CLI basics
Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.
Help
Press the question mark (?) key to display command help and complete commands.
- Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
- Enter a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option.
- Enter a command followed by an option and press the question mark (?) key to display a list of additional options available for that command option combination and a description of each option.
- Enter a question mark after entering a portion of a command to see a list of valid complete commands and their descriptions. If there is only one valid command, it will be automatically filled in.
Shortcuts and key commands
Shortcut key | Action |
---|---|
? |
List valid complete or subsequent commands. If multiple commands can complete the command, they are listed with their descriptions. |
Tab |
Complete the word with the next available match. Press multiple times to cycle through available matches. |
Up arrow or Ctrl + P |
Recall the previous command. Command memory is limited to the current session. |
Down arrow, or Ctrl + N |
Recall the next command. |
Left or Right arrow |
Move the cursor left or right within the command line. |
Ctrl + A |
Move the cursor to the beginning of the command line. |
Ctrl + E |
Move the cursor to the end of the command line. |
Ctrl + B |
Move the cursor backwards one word. |
Ctrl + F |
Move the cursor forwards one word. |
Ctrl + D |
Delete the current character. |
Ctrl + C |
Abort current interactive commands, such as when entering multiple lines. If you are not currently within an interactive command such as |
\ then Enter |
Continue typing a command on the next line for a multiline command. For each line that you want to continue, terminate it with a backslash ( \ ). To complete the command, enter a space instead of a backslash, and then press Enter. |
Command tree
Enter tree
to display the CLI command tree. To capture the full output, connect to your device using a
terminal emulation program and capture the output to a log file. For some commands, use the
tree
command to view all available variables and subcommands.
Command abbreviation
You can abbreviate words in the command line to their smallest number of non-ambiguous characters.
For example, the command get system status could be abbreviated to g sy stat
.
Adding and removing options from lists
When configuring a list, the set
command will remove the previous configuration.
For example, if a user group currently includes members A, B, and C, the command set member D
will remove members A, B, and C. To avoid removing the existing members from the group, the command set members A B C D
must be used.
To avoid this issue, the following commands are available:
append |
Add an option to an existing list. For example, |
select |
Clear all of the options except for those specified. For example, |
unselect |
Remove an option from an existing list. For example, |
Environment variables
The following environment variables are support by the CLI. Variable names are case-sensitive.
$USERFROM |
The management access type ( |
$USERNAME |
The account name of the administrator that configured the item. |
$SerialNum |
The serial number of the FortiGate. |
For example, to set a FortiGate device's host name to its serial number, use the following CLI command:
config system global set hostname $SerialNum end
Special characters
The following characters cannot be used in most CLI commands: <
, >
, (
, )
, #
, '
, and "
If one of those characters, or a space, needs to be entered as part of a string, it can be entered by using a special command, enclosing the entire string in quotes, or preceding it with an escape character (backslash, \).
To enter a question mark (?
) or a tab, Ctrl + V or Ctrl + Shift + - (depending on the method being used to access the CLI) must be entered first.
Question marks and tabs cannot be copied into the CLI Console or some SSH clients. They must be typed in. |
Character | Keys |
---|---|
? |
Ctrl + V or Ctrl + Shift + - then ? |
Tab |
Ctrl + V then Tab |
Space (as part of a string value, not to end the string) |
Enclose the string in single or double quotation marks: Precede the space with a backslash: |
' (as part of a string value, not to begin or end the string) |
\' |
" (as part of a string value, not to begin or end the string) |
\" |
\ |
\\ |
Using grep to filter command output
The get
, show
, and diagnose
commands can produce large amounts of output. The grep
command can be used to filter the output so that it only shows the required information.
The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.
For example, the following command displays the MAC address of the internal interface:
get hardware nic internal | grep Current_HWaddr Current_HWaddr 00:09:0f:cb:c2:75
The following command will display all TCP sessions that are in the session list, including the session list line number in the output:
get system session list | grep -n tcp
The following command will display all of the lines in the HTTP replacement message that contain URL
or url
:
show system replacemsg http | grep -i url
The following options can also be used:
-A <num> After
-B <num> Before
-C <num> Context
The -f
option is available to support contextual output, in order to show the complete configuration. The following example shows the difference in the output when -f
is used versus when it is not used:
Without show | grep ldap-group1 edit "ldap-group1" set groups "ldap-group1" |
With show | grep -f ldap-group1 config user group edit "ldap-group1" set member "pc40-LDAP" next end config firewall policy edit 2 set srcintf "port31" set dstintf "port32" set srcaddr "all" set action accept set identity-based enable set nat enable config identity-based-policy edit 1 set schedule "always" set groups "ldap-group1" set dstaddr "all" set service "ALL" next end next end |
Language support and regular expressions
Characters such as ñ and é, symbols, and ideographs are sometimes acceptable input. Support varies depending on the type of item that is being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but some items with arbitrary names or values can be input using your language of choice. To use other languages in those cases, the correct encoding must be used.
Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings into UTF-8 before it is stored. If your input method encodes some characters differently than in UTF-8, configured items may not display or operate as expected.
Regular expressions are especially impacted. Matching uses the UTF‑8 character values. If you enter a regular expression using a different encoding, or if an HTTP client sends a request in a different encoding, matches may not be what is expected.
For example, with Shift-JIS, backslashes could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ ), and vice versa. A regular expression intended to match HTTP requests containing monetary values with a yen symbol may not work it if the symbol is entered using the wrong encoding.
For best results:
- use UTF-8 encoding, or
- use only characters whose numerically encoded values are the same in UTF‑8, such as the US-ASCII characters that are encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS, and other encoding methods, or
- for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.
|
HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary based on the client’s operating system or input language. If the client's encoding method cannot be predicted, you might only be able to match the parts of the request that are in English, as the values for English characters tend to be encoded identically, regardless of the encoding method. |
If the FortiGate is configured to use an encoding method other than UTF-8, the management computer's language may need to be changed, including the web browse and terminal emulator. If the FortiGate is configured using non-ASCII characters, all the systems that interact with the FortiGate must also support the same encoding method. If possible, the same encoding method should be used throughout the configuration to avoid needing to change the language settings on the management computer.
The GUI and CLI client normally interpret output as encoded using UTF-8. If they do not, configured items may not display correctly. Exceptions include items such as regular expression that may be configured using other encodings to match the encoding of HTTP requests that the FortiGate receives.
To enter non-ASCII characters in a terminal emulator:
- On the management computer, start the terminal client.
-
Configure the client to send and receive characters using UTF-8 encoding.
Support for sending and receiving international characters varies by terminal client.
- Log in to the FortiGate.
-
At the command prompt, type your command and press Enter.
Words that use encoded characters may need to be enclosed in single quotes ( ' ).
Depending on your terminal client’s language support, you may need to interpret the characters into character codes before pressing Enter. For example, you might need to enter:
edit '\743\601\613\743\601\652'
- The CLI displays the command and its output.
Screen paging
By default, the CLI will pause after displaying each page worth of text when a command has multiple pages of output. this can be useful when viewing lengthy outputs that might exceed the buffer of terminal emulator.
When the display pauses and shows --More--
, you can:
- Press Enter to show the next line,
- Press Q to stop showing results and return to the command prompt,
- Press an arrow key, Insert, Home, Delete, End, Page Up, or Page Down to show the next few pages,
- Press any other key to show the next page, or
- Wait for about 30 seconds for the console to truncate the output and return to the command prompt.
When pausing the screen is disabled, press Ctrl + C to stop the output and log out of the FortiGate.
To disable pausing the CLI output:
config system console set output standard end
To enable pausing the CLI output:
config system console set output more end
Changing the baud rate
The baud rate of the local console connection can be changed from its default value of 9600.
To change the baud rate:
config system console set baudrate {9600 | 19200 | 38400 | 57600 | 115200} end
Editing the configuration file
The FortiGate configuration file can be edited on an external host by backing up the configuration, editing the configuration file, and then restoring the configuration to the FortiGate.
Editing the configuration file can save time is many changes need to be made, particularly if the plain text editor that you are using provides features such as batch changes.
To edit the configuration file:
- Backup the configuration. See Configuration backups and reset for details.
- Open the configuration file in a plain text editor that supports UNIX-style line endings.
- Edit the file as needed.
Do not edit the first line of the configuration file.
This line contains information about the firmware version and FortiGate model. If you change the model number, the FortiGate will reject the configuration when you attempt to restore it.
- Restore the modified configuration to the FortiGate. See Configuration backups and reset for details.
The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the configuration file is loaded and each line is checked for errors. If a command is invalid, that command is ignored. If the configuration file is valid, the FortiGate restarts and loads the downloaded configuration.