Run backend-shell commands
Sometimes we need to log in to the FortiWeb backend shell to check logs or collect specific files. We expect all useful logs to be collected or archived in the debug log file, or to be downloadable from System > Maintenance > Backup & Restore > GUI File Download. However, some files, especially logs for new features, may not be included, so you may have to log in to the backend shell to collect these logs or execute some commands, for example, executing curl to verify that the backend servers are reachable.
Log in to the backend shell on 6.4 or 6.3 builds
It’s simple but really dangerous. The admin user can log in to the backend shell with root permission just by executing “fn sh”.
FWB # fn sh
/#
Log in to the backend shell on 7.0.0 and later builds
To access the backend shell, you first need to enable shell-access and create a temporary user/password through the CLI, then log in via SSH.
config system global
set shell-access enable
set shell-username <user_name>
set shell-password <password>
set shell-timeout 1200 #The shell-access will be disabled in 1200 minutes
end
Then you can log in to the backend shell with an SSH client:
C:\>ssh shell@192.168.0.99
shell@192.168.0.99's password:
-- WARNING! All configurations should be done through CLI shell.
-- You now have full access.
/#
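Added example, not part of the FortiWeb documentation: a Python check that reads a saved configuration and reports whether the temporary shell access from the steps above was left enabled. It assumes the saved configuration uses the same config/set/end syntax shown here; the sample text, the account name tmpdebug and the 60-minute policy threshold are constructed.

```python
import shlex

def parse_global_settings(config_text):
    """Collect 'set <key> <value>' pairs at the top level of 'config system global'."""
    settings, depth = {}, 0            # depth 0 = outside the global block
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)   # drops trailing '#...' notes
        except ValueError:                          # unbalanced quote in a value
            tok = raw.split()
        if not tok:
            continue
        if depth == 0:
            if tok[:3] == ["config", "system", "global"]:
                depth = 1
        elif tok[0] == "config":       # nested table inside the global block
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "set" and len(tok) >= 3:
            settings[tok[1]] = " ".join(tok[2:])
    return settings

def audit_shell_access(config_text, max_minutes=60):
    """Return findings; an empty list means shell-access is not enabled."""
    s = parse_global_settings(config_text)
    if s.get("shell-access") != "enable":
        return []
    findings = ["shell-access is enabled: the backend shell is reachable over SSH"]
    if "shell-username" in s:
        findings.append("temporary shell account defined: " + s["shell-username"])
    timeout = s.get("shell-timeout", "")
    if not timeout.isdigit():
        findings.append("shell-timeout not found: confirm the value on the device")
    elif int(timeout) > max_minutes:   # max_minutes is an assumed local policy
        findings.append(f"shell-timeout is {timeout} minutes (policy: {max_minutes})")
    return findings

# Constructed sample, modelled on the CLI block above (not a real backup).
SAMPLE = """\
config system global
  set shell-access enable
  set shell-username tmpdebug
  set shell-password PLACEHOLDER
  set shell-timeout 1200 #The shell-access will be disabled in 1200 minutes
end
"""

if __name__ == "__main__":
    for finding in audit_shell_access(SAMPLE):
        print("[!]", finding)
```

Running the check against each configuration backup after a troubleshooting session shows whether shell-access was switched back off or is still waiting on its timeout.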
Use “fnsysctl” in CLI to execute backend commands
To simplify, you can execute some commonly used backend commands directly in FortiWeb CLI, without enabling shell-access and adding username/password.
On 7.0.3 and previous builds, the following commands are supported:
FortiWeb # fnsysctl
Below are the usable commands:
basename cat date df dmesg
du ifconfig netstat nslookup ping
sleep uname ps kill killall
lspci df fdisk mount free
lsusb insmod mknod smartctl MegaCli ssh dmidecode pstack
strace tcpdump gdb
FortiWeb # fnsysctl df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 472.5M 358.2M 114.4M 76% /
none 1.1G 44.3M 1.1G 4% /tmp
none 3.8G 3.0M 3.8G 0% /dev/shm
/dev/sda2 362.4M 271.5M 71.3M 79% /data
/dev/sda3 90.6M 56.0K 85.6M 0% /home
/dev/sda4 30.5G 4.1G 24.9G 14% /var/log
For security purposes, 7.0.4 and newer builds support only the following commands:
FortiWeb # fnsysctl
Below are the usable commands:
basename date df dmesg ifconfig
netstat nslookup ping sleep uname
ps lspci free lsusb traceroute
pidof smartctl dmidecode nmon
Please note that some commands such as “fn pstack” and “fn ssh” are not supported. To collect the pstack information, you need to configure shell-access and log in to the backend shell first.