l System time on page 46 l Administration settings on page 47 l Password policy on page 48 l View settings on page 48 l Administrator password retries and lockout time on page 48

Default administrator password

By default, your FortiGate has an administrator account set up with the username admin and no password. In order to prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this account.

To change the default password:

  1. Go to System > Administrators.
  2. Edit the admin
  3. Select Change Password.
  4. Enter the New Password and re-enter the password for confirmation.
  5. Select OK.

It is also recommended to change the user name of this account; however, since you cannot change the user name of an account that is currently in use, a second administrator account will need to be created in order to do this.

Settings

Settings can be accessed by going to System > Settings. On this page, you can change the Host name, set the system time and identify time zone in System Time, configure HTTP, HTTPS, SSH, and Telnet ports as well as idle timeout in Administration Settings, designate the Password Policy, and manage display options and designate inspection mode in View Settings.

Changing the host name

The host name of your FortiGate appears in the Hostname row in the System Information widget on the Dashboard. The host name also appears at the CLI prompt when you are logged in to the CLI, and as the SNMP system name.

To change the host name on the FortiGate

Go to System > Settings and type in the new name in the Host name row. The only administrators that can change a

FortiGate’s host name are administrators whose admin profiles permit system configuration write access. If the FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate from others in the cluster.

System time

For effective scheduling and logging, the FortiGate system time and date should be accurate. You can either manually set the system time and date or configure the FortiGate to automatically synchronize with a Network Time Protocol (NTP) server.

NTP enables you to keep the FortiGate time synchronized with other network systems. By enabling NTP on the FortiGate, FortiOS will check with the NTP server you select at the configured intervals. This will also ensure that logs and other time-sensitive settings on the FortiGate are correct.

The FortiGate maintains its internal clock using a built-in battery. At start up, the time reported by the FortiGate will indicate the hardware clock time, which may not be accurate. When using NTP, the system time might change after the FortiGate has successfully obtained the time from a configured NTP server.

To set the date and time

  1. Go to the System > Settings.
  2. Under System Time, select your Time Zone by using the drop-down menu.
  3. Set Time by either selecting Synchronize with NTP Server or Manual settings. If you select synchronization, you can either use the default FortiGuard servers or specify a custom server. You can also set the Sync interval.
  4. If you use an NTP server, you can identify a specific interface for this self-originating traffic by enabling Setup device as local NTP server.
  5. Select Apply.

Administration settings

In order to improve security, you can change the default port configurations for administrative connections to the FortiGate. When connecting to the FortiGate when the port has changed, the port must be included, such as https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the URL would be https://192.168.1.99:99.

To configure the port settings:

  1. Go to System > Settings.
  2. Under Administration Settings, change the port numbers for HTTP, HTTPS, SSH, and/or Telnet as needed. You can also select Redirect to HTTPS in order to avoid HTTP being used for the administrators.
  3. Select Apply.

When you change the default port number for HTTP, HTTPS, SSH, or Telnet, ensure that the port number is unique. If a conflict exists with a particular port, a warning message will appear.

By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone from using the GUI if the management PC is left unattended.

To change the idle timeout

  1. Go to System > Settings.
  2. In the Administration Settings section, enter the time in minutes in the Idle timeout
  3. Select Apply.

Password policy

The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password including:

  • minimum length between 8 and 64 characters.
  • if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters. l if the password must contain numbers (1, 2, 3). l if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )). l where the password applies (admin or IPsec or both). l the duration of the password before a new one must be specified.

To create a password policy – GUI

  1. Go to System > Settings.
  2. Configure Password Policy settings as required.
  3. Click Apply.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.

View settings

Three settings can change the presentation of information in the GUI: Language, Lines per page, and Theme.

To change the language, go to System > Settings. Select the language you want from the Language drop-down list: English (the default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean. For best results, you should select the language that is used by the management computer.

To change the number of lines per page displayed in the GUI tables, set Lines per page to a value between 20 and 1,000. The default is 50 lines per page.

Five color themes are currently available: Green (the default), Red, Blue, Melongene, and Mariner. To change your theme, select the color from the Theme drop-down list.

This is also where you select either Flow-based or Proxy Inspection Mode . If you select Flow-based mode, then you need to specify if it is NGFW Profile-based or NGFW Policy-based inspection.

Administrator password retries and lockout time

By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.

Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

To configure the lockout options:

config system global set admin-lockout-threshold <failed_attempts> set admin-lockout-duration <seconds> end

The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The adminlockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.

Example:

To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:

config system global set admin-lockout-threshold 1

Passwords

Using secure passwords are vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to ensure better security:

  • Do not make passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
  • Use numbers in place of letters, for example, passw0rd. l Administrator passwords can be up to 64 characters. l Include a mixture of letters, numbers, and upper and lower case. l Use multiple words together, or possibly even a sentence, for example keytothehighway. l Use a password generator.
  • Change the password regularly and always make the new password unique and not a variation of the existing password, such as changing from password to password1.
  • Make note of the password and store it in a safe place away from the management computer, in case you forget it or ensure that at least two people know the password in the event that one person becomes ill, is away on vacation, or leaves the company. Alternatively, have two different admin logins.

Downgrades will typically maintain the administrator password. If you need to downgrade to FortiOS 4.3, remove the password before the downgrade, then log in after the downgrade and re-configure the password.

Password policy

The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password including:

  • minimum length between 8 and 64 characters.
  • if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters. l if the password must contain numbers (1, 2, 3). l if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )). l where the password applies (admin or IPsec or both). l the duration of the password before a new one must be specified.

To create a password policy – GUI

  1. Go to System > Settings.
  2. Configure Password Policy settings as required.
  3. Click Apply.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.

Configuration backups

Once you successfully configure the FortiGate, it is extremely important that you backup the configuration. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it. You should also backup the local certificates, as the unique SSL inspection CA and server certificates that are generated by your FortiGate by default are not saved in a system backup.

We also recommend that you backup the configuration after any changes are made, to ensure you have the most current configuration available. Also, backup the configuration before any upgrades of the FortiGate’s firmware. Should anything happen to the configuration during the upgrade, you can easily restore the saved configuration.

Always backup the configuration and store it on the management computer or off-site. You have the option to save the configuration file to various locations including the local PC, USB key, FTP, and TFTP server. The last two are configurable through the CLI only.

If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you are using FortiManager or FortiCloud, full backups are performed and the option to backup individual VDOMs will not appear.

You can also backup and restore your configuration using Secure File Copy (SCP). See How to download/upload a FortiGate configuration file using secure file copy (SCP).

You enable SCP support using the following command:

config system global set admin-scp enable

end

For more information about this command and about SCP support, see config system global.

Backing up the configuration using the GUI

  1. Click on admin in the upper right-hand corner of the screen and select Configuration > Backup.
  2. Direct the backup to your Local PC or to a USB Disk.

The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also backup to the FortiManager using the CLI.

  1. If VDOMs are enabled, indicate whether the scope of the backup is for the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM).
  2. If backing up a VDOM configuration, select the VDOM name from the list.
  3. Select Encryption.

Encryption must be enabled on the backup file to back up VPN certificates.

  1. Enter a password and enter it again to confirm it. You will need this password to restore the file.
  2. Select OK.
  3. The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf extension.

Backing up the configuration using the CLI

Use one of the following commands:

execute backup config management-station <comment> or:

execute backup config usb <backup_filename> [<backup_password>]

or for FTP, note that port number, username are optional depending on the FTP site:

execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute backup config tftp <backup_filename> <tftp_servers> <password> Use the same commands to backup a VDOM configuration by first entering the commands:

config vdom edit <vdom_name>

Backup and restore the local certificates

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible to the FortiGate before you enter the command.

To back up the local certificates:

Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip> where:

l <cert_name> is the name of the server certificate. l <filename> is a name for the output file. l <tftp_ip> is the IP address assigned to the TFTP server host interface.

To restore the local certificates – GUI:

  1. Move the output file from the TFTP server location to the management computer.
  2. Go to System > Certificates and select Import.
  3. Select the appropriate type of certificate from the dropdown menu and fill in any required fields.
  4. Select Upload. Browse to the location on the management computer where the exported file has been saved, select the file and select Open.
  5. If required, enter the Password needed to upload the exported file.
  6. Select OK.

To restore the local certificates – CLI:

Connect to the CLI and use the following command:

execute vpn certificate local import tftp <filename> <tftp_ip>

Restoring a configuration

Should you need to restore a configuration file, use the following steps:

To restore the FortiGate configuration – GUI:

  1. Click on admin in the upper right-hand corner of the screen and select Configuration > Restore.
  2. Identify the source of the configuration file to be restored : your Local PC or a USB Disk.

The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.

  1. Enter the path and file name of the configuration file, or select Browse to locate the file.
  2. Enter a password if required.
  3. Select Restore.

To restore the FortiGate configuration – CLI:

execute restore config management-station normal 0 or:

execute restore config usb <filename> [<password>]

or for FTP, note that port number, username are optional depending on the FTP site:

execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute restore config tftp <backup_filename> <tftp_server> <password>

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message Reason and Solution
Configuration file error This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware.

Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.

Error message Reason and Solution
Invalid password When the configuration file is saved, it can be protected by a password. The password entered during the upload process is not matching the one associated with the configuration file.

Solution: Use the correct password if the file is password protected.

Configuration revision

You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher. Revision control requires either a configured central management server or the local hard drive, if your FortiGate has this feature. Typically, configuration backup to local drive is not available on lower-end models.

The central management server can either be a FortiManager unit or FortiCloud.

If central management is not configured on your FortiGate unit, a message appears instructing you to either:

l Enable central management, or l obtain a valid license.

When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration revisions are viewed by clicking on admin in the upper right-hand corner of the screen and selecting Configuration > Revisions.

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box configuration.

You can reset using the CLI by entering the command:

execute factoryreset

When prompted, type y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration. Use the following command: execute factoryreset2

LED specifications – FortiOS 6.2

LED specifications

LED status codes

For more information about alarms, see About Alarm Levels.

LABEL STATE MEANING
PWR Green Power is on.
Off Power is off.
LABEL        STATE MEANING
STA Green Normal status.
Flashing Green Booting up. If the FortiGate has a reset button, this could also means that the reset button was used.
Red The FortiGate has a critical alarm.
ALARM Off No alarms or the FortiGate has a minor alarm.
Amber The FortiGate has a major alarm.
Red The FortiGate has a critical alarm. The status LED will also be red.
HA Green FortiGate is operating in an FGCP HA cluster.
Red A failover has occurred. The failover operation feature is not available in all models.
Off HA not configured.
WIFI Green Wireless port is active.
Flashing Green Wireless interface is transmitting and receiving data.
Off Wireless interface is down.

About alarm levels

Minor, major, and critical alarms are defined based on IPMI, ATCA, and Telco standards for naming alarms.

  • A minor alarm (also called an IPMI non-critical (NC) alarm) indicates a temperature or a power level outside of the normal operating range that is not considered a problem. In the case of a minor temperature alarm, the system could respond by increasing fan speed. A non-critical threshold can be an upper non-critical (UNC) threshold (for example, a high temperature or a high power level) or a lower non-critical (LNC) threshold (for example, a low power level). The LEDs do not indicate minor alarms since user intervention is not required.
  • A major alarm (also called an IPMI critical or critical recoverable (CR) alarm) indicates that the system itself cannot correct the cause for the alarm and that intervention is required. For example, the cooling system cannot provide enough cooling to reduce the temperature. It could also mean that conditions (e.g. temperature) are approaching the outside limit of the allowed operating range. A critical threshold can also be an upper critical (UC) threshold (e.g. a high temperature or a high power level) or a lower critical (LC) threshold (e.g. a low power level).
  • A critical alarm (also called an IPMI non-recoverable (NR) alarm) indicates detection of a temperature or power level that is outside of the allowed operating range and could potentially cause physical damage.

LED status codes for ports

TYPE OF PORT STATE MEANING
Ethernet Ports Link / Activity Green Connected.

On FortiGate models with front-facing ports, this LED is to the left of the port. On FortiGate models with ports at the back of the device, this LED is in the upper row.

TYPE OF PORT           STATE MEANING
  Flashing Green Transmitting and receiving data.
Off No link established.
Ethernet Ports Speed Green Connected at 1Gbps.

On FortiGate models with front-facing ports, this LED is to the right of the port. On FortiGate models with ports at the back of the device, this LED is in the lower row.

Amber Connected at 100Mbps.
Off Not connected or connected at 10Mbps.
SFP Ports Green Connected.
Flashing Green Transmitting and receiving data.
Off No link established.

FortiExplorer for iOS – FortiOS 6.2

FortiExplorer for iOS

FortiExplorer for iOS is a user-friendly application that helps you to quickly and easily configure, manage, and monitor

FortiGate appliances using an iOS device. FortiExplorer lets you rapidly provision, deploy, and monitor Security Fabric components including FortiGate, FortiWiFi, and FortiAP devices.

FortiExplorer for iOS requires iOS 9.3 or later and is compatible with iPhone, iPad, and iPod Touch. It is supported by FortiOS 5.6+ and is only available on the App Store for iOS devices.

Advanced features are available with the purchase of FortiExplorer Pro. Paid features include the ability to add more than two devices and the ability to download firmware images from FortiCare.

Up to six members can use this app with ‘Family Sharing’ enabled in the App Store.

Getting started with FortiExplorer

If your FortiGate is accessible on the wireless network, you can connect to it using FortiExplorer provided that your iOS device is on the same network (see Connecting FortiExplorer to a FortiGate via WiFi). Otherwise, you will need to physically connect your iOS device to the FortiGate using a USB cable.

Connecting FortiExplorer to a FortiGate via USB

For the purpose of this document, we assume that you are just getting started; you do not have access to the FortiGate over the wireless network, and the FortiGate is in its factory configuration.

  1. Connect your iOS device to your FortiGate’s USB management port.If prompted on your iOS device, Trust this ‘computer’.
  2. Open the FortiExplorer app and select your FortiGate from the list under USB Attached Device.
  3. On the Login screen, select USB.
  4. Enter the default Username (admin) and leave the Password field blank.
  5. You can opt to Remember Password. Tap Done when you are ready.
  6. FortiExplorer opens the FortiGate management interface to the Device Status page:
  7. Go to Network > Interfaces and configure the WAN interface(s).In the example, the wan1 interface Address mode is set to DHCP by default. Set it to Manual and enter its Address, Netmask, and Default Gateway, and then Apply your changes.
  8. (Optional) Configure Administrative Access to allow HTTP and HTTPS This will allow administrators to access the FortiGate GUI using a web browser.
  9. Go to Network > Interfaces and configure the local network (internal) interface.Set the Address mode as before and configure Administrative Access if desired.
  10. Configure a DHCP Server for the internal network subnet.
  11. Return to the internal interface using the < button at the top of the screen.
  12. Go to Network > Static Routes and configure the static route to the gateway.
  13. Go to Policy & Objects > IPv4 Policy and edit the Internet access policy. As a best practice, provide a Name for the policy, enable the desired Security Profiles, and configure Logging Options. Select OK to finalize.

Running a Security Fabric Rating

The FortiGate is now configured in a very basic state. Once you’ve configured the other potential elements of your network, such as other Interfaces, Schedules, or Managed FortiAPs, it is recommended that you run a Security Fabric Rating to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance.

Go to Security Fabric > Security Rating and follow the steps to determine a Security Score for the selected device (s). The results should identify issues ranging from Medium to Critical importance, and may provide recommended actions where possible.

Connecting FortiExplorer to a FortiGate via WiFi

If your FortiGate is accessible on the wireless network, you can connect to it using FortiExplorer provided that your iOS device is on the same network. Assuming this is the case:

  1. Open the FortiExplorer app and select Add from the Devices
  2. Enter the Host information and appropriate Username and Password If necessary, change the default Port number, and opt to Remember Password.
  3. If the FortiGate device identity cannot be verified, click Connect at the prompt. FortiExplorer opens the FortiGate management interface to the Device Status

Upgrading to FortiExplorer Pro

Paid features provided with the purchase of FortiExplorer Pro include the ability to add more than two devices and the ability to download firmware images from FortiCare.

To upgrade to FortiExplorer Pro, open the FortiExplorer app, go to Settings and select Upgrade to FortiExplorer Pro. Follow the on-screen prompts.

Tips – FortiOS 6.2

Tips

Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

Help

To display brief help during command entry, press the question mark (?) key.

  • Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
  • Type a word or part of a word, then press the question mark (?) key to display a list of valid word completions or subsequent words, and to display a description of each.

Shortcuts and key commands

Keys Action
? List valid word completions or subsequent words.

If multiple words could complete your entry, display all possible completions with helpful descriptions of each.

Tab Complete the word with the next available match.

Press the Tab key multiple times to cycle through available matches.

Keys Action
Up arrow, or Ctrl + P Recall the previous command.

Command memory is limited to the current session.

Down arrow, or Ctrl + N Recall the next command.
Left or Right arrow Move the cursor left or right within the command line.
Ctrl + A Move the cursor to the beginning of the command line.
Ctrl + E Move the cursor to the end of the command line.
Ctrl + B Move the cursor backwards one word.
Ctrl + F Move the cursor forwards one word.
Ctrl + D Delete the current character.
Ctrl + C Abort current interactive commands, such as when entering multiple lines. If you are not currently within an interactive command such as config or edit, this closes the CLI connection.
\ then Enter Continue typing a command on the next line for a multiline command.

For each line that you want to continue, terminate it with a backslash ( \ ). To complete the command line, terminate it by pressing the spacebar and then the Enter key, without an immediately preceding backslash.

Command abbreviation

You can abbreviate words in the command line to their smallest number of non-ambiguous characters.

For example, the command get system status could be abbreviated to g sy stat.

Adding and removing options from lists

When adding options to a list, such as a user group, using the set command will remove the previous configuration. For example, if you wish to add user D to a user group that already contains members A, B, and C, the command would need to be set member A B C D. If only set member D was used, then all former members would be removed from the group.

However, there are additional commands which can be used instead of set for changing options in a list.

Additional commands for lists

append   Add an option to an existing list.

For example, append member would add user D to a user group while all previous group members are retained

select   Clear all options except for those specified.

For example, if a group contains members A, B, C, and D and you remove all users except for B, use the command select member B.

unselect   Remove an option from an existing list.

For example, unselect member A would remove member A from a group will all previous group members are retained.

Environment variables

The CLI supports the following environment variables. Variable names are case-sensitive.

Environment variables

$USERFROM The management access type (ssh, telnet, jsconsole for the CLI Console widget in the GUI, and so on) and the IP address of the administrator that configured the item.
$USERNAME The account name of the administrator that configured the item.
$SerialNum The serial number of the FortiGate unit.

For example, the FortiGate unit’s host name can be set to its serial number:

config system global set hostname $SerialNum

end

Special characters

The following special characters, also known as reserved characters, are not permitted in most CLI fields: <, >, (, ), #, ‘, and “. You may be able to enter special characters as part of a string’s value by using a special command, enclosing it in quotes, or preceding it with an escape sequence — in this case, a backslash ( \ ) character.

In other cases, different keystrokes are required to input a special character. If you need to enter ? as part of config, you first need to input CTRL-V. If you enter ? without first using CTRL-V, the question mark has a different meaning in the CLI; it will show available command options in that section.

For example, if you enter ? without CTRL-V:

edit “*.xe token line: Unmatched double quote.

If you enter ? with CTRL-V:

edit “*.xe?” new entry ‘*.xe?’ added

Entering special characters

Character Keys
? Ctrl + V then ?
Tab Ctrl + V then Tab
Space

(to be interpreted as part of a string value, not to end the string)

Enclose the string in quotation marks: “Security Administrator”.

Enclose the string in single quotes: ‘Security Administrator’.

Character Keys
  Precede the space with a backslash: Security\ Administrator.

(to be interpreted as part of a string value, not to end the string)

\’

(to be interpreted as part of a string value, not to end the string)

\”
\ \\

Using grep to filter get and show command output

In many cases, the get and show (and diagnose) commands may produce a large amount of output. If you are looking for specific information in a large get or show command output, you can use the grep command to filter the output to only display what you are looking for. The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.

Use the following command to display the MAC address of the FortiGate unit internal interface:

get hardware nic internal | grep Current_HWaddr Current_HWaddr      00:09:0f:cb:c2:75

Use the following command to display all TCP sessions in the session list and include the session list line number in the output:

get system session list | grep -n tcp

Use the following command to display all lines in HTTP replacement message commands that contain URL (upper or lower case):

show system replacemsg http | grep -i url

There are three additional options that can be applied to grep:

  • <num> After
  • <num> Before
  • <num> Context

The option -f is also available to support contextual output, in order to show the complete configuration. The following example shows the difference in output when -f option is used versus when it is not.

Using -f:

show | grep -f ldap-group1 config user group edit “ldap-group1” set member “pc40-LDAP”

next

end

config firewall policy edit 2 set srcintf “port31” set dstintf “port32”

set srcaddr “all” set action accept set identity-based enable set nat enable

config identity-based-policy edit 1 set schedule “always” set groups “ldap-group1”

set dstaddr “all”

set service “ALL”

next

end

next

end

Without using -f:

show | grep ldap-group1 edit “ldap-group1” set groups “ldap-group1”

Language support and regular expressions

Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the item being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but some items with arbitrary names or values may be input using your language of choice. To use other languages in those cases, you must use the correct encoding.

Input is stored using Unicode UTF-8 encoding but is not normalized from other encodings into UTF-8 before it is stored. If your input method encodes some characters differently than in UTF-8, your configured items may not display or operate as expected.

Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may not be what you expect.

For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ ) and vice versa. A regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not work it if the symbol is entered using the wrong encoding.

For best results, you should:

  • use UTF-8 encoding, or
  • use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings, or l for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.

HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the client’s operating system or input language. If you cannot predict the client’s encoding, you may only be able to match any parts of the request that are in English, because regardless of the encoding, the values for English characters tend to be encoded identically. For example, English words may be legible regardless of interpreting a web page as either ISO 8859-1 or as GB2312, whereas simplified Chinese characters might only be legible if the page is interpreted as GB2312.

If you configure your FortiGate unit using other encodings, you may need to switch language settings on your management computer, including for your web browser or Telnet/SSH client. For instructions on how to configure your management computer’s operating system language, locale, or input method, see its documentation.

If you choose to configure parts of the FortiGate unit using non-ASCII characters, verify that all systems interacting with the FortiGate unit also support the same encodings. You should also use the same encoding throughout the configuration if possible in order to avoid needing to switch the language settings of the GUI and your web browser or Telnet/SSH client while you work.

Similarly to input, your web browser or CLI client should normally interpret display output as encoded using UTF-8. If it does not, your configured items may not display correctly in the GUI or CLI. Exceptions include items such as regular expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that the FortiGate unit receives.

To enter non-ASCII characters in the CLI console:

  1. On your management computer, start your web browser and go to the URL for the FortiGate unit’s GUI.
  2. Configure your web browser to interpret the page as UTF-8 encoded.
  3. Log in to the FortiGate unit.
  4. Open the CLI Console from the upper right-hand corner.
  5. In the title bar of the CLI Console widget, click Edit (the pencil icon).
  6. Enable Use external command input box and select OK.
  7. The Command field appears below the usual input and display area of the CLI Console .
  8. Type a command in this field and press Enter.

In the display area, the CLI Console widget displays your previous command interpreted into its character code equivalent, such as:

edit \743\601\613\743\601\652

and the command’s output.

To enter non-ASCII characters in a Telnet/SSH client

  1. On your management computer, start your Telnet or SSH client.
  2. Configure your Telnet or SSH client to send and receive characters using UTF-8 encoding.

Support for sending and receiving international characters varies by each Telnet/SSH client. Consult the documentation for your Telnet/SSH client.

  1. Log in to the FortiGate unit.
  2. At the command prompt, type your command and press Enter.

You may need to surround words that use encoded characters with single quotes ( ‘ ).

Depending on your Telnet/SSH client’s support for your language’s input methods and for sending international characters, you may need to interpret them into character codes before pressing Enter. For example, you might need to enter: edit ‘\743\601\613\743\601\652’

  1. The CLI displays your previous command and its output.

Screen paging

You can configure the CLI to pause after displaying each page’s worth of text when displaying multiple pages of output.

When the display pauses, the last line displays –More–. You can then either:

l press the spacebar to display the next page. l type Q to truncate the output and return to the command prompt.

This may be useful when displaying lengthy output, such as the list of possible matching commands for command completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of your terminal emulator, you can simply display one page at a time.

To configure the CLI Console to pause display when the screen is full:

config system console set output more

end

Baud rate

You can change the default baud rate of the local console connection.

To change the baud rate enter the following commands:

config system console set baudrate {9600 | 19200 | 38400 | 57600 | 115200} end

Editing the configuration file on an external host

You can edit the FortiGate configuration on an external host by first backing up the configuration file to a TFTP server. Then edit the configuration file and restore it to the FortiGate unit.

Editing the configuration on an external host can be timesaving if you have many changes to make, especially if your plain text editor provides advanced features such as batch changes.

To edit the configuration on your computer:

  1. Use execute backup to download the configuration file to a TFTP server, such as your management computer.
  2. Edit the configuration file using a plain text editor that supports Unix-style line endings.

Do not edit the first line. The first line(s) of the configuration file (preceded by a # character) contains information about the firmware version and FortiGate model. If you change the model number, the FortiGate unit will reject the configuration file when you attempt to restore it.

  1. Use execute restore to upload the modified configuration file back to your FortiGate.

The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the

FortiGate unit loads the configuration file and checks each command for errors. If a command is invalid, the FortiGate unit ignores the command. If the configuration file is valid, the FortiGate unit restarts and loads the new configuration.

Permissions – FortiOS 6.2

Permissions

Access profiles control which CLI commands an administrator account can access. Access profiles assign either read, write, or no access to each area of FortiOS. To view configurations, you must have read access. To make changes, you must have write access. So, depending on the account used to log in to the FortiGate, you may not have complete access to all CLI commands. For complete access to all commands, you must log in with an administrator account that has the super_admin access profile. By default the admin administrator account has the super_admin access profile.

Administrator accounts, with the super_admin access profile are similar to a root administrator account that always has full permission to view and change all FortiGate configuration options, including viewing and changing all other administrator accounts and including changing other administrator account passwords.

Increasing the security of administrator accounts

Set strong passwords for all administrator accounts (including the admin account) and change passwords regularly.

CLI Command syntax – FortiOS 6.2

Command syntax

When entering a command, the CLI console requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.

Fortinet documentation uses the conventions below to describe valid command syntax.

Terminology

Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects.

To describe the function of each word in the command line, especially if that nature has changed between firmware versions, Fortinet uses terms with the following definitions:

  • Command — A word that begins the command line and indicates an action that the FortiGate should perform on a part of the configuration or host on the network, such as config or execute. Together with other words, such as fields or values, that end when you press the Enter key, it forms a command line. Exceptions include multiline command lines, which can be entered using an escape sequence. Valid command lines must be unambiguous if abbreviated. Optional words or other command line permutations are indicated by syntax notation.
  • Sub-command — A config sub-command that is available only when nested within the scope of another command. After entering a command, its applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command. Indentation is used to indicate levels of nested commands.Not all top-level commands have sub-commands. Available sub-commands vary by their containing scope.
  • Object — A part of the configuration that contains tables and /or fields. Valid command lines must be specific enough to indicate an individual object.
  • Table — A set of fields that is one of possibly multiple similar sets which each have a name or number, such as an administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by other parts of the configuration that use them.
  • Field — The name of a setting, such as ip or hostname. Fields in some tables must be configured with values. Failure to configure a required field will result in an invalid object configuration error message, and the FortiGate will discard the invalid table.
  • Value — A number, letter, IP address, or other type of input that is usually your configuration setting held by a field. Some commands, however, require multiple input values which may not be named but are simply entered in sequential order in the same command line. Valid input types are indicated by constraint notation. l Option — A kind of value that must be one or more words from of a fixed set of options.

Indentation

Indentation indicates levels of nested commands, which indicate what other sub-commands are available from within the scope. The “next” and “end” lines are used to maintain a hierarchy and flow to CLI commands, especially helping to distinguish those commands with extensive sub-commands.

The “next” line is entered at the same indentation-level as the previous “edit”, to mark where you would like to finish that table entry and move on to the next table entry; doing so will not mean that you have “left” that sub-command.

next

Below is an example command, with a sub-command of entries:

After entering settings for <2> and entering next, the <2> table entry has been saved, and you be set back one level of indentation so you can continue to create more entries (if you wish).

This hierarchy is best indicated in the CLI console, as the example below is what displays in the console after entering

end

Below is the same command and sub-command, except end has been entered instead of next after the subcommand:

Entering end will save the <2> table entry, but bring you out of the sub-command entirely; in this example, you would enter this when you don’t wish to continue creating new entries.

Again, your hierarchy is best indicated by the CLI console. Below is what displays in the console after entering end:

Notation

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

All syntax uses the following conventions:

Convention                                  Description
Square brackets [ ]         An optional word or series of words. For example:

[verbose {1 | 2 | 3}]

indicates that you may either omit or type both the word verbose and its accompanying option/s, such as verbose 3.

See Optional values and ranges below for more information.

Curly braces { }           A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].
Mutually exclusive options –    Both mutually and non-mutually exclusive commands will use curly braces, as delimited by vertical bars |   they provide multiple options, however mutually exclusive commands will divide each option with a pipe. This indicates that you are permitted to enter one option or the other:

{enable | disable}

Convention Description
Non-mutually exclusive options – delimited by spaces Non-mutually exclusive commands do not use pipes to divide their options. In those circumstances, multiple options can be entered at once, as long as they are entered with a space separating each option:

{http https ping snmp ssh telnet}

Angle brackets < > A word constrained by data type. The angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example, <retries_int>, indicates that you should enter a number of retries as an integer.

Data types include: l <xxx_name>: A name referring to another part of the configuration, such as policy_A.

l  <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.

l  <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.

l  <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.

l  <xxx_email>: An email address, such as admin@example.com. l <xxx_ipv4>: An IPv4 address, such as 192.168.1.99. l <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.

l  <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.

l  <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.1/24

l  <xxx_ipv4range>  : A hyphen ( – )-delimited inclusive range of IPv4 addresses, such as 192.168.1.1-192.168.1.255.

l  <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.

l  <xxx_v6mask>: An IPv6 netmask, such as /96.

l  <xxx_ipv6mask>: A dotted decimal IPv6 address and netmask separated by a space.

l  <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.

l  <xxx_int>: An integer number that represents a metric, minutes_int for the number of minutes.

Optional values and ranges

Any field that is optional will use square-brackets, such as set comment. This is because it doesn’t matter whether it’s set or not. The overall config command will still successfully be taken.

Another example of where square-brackets would be used is to show that multiple options can be set, even intermixed with ranges. The example below shows a field that can be set to either a specific value or range, or multiple instances:

config firewall service custom

set iprange <range1> [<range2> <range3> …]

end

Sub-commands

Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects:

get system admin

Sub-commands are available from within the scope of some commands. When you enter a sub-command level, the command prompt changes to indicate the name of the current command scope. For example, after entering:

config system admin

the command prompt becomes:

(admin)#

Applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command.

For example, the edit sub-command is available only within a command that affects tables; the next sub-command is available only from within the edit sub-command:

config system interface edit port1 set status up

next

end

Sub-command scope is indicated by indentation.

Available sub-commands vary by command. From a command prompt within config, two types of sub-commands might become available:

l commands affecting fields l commands affecting tables

Commands for tables

clone <table> Clone (or make a copy of) a table from the current object.

For example, in config firewall policy, you could enter the following command to clone security policy 27 to create security policy 30: clone 27 to 30

In config antivirus profile, you could enter the following command to clone an antivirus profile named av_pro_1 to create a new antivirus profile named av_pro_2:

clone av_pro_1 to av_pro_2 clone may not be available for all tables.

delete <table> Remove a table from the current object.
  For example, in config system admin, you could delete an administrator account named newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its fields, such as newadmin’s first-name and email-address. delete is only available within objects containing tables.
edit <table> Create or edit a table in the current object.

For example, in config system admin:

l  edit the settings for the default admin administrator account by typing edit admin.

l  add a new administrator account with the name newadmin and edit newadmin‘s settings by typing edit newadmin.

edit is an interactive sub-command: further sub-commands are available from within edit. edit changes the prompt to reflect the table you are currently editing. edit is only available within objects containing tables.

In objects such as security policies, <table> is a sequence number. To create a new entry without the risk of overwriting an existing one, enter edit 0. The CLI initially confirms the creation of entry 0, but assigns the next unused number after you finish editing and enter end.

end Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.
get List the configuration of the current object or table.•   In objects, get lists the table names (if present), or fields and their values.•   In a table, get lists the fields and their values.For more information on get commands, see the CLI Reference.
purge Remove all tables in the current object.

For example, in config user local, you could type get to see the list of user names, then type purge and then y to confirm that you want to delete all users.purge is only available for objects containing tables.

Caution: Back up the FortiGate before performing a purge. purge cannot be undone. To restore purged tables, the configuration must be restored from a backup.

Caution: Do not purge system interface or system admin tables.

purge does not provide default tables. This can result in being unable to connect or log in, requiring the FortiGate to be formatted and restored.

rename <table> to <table> Rename a table.

For example, in config system admin, you could rename admin3 to fwadmin by typing rename admin3 to fwadmin.rename is only available within objects containing tables.

show Display changes to the default configuration. Changes are listed in the form of configuration commands.

Example of table commands

From within the system admin object, you might enter:

edit admin_1

The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1 table:

new entry ‘admin_1’ added

(admin_1)#

Commands for fields

abort   Exit both the edit and/or config commands without saving the fields.
append   Add an option to an existing list.
end   Save the changes made to the current table or object fields, and exit the config command (to exit without saving, use abort instead).
get   List the configuration of the current object or table. l In objects, get lists the table names (if present), or fields and their values. l In a table, get lists the fields and their values.
move   Move an object within a list, when list order is important. For example, rearranging security policies within the policy list.
next   Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt (to save and exit completely to the root prompt, use end instead).

next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time.

next is only available from a table prompt; it is not available from an object prompt.

select   Clear all options except for those specified.

For example, if a group contains members A, B, C, and D and you remove all users except for B, use the command select member B.

set <field> <value>   Set a field’s value.

For example, in config system admin, after typing edit admin, you could type set password newpass to change the password of the admin administrator to newpass.

Note: When using set to change a field containing a space-delimited list, type the whole new list. For example, set <field> <new-value> will replace the list with the <new-value> rather than appending <new-value> to the list.

show   Display changes to the default configuration. Changes are listed in the form of configuration commands.
unselect   Remove an option from an existing list.
unset <field>   Reset the table or object’s fields to default values.

For example, in config system admin, after typing edit admin, typing unset password resets the password of the admin administrator account to the default (in this case, no password).

Example of field commands

To assign the value my1stExamplePassword to the password field, enter the following command from within the admin_1 table:

set password my1stExamplePassword

Next, to save the changes and edit the next administrator’s table, enter the next command.

CLI-only features – FortiOS 6.2

CLI-only features

As you can see in the Feature / Platform Matrix, the entry level models have a number of features that are only available using the CLI, rather than appearing in the GUI.

You can open the CLI console so that it automatically opens to the object you wish to configure. For example, to edit a firewall policy, right-click on the policy in the policy list (Policy & Objects > IPv4 Policy) and select Edit in CLI. The CLI console will appear, with the commands to access this part of the configuration added automatically.

Once you have access to the CLI, you can enter instructions for specific tasks that can be found throughout the FortiOS Handbook. Options are also available at the top of the CLI Console to Clear console, Download, and Copy to clipboard.

Refer to the CLI Reference for a list of the available commands.

Connecting to the CLI – FortiOS 6.2

Connecting to the CLI

You can access the CLI in three ways:

  • Local console — Connect your computer directly to the console port of your FortiGate. Local access is required in some cases:
  • If you are installing your FortiGate for the first time and it is not yet configured to connect to your network, you may only be able to connect to the CLI using a local serial console connection, unless you reconfigure your computer’s network settings for a peer connection.
  • Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, making local CLI access the only viable option.
  • SSH or Telnet access — Connect your computer through any network interface attached to one of the network ports on your FortiGate. The network interface must have enabled Telnet or SSH administrative access if you connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you connect by accessing the CLI Console in the GUI. The CLI console can be accessed from the upper-right hand corner of the screen and appears as a slide-out window. l — Use the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate.

Local console

Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:

  • A computer with an available serial communications (COM) port.
  • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package.
  • Terminal emulation software such as HyperTerminal for Microsoft Windows.

The following procedure describes the connection using Microsoft HyperTerminal software; steps may vary with other terminal emulators.

To connect to the CLI using a local serial console connection

  1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.
  2. On your management computer, start HyperTerminal.
  3. For the Connection Description, enter a Name for the connection, and select OK.
  4. On the Connect using drop-down, select the communications (COM) port on your management computer you are using to connect to the FortiGate unit.
  5. Select OK.
  6. Select the following Port settings and select OK.
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None
  1. Press Enter or Return on your keyboard to connect to the CLI.
  2. Type a valid administrator account name (such as admin) and press Enter.
  3. Type the password for that administrator account and press Enter. (In its default state, there is no password for the admin )

The CLI displays the following text:

Welcome!

Type ? to list available commands.

You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.

SSH or Telnet access

SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its RJ-45 network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.

You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer is not connected directly or through a switch, you must also configure the FortiGate unit with a static route to a router that can forward packets from the FortiGate unit to your computer. You can do this using either a local console connection or the GUI.

Requirements

l A computer with an available serial communications (COM) port and RJ-45 port l Terminal emulation software such as HyperTerminal for Microsoft Windows l The RJ-45-to-DB-9 or null modem cable included in your FortiGate package l A network cable l Prior configuration of the operating mode, network interface, and static route.

To enable SSH or Telnet access to the CLI using a local console connection

  1. Using the network cable, connect the FortiGate unit’s network port either directly to your computer’s network port, or to a network through which your computer can reach the FortiGate unit.
  2. Note the number of the physical network port.
  3. Using a local console connection, connect and log into the CLI.
  4. Enter the following command:

config system interface edit <interface_str> set allowaccess <protocols_list>

end

where:

  • <interface_str> is the name of the network interface associated with the physical network port and containing its number, such as port1.
  • <protocols_list> is the complete, space-delimited list of permitted administrative access protocols, such as https ssh telnet.
  1. To confirm the configuration, enter the command to display the network interface’s settings:

show system interface <interface_str>

  1. The CLI displays the settings, including the allowed administrative access protocols, for the network interfaces.

Connecting using SSH

Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate units support 3DES and Blowfish encryption algorithms for SSH.

Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSH connections. The following procedure uses PuTTY. Steps may vary with other SSH clients.

To connect to the CLI using SSH

  1. On your management computer, start an SSH client.
  2. In Host Name (or IP address), enter the IP address of a network interface on which you have enabled SSH administrative access.
  3. Set Port to 22.
  4. For the Connection type, select SSH.
  5. Select Open. The SSH client connects to the FortiGate unit.

The SSH client may display a warning if this is the first time you are connecting to the FortiGate unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiGate unit but used a different IP address or SSH key. This is normal if your management computer is directly connected to the FortiGate unit with no network hosts between them.

  1. Click Yes to verify the fingerprint and accept the FortiGate unit’s SSH key. You will not be able to log in until you have accepted the key.
  2. The CLI displays a login prompt.
  3. Type a valid administrator account name (such as admin) and press Enter.
  4. Type the password for this administrator account and press Enter.

The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

Connecting using Telnet

Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnet connections.

To connect to the CLI using Telnet

  1. On your management computer, start a Telnet client.
  2. Connect to a FortiGate network interface on which you have enabled Telnet.
  3. Type a valid administrator account name (such as admin) and press Enter.
  4. Type the password for this administrator account and press Enter. The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.