Appendix E - FortiClient (Linux) CLI commands
FortiClient (Linux) supports an installer targeted towards the headless version of Linux server. FortiClient (Linux) 7.0.0 for servers (forticlient_server_7.0.0xxx) offers a command line interface and is intended to be used with the CLI-only (headless) installation. The same set of CLI commands also works with a FortiClient (Linux) GUI installation.
The following summarizes the CLI commands available for FortiClient (Linux) 7.0.0:
Endpoint control
FortiClient 7.0.0 must establish a Telemetry connection to EMS to receive license information. FortiClient features are only enabled after connecting to EMS.
Usage
You can access endpoint control features through the epctrl CLI command. This command offers the end user the ability to connect or disconnect from EMS and check the connection status. You can access usage information by using the following commands:
jameslee@sunshine:~$ /opt/forticlient/epctrl -h
FortiClient Endpoint Control
Usage:
/opt/forticlient/epctrl -r|--register <address> [-p|--port ] [-s|--site]
/opt/forticlient/epctrl -c|--cloud <invitation code>
/opt/forticlient/epctrl -u|--unregister
/opt/forticlient/epctrl -d|--details
Options:
-h --help Show the help screen
-r --register Register to an EMS address
-p --port EMS port
-s --site EMS site name (when EMS multitenancy is enabled)
-c --cloud Register to FortiClient Cloud using the invitation code
-u --unregister Unregister from the current EMS
-d --details Show telemetry details and status
Connecting to on-premise EMS
FortiClient can connect to on-premise EMS using the following commands. If EMS is listening on the default port, 8013, you do not need to specify the port number. If EMS is listening on another port, such as 8444, you must specify the port number with the EMS IP address. The example illustrates both use cases:
jameslee@sunshine:~$ /opt/forticlient/epctrl -r 172.17.60.251
Registering to EMS 172.17.60.251:8013.
jameslee@sunshine:~$ /opt/forticlient/epctrl -r 172.17.60.251 -p 8444
Registering to EMS 172.17.60.251:8444.
If EMS multitenancy is enabled, you can also specify the site name. If connecting to the default site, you do not need to provide a site name. The example illustrates connecting to a site named "headquarters".
jameslee@sunshine:~$ /opt/forticlient/epctrl -r 172.17.60.251 -s headquarters
Connecting to FortiClient Cloud
FortiClient can connect to FortiClient Cloud using the following commands. You must enter the invitation code (ABCDEF123 in the example) that you received from the FortiClient Cloud administrator:
jameslee@sunshine:~$ /opt/forticlient/epctrl -c ABCDEF123
Endpoint control status
You can check FortiClient endpoint control status details with the -d argument. When FortiClient is connected to EMS only, the command output is as follows:
jameslee@sunshine:~$ /opt/forticlient/epctrl -d
=====================================
FortiClient EMS Details
=====================================
IP: 172.17.60.251:8013
Host: DESKTOP-ID2CVUA
SN: FCTEMS3764894213
Status: Connected
If FortiClient is connected to EMS and notifying FortiGate, the endpoint control status displays the serial numbers and hostnames of the EMS and FortiGates as follows:
jameslee@sunshine:~$ /opt/forticlient/epctrl -d
=====================================
FortiClient EMS Details
=====================================
IP: ems.fortinet.net:80
Host: DESKTOP-ID2CVUA
SN: FCTEMS3764894213
Status: Connected
=====================================
FortiGate Details
=====================================
IP: 172.17.60.40
Host: FGVM02TM18001119
SN: FGVM02TM18001119
Status: Connected
When FortiClient is not connected to EMS, the endpoint control status has no Telemetry data available as shown:
jameslee@sunshine:~$ /opt/forticlient/epctrl -d
No telemetry data available.
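The status output above can be checked by a monitoring job rather than read by eye. This is an added example, not Fortinet code: it turns `epctrl -d` output into one record per section and passes only when the EMS section reports Connected and, optionally, the EMS serial number matches the one you expect. The function names `parse_epctrl`, `check_ems` and `sample_epctrl` are assumptions of this example, and the sample is constructed from the output shown above.

```shell
# Print one record per section: <section>|<ip>|<host>|<sn>|<status>.
# Prints nothing when the client reports "No telemetry data available."
parse_epctrl() {
    awk '
        function emit() {
            if (sect != "")
                print sect "|" f["IP"] "|" f["Host"] "|" f["SN"] "|" f["Status"]
            split("", f)                       # clear fields for next section
        }
        /^=+$/      { next }                   # separator rows
        / Details$/ { emit(); sect = $0; sub(/ Details$/, "", sect); next }
        /^(IP|Host|SN|Status): / {
            key = $0; sub(/:.*$/, "", key)     # text before the first colon
            val = $0; sub(/^[^:]+: /, "", val) # keeps "host:port" intact
            f[key] = val
        }
        END { emit() }'
}

# Exit 0 only if the EMS section says Connected and, when an expected EMS
# serial number is passed as $1, the reported SN equals it.
check_ems() {
    line=$(parse_epctrl | grep '^FortiClient EMS|') || return 1
    sn=$(printf '%s\n' "$line" | cut -d'|' -f4)
    status=$(printf '%s\n' "$line" | cut -d'|' -f5)
    [ "$status" = "Connected" ] || return 1
    [ -z "${1:-}" ] || [ "$sn" = "$1" ]
}

# Constructed sample, copied from the EMS + FortiGate output shown above.
sample_epctrl() { cat <<'EOF'
=====================================
FortiClient EMS Details
=====================================
IP: ems.fortinet.net:80
Host: DESKTOP-ID2CVUA
SN: FCTEMS3764894213
Status: Connected
=====================================
FortiGate Details
=====================================
IP: 172.17.60.40
Host: FGVM02TM18001119
SN: FGVM02TM18001119
Status: Connected
EOF
}
```

On an endpoint, run it as `/opt/forticlient/epctrl -d | check_ems <expected EMS serial>` and alert on a non-zero exit, which covers both a disconnected client and one registered to an unexpected EMS.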
Disconnecting from EMS
FortiClient can disconnect from EMS only if the configuration received from EMS allows it. You can disconnect using the -u argument.
jameslee@sunshine:~$ /opt/forticlient/epctrl -u
Unregistering from EMS.
AV scanning
You may run an AV scan from the CLI on the entire file system or on a specified directory. You can only run an AV scan as the root user. After completing an AV scan, FortiClient prints the scan results and detailed log file locations. You can run the following command to run an AV scan, where <dir> is the directory to scan. You can perform a full scan by inputting / in place of <dir>.
sudo /opt/forticlient/fmon -s /opt/forticlient/vir_sig/ -o /opt/forticlient/ --unit /opt/forticlient -d <dir>
The following shows an AV scan performed on the /var directory:
jameslee@sunshine:/var$ sudo /opt/forticlient/fmon -s /opt/forticlient/vir_sig/ -o /opt/forticlient/ --unit /opt/forticlient -d /var
Signature dir : /opt/forticlient/vir_sig/
Log dir : /opt/forticlient/
Fmon on daemon mode.
Dest dir : /var
CPU number : 1
Server port : 40140
AV Engine path : /opt/forticlient/libav.so
AV Signature path : /opt/forticlient/vir_sig/vir_high:/opt/forticlient/vir_sig/vir_sandbox_sig
Load AV signature success.
<=== PID : 13821 Client Hello rc = 2185
Child : 13821 ready
===> Scan : /var/spool/anacron/cron.daily
===> Scan : /var/spool/anacron/cron.weekly
===> Scan : /var/spool/anacron/cron.monthly
===> Scan : /var/crash/_usr_bin_gedit.1001.crash
===> Scan : /var/crash/_opt_forticlient_fmon.1000.crash
===> Scan : /var/backups/apt.extended_states.1.gz
===> Scan : /var/backups/shadow.bak
===> Scan : /var/backups/dpkg.statoverride.2.gz
===> Scan : /var/backups/passwd.bak
===> Scan : /var/backups/dpkg.diversions.1.gz
===> Scan : /var/backups/apt.extended_states.0
===> Scan : /var/backups/dpkg.arch.2.gz
===> Scan : /var/backups/alternatives.tar.1.gz
===> Scan : /var/backups/dpkg.arch.0
===> Scan : /var/backups/dpkg.status.1.gz
===> Scan : /var/backups/dpkg.statoverride.0
===> Scan : /var/backups/dpkg.arch.1.gz
===> Scan : /var/backups/gshadow.bak
===> Scan : /var/backups/dpkg.diversions.2.gz
===> Scan : /var/backups/alternatives.tar.2.gz
................................
................................
................................
-------------- scan_dispatch_worker finished -------------
Scan started at Mon Apr 22 14:43:45 2019
Found virus : EICAR_TEST_FILE
In file : /var/eicar.com
Action : Quarantine success
Quarantine file : /opt/forticlient/quarantine/eicar.com.1
--------------- Scan summary ---------------------
Total scan files : 10947
Found virus : 1
Worker crash : 0
Worker timeout : 0
--------------------------------------------------
Scan ended at Mon Apr 22 14:44:01 2019
Full results can be found in /opt/forticlient/Daemon - Mon Apr 22 14:43:45 2019.log
Vulnerability scanning
You can run a vulnerability scan from the CLI to check for vulnerable applications on the machine. You can only run a vulnerability scan as the root user. After completing a vulnerability scan, FortiClient prints the number of vulnerabilities present on the machine, their severity levels, and detailed log file locations. You can run a vulnerability scan by running the following command:
jameslee@sunshine:/home/jameslee$ sudo /opt/forticlient/vulscan -v /opt/forticlient/vcm_sig/ -c -o /var/log/forticlient/vcm_log/
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
[INFO] Engine version=2.0.0.22
[INFO] Build install list
................................
................................
................................
[INFO] Output directory: /var/log/forticlient/vcm_log/2019-04-18 18-45-42/
--------------- Scan summary ---------------------
Critical : 7
High : 2
Medium : 7
Low : 0
--------------------------------------------------
You can patch existing vulnerabilities using FortiClient. FortiClient runs a vulnerability scan again after patching the vulnerabilities and prints the results. You can patch vulnerabilities as shown:
jameslee@sunshine:/home/jameslee$ sudo /opt/forticlient/vulscan -v /opt/forticlient/vcm_sig/ -c -o /var/log/forticlient/vcm_log/ -p
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
[INFO] Engine version=2.0.0.22
[INFO] Build install list
...
Patching vid 55441
Hit:1 http://ca.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://ca.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:4 http://ca.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:5 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main amd64 DEP-11 Metadata [278 kB]
Get:6 http://security.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [9,364 B]
Get:7 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 48x48 Icons [66.7 kB]
Get:8 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 64x64 Icons [123 kB]
Get:9 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 DEP-11 Metadata [222 kB]
Get:10 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 48x48 Icons [7,788 B]
Get:11 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [35.7 kB]
Get:12 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 48x48 Icons [194 kB]
Get:13 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 48x48 Icons [16.4 kB]
Get:14 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 64x64 Icons [92.2 kB]
Get:15 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 64x64 Icons [406 kB]
Get:16 http://ca.archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 DEP-11 Metadata [2,468 B]
Get:17 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2,464 B]
Get:18 http://ca.archive.ubuntu.com/ubuntu bionic-backports/universe amd64 DEP-11 Metadata [7,352 B]
Fetched 1,716 kB in 3s (591 kB/s)
Reading package lists... Done
[INFO] install command is: apt-get -y install --only-upgrade firefox
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
fonts-lyx
The following packages will be upgraded:
firefox
1 upgraded, 0 newly installed, 0 to remove and 315 not upgraded.
Need to get 0 B/48.1 MB of archives.
After this operation, 7,509 kB of additional disk space will be used.
(Reading database ... 162206 files and directories currently installed.)
Preparing to unpack .../firefox_66.0.3+build1-0ubuntu0.18.04.1_amd64.deb ...
Unpacking firefox (66.0.3+build1-0ubuntu0.18.04.1) over (59.0.2+build1-0ubuntu1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-1ubuntu3.18.04.1) ...
Setting up firefox (66.0.3+build1-0ubuntu0.18.04.1) ...
Installing new version of config file /etc/apparmor.d/usr.bin.firefox ...
Please restart all running instances of firefox, or you will experience problems.
Processing triggers for man-db (2.8.3-2) ...
Processing triggers for gnome-menus (3.13.3-11ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
[INFO] query command is: dpkg-query --show firefox
Package version found is 66.0.3+build1-0ubuntu0.18.04.1
Patching vid 55442
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://ca.archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://ca.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://ca.archive.ubuntu.com/ubuntu bionic-backports InRelease
Reading package lists... Done
................................
................................
................................
--------------- Scan summary ---------------------
Critical : 0
High : 0
Medium : 0
Low : 0
--------------------------------------------------
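Both the AV scan (fmon) and the vulnerability scan (vulscan) shown above end with a "Scan summary" block, which makes them easy to gate from cron or a CI job. This is an added example, not Fortinet code: it reads counters from inside the summary block only, so the per-detection line "Found virus : EICAR_TEST_FILE" is not mistaken for the count, and it fails closed when no summary was printed. The function names and exit codes are assumptions of this example, and the samples are constructed from the output shown on this page.

```shell
# Print key=value for rows inside the "Scan summary" block only.
scan_summary() {
    awk '
        /^-+ Scan summary -+$/ { in_sum = 1; next }   # block opens
        in_sum && /^-+$/       { in_sum = 0; next }   # block closes
        in_sum && / : / {
            key = $0; sub(/ +: .*$/, "", key)
            val = $0; sub(/^.* : +/, "", val)
            print key "=" val
        }'
}

# Exit 0 if every named counter is 0, 1 if any is above 0, and 2 if the
# summary or a counter is missing (a scan that died must not pass the gate).
scan_clean() {
    out=$(scan_summary)
    [ -n "$out" ] || return 2
    for key in "$@"; do
        n=$(printf '%s\n' "$out" |
            awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        case $n in ''|*[!0-9]*) return 2 ;; esac
        [ "$n" -eq 0 ] || return 1
    done
}

# Constructed samples, trimmed from the outputs shown above.
sample_fmon() { cat <<'EOF'
Found virus : EICAR_TEST_FILE
In file : /var/eicar.com
--------------- Scan summary ---------------------
Total scan files : 10947
Found virus : 1
Worker crash : 0
Worker timeout : 0
--------------------------------------------------
EOF
}
sample_vulscan_patched() { cat <<'EOF'
[INFO] Build install list
--------------- Scan summary ---------------------
Critical : 0
High : 0
Medium : 0
Low : 0
--------------------------------------------------
EOF
}
```

Pipe the real scan output into `scan_clean "Found virus" "Worker crash" "Worker timeout"` for fmon, or `scan_clean Critical High` for vulscan, and treat exit code 2 as a failed scan rather than a clean one.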
FortiClient updates
You can run a FortiClient update task from the CLI once FortiClient has connected to EMS and is licensed. The update task downloads the latest FortiClient engine and signatures. You can only run an update task as the root user. Following are the command and its output:
root@sunshine:/home/jameslee# /opt/forticlient/update
****************Update starting***************
Sandbox test = 0
Sandbox host to test = (null)
log_level: 6
Enable custom fds server :80 failover port: 8000 failover to fdg: 1 allow sw update: 0
Updating FCTDATA: Update started forced update
[INFO] Engine version=2.0.0.22
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
Getting current FortiClient Components information
current av engine version: 6.2.126
av engine id: 06002000FVEN04100-00006.00126-9999999999
current av main sig full version: 67.1895
av main sig id: 06002000FVDB04000-00067.01895-9999999999
current av ext sig full version: 67.1892
...
...
user jameslee, type:7, session:0, pid:6913
user = jameslee
sandbox server not configured.
Updating FCTDATA: Update finished
[INFO] Engine version=2.0.0.22
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
Downloading done ret = 0
root@sunshine:/home/jameslee#
Existing signature details
You can check details of the existing FortiClient engine and signatures by running the update task with the -d argument:
jameslee@sunshine:/home/jameslee$ /opt/forticlient/update -d
=====================================
Engines
=====================================
AntiVirus: 6.2.00126
Vulnerability: 2.00022
=====================================
Signatures
=====================================
AntiVirus: 67.01895
AntiVirus Extended: 67.01892
Vulnerability: 1.00038
Sandbox: 3.00442
Update help
The update help option lists all options available for the update task. You can access this option as shown:
jameslee@sunshine:~$ /opt/forticlient/update -h
FortiClient Update
Usage:
/opt/forticlient/update
/opt/forticlient/update -d
Options:
-h Show the help screen
-d Show engine and signature versions
VPN
You can access VPN features through the fortivpn CLI command. This command offers the end user the ability to connect to or disconnect from VPN and perform other VPN tasks.
Usage:
/opt/forticlient/fortivpn edit <my_vpn_name>
/opt/forticlient/fortivpn list
/opt/forticlient/fortivpn view <my_vpn_name>
/opt/forticlient/fortivpn connect <my_vpn_name>
/opt/forticlient/fortivpn connect <my_vpn_name> --user=<username>
/opt/forticlient/fortivpn connect <my_vpn_name> --user=<username> --password
/opt/forticlient/fortivpn connect <my_vpn_name> --user=<username> --password --save-password --always-up
/opt/forticlient/fortivpn status
/opt/forticlient/fortivpn disconnect
/opt/forticlient/fortivpn remove <my_vpn_name>
Option | Description |
---|---|
edit <my_vpn_name> | Create or edit a VPN tunnel configuration. |
list | List existing VPN tunnel configurations. |
view <my_vpn_name> | View a VPN tunnel configuration's details. |
connect <my_vpn_name> | Connect to a configured VPN tunnel. Use the - |
status | Show VPN status. |
disconnect | Disconnect from VPN. |
remove <my_vpn_name> | Remove the VPN tunnel configuration. |
Connecting to VPN using the Linux CLI may not function correctly on Ubuntu if gnome-keyring is not configured. See the Ubuntu Manpage.
To configure gnome-keyring:
- Install gnome-keyring:
  sudo apt install gnome-keyring
- Initialize and unlock the login keyring:
  killall gnome-keyring-daemon
  echo -n "your-login-password" | gnome-keyring-daemon --unlock