
Administration Guide

Run backend-shell commands

Sometimes you need to log in to the FortiWeb backend shell to check logs or collect specific files. Although all useful logs are expected to be collected or archived in the debug log file, or to be downloadable from System > Maintenance > Backup & Restore > GUI File Download, some files, especially logs for new features, may not be included, so you may have to log in to the backend shell to collect these logs or execute some commands, for example, running curl to verify that the backend servers are reachable.

Login to backend shell on 6.4 or 6.3 builds

It’s simple but really dangerous: an admin user can log in to the backend shell with root permission just by executing “fn sh”.

FortiWeb # fn sh

/# pwd

/

/# whoami

root

Login to backend shell on 7.0.0 and later builds

To access the backend shell, you first need to enable shell-access and create a temporary user and password through the CLI, then log in via SSH.

config system global

set shell-access enable

set shell-username <user_name>

set shell-password <password>

set shell-timeout 1200 #Optional

end

Login from remote PC:

ssh <user_name>@<x.x.x.x>

Login from local FortiWeb:

FortiWeb # fn ssh test@localhost # or replace localhost with the local IP address; “test” is the username

shell@localhost's password:

-- WARNING! All configurations should be done through CLI shell.

-- You now have full access.

~# whoami

test

Note: With the shell-access changes in 7.0.0, only a normal user, that is, the user created as shell-username, can access the backend shell, rather than the root user. Accordingly, only /bin and /var/log/gui_upload are writable. That means you can still replace a binary or daemon for debugging in 7.0, or copy/move files to /var/log/gui_upload, but you may have no permission to operate on or write to other system directories.

Use “fn <command>” in CLI to execute backend commands

For convenience, you can execute some commonly used backend commands directly in the FortiWeb CLI without enabling shell-access or adding a username/password.

FortiWeb # fn

Below are the usable commands:

basename cat date df dmesg

du ifconfig netstat nslookup ping

sleep uname ps kill killall

lspci df fdisk mount free

lsusb insmod mknod smartctl MegaCli ssh dmidecode pstack

strace tcpdump gdb

FortiWeb # fn df -h

Filesystem Size Used Available Use% Mounted on

/dev/root 472.5M 358.2M 114.4M 76% /

none 1.1G 44.3M 1.1G 4% /tmp

none 3.8G 3.0M 3.8G 0% /dev/shm

/dev/sda2 362.4M 271.5M 71.3M 79% /data

/dev/sda3 90.6M 56.0K 85.6M 0% /home

/dev/sda4 30.5G 4.1G 24.9G 14% /var/log
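An added example, not part of the Fortinet guide: a small POSIX shell filter that reads the `fn df -h` output shown above (embedded here as a constructed sample copied from the listing) and reports every filesystem whose Use% is at or above a threshold. The function name full_filesystems and the 75% threshold are my own choices. A /var/log partition that fills up is what stops new logs from being written, so this is the check worth running before collecting logs.

```shell
#!/bin/sh
# Added example (not Fortinet's code): flag nearly full filesystems in
# `fn df -h` output. Run on the PC where you pasted the CLI output, or in
# the backend shell itself.

# Constructed sample: the `fn df -h` listing from the guide, verbatim.
DF_SAMPLE='Filesystem Size Used Available Use% Mounted on
/dev/root 472.5M 358.2M 114.4M 76% /
none 1.1G 44.3M 1.1G 4% /tmp
none 3.8G 3.0M 3.8G 0% /dev/shm
/dev/sda2 362.4M 271.5M 71.3M 79% /data
/dev/sda3 90.6M 56.0K 85.6M 0% /home
/dev/sda4 30.5G 4.1G 24.9G 14% /var/log'

# full_filesystems THRESHOLD
# Reads df -h output on stdin, skips the header line, strips the "%" from
# the Use% column (field 5) and prints "<mountpoint> <use%>" for every
# filesystem at or above THRESHOLD percent.
full_filesystems() {
    threshold="$1"
    awk -v t="$threshold" '
        NR > 1 {
            pct = $5
            sub(/%/, "", pct)
            if (pct + 0 >= t + 0) print $6, pct "%"
        }'
}

# Usage: report anything at 75% or more. On the sample this prints
# "/ 76%" and "/data 79%".
printf '%s\n' "$DF_SAMPLE" | full_filesystems 75
```

To check a live appliance, replace the sample with the real output (for example `fn df -h` pasted into a file, then `full_filesystems 75 < df.txt`). The threshold is an argument so the same filter can be reused for a stricter /var/log policy.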
