7.2.2

Introduction

This chapter explains how to use the FortiPolicy command line interface (CLI) to configure, administer and troubleshoot FortiPolicy deployments.

This chapter contains the following sections:

Accessing the CLI

Use SSH to access the FortiPolicy CLI.

If you use PuTTY as your SSH client, always use the latest version.

To access the FortiPolicy CLI over the management network:

  1. Start a terminal window session and use the ssh command to access the basic mode system.

    For example, if the IP address of the appliance is 10.1.1.1, enter the following command:

    ssh admin@10.1.1.1

  2. When prompted, enter the initial password provided at the time of licensing.

  3. Immediately after your initial login, enter a new password and retype it when prompted.

Accessing the support shell

To escalate and gain support access, you will require a One Time Password (OTP) login. First, enable support access through the CLI. Once enabled, access a support session via a customer-controlled OTP key and secret key.

To access the Restricted Shell support mode for troubleshooting issues in conjunction with your FortiPolicy Technical Support representative, use the following command sequence:

fortipolicy-um> set support enabled maxdays 14 remote
WARNING: *********************************************************
WARNING: Remote ssh access to the support account will be enabled,
WARNING:  which may conflict with your local security policies.
WARNING: If that is not what you wanted, please re-run the command
WARNING:  without the option 'remote'
WARNING: *********************************************************
Version              : 3
Shared Secret        : 001RJGURYT9H5RC0BXJPU7GMOLZDC
One-Time Password(s) : 00199673877 00102869729 00128354530 00162437544 00137353324

To obtain access keys, use the following command:

fortipolicy-um> show support keys
Version              : 3 
Shared Secret        : 001RJGURYT9H5RC0BXJPU7GMOLZDC 
One-Time Password(s) : 00199673877 00102869729 00128354530 00162437544 00137353324

Be sure to provide the 'Shared Secret' or one of the 'One-Time Passwords' to your FortiPolicy support contact.

When the troubleshooting session is finished, quit the restricted support shell session:

fortipolicy-um> set support enabled [maxdays [1-14]] [remote]
  • maxdays [1-14] defines how many "end-of-days" the account is enabled for.

  • [remote] opens up the support account for remote ssh access.
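
The command output above prints the shared secret and one-time passwords in clear text, so any captured session log contains them. The following is an added example, not Fortinet code: a Python sketch that redacts those fields from a saved transcript and reports each `set support enabled` command with its `maxdays` value and whether `remote` was used. It assumes the transcript uses the line format shown above; the function name and the sample values are constructed placeholders.

```python
import re

# Constructed transcript in the format shown above; the secret and OTP
# values are placeholders, not real credentials.
SAMPLE = """\
fortipolicy-um> set support enabled maxdays 14 remote
WARNING: Remote ssh access to the support account will be enabled,
Version              : 3
Shared Secret        : 001EXAMPLESECRETPLACEHOLDER00
One-Time Password(s) : 00100000001 00100000002 00100000003
fortipolicy-um> show support keys
Version              : 3
Shared Secret        : 001EXAMPLESECRETPLACEHOLDER00
One-Time Password(s) : 00100000001 00100000002 00100000003
"""

# Matches "set support enable" or "set support enabled" after any prompt.
ENABLE_RE = re.compile(
    r"^\S+>\s*set support enabled?(?:\s+maxdays\s+(\d+))?(\s+remote)?\s*$")
SECRET_RE = re.compile(r"^(Shared Secret\s*:\s*)(\S+)\s*$")
OTP_RE = re.compile(r"^(One-Time Password\(s\)\s*:\s*)(.+?)\s*$")


def review_transcript(text):
    """Return (redacted_text, findings) for a captured CLI session."""
    findings = {"enable_commands": [], "secrets_redacted": 0, "otps_redacted": 0}
    out = []
    for line in text.splitlines():
        m = ENABLE_RE.match(line)
        if m:
            # Record how long access was opened for and whether SSH was exposed.
            maxdays = int(m.group(1)) if m.group(1) else None
            findings["enable_commands"].append(
                {"maxdays": maxdays, "remote": bool(m.group(2))})
        s = SECRET_RE.match(line)
        o = OTP_RE.match(line)
        if s:
            line = s.group(1) + "[REDACTED]"
            findings["secrets_redacted"] += 1
        elif o:
            count = len(o.group(2).split())
            line = o.group(1) + " ".join(["[REDACTED]"] * count)
            findings["otps_redacted"] += count
        out.append(line)
    return "\n".join(out) + "\n", findings
```

Run it over session logs before attaching them to a ticket or archive; the findings also give a quick record of when remote support access was opened and for how many days.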

CLI help and keyboard shortcuts

To display FortiPolicy CLI help, type the command help. It shows the CLI keys and auto-completion usage.

For context-sensitive help, enter “?” to display either a list of possible command completions with summaries or the full syntax of the current command. Entering “?” again, once a command has been resolved, displays a detailed reference. Use it as follows:

  • Enter “?” at the prompt to display a list of the available commands in the current mode.

  • Enter “?” after you type a command to display its available options and parameters.

  • Enter “?” after a partially typed keyword to display command matches for auto-completions.

You can enter commands in abbreviated form if you enter enough characters to uniquely identify each keyword. For example, the history command can be abbreviated as:

hist

To identify a command’s minimum abbreviation, type a few characters then press Tab. When you have entered enough characters, the keyword is completed.

The following table outlines the available CLI shortcuts.

| Action | Shortcut | Description |
|---|---|---|
| Auto-Completion | Enter, Tab, or Space Key | Completes a partial command during typing if enough characters are typed to uniquely identify it. |
| Recall | Ctrl+P or | Retrieve previous command from CLI history. |
| | Ctrl+N or | Retrieve next command from CLI history. |
| | Ctrl+L or Ctrl+R | Clear the screen or redisplay the current command line. |
| Delete | Ctrl+D | Delete character. |
| | Ctrl+H | Delete character before cursor (Backspace). |
| | Ctrl+K | Delete all characters from cursor to end of line. |
| | Ctrl+U or Ctrl+W | Delete all characters or words on line. |
| Cursor move | Ctrl+A | Move cursor to start of line. |
| | Ctrl+B | Move cursor back a single character. |
| | Ctrl+E | Move cursor to end of line. |
| | Ctrl+F | Move cursor forward a single character. |
| Character Transpose | Ctrl+T | Transpose character at the cursor with preceding character. |
| Interrupt output | Ctrl+C | Interrupt presentation of the CLI output. |
| Replace | !! | Substitute the last command line. |
| | !N | Substitute the Nth command line (absolute as per 'history' command). |
| Exit mode or logout | exit | Exit current mode or exit the CLI session. |

SPECIAL CHARACTER REQUIREMENT

You must enclose non-alphabet characters in double quotes in CLI commands; for example:

fortipolicy-um> set passphrase "kfe$nd#$^S"

CLI modes

The CLI commands that you can enter depend on your user privileges and the CLI command mode. User roles are “admin” and “debugging.” The following table describes the CLI command modes.

Note that the prompt in each mode includes the host name of the FortiPolicy appliance.

| Mode | Description | How to Exit |
|---|---|---|
| Basic Mode | Monitor system operation and issue basic system commands. This is the default login mode. The following prompt is displayed: fortipolicy-um> | Enter exit to log out of the CLI. |
| Support Mode | Troubleshoot issues with FortiPolicy Technical Support via the support restricted shell mode. fortipolicy-um> set support enable | Enter exit to leave support mode. |
