Fortinet white logo
Fortinet white logo

Administration Guide

Run backend-shell commands

Run backend-shell commands

Sometimes we need to login to FortiWeb backend shell to check logs or collect some specific files. Though we expect all useful logs are collected or archived in the debug log file or can be downloaded from System > Maintenance > Backup & Restore > GUI File Download, some files especially logs for new features may not be included, so you may have to login to the backend shell to collect these logs or execute some commands, for example, executing curl to verify if the backend servers is reachable.

Login to backend shell on 6.4 or 6.3 builds

It’s simple but really dangerous. The admin user can login to the backend shell with the root permission just by executing “fn sh”.

FWB # fn sh

/#

Login to backend shell on 7.0.0 and later builds

To access the backend shell, you need to enable shell-access and create a temporary user/password through CLI first, then login via SSH.

config system global

set shell-access enable

set shell-username <user_name>

set shell-password <password>

set shell-timeout 1200 #The shell-access will be disabled in 1200 minutes

end

Then you can login to the backend shell with a SSH client:

C:\>ssh shell@192.168.0.99

shell@192.168.0.99's password:

-- WARNING! All configurations should be done through CLI shell.

-- You now have full access.

/#

Use “fnsysctl” in CLI to execute backend commands

To simplify, you can execute some commonly used backend commands directly in FortiWeb CLI, without enabling shell-access and adding username/password.

On 7.0.3 and previous builds, below commands are supported:

FortiWeb # fnsysctl

Below are the usable commands:

basename cat date df dmesg

du ifconfig netstat nslookup ping

sleep uname ps kill killall

lspci df fdisk mount free

lsusb insmod mknod smartctl MegaCli ssh dmidecode pstack

strace tcpdump gdb

FortiWeb # fnsysctl df -h

Filesystem Size Used Available Use% Mounted on

/dev/root 472.5M 358.2M 114.4M 76% /

none 1.1G 44.3M 1.1G 4% /tmp

none 3.8G 3.0M 3.8G 0% /dev/shm

/dev/sda2 362.4M 271.5M 71.3M 79% /data

/dev/sda3 90.6M 56.0K 85.6M 0% /home

/dev/sda4 30.5G 4.1G 24.9G 14% /var/log

For security purpose, 7.0.4 and newer builds only support below commands:

FortiWeb # fnsysctl

Below are the usable commands:

basename date df dmesg ifconfig

netstat nslookup ping sleep uname

ps lspci free lsusb traceroute

pidof smartctl dmidecode nmon

Please note that some commands such as “fn pstack” and “fn ssh” are not supported. To collect the pstack information, you need to configure shell-access and login into the backend shell first.

Run backend-shell commands

Run backend-shell commands

Sometimes we need to login to FortiWeb backend shell to check logs or collect some specific files. Though we expect all useful logs are collected or archived in the debug log file or can be downloaded from System > Maintenance > Backup & Restore > GUI File Download, some files especially logs for new features may not be included, so you may have to login to the backend shell to collect these logs or execute some commands, for example, executing curl to verify if the backend servers is reachable.

Login to backend shell on 6.4 or 6.3 builds

It’s simple but really dangerous. The admin user can login to the backend shell with the root permission just by executing “fn sh”.

FWB # fn sh

/#

Login to backend shell on 7.0.0 and later builds

To access the backend shell, you need to enable shell-access and create a temporary user/password through CLI first, then login via SSH.

config system global

set shell-access enable

set shell-username <user_name>

set shell-password <password>

set shell-timeout 1200 #The shell-access will be disabled in 1200 minutes

end

Then you can login to the backend shell with a SSH client:

C:\>ssh shell@192.168.0.99

shell@192.168.0.99's password:

-- WARNING! All configurations should be done through CLI shell.

-- You now have full access.

/#

Use “fnsysctl” in CLI to execute backend commands

To simplify, you can execute some commonly used backend commands directly in FortiWeb CLI, without enabling shell-access and adding username/password.

On 7.0.3 and previous builds, below commands are supported:

FortiWeb # fnsysctl

Below are the usable commands:

basename cat date df dmesg

du ifconfig netstat nslookup ping

sleep uname ps kill killall

lspci df fdisk mount free

lsusb insmod mknod smartctl MegaCli ssh dmidecode pstack

strace tcpdump gdb

FortiWeb # fnsysctl df -h

Filesystem Size Used Available Use% Mounted on

/dev/root 472.5M 358.2M 114.4M 76% /

none 1.1G 44.3M 1.1G 4% /tmp

none 3.8G 3.0M 3.8G 0% /dev/shm

/dev/sda2 362.4M 271.5M 71.3M 79% /data

/dev/sda3 90.6M 56.0K 85.6M 0% /home

/dev/sda4 30.5G 4.1G 24.9G 14% /var/log

For security purpose, 7.0.4 and newer builds only support below commands:

FortiWeb # fnsysctl

Below are the usable commands:

basename date df dmesg ifconfig

netstat nslookup ping sleep uname

ps lspci free lsusb traceroute

pidof smartctl dmidecode nmon

Please note that some commands such as “fn pstack” and “fn ssh” are not supported. To collect the pstack information, you need to configure shell-access and login into the backend shell first.