Anda di halaman 1dari 178

FortiAnalyzer v5.

0 Patch Release 2
CLI Reference

FortiAnalyzer v5.0 Patch Release 2 CLI Reference April 26, 2013 05-502-185032-20130426 Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinets General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinets internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation Knowledge Base Customer Service & Support Training Services FortiGuard Document Feedback

docs.fortinet.com kb.fortinet.com support.fortinet.com training.fortinet.com fortiguard.com techdocs@fortinet.com

Table of Contents
Change Log....................................................................................................... 9 Introduction..................................................................................................... 10 Using the Command Line Interface .............................................................. 11
CLI command syntax............................................................................................. 11 Connecting to the CLI............................................................................................ 12 CLI objects............................................................................................................. 12 CLI command branches ........................................................................................ config branch ................................................................................................... get branch........................................................................................................ show branch .................................................................................................... execute branch ................................................................................................ diagnose branch .............................................................................................. Example command sequences........................................................................ CLI basics .............................................................................................................. Command help ................................................................................................ Command completion ..................................................................................... Recalling commands ....................................................................................... Editing commands ........................................................................................... Line continuation.............................................................................................. Command abbreviation ................................................................................... Environment variables...................................................................................... Encrypted password support .......................................................................... Entering spaces in strings................................................................................ Entering quotation marks in strings ................................................................. Entering a question mark (?) in a string ........................................................... International characters ................................................................................... Special characters ........................................................................................... IP address formats........................................................................................... Editing the configuration file ............................................................................ Changing the baud rate ................................................................................... Debug log levels............................................................................................... 12 13 15 17 18 18 18 19 19 20 20 20 20 20 21 21 22 22 22 22 22 22 22 23 24

Administrative Domains................................................................................. 25
About administrative domains (ADOMs)................................................................ 25 Configuring ADOMs ............................................................................................... 26

system ............................................................................................................. 28
admin ldap ............................................................................................................. 29 admin profile .......................................................................................................... 30 admin radius .......................................................................................................... 34

Page 3

admin setting ......................................................................................................... 35 admin tacacs ......................................................................................................... 39 admin user ............................................................................................................. 40 aggregation-client .................................................................................................. 46 aggregation-service ............................................................................................... 48 alert-console .......................................................................................................... 49 alert-event .............................................................................................................. 50 alertemail................................................................................................................ 52 backup all-settings ................................................................................................ 53 certificate ca .......................................................................................................... 54 certificate local....................................................................................................... 55 certificate ssh......................................................................................................... 56 dns ......................................................................................................................... 57 fips ......................................................................................................................... 57 global ..................................................................................................................... 58 interface ................................................................................................................. 60 locallog disk setting ............................................................................................... 62 locallog filter........................................................................................................... 65 locallog fortianalyzer setting .................................................................................. 66 locallog memory setting......................................................................................... 67 locallog syslogd (syslogd2, syslogd3) setting........................................................ 68 log alert .................................................................................................................. 70 log fortianalyzer...................................................................................................... 71 log setting .............................................................................................................. 72 config rolling-analyzer, rolling-local, and rolling-regular.................................. 75 mail ........................................................................................................................ 78 ntp.......................................................................................................................... 79 password-policy .................................................................................................... 80 route....................................................................................................................... 81 route6..................................................................................................................... 81 snmp community ................................................................................................... 82 snmp sysinfo.......................................................................................................... 85 snmp user .............................................................................................................. 86 sql .......................................................................................................................... 88 syslog..................................................................................................................... 89

execute ............................................................................................................ 90
add-vm-license ...................................................................................................... 90

Table of Contents

Page 4

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

backup ................................................................................................................... backup all-settings........................................................................................... backup logs ..................................................................................................... backup logs-only ............................................................................................. backup reports................................................................................................. backup reports-config .....................................................................................

91 91 91 92 92 93

bootimage .............................................................................................................. 94 certificate ............................................................................................................... 94 certificate ca..................................................................................................... 94 certificate local ................................................................................................. 95 console .................................................................................................................. 96 console baudrate ............................................................................................. 96 date ........................................................................................................................ 96 device..................................................................................................................... 97 devicelog................................................................................................................ 97 devicelog clear ................................................................................................. 97 factory-license ....................................................................................................... 97 fgfm........................................................................................................................ 98 fgfm reclaim-dev-tunnel................................................................................... 98 format..................................................................................................................... 98 log device disk_quota ............................................................................................ 99 log-aggregation...................................................................................................... 99 lvm ....................................................................................................................... 100 ping ...................................................................................................................... 100 ping6 .................................................................................................................... 101 raid ....................................................................................................................... 101 reboot................................................................................................................... 102 remove ................................................................................................................. 102 reset ..................................................................................................................... 102 reset-sqllog-transfer ............................................................................................ 102 restore.................................................................................................................. restore all-settings ......................................................................................... restore image ................................................................................................. restore {logs | logs-only} ................................................................................ restore reports ............................................................................................... restore reports-config .................................................................................... sql-local ............................................................................................................... sql-local remove-db....................................................................................... sql-local remove-device................................................................................. sql-local remove-logs .................................................................................... sql-local remove-logtype ............................................................................... 103 103 104 104 105 105 106 106 107 107 107

shutdown ............................................................................................................. 106

Table of Contents

Page 5

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

sql-query-dataset ................................................................................................ 108 sql-query-generic................................................................................................. 108 sql-report run ....................................................................................................... 108 ssh ....................................................................................................................... 109 time ...................................................................................................................... 110 top........................................................................................................................ 110 traceroute............................................................................................................. 112 traceroute6........................................................................................................... 112

diagnose........................................................................................................ 113
cdb check ............................................................................................................ 114 debug application ................................................................................................ 114 debug cli .............................................................................................................. 117 debug console ..................................................................................................... 117 debug crashlog .................................................................................................... 118 debug disable ...................................................................................................... 118 debug dpm .......................................................................................................... 118 debug enable ....................................................................................................... 119 debug info ............................................................................................................ 119 debug service ...................................................................................................... 119 debug sysinfo ...................................................................................................... 120 debug sysinfo-log ................................................................................................ 121 debug sysinfo-log-backup................................................................................... 121 debug sysinfo-log-list .......................................................................................... 121 debug timestamp................................................................................................. 123 debug vminfo ....................................................................................................... 123 dlp-archives quar-cache...................................................................................... 124 dlp-archives rebuild-quar-db ............................................................................... 124 dlp-archives statistics .......................................................................................... 125 dlp-archives status .............................................................................................. 125 dvm adom............................................................................................................ 125 dvm chassis ......................................................................................................... 126 dvm check-integrity ............................................................................................. 126 dvm debug........................................................................................................... 127 dvm device........................................................................................................... 127 dvm device-tree-update ...................................................................................... 127 dvm group............................................................................................................ 128 dvm lock .............................................................................................................. 128 dvm proc.............................................................................................................. 128 dvm supported-platforms .................................................................................... 129 dvm task .............................................................................................................. 129
Table of Contents Page 6 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

dvm transaction-flag ............................................................................................ 129 fgfm...................................................................................................................... 130 fmnetwork arp...................................................................................................... 130 fmnetwork interface ............................................................................................. 131 fmnetwork netstat ................................................................................................ 131 fortilogd................................................................................................................ 132 hardware .............................................................................................................. 132 log device............................................................................................................. 136 sniffer ................................................................................................................... 137 sql ........................................................................................................................ 143 system admin-session ......................................................................................... 143 system disk .......................................................................................................... 144 system export ...................................................................................................... 145 system flash ......................................................................................................... 145 system fsck .......................................................................................................... 146 system ntp ........................................................................................................... 146 system print ......................................................................................................... 146 system process.................................................................................................... 148 system raid .......................................................................................................... 148 system route ........................................................................................................ 149 system route6 ...................................................................................................... 149 system server....................................................................................................... 149 test application .................................................................................................... 150 test policy-check ................................................................................................. 150 test search ........................................................................................................... 151 test sftp ................................................................................................................ 151 upload clear ......................................................................................................... 151 upload force-retry ................................................................................................ 152 upload status ....................................................................................................... 152

get .................................................................................................................. 153


system admin setting........................................................................................... 154 system aggregation-client ................................................................................... 155 system aggregation-service................................................................................. 155 system alert-console............................................................................................ 155 system alert-event ............................................................................................... 156 system alertemail ................................................................................................. 156 system backup all-settings .................................................................................. 156 system backup status.......................................................................................... 157 system certificate ca ............................................................................................ 157 system certificate local ........................................................................................ 157
Table of Contents Page 7 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system certificate ssh .......................................................................................... 158 system dns........................................................................................................... 158 system fips........................................................................................................... 158 system global....................................................................................................... 158 system interface................................................................................................... 159 system locallog disk setting................................................................................. 159 system locallog disk filter..................................................................................... 160 system locallog fortianalyzer setting.................................................................... 160 system locallog fortianalyzer filter........................................................................ 160 system locallog memory setting .......................................................................... 161 system locallog memory filter .............................................................................. 161 system locallog syslogd setting (also syslogd2 and syslogd3) ........................... 161 system locallog syslogd filter (also syslogd2 and syslogd3) ............................... 162 system log alert.................................................................................................... 162 system log fortianalyzer ....................................................................................... 162 system log settings .............................................................................................. 163 system mail .......................................................................................................... 164 system ntp ........................................................................................................... 164 system password-policy...................................................................................... 164 system performance ............................................................................................ 165 system snmp community..................................................................................... 165 system snmp sysinfo ........................................................................................... 166 system snmp user................................................................................................ 166 system route ........................................................................................................ 166 system route6 ...................................................................................................... 167 system sql............................................................................................................ 167 system status....................................................................................................... 167 system syslog ...................................................................................................... 168

show .............................................................................................................. 169 Appendix A: Object Tables .......................................................................... 170


Global object categories...................................................................................... 170 Device object ID values ....................................................................................... 171

Index .............................................................................................................. 174

Table of Contents

Page 8

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Change Log
Date 2012-11-23 2013-01-11 Change Description Initial release. Document updated for FortiAnalyzer v5.0 Patch Release 1. Command support-pre-fgt43 added. Variable pre-login-banner and pre-login-banner-message added to config system global command. 2013-03-28 Document updated for FortiAnalyzer v5.0 Patch Release 2. fmsystem and fasystem branches merged into system branch. show-adom-implicit-id-based-policy and policy-display-threshold variables added to the config system admin setting command. execute branch expanded: backup all-settings fgt, backup all-settings scp, backup logs, backup logs-only, backup reports commands added restore all-settings fgt, restore all-settings scp, restore image, restore logs, restore logs-only, restore reports commands added factory-license command added diagnose branch expanded: diagnose dlp-archives quar-cache, diagnose dlp-archives rebuild-quar-db, diagnose dlp-archives statistics, diagnose dlp-archives status commands added fmupdate, fmpolicy, fmscript, dmserver, and other FortiManager related commands have been removed. Added Appendix A: Object Tables 2013-04-26 The execute lvm command was added.

Page 9

Introduction
FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network traffic, such as e-mail, FTP and web browsing activity, to help identify security issues and reduce network misuse and abuse.

Introduction

Page 10

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Using the Command Line Interface


This chapter explains how to connect to the CLI and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings. This chapter describes: CLI command syntax Connecting to the CLI CLI objects CLI command branches CLI basics

CLI command syntax


This guide uses the following conventions to describe command syntax. Angle brackets < > indicate variables. For example: execute restore image ftp <filepath> You enter: execute restore image ftp myfile.bak <xxx_ipv4> indicates a dotted decimal IPv4 address. <xxx_v4mask> indicates a dotted decimal IPv4 netmask. <xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask. Vertical bar and curly brackets {|} separate alternative, mutually exclusive required variable. For example: set protocol {ftp | sftp} You can enter set protocol ftp or set protocol sftp. Square brackets [ ] indicate that a variable is optional. For example: show system interface [<name_str>] To show the settings for all interfaces, you can enter show system interface. To show the settings for the Port1 interface, you can enter show system interface port1. A space separates options that can be entered in any combination and must be separated by spaces. For example: set allowaccess {ping https ping ssh snmp telnet http webservice aggregator} You can enter any of the following: set allowaccess ping set allowaccess https

Using the Command Line Interface

Page 11

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set allowaccess ssh set allowaccess https ssh set allowaccess https ping ssh webservice In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove. Special characters: The \ is supported to escape spaces or as a line continuation character. The single quotation mark ' and the double quotation mark are supported, but must be used in pairs. If there are spaces in a string, you must precede the spaces with the \ escape character or put the string in a pair of quotation marks.

Connecting to the CLI


You can use a direct console connection or SSH to connect to the FortiAnalyzer CLI. You can also access through the CLI console widget on the Web-based Manager. For more information, see the FortiAnalyzer v5.0 Patch Release 2 Administration Guide, and your devices QuickStart Guide.

CLI objects
The FortiAnalyzer CLI is based on configurable objects. The top-level object are the basic components of FortiAnalyzer functionality. Table 1: CLI top level object system Configuration options related to the overall operation of the FortiAnalyzer unit, such as interfaces, virtual domains, and administrators. See system on page 28.

This object contains more specific lower level objects. For example, the system object contains objects for administrators, DNS, interfaces and so on.

CLI command branches


The FortiAnalyzer CLI consists of the following command branches: config branch get branch show branch Examples showing how to enter command sequences within each branch are provided in the following sections. See also Example command sequences on page 18. execute branch diagnose branch

Using the Command Line Interface

Page 12

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

config branch
The config commands configure objects of FortiAnalyzer functionality. Top-level objects are not configurable, they are containers for more specific lower level objects. For example, the system object contains administrators, DNS addresses, interfaces, routes, and so on. When these objects have multiple sub-objects, such as administrators or routes, they are organized in the form of a table. You can add, delete, or edit the entries in the table. Table entries each consist of variables that you can set to particular values. Simpler objects, such as system DNS, are a single set of variables. To configure an object, you use the config command to navigate to the objects command shell. For example, to configure administrators, you enter the command config system admin user The command prompt changes to show that you are in the admin shell. (user)# This is a table shell. You can use any of the following commands: edit Add an entry to the FortiAnalyzer configuration or edit an existing entry. For example in the config system admin shell: Type edit admin and press Enter to edit the settings for the default admin administrator account. Type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account. delete Remove an entry from the FortiAnalyzer configuration. For example in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin. Remove all entries configured in the current shell. For example in the config user local shell: Type get to see the list of user names added to the FortiAnalyzer configuration, Type purge and then y to confirm that you want to purge all the user names, Type get again to confirm that no user names are displayed. get show end List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values. Show changes to the default configuration as configuration commands. Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You will return to the root FortiAnalyzer CLI prompt. The end command is also used to save set command changes and leave the shell. If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name: edit admin_1

purge

Using the Command Line Interface

Page 13

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

The FortiAnalyzer unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry: new entry 'admin_1' added (admin_1)# From this prompt, you can use any of the following commands: config In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add restrict the user to specific devices or VDOMs. Assign values. For example from the edit admin command shell, typing set password newpass changes the password of the admin administrator account to newpass. Note: When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove. unset Reset values to defaults. For example from the edit admin command shell, typing unset password resets the password of the admin administrator account to the default of no password. List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the variables and their values. Show changes to the default configuration in the form of configuration commands. Save the changes you have made in the current shell and continue working in the shell. For example if you want to add several new admin user accounts enter the config system admin user shell. Type edit User1 and press Enter. Use the set commands to configure the values for the new admin account. Type next to save the configuration for User1 without leaving the config system admin user shell. Continue using the edit, set, and next commands to continue adding admin user accounts. Type end and press Enter to save the last configuration and leave the shell. abort end Exit an edit shell without saving the configuration. Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. The end command is also used to save set command changes and leave the shell. The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell you must leave the shell you are working in and enter the other shell.

set

get show next

Using the Command Line Interface

Page 14

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

get branch
Use get to display settings. You can use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for the specified shell. To use get from the root prompt, you must include a path to a shell. The root prompt is the FortiAnalyzer host or model name followed by a number sign (#). Example 1 When you type get in the config system admin user shell, the list of administrators is displayed. At the (user)# prompt, type: get The screen displays: == [ admin ] userid: admin == [ admin2 ] userid: admin2 == [ admin3 ] userid: admin3 Example 2 When you type get in the admin user shell, the configuration values for the admin administrator account are displayed. edit admin At the (admin)# prompt, type: get The screen displays: userid : admin password : * trusthost1 : 0.0.0.0 0.0.0.0 trusthost2 : 0.0.0.0 0.0.0.0 trusthost3 : 127.0.0.1 255.255.255.255 ipv6_trusthost1 : ::/0 ipv6_trusthost2 : ::/0 ipv6_trusthost3 : ::1/128 profileid : Super_User adom: == [ all_adoms ] adom-name: all_adoms policy-package: == [ all_policy_packages ] policy-package-name: all_policy_packages restrict-access : disable restrict-dev-vdom: description : (null) user_type : local ssh-public-key1 :
Using the Command Line Interface Page 15 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

ssh-public-key2 : ssh-public-key3 : meta-data: == [ Contact Email ] fieldname: Contact Email == [ Contact Phone ] fieldname: Contact Phone last-name : (null) first-name : (null) email-address : (null) phone-number : (null) mobile-number : (null) pager-number : (null) hidden : 0 dashboard-tabs: dashboard: == [ 7 ] moduleid: 7 == [ 10 ] moduleid: 10 == [ 1 ] moduleid: 1 == [ 2 ] moduleid: 2 == [ 3 ] moduleid: 3 == [ 4 ] moduleid: 4 == [ 5 ] moduleid: 5 Example 3 You want to confirm the IP address and netmask of the port1 interface from the root prompt. At the (command) # prompt, type: get system interface port1 The screen displays: name status ip allowaccess aggregator serviceaccess speed description alias ipv6: ip6-address: ::/0 : : : : port1 up 172.16.81.30 255.255.255.0 ping https ssh snmp telnet http webservice

: : auto : (null) : (null) ip6-allowaccess:

Using the Command Line Interface

Page 16

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

show branch
Use show to display the FortiAnalyzer unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell. To display the configuration of all config shells, you can use show from the root prompt. The root prompt is the FortiAnalyzer host or model name followed by a number sign (#). Example 1 When you type show and press Enter within the port1 interface shell, the changes to the default interface configuration are displayed. At the (port1)# prompt, type: show The screen displays: config system interface edit "port1" set ip 172.16.81.30 255.255.255.0 set allowaccess ping https ssh snmp telnet http webservice aggregator next edit "port2" set ip 1.1.1.1 255.255.255.0 set allowaccess ping https ssh snmp telnet http webservice aggregator next edit "port3" next edit "port4" next end Example 2 You are working in the port1 interface shell and want to see the system dns configuration. At the (port1)# prompt, type: show system dns The screen displays: config system dns set primary 65.39.139.53 set secondary 65.39.139.63 end

Using the Command Line Interface

Page 17

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

execute branch
Use execute to run static commands, to reset the FortiAnalyzer unit to factory defaults, or to back up or restore the FortiAnalyzer configuration. The execute commands are available only from the root prompt. The root prompt is the FortiAnalyzer host or model name followed by a number sign (#). Example 1 At the root prompt, type: execute reboot The system will be rebooted. Do you want to continue? (y/n) and press Enter to restart the FortiAnalyzer unit.

diagnose branch
Commands in the diagnose branch are used for debugging the operation of the FortiAnalyzer unit and to set parameters for displaying different levels of diagnostic information.

Diagnose commands are intended for advanced users only. Contact Fortinet technical support before using these commands.

Example command sequences

The command prompt changes for each shell.

To configure the primary and secondary DNS server addresses: 1. Starting at the root prompt, type: config system dns and press Enter. The prompt changes to (dns)#. 2. At the (dns)# prompt, type (question mark) ? The following options are displayed. set unset get show abort end 3. Type set (question mark)? The following options are displayed: primary secondary

Using the Command Line Interface

Page 18

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

4. To set the primary DNS server address to 172.16.100.100, type: set primary 172.16.100.100 and press Enter. 5. To set the secondary DNS server address to 207.104.200.1, type: set secondary 207.104.200.1 and press Enter. 6. To restore the primary DNS server address to the default address, type unset primary and press Enter. 7. If you want to leave the config system dns shell without saving your changes, type abort and press Enter. 8. To save your changes and exit the dns sub-shell, type end and press Enter. 9. To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.

CLI basics
This section includes: Command help Command completion Recalling commands Editing commands Line continuation Command abbreviation Environment variables Encrypted password support Entering spaces in strings Entering quotation marks in strings Entering a question mark (?) in a string International characters Special characters IP address formats Editing the configuration file Changing the baud rate Debug log levels

Command help
You can press the question mark (?) key to display command help. Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command. Type a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option. Type a command followed by an option and press the question mark (?) key to display a list of additional options available for that command option combination and a description of each option.

Using the Command Line Interface

Page 19

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Command completion
You can use the tab key or the question mark (?) key to complete commands: You can press the tab key at any prompt to scroll through the options available for that prompt. You can type the first characters of any command and press the tab key or the question mark (?) key to complete the command or to scroll through the options that are available at the current cursor position. After completing the first word of a command, you can press the space bar and then the tab key to scroll through the options available at the current cursor position.

Recalling commands
You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.

Editing commands
Use the left and right arrow keys to move the cursor back and forth in a recalled command. You can also use the backspace and delete keys and the control keys listed in Table 2 to edit the command. Table 2: Control keys for editing commands Function Beginning of line End of line Back one character Forward one character Delete current character Previous command Next command Abort the command If used at the root prompt, exit the CLI Key combination CTRL+A CTRL+E CTRL+B CTRL+F CTRL+D CTRL+P CTRL+N CTRL+C CTRL+C

Line continuation
To break a long command over multiple lines, use a \ at the end of each line.

Command abbreviation
You can abbreviate commands and command options to the smallest number of unambiguous characters. For example, the command get system status can be abbreviated to g sy st.

Using the Command Line Interface

Page 20

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Environment variables
The FortiAnalyzer CLI supports several environment variables. $USERFROM $USERNAME $SerialNum The management access type (SSH, Telnet and so on) and the IP address of the logged in administrator. The user account name of the logged in administrator. The serial number of the FortiAnalyzer unit.

Variable names are case sensitive. In the following example, when entering the variable, you can type (dollar sign) $ followed by a tab to auto-complete the variable to ensure that you have the exact spelling and case. Continue pressing tab until the variable you want to use is displayed. config system global set hostname $SerialNum end

Encrypted password support


After you enter a clear text password using the CLI, the FortiAnalyzer unit encrypts the password and stores it in the configuration file with the prefix ENC. For example: show system admin user user1 config system admin user edit "user1" set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1 rVJmMFc9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9Xq Oit82PgScwzGzGuJ5a9f set profileid "Standard_User" next end It is also possible to enter an already encrypted password. For example, type: config system admin then press Enter. Type: edit user1 then press Enter. Type: set password ENC UAGUDZ1yEaG30620s6afD3Gac1FnOT0BC1rVJmMF c9ubLlW4wEvHcqGVq+ZnrgbudK7aryyf1scXcXdnQxskRcU3E9XqOit82PgScwz GzGuJ5a9f then press Enter. Type: end then press Enter.

Using the Command Line Interface

Page 21

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Entering spaces in strings


When a string value contains a space, do one of the following: Enclose the string in quotation marks, for example "Security Administrator". Enclose the string in single quotes, for example 'Security Administrator'. Use a backslash (\) preceding the space, for example Security\ Administrator.

Entering quotation marks in strings


If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.

Entering a question mark (?) in a string


If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to display possible command completions, terminating the string.

International characters
The CLI supports international characters in strings.

Special characters
The characters <, >, (, ), #, , and " are not permitted in most CLI fields, but you can use them in passwords. If you use the apostrophe () or quote (") character, you must precede it with a backslash (\) character when entering it in the CLI set command.

IP address formats
You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example you can type either: set ip 192.168.1.1 255.255.255.0 or set ip 192.168.1.1/24 The IP address is displayed in the configuration file in dotted decimal format.

Editing the configuration file


You can change the FortiAnalyzer configuration by backing up the configuration file to a TFTP server. Then you can make changes to the file and restore it to the FortiAnalyzer unit. 1. Use the execute backup all-settings command to back up the configuration file to a TFTP server. For example, execute backup all-settings 10.10.0.1 mybackup.cfg myid mypass 2. Edit the configuration file using a text editor. Related commands are listed together in the configuration file. For instance, all the system commands are grouped together. You can edit the configuration by adding, changing or deleting the CLI commands in the configuration file.

Using the Command Line Interface

Page 22

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

The first line of the configuration file contains information about the firmware version and FortiAnalyzer model. Do not edit this line. If you change this information the FortiAnalyzer unit will reject the configuration file when you attempt to restore it. 3. Use the execute restore all-settings command to copy the edited configuration file back to the FortiAnalyzer unit. For example, execute restore all-settings 10.10.0.1 mybackup.cfg myid mypass The FortiAnalyzer unit receives the configuration file and checks to make sure the firmware version and model information is correct. If it is, the FortiAnalyzer unit loads the configuration file and checks each command for errors. If the FortiAnalyzer unit finds an error, an error message is displayed after the command and the command is rejected. Then the FortiAnalyzer unit restarts and loads the new configuration.

Changing the baud rate


Using execute console baudrate, you can change the default console connection baud rate. To check the current baud rate enter the following CLI command: # execute console baudrate [enter] current baud rate is: 9600 To view baudrate options, enter the CLI command with the question mark (?). # execute console baudrate ? baudrate 9600 | 19200 | 38400 | 57600 | 115200 To change the baudrate, enter the CLI command as listed below. # execute console baudrate 19200 Your console connection will get lost after changing baud rate. Change your console setting! Do you want to continue? (y/n)

Changing the default baud rate is not available on all models.

Using the Command Line Interface

Page 23

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Debug log levels


The following table lists available debug log levels on your FortiAnalyzer. Table 3: Debug log levels Level 0 1 2 3 4 5 6 7 8 Type Emergency Alert Critical Error Warning Notification Information Debug Maximum Description Emergency the system has become unusable. Alert immediate action is required. Critical Functionality is affected. Error an erroneous condition exists and functionality is probably affected. Warning function might be affected. Notification of normal events. Information General information about system operations. Debugging Detailed information useful for debugging purposes. Maximum log level.

Using the Command Line Interface

Page 24

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Administrative Domains
Administrative domains (ADOMs) enable the admin administrator to constrain other Fortinet unit administrators access privileges to a subset of devices in the device list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific FortiGate VDOM. This section contains the following topics: About administrative domains (ADOMs) Configuring ADOMs

About administrative domains (ADOMs)


Enabling ADOMs alters the structure and available functionality of the Web-based Manager and CLI according to whether you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator accounts assigned access profile. The admin administrator can further restrict other administrators access to specific configuration areas within their ADOM by using access profiles. For more information, see admin profile on page 30.

Table 4: Characteristics of the CLI and Web-based Manager when ADOMs are enabled admin administrator account Other administrators Access to config system global Yes No No No

Can create administrator accounts Yes Can enter all ADOMs Yes

If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appear, allowing unrestricted access and ADOM configuration. config system global contains settings used by the FortiAnalyzer unit itself and settings shared by ADOMs, such as the device list, RAID, and administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM. If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appear, allowing access only to only logs, reports, quarantine files, content archives, IP aliases, and LDAP queries specific to your ADOM. You cannot access Global Configuration, or enter other ADOMs. By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all devices in the device list. By creating ADOMs that contain a subset of devices in the device list, and assigning them to administrator accounts, you can

Administrative Domains

Page 25

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

restrict other administrator accounts to a subset of the FortiAnalyzer units total devices or VDOMs. The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM, and cannot configure ADOMs or Global Configuration. The maximum number of ADOMs varies by FortiAnalyzer model. Table 5: ADOM maximum values FortiAnalyzer Model FAZ-100C FAZ-200D FAZ-400B and FAZ-400C FAZ-1000B and FAZ-1000C FAZ-2000A and 2000B FAZ-4000A and FAZ-4000B FAZ-VM32 and FAZ-VM64 Number of ADOMs 150 150 200 2 000 2 000 2 000 10 000

Configuring ADOMs
To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign existing FortiAnalyzer administrators to ADOMs.

Enabling ADOMs moves non-global configuration items to the root ADOM. Back up the FortiAnalyzer unit configuration before enabling ADOMs.

Within the CLI, you can enable ADOMs and set the administrator ADOM. To configure the ADOMs, you must use the Web-based Manager. To enable or disable ADOMs: Enter the following CLI command: config system global set adom-status {enable | disable} end An administrative domain has two modes: normal and advanced. Normal mode is the default device mode. In normal mode, a FortiGate unit can only be added to a single administrative domain. In advanced mode, you can assign different VDOMs from the same FortiGate to multiple administrative domains.

Enabling the advanced mode option will result in a reduced operation mode and more complicated management scenarios. It is recommended only for advanced users.

Administrative Domains

Page 26

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

To change administrative domain device modes: Enter the following CLI command: config system global set adom-mode {advanced | normal} end To assign an administrator to an ADOM: Enter the following CLI command: config system admin user edit <name> set adom <adom_name> next end where <name> is the administrator user name and <adom_name> is the ADOM name.

Administrative Domains

Page 27

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system
Use system commands to configure options related to the operation of the FortiAnalyzer unit. This chapter contains following sections: admin ldap admin profile admin radius admin setting admin tacacs admin user aggregation-client aggregation-service alert-console alert-event alertemail backup all-settings certificate ca certificate local certificate ssh dns fips global interface locallog disk setting locallog filter locallog fortianalyzer setting locallog memory setting locallog syslogd (syslogd2, syslogd3) setting log alert log fortianalyzer log setting mail ntp password-policy route route6 snmp community snmp sysinfo snmp user sql syslog

For more information about configuring ADOMs, see Administrative Domains on page 25.

system

Page 28

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

admin ldap
Use this command to add, edit, and delete LDAP users.

Syntax
config system admin ldap edit name {LDAP server entry name} set server {name_str | ip_str} set cnid <string> set dn <string> set port <integer> set type {anonymous | regular | simple} set username <string> set password <string> set group <string> set filter <query_string> set secure {disable | ldaps | starttls} set ca-cert <string> end Variable Description

server {name_str | ip_str} Enter the LDAP server domain name or IP address. cnid <string> Enter common name identifier. Default: cn dn <string> port <integer> Enter the distinguished name. Enter the port number for LDAP server communication. Default: 389 type {anonymous | regular | simple} Set a binding type: anonymous: Bind using anonymous user search. regular: Bind using username or password and then search. simple: Simple password authentication without search. Default: simple username <string> password <string> group <string> Enter a username. This variable appears only when type is set to regular. Enter a password for the username above. This variable appears only when type is set to regular. Enter an authorization group. The authentication user must be a member of this group (full DN) on the server.

system

Page 29

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable filter <query_string>

Description Enter content for group searching. For example: (&(objectcategory=group)(member=*)) (&(objectclass=groupofnames)(member=*)) (&(objectclass=groupofuniquenames)(uniquem ember=*)) (&(objectclass=posixgroup)(memberuid=*))

secure {disable | ldaps | starttls}

Set the SSL connection type: disable: No SSL connection ldaps: Use LDAPS starttls: Use STARTTLS

ca-cert <string>

CA certificate name. This variable appears only when secure is set to ldaps or starttls. Default: disable

Example
This example shows how to add the LDAP user user1 at the IP address 206.205.204.203. config system admin ldap edit user1 set server 206.205.204.203 set dn techdoc set type regular set username auth1 set password auth1_pwd set group techdoc end

Related topics
admin profile

admin profile
Use this command to configure access profiles. In a newly-created access profile, no access is enabled.

Syntax
config system admin profile edit <profile_name> set description <text> set scope <adom | global> set system-setting {none | read-write} set adom-switch {none | read | read-write} set global-policy-packages {none | read | read-write} set global-objects {none | read | read-write}
system Page 30 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set set set set set set set set set set set set set set set set set set set set set set set set set set set set set set end Variable

assignment {none | read | read-write} read-passwd {none | read | read-write} device-manager {none | read | read-write} device-config {none | read | read-write} device-op {none | read | read-write} device-profile {none | read | read-write} policy-objects {none | read | read-write} deploy-management {none | read | read-write} config-retrieve {none | read | read-write} term-access {none | read | read-write} adom-policy-packages {none | read | read-write} adom-policy-objects {none | read | read-write} vpn-manager {none | read | read-write} realtime-monitor {none | read | read-write} forticonsole {none | read | read-write} consistency-check {none | read | read-write} faz-management {none | read | read-write} report-viewer {none | read | read-write} log-viewer {none | read | read-write} network {none | read | read-write} admin {none | read | read-write} system {none | read | read-write} devices {none | read | read-write} alerts {none | read | read-write} dlp {none | read | read-write} reports {none | read | read-write} log {none | read | read-write} quar {none | read | read-write} net-monitor {none | read | read-write} vuln-mgmt {none | read | read-write}

Description Edit the access profile. Enter a new name to create a new profile. The pre-defined access profiles are: Super_User Standard_User Restricted_User

<profile_name>

description <text> scope <adom | global> system-setting {none | read-write} adom-switch {none | read | read-write}
system

Enter a description for this access profile. Enclose the description in quotes if it contains spaces. Set the scope for this access profile to either ADOM or Global. Set the level of access to system settings for this profile. Set the administrator domain for this profile.

Page 31

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable global-policy-packages {none | read | read-write} global-objects {none | read | read-write} assignment {none | read | read-write} read-passwd {none | read | read-write} device-manager {none | read | read-write} device-config {none | read | read-write} device-op {none | read | read-write} device-profile {none | read | read-write} policy-objects {none | read | read-write} deploy-management {none | read | read-write} config-retrieve {none | read | read-write} term-access {none | read | read-write} adom-policy-packages {none | read | read-write} adom-policy-objects {none | read | read-write} vpn-manager {none | read | read-write} realtime-monitor {none | read | read-write} forticonsole {none | read | read-write} consistency-check {none | read | read-write} faz-management {none | read | read-write}
system

Description Set the global policy packages for this profile.

Set the global objects for this profile. Set the profile permissions. Add the capability to view the authentication password in clear text to this profile. Enter the level of access to device manager settings for this profile. Enter the level of access to device configuration settings for this profile. Add the capability to add, delete, and edit devices to this profile. Device profile permissions. Policy objects permissions. Enter the level of access to the deployment management configuration settings for this profile. Set the configuration retrieve settings for this profile. Set the terminal access for this profile. Enter the level of access to ADOM policy packages for this profile. Enter the level of access to ADOM policy objects for this profile. Enter the level of access to VPN console configuration settings for this profile. Enter the level of access to the Real Time monitor configuration settings for this profile. Enable or disable the FortiConsole for this profile. Enable or disable consistency check for this profile. Enter the level of access to FortiAnalyzer configuration management settings for this profile.
Page 32 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable report-viewer {none | read | read-write} log-viewer {none | read | read-write} network {none | read | read-write} admin {none | read | read-write} system {none | read | read-write} devices {none | read | read-write} alerts {none | read | read-write} dlp {none | read | read-write} reports {none | read | read-write} log {none | read | read-write} quar {none | read | read-write} net-monitor {none | read | read-write} vuln-mgmt {none | read | read-write}

Description Enable or disable access permission. Enable or disable access permission. Enable or disable access permission. Enable or disable access permission. Enable or disable access permission. Enable or disable access permission. Enable or disable access permission. Enable or disable access permission. Enable or disable access permission. Enable or disable access permission. Enable or disable access permission. Enable or disable access permission. Enable or disable access permission.

Related topics
admin radius

system

Page 33

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

admin radius
Use this command to add, edit, and delete administration RADIUS servers.

Syntax
config system admin radius edit <server> set auth-type <auth_prot_type> set nas-ip <ip> set port <integer> set secondary-secret <passwd> set secondary-server <string> set secret <passwd> set server <string> end Variable Description

auth-type <auth_prot_type> Enter the authentication protocol the RADIUS server will use: any: Use any supported authentication protocol. mschap2 chap pap nas-ip <ip> port <integer> Enter the NAS IP address. Enter the RADIUS server port number. Default: 1812 secondary-secret <passwd> secondary-server <string> secret <passwd> server <string> Enter the password to access the RADIUS secondary-server. Enter the RADIUS secondary-server DNS resolvable domain name or IP address. Enter the password to access the RADIUS server. Enter the RADIUS server DNS resolvable domain name or IP address.

Example
This example shows how to add the RADIUS server RAD1 at the IP address 206.205.204.203 and set the shared secret as R1a2D3i4U5s. config system admin radius edit RAD1 set server 206.205.204.203 set secret R1a2D3i4U5s end

system

Page 34

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

admin setting
Use this command to configure system administration settings, including web administration ports, timeout, and language.

Syntax
config system admin setting set access-banner {enable | disable} set admin_server_cert <admin_server_cert> set allow_register {enable | disable} set auto-update {enable | disable} set banner-message <string> set demo-mode {enable | disable} set device_sync_status {enable | disable} set http_port <integer> set https_port <integer> set idle_timeout <integer> set install-ifpolicy-only {enable | disable} set mgmt-addr <string> set mgmt-fqdn <string> set offline_mode {enable | disable} set policy-display-threshold <integer> set register_passwd <password> set show-add-multiple {enable | disable} set show-adom-central-nat-policies {enable | disable} set show-adom-devman {enable | disable} set show-adom-dos-policies {enable | disable} set show-adom-dynamic-objects {enable | disable} set show-adom-forticonsole-button {enable | disable} set show-adom-icap-policies {enable | disable} set show-adom-implicit-policy {enable | disable} set show-adom-implicit-id-based-policy {enable | disable} set show-adom-ipv6-settings {enable | disable} set show-adom-policy-consistency-button {enable | disable} set show-adom-rtmlog {enable | disable} set show-adom-sniffer-policies {enable | disable} set show-adom-taskmon-button {enable | disable} set show-adom-terminal-button {enable | disable} set show-adom-voip-policies {enable | disable} set show-adom-vpnman {enable | disable} set show-adom-web-portal {enable | disable} set show-device-import-export {enable | disable} set show-foc-settings {enable | disable} set show-fortimail-settings {enable | disable} set show-fsw-settings {enable | disable} set show-global-object-settings {enable | disable} set show-global-policy-settings {enable | disable} set show_automatic_script {enable | disable}
system Page 35 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set set set set end Variable

show_grouping_script {enable | disable} show_tcl_script {enable | disable} unreg_dev_opt {add_allow_service | add_no_service | ignore} webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}

Description Enable or disable the access banner. Default: disable Enter the name of an https server certificate to use for secure connections. Default: server.crt

access-banner {enable | disable} admin_server_cert <admin_server_cert>

allow_register {enable | disable}

Enable or disable an unregistered device to be registered. Default: disable

auto-update {enable | disable} Enable or disable device config auto update. banner-message <string> demo-mode {enable | disable} Enable the banner messages. Maximum of 255 characters. Enable or disable demo mode. Default: disable device_sync_status {enable | disable} Enable or disable device synchronization status indication. Default: enable http_port <integer> Enter the HTTP port number for web administration. Default: 80 https_port <integer> Enter the HTTPS port number for web administration. Default: 443 idle_timeout <integer> Enter the idle timeout value. The range is from 1 to 480 minutes. Default: 5 install-ifpolicy-only {enable | disable} Enable to allow only the interface policy to be installed. Default: disable mgmt-addr <string> mgmt-fqdn <string> GQDN/IP of FortiAnalyzer used by FGFM. FQDN of FortiAnalyzer used by FGFM.

system

Page 36

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable offline_mode {enable | disable}

Description Enable offline mode to shut down the protocol used to communicate with managed devices. Default: disable

policy-display-threshold <integer> register_passwd <password> show-add-multiple {enable | disable}

Set the policy page display threshold (1 - 10000). Enter the password to use when registering a device. Show the add multiple button.

show-adom-central-nat-policies Show ADOM central NAT policy settings on the {enable | disable} Web-based Manager. Default: disable show-adom-devman {enable | disable} Show ADOM device manager tools on the Web-based Manager. Default: disable show-adom-dos-policies {enable | disable} Show ADOM DOS policy settings on the Web-based Manager. Default: disable show-adom-dynamic-objects {enable | disable} Show ADOM dynamic object settings on the Web-based Manager. Default: enable show-adom-forticonsole-button {enable | disable} Show ADOM banner button FortiConsole on the Web-based Manager. Default: enable show-adom-icap-policies {enable | disable} show-adom-implicit-policy {enable | disable} Show the ADOMICAP policy settings in the Web-based Manager. Show the ADOM implicit policy settings in the Web-based Manager.

show-adom-implicit-id-based-po Show the ADOM implicit ID based policy settings in licy {enable | disable} the Web-based Manager. show-adom-ipv6-settings {enable | disable} Show ADOM IPv6 settings in the Web-based Manager. Default: disable show-adom-policy-consistency-b Show ADOM banner button Policy Consistency in utton {enable | disable} the Web-based Manager. Default: disable

system

Page 37

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable show-adom-rtmlog {enable | disable}

Description Show ADOM RTM device log in the Web-based Manager. Default: disable

show-adom-sniffer-policies {enable | disable}

Show ADOM sniffer policy settings in the Web-based Manager. Default: disable

show-adom-taskmon-button {enable | disable}

Show ADOM banner button Task Monitor in the Web-based Manager. Default: enable

show-adom-terminal-button {enable | disable}

Show ADOM banner button Terminal in the Web-based Manager. Default: enable

show-adom-voip-policies {enable | disable} show-adom-vpnman {enable | disable}

Show ADOM VoIP policy settings in the Web-based Manager. Show ADOM VPN manager in the Web-based Manager. Default: enable

show-adom-web-portal {enable | disable}

Show ADOM web portal settings in the Web-based Manager. Default: disable

show-device-import-export {enable | disable} show-foc-settings {enable | disable}

Enable import/export of ADOM, device, and group lists. Show FortiCarrier settings in the Web-based Manager. Default: disable

show-fortimail-settings {enable | disable} show-fsw-settings {enable | disable}

Show FortiMail settings in the Web-based Manager. Default: disable Show FortiSwitch settings in the Web-based Manager. Default: disable

show-global-object-settings {enable | disable}

Show global object settings in the Web-based Manager. Default: enable

show-global-policy-settings {enable | disable}

Show global policy settings in the Web-based Manager. Default: enable

show_automatic_script {enable | disable}


system Page 38

Enable or disable automatic script.

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable show_grouping_script {enable | disable} show_tcl_script {enable | disable} unreg_dev_opt {add_allow_service | add_no_service | ignore}

Description Enable or disable grouping script. Enable or disable TCL script. Select action to take when an unregistered device connects to FortiAnalyzer. add_allow_service: Add unregistered devices and allow service requests. add_no_service: Add unregistered devices and deny service requests. ignore: Ignore unregistered devices. Default: add_all_service

webadmin_language {auto_detect Enter the language to be used for web administration. | english | japanese | korean | Default: auto_detect simplified_chinese | traditional_chinese}

admin tacacs
Use this command to add, edit, and delete administration TACACS+ servers.

Syntax
config system admin tacacs edit <name_str> set authen-type <auth_prot_type> set authorization {enable | disable} set key <passw> set port <integer> set secondary-key <passw> set secondary-server <string> set server <string> set tertiary-key <passw> set tertiary-server <string> end Variable authen-type <auth_prot_type> Description Choose which authentication type to use. Default: auto authorization {enable | disable} Enable or disable TACACS+ authorization. key <passw> Key to access the server.

system

Page 39

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable port <integer> secondary-key <passw> secondary-server <string> server <string> tertiary-key <passw> tertiary-server <string>

Description Port number of the TACACS+ server. Key to access the secondary server. Secondary server domain name or IP. The server domain name or IP. Key to access the tertiary server. Tertiary server domain name or IP.

Example
This example shows how to add the TACACS+ server TAC1 at the IP address 206.205.204.203 and set the key as R1a2D3i4U5s. config system admin tacacs edit TAC1 set server 206.205.204.203 set key R1a2D3i4U5s end

admin user
Use this command to add, edit, and delete administrator accounts. Use the admin account or an account with System Settings read and write privileges to add new administrator accounts and control their permission levels. Each administrator account must include a minimum of an access profile. The access profile list is ordered alphabetically, capitals first. If custom profiles are defined, it may change the default profile from Restricted_User.You cannot delete the admin administrator account. You cannot delete an administrator account if that user is logged on. For information about ADOMs, see Administrative Domains on page 25.

You can create meta-data fields for administrator accounts. These objects must be created using the FortiAnalyzer Web-based Manager. The only information you can add to the object is the value of the field (pre-determined text/numbers).

Syntax
config system admin user edit <name_str> set password <password> set trusthost1 <ip_mask> set trusthost2 <ip_mask> set trusthost3 <ip_mask> set ipv6_trusthost1 <ip_mask> set ipv6_trusthost2 <ip_mask> set ipv6_trusthost3 <ip_mask>

system

Page 40

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set profileid <profile-name> set adom <adom_name(s)> set policy-package {<adom name>: <policy package id> <adom policy folder name>/ <package name> | all_policy_packages} set restrict-access {enable | disable} set description <string> set user_type <local | radius | ldap | tacacs-plus> set ldap-server <string> set radius_server <string> set tacacs-plus-server <string> set ssh-public-key1 <key-type> <key-value> set ssh-public-key2 <key-type>, <key-value> set ssh-public-key3 <key-type> <key-value> set wildcard <enable | disable> set radius-accprofile-override <enable | disable> set radius-adom-override <enable | disable> set radius-group-match <string> set last-name <string> set first-name <string> set email-address <string> set phone-number <string> set mobile-number <string> set pager-number <string> end config meta-data edit <fieldname> set fieldlength set fieldvalue <string> set importance set status end end config dashboard-tabs edit tabid <integer> set name <string> end config dashboard edit moduleid set name <string> set column <column_pos> set refresh-inverval <integer> set status {close | open} set tabid <integer> set widget-type {alert | devsummary | jsconsole | licinfo | logrecv | raid | rpteng | statisctics | sysinfo | sysop | sysres | top-lograte} set log-rate-type {device | log} set log-rate-topn {1 | 2 | 3 | 4 | 5}
system Page 41 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set log-rate-period {1hour | 2min | 6hours} set res-view-type {history | real-time} set res-period {10min | day | hour} set num-entries <integer> end end config restrict-dev-vdom edit dev-vdom <string> end end Variable password <password> Description Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This variable is available only if user_type is local. Type the trusted host IP address and netmask from which the administrator can log in to the FortiAnalyzer system. You can specify up to three trusted hosts. (optional) Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts on page 45. ipv6_trusthost1 <ip_mask> ipv6_trusthost2 <ip_mask> ipv6_trusthost3 <ip_mask> Type the trusted host IP address from which the administrator can log in to the FortiAnalyzer system. You can specify up to three trusted hosts. (optional) Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts on page 45. profileid <profile-name> Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiAnalyzer features. Default: Restricted_User adom <adom_name(s)> Enter the name(s) of the ADOM(s) the administrator belongs to. Any configuration of ADOMs takes place via the FortiAnalyzer Web-based Manager. For more information, see Administrative Domains on page 25. Policy package access.

trusthost1 <ip_mask> trusthost2 <ip_mask> trusthost3 <ip_mask>

policy-package {<adom name>: <policy package id> <adom policy folder name>/ <package name> | all_policy_packages} restrict-access {enable | disable}

Enable or disable restricted access to the dev-vdom. Default: disable

system

Page 42

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable description <string> user_type <local | radius | ldap | tacacs-plus>

Description Enter a description for this administrator account. When using spaces, enclose description in quotes. Enter local if the FortiAnalyzer system verifies the administrators password. Enter radius if a RADIUS server verifies the administrators password. Default: local

ldap-server <string> radius_server <string> tacacs-plus-server <string> ssh-public-key1 <key-type> <key-value> ssh-public-key2 <key-type>, <key-value> ssh-public-key3 <key-type> <key-value>

Enter the LDAP server name if the user type is set to LDAP. Enter the RADIUS server name if the user type is set t o RADIUS. Enter the TACACS+ server name if the user type is set to TACACS+. You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application. <key type> The ssh-dss for a DSA key, ssh-rsa for an RSA key. <key-value> The public key string of the SSH client.

wildcard <enable | disable> radius-accprofile-override <enable | disable> radius-adom-override <enable | disable> radius-group-match <string> last-name <string> first-name <string> email-address <string> phone-number <string> mobile-number <string> pager-number <string>

Enable or disable wildcard remote authentication Allow access profile to be overridden from RADIUS. Allow ADOM to be overridden from RADIUS Only admin that belong to this group are allowed to login. Administrators last name. Administrators first name. Administrators email address. Administrators phone number. Administrators mobile phone number. Administrators pager number.

Variable for config meta-data subcommand: Note: This subcommand can only change the value of an existing field. To create a new metadata field, use the config meta-data command.

system

Page 43

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable fieldname

Description The label/name of the field. Read-only. Default: 50

fieldlength fieldvalue <string>

The maximum number of characters allowed for this field. Read-only. Enter a pre-determined value for the field. This is the only value that can be changed with the config meta-data subcommand. Indicates whether the field is compulsory (required) or optional (optional). Read-only. Default: optional

importance

status

For display only. Value cannot be changed. Default: enabled

Variable for config dashboard-tabs subcommand: tabid <integer> name <string> Tab ID. Tab name.

Variable for config dashboard subcommand: moduleid name <string> column <column_pos> Widget ID. Widget name. Widgets column ID. Default: 0 refresh-inverval <integer> Widgets refresh interval. Default: 300 status {close | open} Widgets opened/closed status. Default: open tabid <integer> ID of the tab where the widget is displayed. Default: 0

system

Page 44

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable widget-type {alert | devsummary | jsconsole | licinfo | logrecv | raid | rpteng | statisctics | sysinfo | sysop | sysres | top-lograte}

Description Widget type. Enter one of the following: alert: Alert message console devsummary: Device summary jsconsole: CLI console licinfo: License information logrecv: Data receive raid: Disk monitor rpteng: Report engine statistics: Statistics sysinfo: System information sysop: Unit operation sysres: System resources top-lograte: Log rates

log-rate-type {device | log} Log receive monitor widget's statistics breakdown options. log-rate-topn {1 | 2 | 3 | 4 | 5} log-rate-period {1hour | 2min | 6hours} res-view-type {history | real-time} res-period {10min | day | hour} num-entries <integer> Log receive monitor widget's number of top items to display Log receive monitor widget's data period. Widgets data view type. Widgets data period. Can be set to 10 minutes, one day, or one hour. Number of entries.

Variable for config restrict-dev-vdom subcommand: dev-vdom <string> Enter device or VDOM to edit.

Using trusted hosts


Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255. When you set trusted hosts for all administrators, the FortiAnalyzer system does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access. The trusted hosts you define apply both to the Web-based Manager and to the CLI when accessed through SSH. CLI access through the console connector is not affected.

system

Page 45

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
Use the following commands to add a new administrator account named admin_2 with the password set to p8ssw0rd and the Super_User access profile. Administrators that log in to this account will have administrator access to the FortiAnalyzer system from any IP address. config system admin user edit admin_2 set description "Backup administrator" set password p8ssw0rd set profileid Super_User end

aggregation-client
Syntax
config system aggregation-client edit <id> set mode {aggregation | both | disable | realtime} set agg-archive-types {Web_Archive | Email_Archive | File_Transfer_Archive | IM_Archive | MMS_Archive | AV_Quarantine | IPS_Packets} set agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter | event | history | traffic | virus | webfilter | netscan} set agg-password <passwd> set agg-time <integer> set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp} set fwd-log-source-ip {local_ip | original_ip} set fwd-min-level {alert | critical | debug | emergency | error | information | notification | warning} set fwd-remote-server {fortianalyzer | syslog} set server-ip <ip> end Variable <id> mode {aggregation | both | disable | realtime} Description Log aggregation ID. Log aggregation mode: aggregation: Aggregate logs to FortiAnalyzer both: Forward and aggregate logs to the FortiAnalyzer disable: Do not forward or aggregate logs realtime: Real time forward logs to the FortiAnalyzer

system

Page 46

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable

Description

agg-archive-types Archive type. Command only available when the mode is set {Web_Archive | to aggregation or both. Email_Archive | File_Transfer_Arch ive | IM_Archive | MMS_Archive | AV_Quarantine | IPS_Packets} agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter | event | history | traffic | virus | webfilter | netscan} agg-password <passwd> agg-time <integer> fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp} Log type. Command only available when the mode is set to aggregation or both.

Log aggregation access password for server. Command only available when the mode is set to aggregation or both. Daily at the selected time. Command only available when the mode is set to aggregation or both. Facility for remote syslog. The command is only available when the mode is set to realtime or both. Select one of the following: alert: Log alert audit: Log audit auth: Security/authorization messages authpriv: Security/authorization messages (private) clock: Clock daemon cron: Clock daemon daemon: System daemons ftp: FTP daemon kernel: Kernel messages local0, local1, local2, local3, local4, local5, local 6, local7: Reserved for local use lpr: Line printer subsystem mail: Mail system news: Network news subsystem ntp: NTP daemon syslog: Messages generated internally by syslogd user: Random user level messages uucp: Network news subsystem

system

Page 47

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable fwd-log-source-ip {local_ip | original_ip}

Description The logs source IP address. Command only available when the mode is set to realtime or both. Select one of the following: local_ip: Use local IP original_ip: Use original source IP

fwd-min-level {alert | critical | debug | emergency | error | information | notification | warning}

Forward logs more sever than this level. Command only available when the mode is set to realtime or both. Select one of the following severity levels: alert: Alert log level critical: Critical log level debug: Debug log level emergency: Emergency log level error: Error log level information: Information log level notification: Notification log level warning: Warning log level

fwd-remote-server {fortianalyzer | syslog} server-ip <ip>

Forwarding all logs to a generic syslog server or the FortiAnalyzer device. Command only available when the mode is set to realtime or both. Remote server ip address. Command only available when the mode is set to aggregation, both, or realtime.

aggregation-service
Syntax
config system aggregation-service set accept-aggregation {enable | disable} set accept-realtime-log {enable | disable} set aggregation-disk-quota <integer> set password <passwd> end Variable Description

accept-aggregation Enable or disable accept log aggregation option. {enable | disable} accept-realtime-log Enable to accept real time logs. {enable | disable} aggregation-disk-quota <integer> password <passwd> Aggregated device disk quota (MB) on server. accept-aggregation must be enabled. Log aggregation access password for server. accept-aggregation must be enabled.
Page 48 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system

alert-console
Use this command to configure the alert console options. The alert console appears on the dashboard in the Web-based Manager.

Syntax
config system alert-console set period <integer> set severity-level {debug | information | notify | warning | error | critical | alert | emergency} end Variable period <integer> Description Enter the number of days to keep the alert console information on the dashboard in days between 1 and 7. Default: 7 severity-level {debug | information | notify | warning | error | critical | alert | emergency} Enter the severity level to display on the alert console on the dashboard.

Example
This example sets the alert console message display to warning for a duration of three days. config system alert-console set period 3 set severity-level warning end

system

Page 49

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

alert-event
Use alert-event commands to configure the FortiAnalyzer unit to monitor logs for log messages with certain severity levels, or information within the logs. If the message appears in the logs, the FortiAnalyzer unit sends an email or SNMP trap to a predefined recipient(s) of the log message encountered. Alert event messages provide immediate notification of issues occurring on the FortiAnalyzer unit. When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses the SMTP server name to connect to the mail server and must look up this name on your DNS server. name

Syntax
config system alert-event edit <name_string> config alert-destination edit destination_id <integer> set type {mail | snmp | syslog} set from <email_addr> set to <email_addr> set smtp-name <server_name> set snmp-name <server_name> set syslog-name <server_name>
end

enable-generic-text {enable | disable} enable-severity-filter {enable | disable} event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168} generic-text <string> num-events {1 | 5 | 10 | 50 | 100} severity-filter {high | low | medium | medium-high | medium-low} set severity-level-comp {>= | = | <=} set severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency} end Variable <name_string> destination_id <integer> type {mail | snmp | syslog} Description Enter a name for the alert event. Enter the table sequence number, beginning at 1. Select the alert event message method of delivery. Default: mail from <email_addr> to <email_addr> smtp-name <server_name> Enter the email address of the sender of the message. This is available when the type is set to mail. Enter the recipient of the alert message. This is available when the type is set to mail. Enter the name of the mail server. This is available when the type is set to mail.
Page 50 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set set set set set set

system

Variable snmp-name <server_name> syslog-name <server_name> enable-generic-text {enable | disable} enable-severity-filter {enable | disable} event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168} generic-text <string> num-events {1 | 5 | 10 | 50 | 100} severity-filter {high | low | medium | medium-high | medium-low}

Description Enter the snmp server name. This is available when the type is set to snmp. Enter the syslog server name or IP address. This is available when the type is set to syslog. Enable the text alert option. Default: disable Enable the severity filter option. Default: disable The period of time in hours during which if the threshold number is exceeded, the event will be reported. Enter the text the alert looks for in the log messages. Set the number of events that must occur in the given interval before it is reported. Set the alert severity indicator for the alert message the FortiAnalyzer unit sends to the recipient. Select one of the following: high low medium medium-high medium-low

severity-level-comp {>= | = | <=}

Set the severity level in relation to the log level. Log messages are monitored based on the log level. For example, alerts may be monitored if the messages are greater than, and equal to (>=) the Warning log level. Set the log level the FortiAnalyzer looks for when monitoring for alert messages. Select one of the following: no-check information notify warning error critical alert emergency

severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency}

system

Page 51

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
In the following example, the alert message is set to send an email to the administrator when 5 warning log messages appear over the span of three hours. config system alert-event edit warning config alert-destination edit 1 set type mail set from fmgr@exmample.com set to admin@example.com set smtp-name mail.example.com end set enable-severity-filter enable set event-time-period 3 set severity-level-log warning set severity-level-comp = set severity-filter medium end

Related topics
alert-console alertemail

alertemail
Use this command to configure alert email settings for your FortiMail unit. All variables are required if authentication is enabled.

Syntax
config system alertemail set authentication {enable | disable} set fromaddress <email-addr_str> set fromname <name_str> set smtppassword <pass_str> set smtpport <port_int> set smtpserver {<ipv4>|<fqdn_str>} set smtpuser <username_str> end Variable authentication {enable | disable} Description Enable or disable alert email authentication. Default: enable fromaddress <email-addr_str> The email address the alertmessage is from. This is a required variable.

system

Page 52

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable fromname <name_str>

Description The SMTP name associated with the email address. To enter a name that includes spaces, enclose the whole name in quotes. Set the SMTP server password. The SMTP server port. Default: 25

smtppassword <pass_str> smtpport <port_int>

smtpserver {<ipv4>|<fqdn_str>} smtpuser <username_str>

The SMTP server address. Enter either a DNS resolvable host name or an IP address. Set the SMTP server username.

Example
Here is an example of configuring alertemail. Enable authentication, the alert is set in Mr. Customers name and from his email address, the SMTP server port is the default port(25), and the SMTP server is at IP address of 192.168.10.10. config system alertemail set authentication enable set fromaddress customer@example.com set fromname Mr. Customer set smtpport 25 set smtpserver 192.168.10.10 end

backup all-settings
Use this command to set or check the settings for scheduled backups.

Syntax
config system backup all-settings set status {enable | disable} set server {<ipv4>|<fqdn_str>} set user <username_str> set directory <dir_str> set week_days {monday tuesday wednesday thursday friday saturday sunday} set time <hh:mm:ss> set protocol {ftp | sftp} set password <pass_str> set crptpasswd <pass_str> end

system

Page 53

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable status {enable | disable}

Description Enable or disable scheduled backups. Default: disable

server {<ipv4>|<fqdn_str>} user <username_str> directory <dir_str> week_days {monday tuesday wednesday thursday friday saturday sunday} time <hh:mm:ss> protocol {ftp | sftp}

Enter the IP address or DNS resolvable host name of the backup server. Enter the user account name for the backup server. Enter the name of the directory on the backup server in which to save the backup file. Enter days of the week on which to perform backups. You may enter multiple days. Enter time of day to perform the backup. Time is required in the form <hh:mm:ss>. Enter the transfer protocol. Default: sftp

password <pass_str> crptpasswd <pass_str>

Enter the password for the backup server. Optional password to protect backup content

Example
This example shows a whack where backup server is 172.20.120.11 using the admin account with no password, saving to the /usr/local/backup directory. Backups are done on Mondays at 1:00pm using ftp. config system backup all-settings set status enable set server 172.20.120.11 set user admin set directory /usr/local/backup set week_days monday set time 13:00:00 set protocol ftp end

certificate ca
Use this command to install Certificate Authority (CA) root certificates. When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL). The process for obtaining and installing certificates is as follows: 1. Use the execute certificate local generate command to generate a CSR. 2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL.
system Page 54 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

3. Use the system certificate local command to install the signed local certificate. 4. Use the system certificate ca command to install the CA certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax
config system certificate ca edit <ca_name> set ca <cert> set comment <string> end To view all of the information about the certificate, use the get command: get system certificate ca <ca_name> Variable edit <ca_name> ca <cert> comment <string> Description Enter a name for the CA certificate. Enter or retrieve the CA certificate in PEM format. Enter a descriptive comment. (optional)

certificate local
Use this command to install local certificates. When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the signed local certificate and the Certificate Revocation List (CRL). The process for obtaining and installing certificates is as follows: 1. Use the execute certificate local generate command to generate a CSR. 2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL. 3. Use the system certificate local command to install the signed local certificate. 4. Use the system certificate ca command to install the CA certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax
config system certificate local edit <cert_name> set password <cert_password> set comment <comment_text> set private-key <prkey> set certificate <cert_PEM> set csr <csr_PEM> end

system

Page 55

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

To view all of the information about the certificate, use the get command: get system certificate local [cert_name] Variable edit <cert_name> password <cert_password> comment <comment_text> certificate <cert_PEM> Description Enter the local certificate name. Enter the local certificate password. Enter any relevant information about the certificate. Enter the signed local certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit. private-key <prkey> csr <csr_PEM> The private key in PEM format. The CSR in PEM format.

certificate ssh
Use this command to install SSH certificates. The process for obtaining and installing certificates is as follows: 1. Use the execute certificate local generate command to generate a CSR. 2. Send the CSR to a CA. The CA sends you the CA certificate, the signed local certificate and the CRL. 3. Use the system certificate local command to install the signed local certificate. 4. Use the system certificate ca command to install the CA certificate. 5. Use the system certificate SSH command to install the SSH certificate. Depending on your terminal software, you can copy the certificate and paste it into the command.

Syntax
config system certificate local edit <name> set comment <comment_text> set certificate <certificate> set private-key <key> end To view all of the information about the certificate, use the get command: get system certificate local [cert_name] Variable edit <name> comment <comment_text> Description Enter the SSH certificate name. Enter any relevant information about the certificate.

system

Page 56

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable certificate <certificate>

Description Enter the signed SSH certificate in PEM format.

You should not modify the following variables if you generated the CSR on this unit. private-key <key> The private key in PEM format.

dns
Use this command to set the DNS server addresses. Several FortiAnalyzer functions, including sending alert email, use DNS.

Syntax
config system dns set primary <ipv4> set secondary <ipv4> end Variable primary <ipv4> Description Enter the primary DNS server IP address. Default: 65.39.139.53 secondary <ipv4> Enter the secondary DNS IP server address. Default: 65.39.139.63

Example
This example shows how to set the primary FortiAnalyzer DNS server IP address to 172.20.120.99 and the secondary FortiAnalyzer DNS server IP address to 192.168.1.199. config system dns set primary 172.20.120.99 set secondary 192.168.1.199 end

fips
Use this command to set the FIPS status.

Syntax
config system fips set end

system

Page 57

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

global
Use this command to configure global settings that affect miscellaneous FortiAnalyzer features.

Syntax
config system global set admin-lockout-duration <integer> set admin-lockout-threshold <integer> set admintimeout <integer> set adom-mode {advanced | normal} set adom-status {enable | disable} set console-output {more | standard} set daylightsavetime {enable | disable} set default-disk-quota <integer> set enc-algorithm {default | high | low} set hostname <string> set language {english | japanese | simch | trach} set lcdpin <pin_int> set ldapconntimeout <integer> set log-mode {analyzer | collector | standalone} set max-concurrent-users <integer> set max-running-reports <integer> set pre-login-banner {enable | disable} set pre-login-banner-message <string> set remoteauthtimeout <integer> set ssl-low-encryption {enable disable} set swapmem {enable | disable} set timezone <timezone_int> set webservice-support-sslv3 {disable | enable} end Variable admin-lockout-duration <integer> Description Set the lockout duration (seconds) for FortiAnalyzer administration. Default: 60 admin-lockout-threshold <integer> Set the lockout threshold for FortiAnalyzer administration (1 to 10). Default: 3 admintimeout <integer> Set the administrator idle timeout (in minutes). Default: 5 adom-mode {advanced | normal} Set the ADOM mode. adom-status {enable | disable} Enable or disable administrative domains (ADOMs). Default: disable

system

Page 58

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable console-output {more | standard}

Description Select how the output is displayed on the console. Select more to pause the output at each full screen until keypress. Select standard for continuous output without pauses. Default: standard

daylightsavetime {enable | disable}

Enable or disable daylight saving time. If you enable daylight saving time, the FortiAnalyzer unit automatically adjusts the system time when daylight saving time begins or ends. Default: enable

default-disk-quota <integer> enc-algorithm {default | high | low} hostname <string> language {english | japanese | simch | trach} lcdpin <pin_int> ldapconntimeout <integer>

Default disk quota (MB) for auto-registered device. Set SSL communication encryption algorithms. Default: default FortiAnalyzer host name. Web interface language. Select from English, Japanese, Simplified Chinese, or Traditional Chinese. Default: English Set the 6 digit PIN administrators must enter to use the LCD panel. LDAP connection timeout (in milliseconds). Default: 60000

log-mode {analyzer | collector | standalone} max-concurrent-users <integer>

Log system operation mode Maximum number of concurrent administrators. Default: 20

max-running-reports <integer> Maximum running reports number (from 1 to 10). pre-login-banner {enable | disable} pre-login-banner-message <string> remoteauthtimeout <integer> Enable or disable the pre-login banner. The pre-login banner message. Remote authentication (RADIUS/LDAP) timeout (in seconds). Default: 10 ssl-low-encryption {enable disable} Enable or disable low-grade (40-bit) encryption. Default: enable

system

Page 59

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable swapmem {enable | disable}

Description Enable or disable virtual memory. Default: enable

timezone <timezone_int>

The time zone for the FortiAnalyzer unit. Default: (GMT-8)Pacific Time(US & Canada)

webservice-support-sslv3 {disable | enable}

Enable or disable SSLv3 protocol for web service TLS/SSL connections.

Example
The following command turns on daylight saving time, sets the FortiAnalyzer unit name to FMG3k, sets the LCD password to 123856, and chooses the Eastern time zone for US & Canada. config system global set daylightsavetime enable set hostname FMG3k set lcdpin 123856 set timezone 12 end

interface
Use this command to edit the configuration of a FortiAnalyzer network interface.

Syntax
config system interface edit <port_str> set status {up | down} set ip <ipv4_mask> set allowaccess {aggregator http https ping snmp ssh telnet webservice} set serviceaccess {fclupdates fgtupdates} set speed {1000full | 100full | 100half | 10full | 10half | auto} set description <string> set alias <string> config ipv6 set ip6-address <IPv6 prefix> set ip6-allowaccess {aggregator http https ping6 snmp ssh telnet webservice} end end

system

Page 60

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable <port_str>

Description <port_str> can be set to a port number such as port1, port2, port3, or port4. Different FortiAnalyzer models have different numbers of ports. Start or stop the interface. If the interface is stopped it does not accept or send packets. If you stop a physical interface, VLAN interfaces associated with it also stop. Default: up

status {up | down}

ip <ipv4_mask>

Enter the interface IP address and netmask. The IP address cannot be on the same subnet as any other interface.

allowaccess {aggregator http https ping snmp ssh telnet webservice} serviceaccess {fclupdates fgtupdates}

Enter the types of management access permitted on this interface. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required. Enter the types of service access permitted on this interface. (FortiClient updates and FortiGate updates) Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required.

speed {1000full | 100full | 100half | 10full | 10half | auto}

Enter the speed and duplexing the network port uses. Enter auto to automatically negotiate the fastest common speed. Select from the following: 1000full: 1000Mbps full-duplex 100full: 100Mbps full-duplex 100half: 100Mbps half-duplex 10full: 10Mbps full-duplex 10half: 10Mbps half-duplex auto: Auto adjust speed Default: auto

description <string> alias <string> config ipv6 ip6-address <IPv6 prefix> ip6-allowaccess {aggregator http https ping6 snmp ssh telnet webservice}
system

Enter a description of the interface. Enter an alias for the interface. Configure the interface IPv6 settings. IPv6 address/prefix of interface. Allow management access to the interface.

Page 61

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
This example shows how to set the FortiAnalyzer port1 interface IP address and netmask to 192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh. config system interface edit port1 set allowaccess ping https ssh set ip 192.168.110.26 255.255.255.0 set status up end

locallog disk setting


Use this command to configure the FortiAnalyzer disk settings for uploading log files, including configuring the severity of log levels. status must be enabled to view diskfull, max-log-file-size and upload variables. upload must be enabled to view/set other upload* variables.

Syntax
config system locallog disk setting set status {enable | disable} set severity {alert | critical | debug | emergency | error | information | notification | warning} set max-log-file-size <size_int> set roll-schedule {none | daily | weekly} set roll-day <string> set roll-time <hh:mm> set diskfull {nolog | overwrite} set log-disk-full-percentage <integer> set upload {disable | enable} set uploadip <ipv4> set server-type {faz | ftp | scp | sftp} set uploadport <port_int> set uploaduser <user_str> set uploadpass <passwd_str> set uploaddir <dir_str> set uploadtype <event> set uploadzip {disable | enable} set uploadsched {disable | enable} set upload-time <hh:mm> set upload-delete-files {disable | enable} end

system

Page 62

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable status {enable | disable}

Description Enter enable to begin logging. Default: disable

severity {alert | critical | debug | emergency | error | information | notification | warning}

Select the logging severity level. The FortiAnalyzer unit logs all messages at and above the logging severity level you select. For example, if you select critical, the unit logs critical, alert and emergency level messages. Default: alert The logging levels in descending order are: emergency alert critical error warning The unit is unusable. Immediate action is required. Functionality is affected. Functionality is probably affected. Functionality might be affected.

notification Information about normal events. information debug max-log-file-size <size_int> General information about unit operations. Information used for diagnosis or debugging.

Enter the size at which the log is rolled. The range is from 1 to 1024 megabytes. Default: 100

roll-schedule Enter the period for the scheduled rolling of a log file. If {none | daily | weekly} roll-schedule is none, the log rolls when max-log-file-size is reached. Default: none roll-day <string> Enter the day for the scheduled rolling of a log file. Default: none roll-time <hh:mm> Enter the time for the scheduled rolling of a log file. Default: none diskfull {nolog | overwrite} Enter action to take when the disk is full: nolog: Stop logging when disk full overwrite: Overwrites oldest log entries Default: overwrite log-disk-full-percentage <integer> Enter the percentage at which the log disk will be considered full.

system

Page 63

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable upload {disable | enable}

Description Enable to permit uploading of logs. Default: disable

uploadip <ipv4>

Enter IP address of the destination server. Default: 0.0.0.0

server-type {faz | ftp | scp | sftp}

Enter the type the server to use to store the logs. Select one of the following: faz: Log to FortiAnalyzer ftp: Log to an FTP server scp: Log to an SCP server sftp: Log to an SFTP server

uploadport <port_int>

Enter the port to use when communicating with the destination server. Default: 21

uploaduser <user_str> uploadpass <passwd_str> uploaddir <dir_str> uploadtype <event>

Enter the user account on the destination server. Enter the password of the user account on the destination server. Enter the destination directory on the remote server. Enter to upload the event log files. Default: event

uploadzip {disable | enable} Enable to compress uploaded log files. Default: disable uploadsched {disable | enable} upload-time <hh:mm> upload-delete-files {disable | enable} Enable to schedule log uploads. Enter to configure when to schedule an upload. Enable to delete log files after uploading. Default: enable

system

Page 64

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
In this example, the logs are uploaded to an upload server and are not deleted after they are uploaded. config system locallog disk setting set status enable set severity information set max-log-file-size 1000MB set roll-schedule daily set upload enable set uploadip 10.10.10.1 set uploadport port 443 set uploaduser myname2 set uploadpass 12345 set uploadtype event set uploadzip enable set uploadsched enable set upload-time 06:45 set upload-delete-file disable end

locallog filter
Use this command to configure filters for local logs. All variables are visible only when event is enabled.

Syntax
config system locallog [memory| disk | fortianalyzer | syslogd | syslogd2 | syslogd3] filter set dvm {disable | enable} set event {disable | enable} set iolog {disable | enable} set system {disable | enable} end Variable dvm {disable | enable} Description Enable to log device manager messages. Default: disable event {disable | enable} Enable to configure log filter messages. Default: disable iolog {disable | enable} Enable input/output log activity messages. Default: disable system {disable | enable} Enable to log system manager messages. Default: disable

system

Page 65

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
In this example, the local log filters are log and report manager, and system settings. Events in these areas of the FortiAnalyzer unit will be logged. config system locallog filter set event enable set iolog enable set system enable end

locallog fortianalyzer setting


Use this command to enable or disable, and select the severity threshold of, remote logging to the FortiAnalyzer unit entered in system log fortianalyzer. Refer to system locallog filter on page 65. The severity threshold required to forward a log message to the FortiAnalyzer unit is separate from event, syslog, and local logging severity thresholds.

Syntax
config system locallog fortianalyzer setting set severity {emergency | alert | critical | error | warning | notification | information | debug} set status {disable | enable} end Variable severity {emergency | alert | critical | error | warning | notification | information | debug} Description Enter the severity threshold that a log message must meet or exceed to be logged to the FortiAnalyzer unit. For details on severity levels, see severity {alert | critical | debug | emergency | error | information | notification | warning} on page 63. Default: alert status {disable | enable} Enable or disable remote logging to the FortiAnalyzer unit. Default: disable

Example
You might enable remote logging to the FortiAnalyzer unit configured. Events at the information level and higher, which is everything except debug level events, would be sent to the FortiAnalyzer unit. config system locallog fortianalyzer setting set status enable set severity information end

system

Page 66

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

locallog memory setting


Use this command to configure memory settings for local logging purposes. Refer to system locallog filter on page 65.

Syntax
config system locallog memory setting set severity {emergency | alert | critical | error | warning | notification | information | debug} set status <disable | enable> end Variable severity {emergency | alert | critical | error | warning | notification | information | debug} status <disable | enable> Description Enter to configure the severity level to log files. See severity {alert | critical | debug | emergency | error | information | notification | warning} on page 63 for more information on the severity levels. Default: alert Enable or disable the memory buffer log. Default: disable

Example
This example shows how to enable logging to memory for all events at the notification level and above. At this level of logging, only information and debug events will not be logged. config system locallog memory set severity notification set status enable end

system

Page 67

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

locallog syslogd (syslogd2, syslogd3) setting


Use this command to configure the settings for logging to a syslog server. You can configure up to three syslogd servers, syslogd, syslogd2 and syslogd3.

Syntax
config system locallog {syslogd | syslogd2 | syslogd3} setting set csv {disable | enable} set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp} set port <port_int> set server <address_ipv4> set severity {emergency | alert | critical | error | warning | notification | information | debug} set status {enable | disable} end Variable csv {disable | enable} Description Enable to produce the log in comma separated value (CSV) format. If you do not enable CSV format the FortiAnalyzer unit produces space separated log files. Default: disable

system

Page 68

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

Description Enter the facility type. facility identifies the source of the log message to syslog. Change facility to distinguish log messages from different FortiAnalyzer units so you can determine the source of the log messages. Default: local7 Available facility types are: alert: log alert audit: log audit auth: security/authorization messages authpriv: security/authorization messages (private) clock: clock daemon cron: cron daemon performing scheduled commands daemon: system daemons running background system processes ftp: File Transfer Protocol (FTP) daemon kernel: kernel messages local0 local7: reserved for local use lpr: line printer subsystem mail: email system news: network news subsystem ntp: Network Time Protocol (NTP) daemon syslog: messages generated internally by the syslog daemon

port <port_int>

Enter the port number for communication with the syslog server. Default: 514

server <address_ipv4>

Enter the IP address of the syslog server that stores the logs.

system

Page 69

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable severity {emergency | alert | critical | error | warning | notification | information | debug}

Description Select the logging severity level. The FortiAnalyzer unit logs all messages at and above the logging severity level you select. For example, if you select critical, the unit logs critical, alert and emergency level messages. The logging levels in descending order are: emergency alert critical error warning notification information debug The unit is unusable. Immediate action is required. Functionality is affected. Functionality is probably affected. Functionality might be affected. Information about normal events. General information about unit operations. Information used for diagnosis or debugging.

status {enable | disable} Enter enable to begin logging.

Example
In this example, the logs are uploaded to a syslog server at IP address 10.10.10.8. The FortiAnalyzer unit is identified as facility local0. config system locallog syslogd setting set facility local0 set server 10.10.10.8 set status enable set severity information end

log alert
Use this command to set log based alert settings.

Syntax
config system log alert set max-alert-count <alert count range between 100 and 1000> end

system

Page 70

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

log fortianalyzer
Use this command to configure a connection with the FortiAnalyzer unit which will be used as the FortiAnalyzers remote log server. You must configure the FortiAnalyzer unit to accept web service connections. Refer to system locallog filter on page 65 for details of the filters.

Syntax
config system log fortianalyzer set status {disable | enable} set ip <ipv4> set secure_connection {disable | enable} set localid <string> set psk <passwd> set username <username_str> set passwd <pass_str> set auto_install {enable | disable} end Variable status {disable | enable} Description Enable or disable to configure the connection to the FortiAnalyzer unit. Default: disable ip <ipv4> secure_connection {disable | enable} localid <string> psk <passwd> username <username_str> Enter the IP address of the FortiAnalyzer unit. Enable or disable secure connection with the FortiAnalyzer unit. Enter the local ID. Enter the preshared key with the FortiAnalyzer unit. Enter the FortiAnalyzer administrator login that the FortiAnalyzer unit will use to administer the FortiAnalyzer unit. Enter the FortiAnalyzer administrator password for the account specified in username. Enable to automatically update the FortiAnalyzer settings as they are changed on the FortiAnalyzer unit. Default: disable

passwd <pass_str> auto_install {enable | disable}

system

Page 71

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
You can configure a secure tunnel for logs and other communications with the FortiAnalyzer unit. config system log fortianalyzer set status enable set ip 192.168.1.100 set username admin set passwd wert5W34bNg end

log setting
Use this command to configure settings for logs.

Syntax
config system log setting set FCH-custom-field1 <string> set FCH-custom-field2 <string> set FCH-custom-field3 <string> set FCH-custom-field4 <string> set FCH-custom-field5 <string> set FCT-custom-field1 <string> set FCT-custom-field2 <string> set FCT-custom-field3 <string> set FCT-custom-field4 <string> set FCT-custom-field5 <string> set FGT-custom-field1 <string> set FGT-custom-field2 <string> set FGT-custom-field3 <string> set FGT-custom-field4 <string> set FGT-custom-field5 <string> set FML-custom-field1 <string> set FML-custom-field2 <string> set FML-custom-field3 <string> set FML-custom-field4 <string> set FML-custom-field5 <string> set FWB-custom-field1 <string> set FWB-custom-field2 <string> set FWB-custom-field3 <string> set FWB-custom-field4 <string> set FWB-custom-field5 <string> set analyzer {enable | disable} set analyzer-interface <string> set analyzer-quota <integer> set analyzer-quota-full {overwrite | stop} set analyzer-settings {custom | device} set local {enable | disable}
system Page 72 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

set local-level {alert | critical | debug | emergency | error | information | notification | warning} set local-quota <integer> set local-quota-full {overwrite | stop} set local-settings {custom | device} set syslog {enable | disable} set syslog-csv {enable | disable} set syslog-filter {config | ipsec | login | none | system} set syslog-ip <ip> set syslog-level {alert | critical | debug | emergency | error | information | notification | warning} set syslog-port <integer> end Variable FCH-custom-field1 <string> FCH-custom-field2 <string> FCH-custom-field3 <string> FCH-custom-field4 <string> FCH-custom-field5 <string> FCT-custom-field1 <string> FCT-custom-field2 <string> FCT-custom-field3 <string> FCT-custom-field4 <string> FCT-custom-field5 <string> FGT-custom-field1 <string> FGT-custom-field2 <string> FGT-custom-field3 <string> FGT-custom-field4 <string> FGT-custom-field5 <string> FML-custom-field1 <string> FML-custom-field2 <string> FML-custom-field3 <string> FML-custom-field4 <string> FML-custom-field5 <string> FWB-custom-field1 <string> Description Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index.

system

Page 73

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable FWB-custom-field2 <string> FWB-custom-field3 <string> FWB-custom-field4 <string> FWB-custom-field5 <string> analyzer {enable | disable} analyzer-interface <string> analyzer-quota <integer> analyzer-quota-full {overwrite | stop} analyzer-settings {custom | device} local {enable | disable} local-level {alert | critical | debug | emergency | error | information | notification | warning} local-quota <integer> local-quota-full {overwrite | stop} local-settings {custom | device} syslog {enable | disable}

Description Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Name of custom log field to index. Enable or disable the Network Analyzer. Network interface from which the Network analyzer will record traffic. Allocated space (MB) for Network Analyzer logs. Action when Network Analyzer quota has been reached. Network Analyzer rolling/uploading settings. Enable or disable local logging. Local log level. Logs of lower priority are not recorded.

Allocated space (MB) for local logs. Action when local logs quota has been reached. Local logs rolling/uploading settings. Enable or disable sending local logs to a syslog server.

syslog-csv {enable | disable} Enable or disable CSV format for logs sent to the syslog server. syslog-filter {config | ipsec Syslog log type(s) selection. | login | none | system} syslog-ip <ip> syslog-level {alert | critical | debug | emergency | error | information | notification | warning} syslog-port <integer> Syslog IP address. Syslog log level. Logs of lower priority are not sent.

Syslog port number.

system

Page 74

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
The following commands enable local logging on the FortiAnalyzer unit. config log settings set local enable set local-settings custom set local-quota 100 set local-quota-full overwrite set local-level error end

config rolling-analyzer, rolling-local, and rolling-regular


Use the rolling-analyzer subcommand to configure the log rolling of the Network Analyzer logs. You must first set the analyzer-settings to custom so that you can view this subcommand. Use the rolling-local subcommand to configure the log rolling of the FortiAnalyzer unit local logs. You must first set the local-settings to custom so that you can view this subcommand. Use the rolling-regular subcommand to configure the log rolling of the device logs. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.

Syntax
config rolling-analyzer | rolling-local | rolling-regular set days {mon | tue | wed | thu | fri | sat | sun} set del-files {enable | disable} set directory <dir_str> set file-size <size_int> set gzip-format {enable | disable} set hour <hour_int> set ip <server_ipv4> set log-format {csv | native | text} set min <minute_int> set server_type {FTP | SCP | SFTP} set upload {enable | disable} set upload-hour <hour_int> set upload-trigger {on-roll | on-schedule} set username <user_str> set password <password_str> set when {daily | weekly | none} end

system

Page 75

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable days {mon | tue | wed | thu | fri | sat | sun}

Description Enter day of the week when the FortiAnalyzer rolls the traffic analyzer logs. This variable becomes available when setting the when variable to weekly.

del-files {enable | disable} Enable to delete the log files from the FortiAnalyzer hard disk one uploading is complete. directory <dir_str> Select a directory on the upload server where the FortiAnalyzer unit stores the uploaded logs. The maximum length is 128 characters. The maximum size of the current log file that the FortiAnalyzer unit saves to the disk. When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the current log file and starts a new active log file. When a log file reaches its maximum size, the FortiAnalyzer unit saves the log files with an incremental number, and starts a new log file with the same name. Default: 100 gzip-format {enable | disable} hour <hour_int> Enable to compress the log files using the gzip format. Default: disable Enter the hour of the day when the when the FortiAnalyzer rolls the traffic analyzer logs. Default: 0 ip <server_ipv4> Enter the servers IP address. Default: 0.0.0.0 log-format {csv | native | text} Format of the uploaded log files. Select from the following: csv: CSV (comma-separated value) format native: Native format (text or compact) text: Text format (convert if necessary) min <minute_int> Enter the minute when the FortiAnalyzer rolls the traffic analyzer logs. Default: 0 server_type {FTP | SCP | SFTP} upload {enable | disable} Select the type of upload server. Default: FTP Enable the FortiAnalyzer unit to upload the rolled log file to an FTP site. When selecting yes, use set host_ip and set port_int to define the FTP location. Default: disable

file-size <size_int>

system

Page 76

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable upload-hour <hour_int>

Description Enter the hour that you want to upload the log files. The default is zero. Enter the number, without minutes, in the 24-hour format (0-24). Default: 0

upload-trigger {on-roll | on-schedule}

Enter what type of trigger will upload log files. The trigger on-roll will upload log files whenever they roll. The trigger on-schedule will upload log files on a scheduled basis. Default: on-roll

username <user_str> password <password_str>

Enter the user name for the upload server. The maximum length is 36 characters. Enter the password for the upload server user name.

when {daily | weekly | none} Set the frequency of when the FortiAnalyzer unit saves the current log file and starts a new active log file. Select this option if you want to start new log files even if the maximum log file size has not been reached. For example, you want to roll a daily log on a FortiAnalyzer unit that does not see a lot of activity. Default: none

Example
The following sub-commands enables log rolling when log files are 100 MB. config log settings config rolling-analyzer set filesize 100 end end

system

Page 77

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

mail
Use this command to configure mail servers on your FortiAnalyzer unit.

Syntax
config system mail edit <server> set auth {enable | diasble} set passwd <passwd> set port <integer> set user <string> end Variable <server> auth {enable | diasble} passwd <passwd> port <integer> user <string> Description Enter the name of the mail server. Enable or disable authentication. Enter the SMTP account password value. Enter the SMTP server port. Enter the SMTP account user name.

system

Page 78

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

ntp
Use this command to configure automatic time setting using a network time protocol (NTP) server.

Syntax
config system ntp set status {enable | disable} set sync_interval <min_str> config ntpserver edit <id> set ntpv3 {disable | enable} set server {<ipv4> | <fqdn_str>} set authentication {disable | enable} set key <passwd> set key-id <integer> end end Variable status {enable | disable} Description Enable or disable NTP time setting. Default: disable sync_interval <min_str> Enter time, in minutes, how often the FortiAnalyzer unit synchronizes its time with the NTP server. Default: 60 Variable for config ntpserver subcommand: ntpv3 {disable | enable} Enable or disable NTPV3. Default: disable server {<ipv4> | <fqdn_str>} authentication {disable | enable} key <passwd> key-id <integer> Enter the IP address or fully qualified domain name of the NTP server. Enable or disable MD5 authentication. Default: disable The authentication key. The key ID for authentication. Default: 0

system

Page 79

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

password-policy
Use this command to configure access password policies.

Syntax
config system password-policy set status {disable | enable} set minimum-length <integer> set must-contain <lower-case-letter | non-alphanumeric | number | upper-case-letter> set change-4-characters {disable | enable} set expire <integer> end Variable Description

status {disable | enable} Enable or disable the password policy. Default: enable minimum-length <integer> Set the passwords minimum length. Must contain between 8 and 256 characters. Default: 8 must-contain <lower-case-letter | non-alphanumeric | number | upper-case-letter> Characters that a password must contain. lower-case-letter: The password must contain at least one lower case letter non-alphanumeric: The password must contain at least one non-alphanumeric characters number: The password must contain at least one number upper-case-letter: The password must contain at least one upper case letter. change-4-characters {disable | enable} Enable or disable changing at least 4 characters for a new password. Default: disable expire <integer> Set the number of days after which admin users' password will expire; 0 means never. Default: 0

Related topics
admin profile

system

Page 80

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

route
Use this command to view or configure static routing table entries on your FortiAnalyzer unit.

Syntax
config system route edit <seq_int> set device <port_str> set dst <dst_ipv4mask> set gateway <gateway_ipv4> end Variable <seq_int> device <port_str> dst <dst_ipv4mask> gateway <gateway_ipv4> Description Enter an unused routing sequence number to create a new route. Enter an existing route number to edit that route. Enter the port used for this route. Enter the IP address and mask for the destination network. Enter the default gateway IP address for this network.

route6
Use this command to view or configure static IPv6 routing table entries on your FortiAnalyzer unit.

Syntax
config system route6 edit <seq_int> set device <port_str> set dst <dst_ipv4mask> set gateway <gateway_ipv4> end Variable <seq_int> device <string> dst <IPv6 prefix> gateway <IPv6 addr> Description Enter an unused routing sequence number to create a new route. Enter an existing route number to edit that route. Enter the port used for this route. Enter the IP address and mask for the destination network. Enter the default gateway IP address for this network.

system

Page 81

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

snmp community
Use this command to configure SNMP communities on your FortiAnalyzer unit. You add SNMP communities so that SNMP managers, typically applications running on computers to monitor SNMP status information, can connect to the FortiAnalyzer unit (the SNMP agent) to view system information and receive SNMP traps. SNMP traps are triggered when system events happen such as when there is a system restart, or when the log disk is almost full. You can add up to three SNMP communities, and each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiAnalyzer unit for a different set of events. Hosts are the SNMP managers that make up this SNMP community. Host information includes the IP address and interface that connects it to the FortiAnalyzer unit. For more information on SNMP traps and variables see the FortiAnalyzer Administration Guide, or the Fortinet Knowledge Base online. Part of configuring an SNMP manager is to list it as a host in a community on the FortiAnalyzer unit that it will be monitoring. Otherwise that SNMP manager will not receive any traps or events from the FortiAnalyzer unit, and will be unable to query the FortiAnalyzer unit as well.

Syntax
config system snmp community edit <index_number> set events <events_list> set name <community_name> set query-v1-port <port_number> set query-v1-status {enable | disable} set query-v2c-port <port_number> set query-v2c-status {enable | disable} set status {enable | disable} set trap-v1-rport <port_number> set trap-v1-status {enable | disable} set trap-v2c-rport <port_number> set trap-v2c-status {enable | disable} config hosts edit <host_number> set interface <if_name> set ip <address_ipv4> end end

system

Page 82

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variables edit <index_number>

Description Enter the index number of the community in the SNMP communities table. Enter an unused index number to create a new SNMP community. Enable the events for which the FortiAnalyzer unit should send traps to the SNMP managers in this community. cpu_high: The CPU usage is too high. disk_low: The log disk is getting close to being full. intf_ip_chg: An interface IP address has changed. log-alert: Log based alert message. log-data-rate: High incoming log data rate detected. log-rate: High incoming log rate detected. mem_low: The available memory is low. sys_reboot: The FortiAnalyzer unit has rebooted. Default: All events enabled

events <events_list>

name <community_name>

Enter the name of the SNMP community. Names can be used to distinguish between the roles of the hosts in the groups. For example the Logging and Reporting group would be interested in the disk_low events, but likely not the other events. The name is included in SNMP v2c trap packets to the SNMP manager, and is also present in query packets from, the SNMP manager.

query-v1-port <port_number>

Enter the SNMP v1 query port number used when SNMP managers query the FortiAnalyzer unit. Default: 161

query-v1-status {enable | disable}

Enable or disable SNMP v1 queries for this SNMP community. Default: enable

query-v2c-port <port_number>

Enter the SNMP v2c query port number used when SNMP managers query the FortiAnalyzer unit. SNMP v2c queries will include the name of the community. Default: 161

query-v2c-status {enable | disable}

Enable or disable SNMP v2c queries for this SNMP community. Default: enable

status {enable | disable}

Enable or disable this SNMP community. Default: enable

system

Page 83

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variables trap-v1-rport <port_number>

Description Enter the SNMP v1 remote port number used for sending traps to the SNMP managers. Default: 162

trap-v1-status {enable | disable}

Enable or disable SNMP v1 traps for this SNMP community. Default: enable

trap-v2c-rport <port_number>

Enter the SNMP v2c remote port number used for sending traps to the SNMP managers. Default: 162

trap-v2c-status {enable | disable}

Enable or disable SNMP v2c traps for this SNMP community. SNMP v2c traps sent out to SNMP managers include the community name. Default: enable

hosts variables edit <host_number> interface <if_name> ip <address_ipv4> Enter the index number of the host in the table. Enter an unused index number to create a new host. Enter the name of the FortiAnalyzer unit that connects to the SNMP manager. Enter the IP address of the SNMP manager. Default: 0.0.0.0

Example
This example shows how to add a new SNMP community named SNMP_Com1. The default configuration can be used in most cases with only a few modifications. In the example below the community is added, given a name, and then because this community is for an SNMP manager that is SNMP v1 compatible, all v2c functionality is disabled. After the community is configured the SNMP manager, or host, is added. The SNMP manager IP address is 192.168.20.34 and it connects to the FortiAnalyzer unit internal interface. config system snmp community edit 1 set name SNMP_Com1 set query-v2c-status disable set trap-v2c-status disable config hosts edit 1 set interface internal set ip 192.168.10.34 end end

system

Page 84

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Related topics
snmp sysinfo snmp user

snmp sysinfo
Use this command to enable the FortiAnalyzer SNMP agent and to enter basic system information used by the SNMP agent. Enter information about the FortiAnalyzer unit to identify it. When your SNMP manager receives traps from the FortiAnalyzer unit, you will know which unit sent the information. Some SNMP traps indicate high CPU usage, log full, or low memory. For more information on SNMP traps and variables, see the Fortinet Technical Documentation, or the Fortinet Knowledge Base online.

Syntax
config system snmp sysinfo set contact-info <info_str> set description <description> set engine-id <string> set location <location> set status {enable | disable} set trap-high-cpu-threshold <percentage> set trap-low-memory-threshold <percentage> end Variable contact-info <info_str> Description Add the contact information for the person responsible for this FortiAnalyzer unit. The contact information can be up to 35 characters long.

description <description> Add a name or description of the FortiAnalyzer unit. The description can be up to 35 characters long. engine-id <string> location <location> Local SNMP engine ID string (maximum 24 characters). Describe the physical location of the FortiAnalyzer unit. The system location description can be up to 35 characters long.

status {enable | disable} Enable or disable the FortiAnalyzer SNMP agent. Default: disable trap-high-cpu-threshold <percentage> CPU usage when trap is set. Default: 80

trap-low-memory-threshold Memory usage when trap is set. <percentage> Default: 80

system

Page 85

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
This example shows how to enable the FortiAnalyzer SNMP agent and add basic SNMP information. config system snmp sysinfo set status enable set contact-info 'System Admin ext 245' set description 'Internal network unit' set location 'Server Room A121' end

Related topics
snmp community snmp user

snmp user
Use this command to configure SNMP users on your FortiAnalyzer unit. For more information on SNMP traps and variables, see the Fortinet Technical Documentation, or the Fortinet Knowledge Base online.

Syntax
config system snmp user edit <name> set auth-proto {md5 | sha} set auth-pwd <passwd> set events <events_list> set notify-hosts <ip> set priv-proto {aes | des} set priv-pwd <passwd> set queries {enable | disable} set query-port <port_number> set security-level {auth-no-priv | auth-priv | no-auth-no-priv} end end Variable auth-proto {md5 | sha} Description Authentication protocol. The security level must be set to auth-no-priv or auth-priv to use this variable. Select one of the following: md5: HMAC-MD5-96 authentication protocol sha: HMAC-SHA-96 authentication protocol Default: sha auth-pwd <passwd> Password for the authentication protocol. The security level must be set to auth-no-priv or auth-priv to use this variable.

system

Page 86

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable events <events_list>

Description Enable the events for which the FortiAnalyzer unit should send traps to the SNMP managers in this community. cpu_high: The CPU usage is too high. disk_low: The log disk is getting close to being full. intf_ip_chg: An interface IP address has changed. log-alert: Log based alert message. log-data-rate: High incoming log data rate detected. log-rate: High incoming log rate detected. mem_low: The available memory is low. sys_reboot: The FortiAnalyzer unit has rebooted. Default: All events enabled.

notify-hosts <ip> priv-proto {aes | des}

Hosts to send notifications (traps) to. Privacy (encryption) protocol. The security level must be set to auth-no-priv or auth-priv to use this variable. Select one of the following: aes: CFB128-AES-128 symmetric encryption protocol des: CBC-DES symmetric encryption protocol Default: aes

priv-pwd <passwd>

Password for the privacy (encryption) protocol. The security level must be set to auth-no-priv or auth-priv to use this variable.

queries {enable | disable} Enable or disable queries for this user. Default: enable query-port <port_number> SNMPv3 query port. Default: 161 security-level {auth-no-priv | auth-priv | no-auth-no-priv} Security level for message authentication and encryption. Select one of the following: auth-no-priv: Message with authentication but no privacy (encryption) auth-priv: Message with authentication and privacy (encryption) no-auth-no-priv: Message with no authentication and no privacy (encryption). Default: no-auth-no-priv

system

Page 87

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

sql
Syntax
config system sql set auto-table-upgrade {enable | disable} set database-name <string> set database-type <mysql> set logtype {none | app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | webfilter | netscan} set prompt-sql-upgrade {enable | disable} set password <passwd> set reset {enable | disable} set server <string> set start-time <hh>:<mm> <yyyy>/<mm>/<dd> set status {disable | local | remote} set username <string> end Variable Description

auto-table-upgrade Upgrade log tables if applicable at start time. {enable | disable} database-name <string> Remote SQL database name. The maximum length is 64 characters. Command only available when status is set to remote. Database type. Command only available when status is set to local or remote. Log type. Command only available when status is set to local or remote.

database-type <mysql> logtype {none | app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | webfilter | netscan} password <passwd>

The password that the Fortinet unit will use to authenticate with the remote database. Command only available when status is set to remote.

prompt-sql-upgrade Prompt to convert log database into SQL database at start {enable | disable} time on GUI. reset {enable | disable} server <string> This command is hidden. The IP address or host name of the remote database server. The maximum length is 64 characters. Command only available when status is set to remote.

system

Page 88

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable start-time <hh>:<mm> <yyyy>/<mm>/<dd> status {disable | local | remote} username <string>

Description Start date and time <hh:mm yyyy/mm/dd>. Command only available when status is set to local or remote. SQL database status. The user name that the Fortinet unit will use to authenticate with the remote database. The maximum length is 64 characters. Command only available when status is set to remote.

syslog
Use this command to configure Syslog servers.

Syntax
config system syslog edit <name> set ip <string> set port <integer> end end Variable <name> ip <string> port <integer> Description Syslog server name. Syslog server IP address or hostname. Syslog server port.

system

Page 89

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

execute
1. execute
The execute commands perform immediate operations on the FortiAnalyzer unit. You can: Back up and restore the system settings, or reset the unit to factory settings. Set the unit date and time. Use ping to diagnose network problems. View the processes running on the FortiAnalyzer unit. Start and stop the FortiAnalyzer unit. Reset or shut down the FortiAnalyzer unit. This chapter contains following sections: add-vm-license backup bootimage certificate console date device devicelog factory-license fgfm format log device disk_quota log-aggregation lvm ping ping6 raid reboot remove reset reset-sqllog-transfer restore shutdown sql-local sql-query-dataset sql-query-generic sql-report run ssh time top traceroute traceroute6

add-vm-license
Add a VM license to the FortiAnalyzer.

Syntax
execute add-vm-license <vm license>

This command is only available on FortiAnalyzer VM.

execute

Page 90

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

backup
backup all-settings
Backup the FortiAnalyzer unit settings. When you back up the unit settings from the vdom_admin account, the backup file contains global settings and the settings for each VDOM. When you back up the unit settings from a regular administrator account, the backup file contains the global settings and only the settings for the VDOM to which the administrator belongs.

Syntax
execute backup all-settings ftp <ip> <string> <user> <password> <crptpasswd> execute backup all-settings scp <ip> <string> <user> <password> <crptpasswd> Variables <ip> <string> <user> <password> <crptpasswd> Description Enter FTP server IP address. Enter the file name for the backup and if required, enter the path to where the file will be backed up to on the backup server. Enter username to use to log on the backup server. Enter the password for the username on the backup server. Enter an encryption key (password) to encrypt data. (optional)

Related topics
restore

backup logs
Backup device logs to a specified server.

Syntax
execute backup logs <device name(s)| all> <service> <ip> <user name> <password> <directory> Variables <device name(s)| all> <service> <ip> <user name> Description Device name(s) separated by commas, or all for all devices. Transfer protocol. One of FTP, SFTP, or SCP. The server IP address Username on the server

execute

Page 91

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variables <password> <directory>

Description The password, or '-' for none. The directory on the server, or press <Enter> for none.

backup logs-only
Backup device logs only to a specified server.

Syntax
execute backup logs-only <device name(s)> <service> <ip> <user name> <password> <directory> Variables <device name(s)> <service> <ip> <user name> <password> <directory> Description Device name(s) separated by commas, or all for all devices. Transfer protocol. One of FTP, SFTP, or SCP. The server IP address Username on the server The password, or '-' for none. The directory on the server, or press <Enter> for none.

backup reports
Backup reports to a specified server.

Syntax
execute backup reports <report schedule name(s)>/<report name pattern> <service> <ip> <user name> <password> <directory> Variables <report schedule name(s)> <report name pattern> Description The report name(s) separated by commas, or all for all reports. Backup reports with names containing given pattern. A '?' matches any single character. A '*' matches any string, including the empty string, e.g.: foo: for exact match *foo: for report names ending with foo foo*: for report names starting with foo *foo*: for report names containing foo substring

execute

Page 92

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variables <service>

Description Transfer protocol. One of: ftp, sftp, scp.

<ip> <user name> <password> <directory>

The server IP address Username on the server The password, or '-' for none. The directory on the server, or press <Enter> for none.

backup reports-config
Backup the report configuration to a specified server.

Syntax
execute backup <reports-config> {<adom_name> | all]} <service> <ip> <user name> <password> <directory> Variables <reports-config> {<adom_name> | all]} <service> Description Backup report configuration to a specified server. Select to backup a specific ADOM or all ADOMs. Transfer protocol. One of: ftp, sftp, scp. <ip> <user name> <password> <directory> The server IP address Username on the server The password, or '-' for none. The directory on the server, or press <Enter> for none.

execute

Page 93

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

bootimage
Set the image from which the FortiAnalyzer unit will boot the next time it is restarted.

Syntax
execute bootimage {primary | secondary} If you do not specify primary or secondary, the command will report whether it last booted from the primary or secondary boot image. If your FortiAnalyzer unit does not have a secondary image, the bootimage command will inform you that option is not available. To reboot your FortiAnalyzer unit, use: execute reboot

Related topics
reboot

certificate
certificate ca
Use these commands to list CA certificates, and to import or export CA certificates.

Syntax
To list the CA certificates installed on the FortiAnalyzer unit: execute certificate ca list To export or import CA certificates: execute certificate ca {<export>|<import>} <cert_name> <tftp_ip> Variables <export> <import> list <cert_name> <tftp_ip> Description Export CA certificate to TFTP server. Import CA certificate from a TFTP server. Generate a list of CA certificates on the FortiAnalyzer system. Name of the certificate. IP address of the TFTP server.

execute

Page 94

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

certificate local
Use these commands to list, import, export, and generate local certificates.

Syntax
To list the local certificates installed on the FortiAnalyzer unit: execute certificate local list To export or import local certificates: execute certificate local {<export>|<import>} <cert_name> <tftp_ip> To generate local certificates: execute certificate local generate <certificate-name_str> <key_size> <subject> <country> <state> <city> <org> <unit> <email> Variables <export> <import> list generate <cert_name> <tftp_ip> Description Export CA certificate to TFTP server. Import CA certificate from a TFTP server. Generate a list of CA certificates on the FortiAnalyzer system. Generate a certificate request. Name of the certificate. IP address of the TFTP server.

<certificate-name_ Enter a name for the certificate. The name can contain numbers str> (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. <key_size> <subject> Enter 512, 1024, 1536 or 2048 for the size in bits of the encryption key. Enter one of the following pieces of information to identify the FortiAnalyzer unit being certified: the FortiAnalyzer unit IP address the fully qualified domain name of the FortiAnalyzer unit an email address that identifies the FortiAnalyzer unit An IP address or domain name is preferable to an email address. <country> <state> <city> <org> Enter the country name, country code, or null for none. Enter the name of the state or province where the FortiAnalyzer unit is located. Enter the name of the city, or town, where the person or organization certifying the FortiAnalyzer unit resides. Enter the name of the organization that is requesting the certificate for the FortiAnalyzer unit.

execute

Page 95

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

<unit>

Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiAnalyzer unit. Enter a contact e-mail address for the FortiAnalyzer unit.

<email>

console
console baudrate
Use this command to get or set the console baudrate.

Syntax
execute console baudrate [9600 | 19200 | 38400 | 57600 | 115200] If you do not specify a baudrate, the command returns the current baudrate. Setting the baudrate will disconnect your console session.

Example
Get the baudrate: execute console baudrate The response is displayed: current baud rate is: 115200 Set the baudrate to 9600: execute console baudrate 9600

date
Get or set the FortiAnalyzer system date.

Syntax
execute date [<date_str>] date_str has the form mm/dd/yyyy, where mm is the month and can be 1 to 12 dd is the day of the month and can be 1 to 31 yyyy is the year and can be 2001 to 2037 If you do not specify a date, the command returns the current system date. Dates entered will be validated - mm and dd require one or two digits, and yyyy requires four digits. Entering fewer digits will result in an error.

Example
This example sets the date to 29 September 2013: execute date 9/29/2013

execute

Page 96

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

device
Use this command to change a devices serial number when changing devices due to a hardware issue, or to change a devices password.

Syntax
To replace a devices password: execute device replace pw <name> <pw> To change a devices serial number: execute device replace sn <name> <SN> Variables pw sn <name> <pw> <SN> Description Replace the device password. Replace the device serial number. The name of the device. The new password for the new device. The new serial number for the new device.

devicelog
devicelog clear
Use this command to clear a device log.

Syntax
execute devicelog clear <device> Variables <device> Description The serial number of the device.

factory-license
Use this command to enter a factory license key. This command is hidden.

Syntax
execute factory-license <key> Variables <key> Description Enter the factory license key.

execute

Page 97

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

fgfm
fgfm reclaim-dev-tunnel
Use this command to reclaim a management tunnel.

Syntax
execute fgfm reclaim-dev-tunnel <devicename> end Variables <devicename> Description Enter the device name. (optional)

format
Format the hard disk on the FortiAnalyzer system. If RAID is configured, change the variable disk-ext4 with <Raid Level>.

Syntax
execute format {disk | disk-ext4} <Raid Level> When you run this command, you will be prompted to confirm the request.

Executing this command will erase all device settings/images, VPN & Update Manager databases, and log data on the FortiAnalyzer systems hard drive. FortiAnalyzers IP address, and routing information will be preserved.

Variables {disk | disk-ext4} <Raid Level>

Description Format the hard disk or the ext4 hard disk. Raid level to which to format the disk.

Related topics
restore

execute

Page 98

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

log device disk_quota


Set the log device disk quota.

Syntax
execute log device disk_quota <device_id><value> Variables <device_id> <value> Description The log device ID, or select All for all devices. Enter the disk quota value in MB.

Example
The following example sets all log device disk quota values to 200MB. FAZ1000C # execute log device disk_quota All 200 This will set all devices' disk quota to 200(MB). Do you want to continue? (y/n)y Successfully set FG600C3912800438 disk quota to 200 Successfully set FG600C3912800830 disk quota to 200 Successfully set FGT20C1241584MDL disk quota to 200 Successfully set FWF40C3911000061 disk quota to 200 Successfully set FE-1002410201202 disk quota to 200 Successfully set FGT1001111111111 disk quota to 200 Successfully set FGT1001111111112 disk quota to 200 Successfully set FG100A2104400006 disk quota to 200 Successfully set FG100D3G12809721 disk quota to 200 Successfully set FG100D3G12811597 disk quota to 200

(MB). (MB). (MB). (MB). (MB). (MB). (MB). (MB). (MB). (MB).

log-aggregation
Immediately upload the log to the server.

Syntax
execute log-aggregation

execute

Page 99

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

lvm
With Logical Volume Manager (LVM), a FortiAnalyzer-VM device can have up to eight total log disks added to an instance. More space can be added by adding another disk and running the LVM extend command.

Syntax
execute lvm extend execute lvm info execute lvm start Variables extend info start Description Extend the LVM logical volume. Get system LVM information. Start using LVM.

Example
View LVM information: execute lvm info disk01 In use disk02 Not present disk03 Not present disk04 Not present disk05 Not present disk06 Not present disk07 Not present disk08 Not present 80.0(GB)

ping
Send an ICMP echo request (ping) to test the network connection between the FortiAnalyzer system and another network device.

Syntax
execute ping {<ip> | <hostname>} Variables <ip> <hostname> Description IP address of network device to contact. DNS resolvable hostname of network device to contact.

Example
This example shows how to ping a host with the IP address 192.168.1.23: execute ping 192.168.1.23

execute

Page 100

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Related topics
traceroute

ping6
Send an ICMP echo request (ping) to test the network connection between the FortiAnalyzer system and another network device.

Syntax
execute ping6 {<ip> | <hostname>} Variables <ip> <hostname> Description IPv6 address of network device to contact. DNS resolvable hostname of network device to contact.

Example
This example shows how to ping a host with the IP address 8001:0DB8:AC10:FE01:0:0:0:0: execute ping6 8001:0DB8:AC10:FE01:0:0:0:0:

Related topics
traceroute

raid
This command allows you to add, and delete RAID disks, and rebuild the ECC table.

Syntax
execute raid add-disk <disk index> execute raid delete-disk <disk index> execute raid rebuild-ecc {enable | disable} Variables add-disk <disk index> delete-disk <disk index> rebuild-ecc {enable | disable} Description Enables you to add a disk and giving it a number. Enables you to delete the selected disk. Enables you to build the ECC table.

Example
The following example shows that disk 5 is added, disk 2 is deleted and rebuild-ecc is enabled. execute raid add-disk 5 execute raid delete-disk 2 execute raid rebuild-ecc enable end
execute Page 101 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

reboot
Restart the FortiAnalyzer system. This command will disconnect all sessions on the FortiAnalyzer system.

Syntax
execute reboot The system will be rebooted. Do you want to continue? (y/n)

Related topics
reset restore shutdown

remove
Use this command to remove all reports from the FortiAnalyzer system.

Syntax
execute remove reports

reset
Use this command to reset the FortiAnalyzer unit to factory defaults. This command will disconnect all sessions and restart the FortiAnalyzer unit.

Syntax
execute reset all-settings

Example
execute reset all-settings This operation will reset all settings to factory defaults Do you want to continue? (y/n)

reset-sqllog-transfer
Use this command to reset SQL logs to the database.

Syntax
execute reset-sqllog-transfer <enter>

execute

Page 102

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
execute reset-sqllog-transfer WARNING: This operation will re-transfer all logs into database. Do you want to continue? (y/n)

restore
Use this command to: restore the configuration or database from a file change the FortiAnalyzer unit image Restore device logs, DLP archives, and reports from specified servers. This command will disconnect all sessions and restart the FortiAnalyzer unit.

restore all-settings
Syntax
execute restore all-settings ftp <ip> <string> <username> <password> <crptpasswd> [option1+option2+...] execute restore all-settings scp <ip> <string> <username> <ssh-cert> <crptpasswd> [option1+option2+...] Variables all-settings Description Restore all FortiAnalyzer settings from a file on a TFTP server. The new settings replace the existing settings, including administrator accounts and passwords. IP address of the server to get the file from. The file to get from the server. You can enter a path with the filename, if required. The username to log on to the SCP server. This option is not available for restore operations from FTP servers. The password for username on the FTP server. This option is not available for restore operations from TFTP servers. The SSH certificate used for user authentication on the SCP server. This option is not available for restore operations from FTP servers. Password to protect backup content. Use any for no password.(optional) Select whether to keep IP, and routing info on the original unit.

<ip> <string> <username> <password> <ssh-cert>

<crptpasswd> [option1+option2+...]

Example
This example shows how to upload a configuration file from a FTP server to the FortiAnalyzer unit. The name of the configuration file on the FTP server is backupconfig. The IP address of

execute

Page 103

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

the FTP server is 192.168.1.23. The user is admin with a password of mypassword. The configuration file is located in the /usr/local/backups/ directory on the TFTP server. execute restore all-settings FTP 192.168.1.23 /usr/local/backups/backupconfig admin mypassword

restore image
Use this command to restore an image to the FortiAnalyzer.

Syntax
execute restore image ftp <filepath> <ip> <username> <password> execute restore image tftp <string> <ip> Variables image Description Upload a firmware image from a TFTP server to the FortiAnalyzer unit. The FortiAnalyzer unit reboots, loading the new firmware. The file path on the FTP server. The image file name on the TFPT server. IP address of the server to get the file from. The username to log on to the SCP server. This option is not available for restore operations from FTP servers. The password for username on the FTP server. This option is not available for restore operations from TFTP servers.

<filepath> <string> <ip> <username> <password>

restore {logs | logs-only}


Use this command to restore logs and DLP archives from a specified server.

Syntax
execute restore <password> execute restore <password> Variables logs logs-only <device name> <service> <ip> logs <device name> <service> <ip> <user name> <directory> logs-only <device name> <service> <ip> <user name> <directory> Description Restore device logs and DLP archives from a specified server. Restore device logs from a specified server. Device name or names, separated by commas, or all for all devices. Transfer protocol. One of FTP, SFTP, or SCP. IP address of the server to get the file from.

execute

Page 104

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variables <user name> <password> <directory>

Description The username to log on to the SCP server. This option is not available for restore operations from FTP servers. The password for username on the FTP server. This option is not available for restore operations from TFTP servers. Directory on the server.

restore reports
Use this command to restore reports from a specified server.

Syntax
execute restore reports {<report name> | all | <report name pattern} <service> <ip> <user name> <password> <directory> Variables reports Description Restore reports from a specified server.

{<report name> | all | Backup specific reports, all reports, or reports with names <report name patt containing given pattern. ern} A '?' matches any single character. A '*' matches any string, including the empty string, e.g.: foo: for exact match *foo: for report names ending with foo foo*: for report names starting with foo *foo*: for report names containing foo substring <service> <ip> <user name> <password> <directory> Transfer protocol. One of FTP, SFTP, or SCP. IP address of the server to get the file from. The username to log on to the SCP server. This option is not available for restore operations from FTP servers. The password for username on the FTP server. This option is not available for restore operations from TFTP servers. Directory on the server.

restore reports-config
Use this command to restore a report configuration from a specified server.

execute

Page 105

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Syntax
execute restore <reports-config> {<adom_name> | all]} <service> <ip> <user name> <password> <directory> Variables <reports-config> {<adom_name> | all]} <service> Description Backup report configuration to a specified server. Select to backup a specific ADOM or all ADOMs. Transfer protocol. One of: ftp, sftp, scp. <ip> <user name> <password> <directory> Example Note: This command restores all reports config from a specified server which were backed up previously. All reports schedule will be cleared after restoration! Do you want to continue? (y/n) The server IP address Username on the server The password, or '-' for none. The directory on the server, or press <Enter> for none.

shutdown
Shut down the FortiAnalyzer system. This command will disconnect all sessions.

Syntax
execute shutdown

Example
execute shutdown The system will be halted. Do you want to continue? (y/n)

sql-local
Use this command to remove the SQL database and logs from the FortiAnalyzer system.

sql-local remove-db
Use this command to remove an entire local SQL database.

execute

Page 106

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Syntax
execute sql-local remove-db

sql-local remove-device
Use this command to remove all log entries of the designated device.

Syntax
execute sql-local remove-device <Device ID> Variables <Device ID> Description Enter the device ID. Example: FWF40C3911000061

Example
This example removes all logs of device FG5A253E07600124 from the local SQL database: execute sql-local remove-device FG5A253E07600124

sql-local remove-logs
Use this command to remove SQL logs within a time period.

Syntax
execute sql-local remove-logs <Device ID> Variables <Device ID> Description Enter the device ID. Example: FWF40C3911000061

sql-local remove-logtype
Use this command to remove all log entries of the designated log type.

Syntax
execute sql-local remove-logtype <log type> Variables <log type> Description Enter the log type from available log types. Example: app-ctrl

Example
execute sql-local remove-logtype app-ctrl All SQL logs with log type 'app-ctrl' will be erased! Do you want to continue? (y/n)

execute

Page 107

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

sql-query-dataset
Use this command to execute a SQL dataset against the FortiAnalyzer system.

Syntax
execute sql-query-dataset <dataset-name> <device/group name> <faz/dev> <start-time> <end-time> Variables <dataset-name> <device/group name> <faz/dev> <start-time> <end-time> Description Enter the dataset name. Enter the name of the device or device group. Enter the name of the FortiAnalyzer. Enter the log start time. Enter the log end time.

Example
execute sql-query-dataset Top-App-By-Bandwidth

sql-query-generic
Use this command to execute a SQL statement against the FortiAnalyzer system.

Syntax
execute sql-query-generic <string> Variables <string> Description Enter the SQL statement to run.

sql-report run
Use this command to run a SQL report schedule once against the FortiAnalyzer system.

Syntax
execute sql-report run <schedule-name> Variables <schedule-name> <adom> Description Select one of the available SQL report schedule names. Specify the ADOM name.

execute

Page 108

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
The following command runs a specific report (6) against an ADOM (Test). execute sql-report run 6 Test Number of threads is invalid or exceeds the limit (6), use default value (2). layout_num:1 start [0] get layout-id:6. start report_process, layout-id:6, layout title:Doc. device list:All_FortiGates. reports num:1. device list[0].FGT20C1241584MDL[root]. device list[1].FWF40C3911000061[root]. device list[2].FG100D3G12809721[root]. device list[3].FG100D3G12809721[vdom1]. device list[4].FG100D3G12811597[root]. device list[5].FG100D3G12811597[vdom1]. > running (D-6_t6-2013-03-11-1141) ... > rendering (D-6_t6-2013-03-11-1141) (en) ... sql_rpt_render_dir : start pdfv2_rpt_init:774 ---------PDF report init.----Language: en--------set_msg_lvl:108 current pdfv2 message level: 1 pdfv2_rpt_page_begin:999 info: create new page 0 pdfv2_rpt_page_begin:999 info: create new page 1 pdfv2_rpt_page_begin:999 info: create new page 2 pdfv2_rpt_section:1254 info: create outline (Appendix A) level 1 pdfv2_rpt_page_begin:999 info: create new page 3 pdfv2_rpt_page_begin:999 info: create new page 4 pdfv2_rpt_section:1254 info: create outline (Appendix B) level 1 pdfv2_rpt_clean:683 Saved PDF report to /Storage/Reports/ADOMs/root/2013_03_11/D-6_t6-2013-03-11-1141 /FortiAnalyzer_Report.pdf Report [D-6_t6-2013-03-11-1141] finished at Mon (1) 2013-03-11 11:41:24.

ssh
Use this command to establish an SSH session with another system.

Syntax
execute ssh <destination> <username> Variables <destination> <username> Description Enter the IP or FQ DNS resolvable hostname of the system you are connecting to. Enter the user name to use to log on to the remote system.

execute

Page 109

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

To leave the SSH session type exit. To confirm you are connected or disconnected from the SSH session, verify that the command prompt has changed.

time
Get or set the system time.

Syntax
execute time [<time_str>] time_str has the form hh:mm:ss, where hh is the hour and can be 00 to 23 mm is the minutes and can be 00 to 59 ss is the seconds and can be 00 to 59 All parts of the time are required. Single digits are allowed for each of hh, mm, and ss. If you do not specify a time, the command returns the current system time. execute time <enter> current time is: 12:54:22

Example
This example sets the system time to 15:31:03: execute time 15:31:03

top
Use this command to view the processes running on the FortiAnalyzer system.

Syntax
execute top

execute top help menu


Command Z,B l,t,m 1,I f,o F or O <,> R,H
execute

Description Global: 'Z' change color mappings; 'B' disable/enable bold Toggle Summaries: 'l' load average; 't' task/cpu statistics; 'm' memory information Toggle SMP view: '1' single/separate states; 'I' Irix/Solaris mode Fields/Columns: 'f' add or remove; 'o' change display order Select sort field Move sort field: '<' next column left; '>' next column right Toggle: 'R' normal/reverse sort; 'H' show threads
Page 110 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

c,i,S x,y z,b u n or # k,r d or s W q

Toggle: 'c' command name/line; 'i' idle tasks; 'S' cumulative time Toggle highlights: 'x' sort field; 'y' running tasks Toggle: 'z' color/mono; 'b' bold/reverse (only if 'x' or 'y') Show specific user only Set maximum tasks displayed Manipulate tasks: 'k' kill; 'r' renice Set update interval Write configuration file Quit

Example
The execute top command displays the following information: top_bin - 13:14:18 up 21:17, 0 users, load average: 0.02, 0.05, 0.05 Tasks: 152 total, 1 running, 151 sleeping, 0 stopped, 0 zombie Cpu(s): 0.8%us, 0.2%sy, 0.0%ni, 99.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st Mem: 3080612k total, 1478800k used, 1601812k free, 95016k buffers Swap: 2076536k total, 0k used, 2076536k free, 782268k cached H PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 3943 root 20 0 210m 181m 11m S 0 6.0 0:43.42 gui control 4022 root 20 0 11072 4504 1972 S 0 0.1 1:30.95 udm_statd 1 root 20 0 194m 167m 5104 S 0 5.6 0:14.69 initXXXXXXXXXXX 2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd 3 root 20 0 0 0 0 S 0 0.0 0:00.13 ksoftirqd/0 4 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/0:0 6 root RT 0 0 0 0 S 0 0.0 0:00.01 migration/0 7 root RT 0 0 0 0 S 0 0.0 0:00.03 migration/1 8 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/1:0 9 root 20 0 0 0 0 S 0 0.0 0:00.13 ksoftirqd/1 10 root 20 0 0 0 0 S 0 0.0 0:02.80 kworker/0:1 11 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/2 12 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/2:0 13 root 20 0 0 0 0 S 0 0.0 0:00.08 ksoftirqd/2 14 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/3 15 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/3:0

execute

Page 111

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

traceroute
Test the connection between the FortiAnalyzer system and another network device, and display information about the network hops between the device and the FortiAnalyzer system.

Syntax
execute traceroute <host> Variables <host> Description IP address or hostname of network device.

Example
This example shows how trace the route to a host with the IP address 172.18.4.95: execute traceroute 172.18.4.95 traceroute to 172.18.4.95 (172.18.4.95), 32 hops max, 72 byte packets 1 172.18.4.95 0 ms 0 ms 0 ms 2 172.18.4.95 0 ms 0 ms 0 ms

traceroute6
Test the connection between the FortiAnalyzer system and another network device, and display information about the network hops between the device and the FortiAnalyzer system.

Syntax
execute traceroute6 <host> Variables <host> Description IPv6 address or hostname of network device.

Example
This example shows how trace the route to a host with the IPv6 address 8001:0DB8:AC10:FE01:0:0:0:0: execute traceroute6 8001:0DB8:AC10:FE01:0:0:0:0

execute

Page 112

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

diagnose
2. diagnose
cdb check debug application debug cli debug console debug crashlog debug disable debug dpm debug enable debug info debug service debug sysinfo debug sysinfo-log debug sysinfo-log-backup debug sysinfo-log-list debug timestamp debug vminfo dlp-archives quar-cache dlp-archives rebuild-quar-db dlp-archives statistics dlp-archives status The diagnose commands display diagnostic information that help you to troubleshoot problems. This chapter describes the following diagnose commands: dvm adom dvm chassis dvm check-integrity dvm debug dvm device dvm device-tree-update dvm group dvm lock dvm proc dvm supported-platforms dvm task dvm transaction-flag fgfm fmnetwork arp fmnetwork interface fmnetwork netstat fortilogd hardware log device sniffer sql system admin-session system disk system export system flash system fsck system ntp system print system process system raid system route system route6 system server test application test policy-check test search test sftp upload clear upload force-retry upload status

diagnose

Page 113

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

cdb check
Use this command to check the object configuration database integrity and the global policy assignment table.

Syntax
diagnose cdb check objcfg-integrity diagnose cdb check policy-assignment Variable objcfg-integrity policy-assignment Description Check object config database integrity. Check the global policy assignment table.

Example
This example shows the output for diagnose cdb check objcfg-integrity: Checking object config database ... correct This example shows the output for diagnose cdb check policy-assignment: Checking global policy assignment ... correct

debug application
Use this command to set the debug levels for the FortiAnalyzer applications.

Syntax
diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose
diagnose

debug debug debug debug debug debug debug debug debug debug debug debug debug debug debug debug debug debug debug debug debug

application application application application application application application application application application application application application application application application application application application application application

alertmail <Integer> ddmd <Integer> depmanager <Integer> dmapi <Integer> fazcfgd <Integer> fazsvcd <Integer> fgdsvr <Integer> fgdupd <Integer> fgfmsd <Integer> fnbam <Integer> fortilogd <Integer> fortimanagerws <Integer> gui <Integer> ike <Integer> localmod <Integer> log-aggregate <Integer> logd <Integer> logfiled <Integer> lrm <Integer> ntpd <Integer> oftpd <Integer>
FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Page 114

diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose Variable

debug debug debug debug debug debug debug debug debug debug debug debug

application application application application application application application application application application application application

ptmgr <Integer> ptsessionmgr <Integer> securityconsole <Integer> snmpd <Integer> sql_dashboard_rpt <Integer> sql-integration <Integer> sqlplugind <Integer> sqlrptcached <Integer> srchd <Integer> ssh <Integer> storaged <Integer> uploadd <Integer> Description Set the debug level of the alert email daemon. Default: 0

alertmail <Integer>

ddmd <Integer>

Set the debug level of the dynamic data monster. Default: 0

depmanager <Integer>

Set the debug level of the deployment manager. Default: 0

dmapi <Integer>

Set the debug level of the dmapi daemon. Default: 0

fazcfgd <Integer>

Set the debug level of the fazcfgd daemon. Default: 0

fazsvcd <Integer>

Set the debug level of the fazsvcd daemon. Default: 0

fgdsvr <Integer>

Set the debug level of the FortiGuard query daemon. Default: 0

fgdupd <Integer>

Set the debug level of the FortiGuard update daemon. Default: 0

fgfmsd <Integer>

Set the debug level of FGFM daemon. Default: 0

fnbam <Integer>

Set the debug level of the Fortinet authentication module. Default: 0

fortilogd <Integer>

Set the debug level of the fortilogd daemon. Default: 0

diagnose

Page 115

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable fortimanagerws <Integer>

Description Set the debug level of the FortiAnalyzer Web Service. Default: 0

gui <Integer>

Set the debug level of the Web-based Manager. Default: 0

ike <Integer>

Set the debug level of the IKE daemon. Default: 0

localmod <Integer>

Set the debug level of the localmod daemon. Default: 0

log-aggregate <Integer>

Set the debug level of the log aggregate daemon. Default: 0

logd <Integer>

Set the debug level of the log daemon. Default: 0

logfiled <Integer>

Set the debug level of the logfilled daemon. Default: 0

lrm <Integer>

Set the debug level of the Log and Report Manager. Default: 0

ntpd <Integer>

Set the debug level of the Network Time Protocol (NTP) daemon. Default: 0

oftpd <Integer>

Set the debug level of the oftpd daemon. Default: 0

ptmgr <Integer>

Set the debug level of the Portal Manager. Default: 0

ptsessionmgr <Integer>

Set the debug level of the Portal Session Manager. Default: 0

securityconsole <Integer>

Set the debug level of the security console daemon. Default: 0

snmpd <Integer>

Set the debug level of the SNMP daemon from 0-8. Default: 0

sql_dashboard_rpt <Integer>

Set the debug level of the SQL dashboard report daemon. Default: 0

diagnose

Page 116

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable sql-integration <Integer>

Description Set the debug level of SQL applications. Default: 0

sqlplugind <Integer>

Set the debug level of the SQL plugin daemon. Default: 0

sqlrptcached <Integer>

Set the debug level of the SQL report caching daemon. Default: 0

srchd <Integer>

Set the debug level of the SRCHD. Default: 0

ssh <Integer>

Set the debug level of SSH protocol transactions. Default: 0

storaged <Integer>

Set the debug level of communication with java clients. Default: 0

uploadd <Integer>

Set the debug level of the upload daemon. Default: 0

Example
This example shows how to set the debug level to 7 for the upload daemon: diagnose debug application uploadd 7

debug cli
Use this command to set the debug level of CLI.

Syntax
diagnose debug cli <Integer> Variable <Integer> Description Set the debug level of the CLI from 0-8. Default: 3

Example
This example shows how to set the CLI debug level to 5: diagnose debug cli 5

debug console
Use this command to enable or disable console debugging.

diagnose

Page 117

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Syntax
diagnose debug console {enable | disable} Variable {enable | disable} Description enable or disable console debugging.

debug crashlog
Use this command to manage crash logs.

Syntax
diagnose debug crashlog clear Variable clear Description Delete backtrace and core files.

debug disable
Use this command to disable debug.

Syntax
diagnose debug disable

debug dpm
Use this command to manage the deployment manager.

Syntax
diagnose debug dpm comm-trace {enable | diable | status} diagnose debug dpm conf-trace {enable | diable | status} diagnose debug dpm probe-device <ip> Variable comm-trace {enable | diable | status} conf-trace {enable | diable | status} probe-device <ip> Description Enable a DPM to FortiGate communication trace. Enable a DPM to FortiGate configuration trace. Check device status.

Example
This example shows how to enable a communication trace between the DPM and a FortiGate: diagnose debug dpm comm-trace enable
diagnose Page 118 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

This example show how to check the status of the DPM to FortiGate communication trace: diagnose debug dpm comm-trace status current level is disabled

debug enable
Use this command to enable debug.

Syntax
diagnose debug enable

debug info
Use this command to show active debug level settings.

Syntax
diagnose debug info

Example
This is an example of the output from diagnose debug info: terminal session debug output:enable console debug output:enable debug timestamps: disable cli debug level:5 fgfmsd debug filter:disable uploadd debug level:1

debug service
Use this command to debug service daemons.

Syntax
diagnose diagnose diagnose diagnose diagnose daignose debug debug debug debug debug debug service service service service service service cdb <Integer> cmdb <Integer> dvmdb <Integer> fazconf <Integer> main <Integer> sys <Integer>

diagnose debug service task <Integer> Variable <Integer> Description Debug level.

diagnose

Page 119

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

debug sysinfo
Use this command to show system information.

Syntax
diagnose debug sysinfo

Example
The following example shows the system information with a 3 second interval.
diagnose debug sysinfo collecting information with interval=3 seconds... === file system information === Filesystem 1K-blocks Used Available Use% Mounted on none 65536 0 65536 0% /dev/shm none 65536 24 65512 1% /tmp /dev/xda1 38733 34203 2530 94% /data /dev/mda 961434520 8391960 904204440 1% /var /dev/mda 961434520 8391960 904204440 1% /drive0 /dev/mda 961434520 8391960 904204440 1% /Storage /dev/loop0 9911 1121 8278 12% /var/dm/tcl-root === /tmp system information === drwxrwxrwx 2 root root 40 Mar 11 08:36 FortiManagerWS srwxrwxrwx 1 root root 0 Mar 11 08:36 alertd.req -rw-rw-rw1 root root 4 Mar 11 08:36 cmdb_lock srwxrwxrwx 1 root root 0 Mar 11 08:36 cmdbsocket -rw-r--r-1 root root 225 Mar 11 11:53 crontab -rw-r--r-1 root root 0 Mar 11 08:37 crontab.lock srw-rw-rw1 root root 0 Mar 11 08:36 ddmclt.sock -rw-rw-rw1 root root 5 Mar 11 08:36 django.pid -rw-rw-rw1 root root 0 Mar 11 08:36 dvm_sync_init -rw-rw-rw1 root root 4 Mar 11 08:37 dvm_timestamp drwx-----2 root root 40 Mar 11 08:36 dynamic srwxrwxrwx 1 root root 0 Mar 11 08:36 faz_svc srwxrwxrwx 1 root root 0 Mar 11 08:36 fcgi.sock srwxrwxrwx 1 root root 0 Mar 11 08:36 fmgd.domain -rw-rw-rw1 root root 149 Mar 11 08:36 fortilogd_status.txt srwxrwxrwx 1 root root 0 Mar 11 08:36 httpcli.msg srwxrwxrwx 1 root root 0 Mar 11 11:56 httpcli.msg1324 srwxrwxrwx 1 root root 0 Mar 11 11:53 httpcli.msg24606 srw-rw-rw1 root root 0 Mar 11 08:36 hwmond.req srwxrwxrwx 1 root root 0 Mar 11 08:36 log_stat.svr srwxrwxrwx 1 root root 0 Mar 11 08:36 reliable_logging_path srwxrwxrwx 1 root root 0 Mar 11 08:36 snmpd.traps srwxrwxrwx 1 root root 0 Mar 11 08:36 sql_plugin srwxrwxrwx 1 root root 0 Mar 11 08:36 sql_report --wS-----1 root root 0 Mar 11 11:41 sqlrpt.lck srw-rw-rw1 root root 0 Mar 11 08:36 srchd.sock === resource use information === Program uses most memory: [gui FMGHeartBeat], pid 1703, size 178m Program uses most cpu: [crontab], pid 3541, percent 0% === db locks information ===

diagnose

Page 120

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

debug sysinfo-log
Use this command to generate one system log information log file every two minutes.

Syntax
diagnose debug sysinfo-log

Example
The following example shows how to turn the system log on. diagnose debug sysinfo-log on

debug sysinfo-log-backup
Use this command to backup all system information log files to an FTP server.

Syntax
diagnose debug sysinfo-log-backup <server><filepath><user><password>

debug sysinfo-log-list
Use this command to show system information logs.

Syntax
diagnose debug sysinfo-log-list <Intege> Variable <Intege> Description Display the last n elogs, default value of n is 10.

Example
diagnose debug sysinfo-log-list 10 ******** 2013-3-11 12:3:15 ******** === file system information === Filesystem 1K-blocks Used Available Use% Mounted on none 65536 0 65536 0% /dev/shm none 65536 24 65512 1% /tmp /dev/xda1 38733 34203 2530 94% /data /dev/mda 961434520 8392080 904204320 1% /var /dev/mda 961434520 8392080 904204320 1% /drive0 /dev/mda 961434520 8392080 904204320 1% /Storage /dev/loop0 9911 1121 8278 12% /var/dm/tcl-root === /tmp system information === drwxrwxrwx 2 root root 40 Mar 11 08:36 FortiManagerWS srwxrwxrwx 1 root root 0 Mar 11 08:36 alertd.req -rw-rw-rw1 root root 4 Mar 11 08:36 cmdb_lock
diagnose Page 121 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

srwxrwxrwx 1 root root 0 Mar 11 08:36 cmdbsocket -rw-r--r-1 root root 225 Mar 11 11:53 crontab -rw-r--r-1 root root 0 Mar 11 08:37 crontab.lock srw-rw-rw1 root root 0 Mar 11 08:36 ddmclt.sock -rw-rw-rw1 root root 5 Mar 11 08:36 django.pid -rw-rw-rw1 root root 0 Mar 11 08:36 dvm_sync_init -rw-rw-rw1 root root 4 Mar 11 08:37 dvm_timestamp drwx-----2 root root 40 Mar 11 08:36 dynamic srwxrwxrwx 1 root root 0 Mar 11 08:36 faz_svc srwxrwxrwx 1 root root 0 Mar 11 08:36 fcgi.sock srwxrwxrwx 1 root root 0 Mar 11 08:36 fmgd.domain -rw-rw-rw1 root root 149 Mar 11 08:36 fortilogd_status.txt srwxrwxrwx 1 root root 0 Mar 11 08:36 httpcli.msg srwxrwxrwx 1 root root 0 Mar 11 12:02 httpcli.msg1324 srwxrwxrwx 1 root root 0 Mar 11 11:53 httpcli.msg24606 srw-rw-rw1 root root 0 Mar 11 08:36 hwmond.req srwxrwxrwx 1 root root 0 Mar 11 08:36 log_stat.svr srwxrwxrwx 1 root root 0 Mar 11 08:36 reliable_logging_path srwxrwxrwx 1 root root 0 Mar 11 08:36 snmpd.traps srwxrwxrwx 1 root root 0 Mar 11 08:36 sql_plugin srwxrwxrwx 1 root root 0 Mar 11 08:36 sql_report --wS-----1 root root 0 Mar 11 11:41 sqlrpt.lck srw-rw-rw1 root root 0 Mar 11 08:36 srchd.sock === resource use information === --- top ten cpu usage processes --top_bin - 12:03:16 up 3:27, 0 users, load average: 0.05, 0.10, 0.13 Tasks: 163 total, 1 running, 162 sleeping, 0 stopped, 0 zombie Cpu(s): 2.4%us, 0.3%sy, 0.2%ni, 96.6%id, 0.4%wa, 0.0%hi, 0.1%si, 0.0%st Mem: 3080612k total, 1444868k used, 1635744k free, 89176k buffers Swap: 2076536k total, 0k used, 2076536k free, 702820k cached %CPU %MEM PID USER PR NI VIRT RES SHR S TIME+ COMMAND 0 5.4 1 root 20 0 192m 163m 4160 S 0:14.12 initXXXXXXXXXXX 0 0.0 2 root 20 0 0 0 0 S 0:00.00 kthreadd 0 0.0 3 root 20 0 0 0 0 S 0:00.06 ksoftirqd/0 0 0.0 6 root RT 0 0 0 0 S 0:00.00 migration/0 0 0.0 7 root RT 0 0 0 0 S 0:00.00 migration/1 0 0.0 8 root 20 0 0 0 0 S 0:00.00 kworker/1:0 0 0.0 9 root 20 0 0 0 0 S 0:00.03 ksoftirqd/1 0 0.0 10 root 20 0 0 0 0 S 0:01.05 kworker/0:1 0 0.0 11 root RT 0 0 0 0 S 0:00.00 migration/2 0 0.0 12 root 20 0 0 0 0 S 0:00.00 kworker/2:0 --- top ten memory usage processes --diagnose Page 122 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

top_bin - 12:03:17 up 3:27, 0 users, load average: 0.05, 0.10, 0.13 Tasks: 163 total, 1 running, 162 sleeping, 0 stopped, 0 zombie Cpu(s): 2.4%us, 0.3%sy, 0.2%ni, 96.6%id, 0.4%wa, 0.0%hi, 0.1%si, 0.0%st Mem: 3080612k total, 1444744k used, 1635868k free, 89176k buffers Swap: 2076536k total, 0k used, 2076536k free, 702824k cached %MEM %CPU PID USER PR NI VIRT RES SHR S TIME+ COMMAND 5.9 0 3534 root 20 0 209m 178m 11m S 0:22.82 gui control 5.5 0 3579 root 20 0 193m 164m 3548 S 0:00.44 svc main 5.4 0 3533 root 20 0 193m 163m 3564 S 0:00.25 ptmgr 5.4 0 1 root 20 0 192m 163m 4160 S 0:14.12 initXXXXXXXXXXX 5.4 0 3928 root 20 0 193m 163m 2376 S 0:01.77 svc dvmdb reade 5.4 0 3932 root 20 0 193m 163m 2372 S 0:00.44 svc ncmdb reade 5.4 0 3934 root 20 0 193m 163m 2372 S 0:00.24 svc cmdb reader 5.4 0 3929 root 20 0 193m 163m 2216 S 0:00.20 svc dvmdb write 5.4 0 3930 root 20 0 193m 163m 2216 S 0:00.21 svc task reader === dvm locks information === Global database pending read: unlocked Global database pending write: unlocked Global database reserved read: unlocked Global database reserved write: unlocked Global database shared read: unlocked Global database shared write: unlocked

debug timestamp
Use this command to enable or disable debug timestamp.

Syntax
diagnose debug timestamp {enable | disable}

debug vminfo
Use this command to show VMware license information.

Syntax
diagnose debug vminfo

diagnose

Page 123

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
This is an example of the output from diagnose debug vminfo: ValidLicense Type: Basic Table size: Maximum dev: 10

dlp-archives quar-cache
Use this command to view the quarantine cache.

Syntax
diagnose dlp-archives quar-cache Variable list-all-process Description List all processes using the quarantine cache.

Example
This is an example of the output from diagnose dlp-archives quar-cache: 1 : oftpd (pid=3964)Connected Time: 2013-02-18 10:27:32 (9397 sec)

dlp-archives rebuild-quar-db
Use this command to rebuild the quarantine cache database.

Syntax
diagnose dlp-archives rebuild-quar-db

Example
This is an example of the output from diagnose dlp-archives rebuild-quar-db: diagnose dlp-archives rebuild-quar-db Warning! You are about to rebuild the Quarantine Cache DB. The main oftpd process and all processes connected with the Quaranine Cache DB will be killed. Do you want to continue? (y/n)

diagnose

Page 124

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

dlp-archives statistics
Use this command to view and flush the quarantined and DLP archived file statistics.

Syntax
diagnose dlp-archives statistics <flush> diagnose dlp-archives statistics <show> Variable <flush> <show> Description Flush the quarantined and DLP archived file statistics. Display the quarantined and DLP archived file statistics.

Example
This is an example of the output from diagnose dlp-archives statistics flush: DLP archive statistics are flushed. Statistics since 2013-02-18 13:15:02 Type Files Duplicates Bytes --------------------------------------------------------------Web_Archive 0 0 0 Email_Archive 0 0 0 File_Transfer_Archive 0 0 0 IM_Archive 0 0 0 MMS_Archive 0 0 0 AV_Quarantine 0 0 0 IPS_Packets 0 0 0 -------------------------------------------------------------Total 0 0 0

dlp-archives status
Use this command to view the DLP archive status.

Syntax
diagnose dlp-archives staus

dvm adom
Use this command to list ADOMs.

Syntax
diagnose dvm adom list Variable list
diagnose

Description List the ADOMs configured on the FortiAnalyzer.


Page 125 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
This is an example of the output from diagnose dvm adom list: There are currently 2 ADOMs: OID STATE MODE OSVER MR 103 enabled GMS 5.0 0 3 enabled GMS 5.0 0 ---End ADOM list--NAME others root

dvm chassis
Use this command to list chassis.

Syntax
diagnose dvm chassis list Variable list Description List chassis.

dvm check-integrity
Use this command to check the DVM database integrity.

Syntax
diagnose dvm check-integrity

Example
This is an example of the output from diagnose dvm check-integrity: [1/9] Checking object memberships [2/9] Checking device nodes [3/9] Checking device vdoms [4/9] Checking device ADOM memberships [5/9] Checking devices being deleted [6/9] Checking groups [7/9] Checking group membership [8/9] Checking device locks [9/9] Checking task database Checking Configuration DB ...correct ... ... ... ... ... ... ... ... ... correct correct correct correct correct correct correct correct correct

diagnose

Page 126

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

dvm debug
Use this command to enable or disable debug channels.

Syntax
diagnose dvm debug enable <channel> diagnose dvm debug disable <channel> Variable enable <channel> Description Select to enable debug channel including: all, dvm_db, dvm_dev, shelfmgr, ipmi, lib, dvmcmd, dvmcore, gui, monitor, json_api. Select to disable debug channel including: all, dvm_db, dvm_dev, shelfmgr, ipmi, lib, dvmcmd, dvmcore, gui, monitor, json_api.

disable <channel>

dvm device
Use this command to list devices or objects referencing a device.

Syntax
diagnose dvm device dynobj <device> diagnose dvm device list Variable dynobj <device> list Description List dynamic objects on this device. List devices.

dvm device-tree-update
Use this command to enable or disable device tree automatic updates.

Syntax
diagnose dvm device-tree-update {enable | disable}

diagnose

Page 127

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

dvm group
Use this command to list groups.

Syntax
diagnose dvm group list Variable list Description List groups.

dvm lock
Use this command to print the DVM lock states.

Syntax
diagnose dvm lock

Example
This is an example of the output from diagnose dvm lock: DVM lock state = unlocked Global database pending read: unlocked Global database pending write: unlocked Global database reserved read: unlocked Global database reserved write: unlocked Global database shared read: unlocked Global database shared write: unlocked

dvm proc
Use this command to list DVM processes.

Syntax
diagnose dvm proc list Variable list Description List DVM process information.

Example
This is an example of the output from diagnose dvm proc list: dvmcmd group id=3939 dvmcmd process 3939 is running control Process is healthy. dvmcore is running normally.

diagnose

Page 128

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

dvm supported-platforms
Use this command to list supported platforms.

Syntax
diagnose dvm supported-platforms list Variable list Description List supported platform information including device type and firmware versions.

dvm task
Use this command to repair or reset the task database.

Syntax
diagnose dvm task repair diagnose dvm task reset Variable repair reset Description Repair the task database while preserving existing data where possible. The FortiAnalyzer will reboot after the repairs. Reset the task database to its factory default state. All existing tasks and the task history will be erased. The FortiAnalyzer will reboot after the reset.

Example
This is an example of the output from diagnose dvm task repair: This command will attempt to repair the task database while preserving existing data where possible. WARNING: NEW TASKS MUST NOT BE INITIATED WHILE THIS COMMAND IS RUNNING. System will reboot after the repair. Do you want to continue? (y/n)

dvm transaction-flag
Use this command to edit or display DVM transaction flags.

Syntax
diagnose dvm transaction-flag {abort | debug | none}

diagnose

Page 129

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

fgfm
Use this command to get installation session, object, and session lists.

Syntax
diagnose fgfm install-session diagnose fgfm object-list diagnose fgfm session-list <device id> Variable install-session object-list Description Get installations session lists. Get object lists.

session-list <device id> Get session lists.

fmnetwork arp
Use this command to manage ARP.

Syntax
diagnose fmnetwork arp del <intf-name> <ip> diagnose fmnetwork arp list Variable del <intf-name> <ip> list Description Delete an ARP entry. List ARP entries.

Example
This is an example of the output from diagnose fmnetwork arp list: index=4 ifname=port1 172.16.81.101 00:40:f4:91:a2:2b state=00000002 use=1038517 confirm=23 update=679410 ref=2 index=1 ifname=lo 0.0.0.0 00:00:00:00:00:00 state=00000040 use=4691 confirm=296238 update=6828799 ref=2 index=4 ifname=port1 172.16.81.1 00:09:0f:30:1b:c1 state=00000002 use=4731 confirm=0 update=3016 ref=11

diagnose

Page 130

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

fmnetwork interface
Use this command to view interface information.

Syntax
diagnose fmnetwork interface detail <portX> diagnose fmnetwork interface list Variable detail <portX> list Description View a specific interfaces details. List all interface details.

Example
Here is an example of the output from diagnose fmnetwork interface detail port1: Status: up Speed 1000Mb/s : Duplex : Full

fmnetwork netstat
Use this command to view network statistics.

Syntax
diagnose fmnetwork netstat list [-r] diagnose fmnetwork netstat tcp [-r] diagnose fmnetwork netstat udp [-r] Variable list [-r] tcp [-r] udp [-r] Description List all connections, or use -r to list only resolved IP addresses. List all TCP connections, or use -r to list only resolved IP addresses. List all UDP connections, or use -r to list only resolved IP addresses.

Example
This is an example of the output from diagnose fmnetwork netstat tcp -r: Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address tcp 0 0 FMG-VM:9090 *:* tcp 0 0 *:6020 *:* tcp 0 0 *:8900 *:* tcp 0 0 *:8901 *:* State LISTEN LISTEN LISTEN LISTEN

diagnose

Page 131

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

tcp tcp tcp tcp tcp tcp

0 0 0 0 0 0

0 0 0 0 0 0

*:8080 *:22 *:telnet *:8890 *:8891 *:541

*:* *:* *:* *:* *:* *:*

LISTEN LISTEN LISTEN LISTEN LISTEN LISTEN

fortilogd
Use this command to view FortiLog daemon information.

Syntax
diagnose diagnose diagnose diagnose diagnose diagnose Variable msgrate msgrate-device msgrate-total msgrate-type msgstat status fortilogd fortilogd fortilogd fortilogd fortilogd fortilogd msgrate msgrate-device msgrate-total msgrate-type msgstat status Description Display log message rate. Display log message rate devices. Display log message rate totals. Display log message rate types. Display log message status. Running status.

Example
This is an example of the output of diagnose fortilogd status: fortilogd is starting config socket OK cmdb socket OK cmdb register log.device OK cmdb register log.settings OK log socket OK reliable log socket OK

hardware
Use this command to view hardware information.

Syntax
diagnose hardware info
diagnose Page 132 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
This an example of the output of diagnose hardware info. ### CPU info processor: 0 vendor_id: GenuineIntel cpu family: 6 model: 26 model name: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz stepping: 5 cpu MHz: 1995.102 cache size: 4096 KB physical id: 1 siblings: 4 core id: 0 cpu cores: 4 apicid: 16 initial apicid: 16 fpu: yes fpu_exception: yes cpuid level: 11 wp: yes flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca sse4_1 sse4_2 popcnt lahf_lm dts tpr_shadow vnmi flexpriority ept vpid bogomips: 3990.20 clflush size: 64 cache_alignment: 64 address sizes: 40 bits physical, 48 bits virtual power management: processor: 1 vendor_id: GenuineIntel cpu family: 6 model: 26 model name: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz stepping: 5 cpu MHz: 1995.102 cache size: 4096 KB physical id: 1 siblings: 4 core id: 1 cpu cores: 4 apicid: 18 initial apicid: 18 fpu: yes fpu_exception: yes cpuid level: 11
diagnose Page 133 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

wp: yes flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca sse4_1 sse4_2 popcnt lahf_lm dts tpr_shadow vnmi flexpriority ept vpid bogomips: 3989.79 clflush size: 64 cache_alignment: 64 address sizes: 40 bits physical, 48 bits virtual power management: processor: 2 vendor_id: GenuineIntel cpu family: 6 model: 26 model name: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz stepping: 5 cpu MHz: 1995.102 cache size: 4096 KB physical id: 1 siblings: 4 core id: 2 cpu cores: 4 apicid: 20 initial apicid: 20 fpu: yes fpu_exception: yes cpuid level: 11 wp: yes flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca sse4_1 sse4_2 popcnt lahf_lm dts tpr_shadow vnmi flexpriority ept vpid bogomips: 3989.81 clflush size: 64 cache_alignment: 64 address sizes: 40 bits physical, 48 bits virtual power management: processor: 3 vendor_id: GenuineIntel cpu family: 6 model: 26 model name: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz stepping: 5 cpu MHz: 1995.102 cache size: 4096 KB physical id: 1
diagnose Page 134 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

siblings: 4 core id: 3 cpu cores: 4 apicid: 22 initial apicid: 22 fpu: yes fpu_exception: yes cpuid level: 11 wp: yes flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca sse4_1 sse4_2 popcnt lahf_lm dts tpr_shadow vnmi flexpriority ept vpid bogomips: 3989.80 clflush size: 64 cache_alignment: 64 address sizes: 40 bits physical, 48 bits virtual power management: ### Memory info MemTotal: 3080612 kB MemFree: 1425656 kB Buffers: 182684 kB Cached: 827064 kB SwapCached: 0 kB Active: 1243804 kB Inactive: 294484 kB Active(anon): 637792 kB Inactive(anon): 57292 kB Active(file): 606012 kB Inactive(file): 237192 kB Unevictable: 10172 kB Mlocked: 10172 kB SwapTotal: 2076536 kB SwapFree: 2076536 kB Dirty: 120 kB Writeback: 0 kB AnonPages: 538732 kB Mapped: 181280 kB Shmem: 166576 kB Slab: 78220 kB SReclaimable: 52980 kB SUnreclaim: 25240 kB KernelStack: 1592 kB PageTables: 14496 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB

diagnose

Page 135

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

CommitLimit: 3616840 kB Committed_AS: 5729904 kB VmallocTotal: 34359738367 kB VmallocUsed: 3532 kB VmallocChunk: 34359719588 kB DirectMap4k: 2660 kB DirectMap2M: 3133440 kB ### Disk info major minor #blocks name 7 0 10240 loop0 8 32 976762584 sdc 8 48 976762584 sdd 8 0 976762584 sda 8 16 976762584 sdb 8 64 1927168 sde 8 65 40000 sde1 8 66 40000 sde2 254 8128 976762448 md_d127 ### RAID info RAID Level: Raid-1 RAID Status: OK RAID Size: 976GB Disk 1: OK Used Disk 2: OK Used Disk 3: OK Used Disk 4: OK Used ### System time local time: Thu Mar 14 09:52:00 2013 UTC time: Thu Mar 14 16:52:00 2013

976GB 976GB 976GB 976GB

log device
Use this command to view device log usage.

Syntax
diagnose log device

diagnose

Page 136

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
This is an example of the output of diagnose log device:
Device Name 600C_Up 600C_Down dddd FWF40C3911000061 abc_FG100A Test FGT1001111111111 FGT1001111111112 Device ID FG600C3912800438 FG600C3912800830 FGT20C1241584MDL FWF40C3911000061 FG100A2104400006 FE-1002410201202 FGT1001111111111 FGT1001111111112 Used Space(logs/database/quar/content/IPS) Allocated Space 234MB(71 387MB(79 0MB(0 30MB(6 138MB(43 0MB(0 0MB(0 0MB(0 / 162 / 0 / 308 / 0 / 0 / 24 / 81 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 12 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 0 / 0 ) ) ) ) ) ) ) ) 1000MB 1000MB 1000MB 1000MB 1000MB 1000MB 1000MB 1000MB % Used 23.40% 38.70% 0.00% 3.00% 13.80% 0.00% 0.00% 0.00%

sniffer
Use this command to perform a packet trace on one or more network interfaces. Packet capture, also known as sniffing, records some or all of the packets seen by a network interface. By recording packets, you can trace connection states to the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to detect. FortiAnalyzer units have a built-in sniffer. Packet capture on FortiAnalyzer units is similar to that of FortiGate units. Packet capture is displayed on the CLI, which you may be able to save to a file for later analysis, depending on your CLI client. Packet capture output is printed to your CLI display until you stop it by pressing Ctrl + C, or until it reaches the number of packets that you have specified to capture. Packet capture can be very resource intensive. To minimize the performance impact on your FortiAnalyzer unit, use packet capture only during periods of minimal traffic, with a serial console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.

diagnose

Page 137

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Syntax
diagnose sniffer packet <interface_name> <filter_str> <verbose> <count> Variable <interface_name> Description Default

Type the name of a network interface whose No packets you want to capture, such as port1, or default type any to capture packets on all network interfaces. Type either none to capture all packets, or type none a filter that specifies which protocols and port numbers that you do or do not want to capture, such as 'tcp port 25'. Surround the filter string in quotes. The filter uses the following syntax: '[[src|dst] host {<host1_fqdn> | <host1_ipv4>}] [and|or] [[src|dst] host {<host2_fqdn> | <host2_ipv4>}] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port1_int>] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port2_int>]' To display only the traffic between two hosts, specify the IP addresses of both hosts. To display only forward or only reply packets, indicate which host is the source, and which is the destination. For example, to display UDP port 1812 traffic between 1.example.com and either 2.example.com or 3.example.com, you would enter: 'udp and port 1812 and src host 1.example.com and dst \( 2.example.com or 2.example.com \)'

<filter_str>

diagnose

Page 138

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Variable <verbose>

Description

Default

Type one of the following numbers indicating the 1 depth of packet headers and payloads to capture: 1: header only 2: IP header and payload 3: Ethernet header and payload For troubleshooting purposes, Fortinet Technical Support may request the most verbose level (3).

<count>

Type the number of packets to capture before stopping. If you do not specify a number, the command will continue to capture packets until you press Ctrl + C.

Packet capture continues until Ctrl + C is pressed.

Example
The following example captures the first three packets worth of traffic, of any port number or protocol and between any source and destination (a filter of none), that passes through the network interface named port1. The capture uses a low level of verbosity (indicated by 1). Commands that you would type are highlighted in bold; responses from the Fortinet unit are not in bold. FortiAnalyzer# diag sniffer packet port1 none interfaces=[port1] filters=[none] 0.918957 192.168.0.1.36701 -> 192.168.0.2.22: 0.919024 192.168.0.2.22 -> 192.168.0.1.36701: 2587945850 0.919061 192.168.0.2.22 -> 192.168.0.1.36701: 2587945850 1 3

ack 2598697710 psh 2598697710 ack psh 2598697826 ack

If you are familiar with the TCP protocol, you may notice that the packets are from the middle of a TCP connection. Because port 22 is used (highlighted above in bold), which is the standard port number for SSH, the packets might be from an SSH session.

Example
The following example captures packets traffic on TCP port 80 (typically HTTP) between two hosts, 192.168.0.1 and 192.168.0.2. The capture uses a low level of verbosity (indicated by 1). Because the filter does not specify either host as the source or destination in the IP header (src or dst), the sniffer captures both forward and reply traffic. A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Ctrl + C. The sniffer then confirms that five packets were seen by that network interface. Commands that you would type are highlighted in bold; responses from the Fortinet unit are not in bold. FortiAnalyzer# diag sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' 1 192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590
diagnose Page 139 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

192.168.0.1.80 -> 192.168.0.2.3625: 192.168.0.2.3625 -> 192.168.0.1.80: 192.168.0.2.3625 -> 192.168.0.1.80: 192.168.0.1.80 -> 192.168.0.2.3625: 5 packets received by filter 0 packets dropped by kernel

syn ack psh ack

3291168205 ack 2057246591 3291168206 2057246591 ack 3291168206 2057247265

Example
The following example captures all TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of its source or destination IP address. The capture uses a high level of verbosity (indicated by 3). A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Ctrl + C. The sniffer then confirms that five packets were seen by that network interface. Verbose output can be very long. As a result, output shown below is truncated after only one packet. Commands that you would type are highlighted in bold; responses from the Fortinet unit are not in bold. FortiAnalyzer # diag sniffer port1 'tcp port 443' 3 interfaces=[port1] filters=[tcp port 443] 10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898 0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E. 0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W.... 0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........ 0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............ 0x0040 86bb 0000 0000 0103 0303 .......... Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain text file using your CLI client. Saving the output provides several advantages. Packets can arrive more rapidly than you may be able to read them in the buffer of your CLI display, and many protocols transfer data using encodings other than US-ASCII. It is usually preferable to analyze the output by loading it into in a network protocol analyzer application such as Wireshark (http://www.wireshark.org/). For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output. Methods may vary. See the documentation for your CLI client. Requirements terminal emulation software such as PuTTY a plain text editor such as Notepad a Perl interpreter network protocol analyzer software such as Wireshark To view packet capture output using PuTTY and Wireshark: 1. On your management computer, start PuTTY.

diagnose

Page 140

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

2. Use PuTTY to connect to the Fortinet appliance using either a local serial console, SSH, or Telnet connection. 3. Type the packet capture command, such as: diag sniffer packet port1 'tcp port 541' 3 100 but do not press Enter yet. 4. In the upper left corner of the window, click the PuTTY icon to open its drop-down menu, then select Change Settings. A dialog appears where you can configure PuTTY to save output to a plain text file. 5. In the Category tree on the left, go to Session > Logging. 6. In Session logging, select Printable output. 7. In Log file name, click the Browse button, then choose a directory path and file name such as C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. (You do not need to save it with the .log file extension.) 8. Click Apply. 9. Press Enter to send the CLI command to the FortiMail unit, beginning packet capture. 10. If you have not specified a number of packets to capture, when you have captured all packets that you want to analyze, press Ctrl + C to stop the capture. 11. Close the PuTTY window. 12. Open the packet capture file using a plain text editor such as Notepad. 13. Delete the first and last lines, which look like this: =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~= Fortinet-2000 # These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you do not delete them, they could interfere with the script in the next step. 14. Convert the plain text file to a format recognizable by your network protocol analyzer application. You can convert the plain text file to a format (.pcap) recognizable by Wireshark using the fgt2eth.pl Perl script. To download fgt2eth.pl, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.

The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and requires that you first install a Perl module compatible with your operating system.

To use fgt2eth.pl, open a command prompt, then enter a command such as the following:

Methods to open a command prompt vary by operating system. On Windows XP, go to Start > Run and enter cmd. On Windows 7, click the Start (Windows logo) menu to open it, then enter cmd.

fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap where: fgt2eth.pl is the name of the conversion script; include the path relative to the current directory, which is indicated by the command prompt
diagnose Page 141 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

packet_capture.txt is the name of the packet captures output file; include the directory path relative to your current directory packet_capture.pcap is the name of the conversion scripts output file; include the directory path relative to your current directory where you want the converted output to be saved Figure 1: Converting sniffer output to .pcap format

15. Open the converted file in your network protocol analyzer application. For further instructions, see the documentation for that application. Figure 2: Viewing sniffer output in Wireshark

For additional information on packet capture, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.

diagnose

Page 142

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

sql
Use this command to diagnose the SQL database.

Syntax
diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose Variable auto-hcache {enable | diasble} config debug-filter set <string> config debug-filter test <string> sql sql sql sql sql sql sql sql sql sql sql auto-hcache {enable | diasble} config debug-filter set <string> config debug-filter test <string> config deferred-index-timespan <string> gui-rpt-shm <list-all> process list process kill <pid>d remove hcache <device-id> remove tmp-table show <db-size | hcache-size} status {run_sql_rpt | sqlplugind | sqlreportd} Description Disable or enable the auto-hcache. Set the sqlplugin debug filter. Test the sqlplugin debug filter

config Set the timespan for the deferred index. deferred-index-timespan <string> gui-rpt-shm <list-all> process list process kill <pid> remove hcache <device-id> remove tmp-table List all async GUI report shared memory slot information. List running query processes. Kill a running query. Remove hcache. Remove temporary tables.

show <db-size | hcache-size} Show the database or hcache size. status {run_sql_rpt | sqlplugind | sqlreportd} Show run_sql_rpt, sqlplugind, or sqlreportd status.

system admin-session
Use this command to view login session information.

diagnose

Page 143

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Syntax
diagnose system admin-session list diagnose system admin-session status Variable list status Description List login sessions. Show the current session.

Example
This is an example of the output from diagnose system admin-session status: session_id: 31521 (seq: 4) username: admin admin template: admin from: jsconsole(10.2.0.250) profile: Super_User (type 3) adom: root session length: 198 (seconds)

system disk
Use this command to view disk diagnostic information.

Syntax
diagnose diagnose diagnose diagnose diagnose Variable attributes disable enable health info system system system system system disk disk disk disk disk attributes disable enable health info Description Show vendor specific SMART attributes. Disable SMART support. Enable SMART support. Show the SMART health status. Show the SMART information.

Example
This is an example of the output from diagnose system disk health: Disk 1: SMART overall-health self-assessment test result: Disk 2: SMART overall-health self-assessment test result: Disk 3: SMART overall-health self-assessment test result: Disk 4: SMART overall-health self-assessment test result:
diagnose Page 144

PASSED PASSED PASSED PASSED

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system export
Use this command to export logs.

Syntax
diagnose system export crashlog <server> <user> <password> [remote path] [filename] diagnose system export dminstallog <devid> <server> <user> <password> [remote path] [filename] diagnose system export umlog {ftp | sftp} <type> <server> <user> <password> [remote path] [filename] diagnose system export upgradelog <ftp server> Variable crashlog <server> <user> <password> [remote path] [filename] dminstallog <devid> <server> <user> <password> [remote path] [filename] umlog {ftp | sftp} <type> <server> <user> <password> [remote path] [filename] upgradelog <ftp server> Description Export the crash log.

Export deployment manager install log.

Export the update manager and firmware manager log files. The type option are: fdslinkd, fctlinkd, fgdlinkd, usvr, update, service, misc, umad, fwmlinkd Export the upgrade error log.

system flash
Use this command to diagnose the flash memory.

Syntax
diagnose system flash list Variable list Description List flash images.

diagnose

Page 145

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system fsck
Use this command to check and repair the filesystem.

Syntax
diagnose system fsck harddisk Variable harddisk Description Check and repair the file system, then reboot the system.

system ntp
Use this command to list NTP server information.

Syntax
diagnose system ntp status Variable status Description List NTP servers information.

Example
This is an example of the output from diagnose system ntp status: server ntp1.fortinet.net (208.91.112.50) -- Clock is synchronized server-version=4, stratum=2 reference time is d4a03db3.52abe82f -- UTC Tue Jan 15 20:42:27 2013 clock offset is 0.210216 msec, root delay is 1649 msec root dispersion is 2075 msec, peer dispersion is 2 msec

system print
Use this command to print server information.

Syntax
diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose diagnose system system system system system system system system system system print print print print print print print print print print certificate cpuinfo df hosts interface <interface> loadavg netstat partitions route rtcache

diagnose

Page 146

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

diagnose system print slabinfo diagnose system print sockets diagnose system print uptime Variable certificate cpuinfo df hosts interface <interface> loadavg netstat partitions route rtcache slabinfo sockets uptime Description Print the IPsec certificate. Print the CPU information. Print the file system disk space usage. Print the static table lookup for host names. Print the information of the interface Print the average load of the system. Print the network statistics. Print the partition information of the system. Print the main route list. Print the contents of the routing cache. Print the slab allocator statistics. Print the currently used socket ports. Print how long the system has been running.

Example
This is an example of the output from diagnose system print df: Filesystem 1K-blocks none 65536 none 65536 /dev/sda1 47595 /dev/sdb3 9803784 /dev/sdb2 61927420 /dev/sdb4 9803784 /dev/sdb4 9803784 /dev/sdb4 9803784 /dev/loop0 9911 /var/dm/tcl-root Used Available Use% Mounted on 0 65536 0% /dev/shm 20 65516 1% /tmp 28965 16173 65% /data 723128 8582652 8% /var 224212 58557480 1% /var/static 132164 9173616 2% /var/misc 132164 9173616 2% /drive0 132164 9173616 2% /Storage 1043 8356 12%

diagnose

Page 147

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

This is an example of the output from diagnose system print interface port1: Status: up Speed: 1000Mb/s Duplex: Full Supported ports: [ TP ] Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Supports auto-negotiation: Yes Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Advertised auto-negotiation: Yes

system process
Use this command to view and kill processes.

Syntax
diagnose system process kill -<signal> <pid> diagnose system process killall <module> diagnose system process list Variable kill -<signal> <pid> Description Kill a process. e.g. -9 or -KILL killall <module> list Kill all the related processes. List all processes.

system raid
Use this command to view RAID information.

Syntax
diagnose system raid hwinfo diagnose system raid status Variable hwinfo status Description Show RAID controller hardware information. Show RAID status.

diagnose

Page 148

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
Here is an example of the output from diagnose system raid status: RAID Level: Raid-1 RAID Status: OK RAID Size: 1953GB Disk 1: OK Disk 2: Unavailable Disk 3: Unavailable Disk 4: Unavailable

Used Not-Used Not-Used Not-Used

1953GB 0GB 0GB 0GB

system route
Use this command to diagnose routes.

Syntax
diagnose system route list Variable list Description List all routes.

system route6
Use this command to diagnose IPv6 routes.

Syntax
diagnose system route6 list Variable list Description List all IPv6 routes.

system server
Use this command to start the FortiAnalyzer server.

Syntax
diagnose system server start Variable start Description Start the server.

diagnose

Page 149

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

test application
Use this command to test application daemons.

Syntax
diagnose diagnose diagnose diagnose diagnose diagnose Variable fazcfgd <Integer> logfiled <Integer> oftpd <Integer> snmpd <Integer> sqllogd <Integer> sqlrptcached <Integer> test test test test test test application application application application application application fazcfgd <Integer> logfiled <Integer> oftpd <Integer> snmpd <Integer> sqllogd <Integer> sqlrptcached <Integer> Description Test the FortiAnalyzer config daemon. Test the FortiAnalyzer log file daemon. Test the FortiAnalyzer oftpd daemon. Test the FortiAnalyzer snmpd daemon. Test the FortiAnalyzer sqllog daemon. Test the FortiAnalyzer sqlrptcache daemon.

test policy-check
Use this command to test applications.

Syntax
diagnose test policy-check flush diagnose test policy-check list Variable flush list Description Flush all policy check sessions. List all policy check sessions.

diagnose

Page 150

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

test search
Use this command to test the search daemon.

Syntax
diagnose test search flush diagnose test search list Variable flush list Description Flush all search sessions. List all search sessions.

test sftp
Use this command to test the secure file transfer protocol (SFTP).

Syntax
diagnose test sftp auth <sftp server> <username> <password> <directory> Variable auth <sftp server> <username> <password> <directory> Description Test the scheduled backup. The directory variable represents the directory on the SFTP server where you want to put the file. The default directory is "/".

upload clear
Use this command to clear the upload request.

Syntax
diagnose upload clear all diagnose upload clear failed Variable all failed Description Clear all upload requests. Clear the failed upload requests.

diagnose

Page 151

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

upload force-retry
Use this command to retry the last failed upload request.

Syntax
diagnose upload force-retry

upload status
Use this command to get the running status.

Syntax
diagnose upload status

diagnose

Page 152

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

get
3. get
The get commands display a part of your FortiAnalyzer units configuration in the form of a list of settings and their values.

Although not explicitly shown in this section, for all config commands there are related get and show commands that display that part of the configuration. get and show commands use the same syntax as their related config command, unless otherwise specified.

The get command displays all settings, even if they are still in their default state. Unlike the show command, get requires that the object or table whose settings you want to display are specified, unless the command is being used from within an object or table. For example, at the root prompt, this command would be valid: get system status and this command would not: get This chapter describes the following get commands: system admin setting system aggregation-client system aggregation-service system alert-console system alertemail system backup all-settings system backup status system certificate ca system certificate local system certificate ssh system dns system fips system global system interface system locallog disk setting system locallog disk filter system locallog fortianalyzer setting system locallog fortianalyzer filter system locallog memory setting system locallog memory filter system locallog syslogd setting (also syslogd2 and syslogd3) system locallog syslogd filter (also syslogd2 and syslogd3) system log alert system log fortianalyzer system log settings system mail system ntp system password-policy system performance system snmp community system snmp sysinfo system snmp user system route system route6 system sql system status system syslog

get

Page 153

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system admin setting


Use this command to view system administrator settings.

Syntax
get system admin settings

Example
This example shows the output for get system admin setting: access-banner : disable admin_server_cert : server.crt allow_register : disable auto-update : enable banner-message : (null) demo-mode : disable device_sync_status : enable http_port : 80 https_port : 443 idle_timeout : 480 install-ifpolicy-only: disable mgmt-addr : (null) mgmt-fqdn : (null) offline_mode : disable register_passwd : * show-add-multiple : disable show-adom-central-nat-policies: disable show-adom-devman : disable show-adom-dos-policies: disable show-adom-dynamic-objects: enable show-adom-forticonsole-button: disable show-adom-icap-policies: disable show-adom-implicit-policy: disable show-adom-ipv6-settings: enable show-adom-policy-consistency-button: disable show-adom-rtmlog : disable show-adom-sniffer-policies: disable show-adom-taskmon-button: enable show-adom-terminal-button: disable show-adom-voip-policies: disable show-adom-vpnman : enable show-device-import-export: disable show-foc-settings : enable show-fortimail-settings: enable show-fsw-settings : enable show-global-object-settings: enable show-global-policy-settings: enable show_automatic_script: disable show_grouping_script: disable
get Page 154 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

show_tcl_script unreg_dev_opt webadmin_language

: disable : add_allow_service : auto_detect

system aggregation-client
Use this command to view log aggregation settings.

Syntax
get system aggregation-client <id>

Example
This example shows the output for get system aggregation-client: id mode fwd-facility fwd-log-source-ip fwd-min-level fwd-remote-server server-ip : : : : : : : 1 realtime local7 local_ip information fortianalyzer 1.1.11.1

system aggregation-service
Use this command to view log aggregation service settings.

Syntax
get system aggregation-service

system alert-console
Use this command to view the alert console settings.

Syntax
get system alert-console

Example
This example shows the output for get system alert-console: period severity-level : 7 : information

get

Page 155

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system alert-event
Use this command to view alert event settings.

Syntax
get system alert-event <alert name>

Example
This example shows the output for get system alert-event: name : Test alert-destination: == 1 == enable-generic-text : enable enable-severity-filter: enable event-time-period : 0.5 generic-text : Test num-events : 1 severity-filter : medium-low severity-level-comp : = severity-level-logs : information

system alertemail
Use this command to view alertemail settings.

Syntax
get system alertemail

Example
This example shows the output for get system alertemail: authentication fromaddress fromname smtppassword smtpport smtpserver smtpuser : : : : : : : enable (null) (null) * 25 (null) (null)

system backup all-settings


Use this command to view the backup settings.

Syntax
get system backup all-settings

get

Page 156

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
This example shows the output for get system backup all-settings: status server user directory week_days time protocol passwd crptpasswd : : : : : : : : : disable (null) (null) (null) (null) sftp * *

system backup status


Use this command to view the backup status on your FortiAnalyzer unit.

Syntax
get system backup status

Example
This example shows the output for get system backup status: All-Settings Backup Last Backup: Tue Jan 15 16:55:35 2013 Next Backup: N/A

system certificate ca
Use this command to view CA certificates on your device.

Syntax
get system certificate ca

system certificate local


Use this command to view local certificates on your device.

Syntax
get system certificate local

get

Page 157

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system certificate ssh


Use this command to view SSH certificates on your device.

Syntax
get system certificate ssh

system dns
Use this command to view DNS settings.

Syntax
get system dns

Example
This example shows the output for get system dns: primary secondary : 208.91.112.53 : 208.91.112.63

system fips
Use this command to view FIPS settings.

Syntax
get system fips

system global
Use this command to view global system settings.

Syntax
get system global

Example
This example shows the output for get system global: admin-lockout-duration: 60 admin-lockout-threshold: 3 admintimeout : 5 adom-mode : normal adom-status : disable console-output : standard daylightsavetime : enable default-disk-quota : 1000 enc-algorithm : low

get

Page 158

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

hostname : language : ldapconntimeout : log-mode : max-concurrent-users: max-running-reports : pre-login-banner : remoteauthtimeout : ssl-low-encryption : swapmem : timezone :

FAZ1000C english 60000 analyzer 20 1 disable 10 enable enable (GMT-8:00)Pacific Time(US&Canada)

system interface
Use this command to view interface configuration.

Syntax
get system interface

Example
This example shows the output for get system interface: == [ port1 ] name: port1 auto == [ port2 ] name: port2 == [ port3 ] name: port3 == [ port4 ] name: port4 status: up ip: 172.16.81.30 255.255.255.0 speed:

status: up status: up status: up

ip: 1.1.1.1 255.255.255.0 ip: 0.0.0.0 0.0.0.0 ip: 0.0.0.0 0.0.0.0

speed: auto

speed: auto speed: auto

system locallog disk setting


Use this command to view log disk settings.

Syntax
get system locallog disk setting

Example
This example shows the output for get system localllog disk setting: status severity upload server-type max-log-file-size roll-schedule
get

: : : : : :

enable information disable FTP 100 none


Page 159 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

diskfull : overwrite log-disk-full-percentage: 80

system locallog disk filter


Use this command to view the filter for disk logging.

Syntax
get system locallog disk filter

Example
This example shows the output for get system locallog disk filter: event dvm iolog system : : : : enable enable enable enable

system locallog fortianalyzer setting


Use this command to view settings for FortiAnalyzer logging.

Syntax
get system locallog fortianalyzer setting

Example
This example shows the output for get system locallog fortianalyzer setting: severity status : notification : disable

system locallog fortianalyzer filter


Use this command to view the filter for FortiAnalyzer logging.

Syntax
get system locallog fortianalzyer filter

Example
This example shows the output for get system locallog fortianalyzer filter: event dvm iolog system : : : : enable enable enable enable

get

Page 160

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system locallog memory setting


Use this command to view settings for logging to memory.

Syntax
get system locallog memory setting

Example
This example shows the output for get system locallog memory setting: severity status : notification : disable

system locallog memory filter


Use this command to view the filter for memory logging.

Syntax
get system locallog memory filter

Example
This example shows the output for get system locallog memory filter: event dvm iolog system : : : : enable enable enable enable

system locallog syslogd setting (also syslogd2 and syslogd3)


Use this command to view settings for logging to remote syslog server.

Syntax
get system locallog syslogd setting

Example
This example shows the output for get system locallog syslogd setting: csv facility port server severity status : : : : : : disable local7 514 (null) notification disable

get

Page 161

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system locallog syslogd filter (also syslogd2 and syslogd3)


Use this command to view the filter for syslog logging.

Syntax
get system locallog syslogd filter

Example
This example shows the output for get system locallog syslogd filter: event dvm iolog system : : : : enable enable enable enable

system log alert


Use this command to view log alert settings.

Syntax
get system log alert

Example
This example shows the output for get system log alert: max-alert-count : 200

system log fortianalyzer


Use this command to view FortiAnalyzer log configuration.

Syntax
get system log fortianalyzer

Example
This example shows the output for get system log fortianalyzer: status ip secure_connection username passwd auto_install : : : : : : disable 0.0.0.0 disable admin * disable

get

Page 162

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system log settings


Use this command to view log settings.

Syntax
get system log settings

Example
This example shows the output for get system log settings: FCH-custom-field1 FCH-custom-field2 FCH-custom-field3 FCH-custom-field4 FCH-custom-field5 FCT-custom-field1 FCT-custom-field2 FCT-custom-field3 FCT-custom-field4 FCT-custom-field5 FGT-custom-field1 FGT-custom-field2 FGT-custom-field3 FGT-custom-field4 FGT-custom-field5 FML-custom-field1 FML-custom-field2 FML-custom-field3 FML-custom-field4 FML-custom-field5 FWB-custom-field1 FWB-custom-field2 FWB-custom-field3 FWB-custom-field4 FWB-custom-field5 analyzer analyzer-interface analyzer-quota analyzer-quota-full analyzer-settings local local-level local-quota local-quota-full local-settings rolling-regular: syslog syslog-csv syslog-filter
get

: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :

(null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) (null) enable port1 1000 overwrite device enable information 1000 overwrite device

: disable : disable :
Page 163 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

syslog-ip syslog-level syslog-port

: 0.0.0.0 : emergency : 514

system mail
Use this command to view alert email configuration.

Syntax
get system mail <server name>

Example
This example shows the output for get system mail Test2: server auth passwd port user : : : : : Test2 enable * 25 test@fortinet.com

system ntp
Use this command to view NTP settings.

Syntax
get system ntp

Example
This example shows the output for get system ntp: ntpserver: == [ 1 ] id: 1 status sync_interval

: enable : 60

system password-policy
Use this command to view the system password policy.

Syntax
get system password-policy

get

Page 164

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
This example shows the output for get system password-policy: status : minimum-length : must-contain : non-alphanumeric change-4-characters : expire : enable 8 upper-case-letter lower-case-letter number disable 60

system performance
Use this command to view performance statistics on your FortiAnalyzer unit.

Syntax
get system performance

Example
This example shows the output for get system performance: CPU: Used: Used(Excluded NICE):0.5% CPU_num: 2. CPU[0] usage: 0% CPU[1] usage: 2% Memory: Total: Used: Hard Disk: Total: Used: Flash Disk: Total: Used: 6,199,628 KB 703,880 KB 961,434,656 KB 86,170,876 KB 253,871 KB 37,825 KB 11.4% 0.6%

9.0%

14.9%

system snmp community


Use this command to view SNMP community information.

Syntax
get system snmp community <community ID>

get

Page 165

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system snmp sysinfo


Use this command to view SNMP configuration.

Syntax
get system snmp sysinfo

Example
This example shows the output for get system snmp sysinfo: contact_info : (null) description : (null) engine-id : (null) location : (null) status : enable trap-high-cpu-threshold: 80 trap-low-memory-threshold: 80

system snmp user


Use this command to view SNMP user configuration.

Syntax
get system snmp user <name>

Example
This example shows the output for get system snmp user 1: name : 1 events : disk_low intf_ip_chg sys_reboot cpu_high mem_low raid_changed log-alert log-rate log-data-rate notify-hosts : 1.2.3.4 queries : enable query-port : 161 security-level : auth-priv auth-proto : sha auth-pwd : * priv-proto : aes priv-pwd : *

system route
Use this command to view routing table configuration.

Syntax
get system route <seq_num>

get

Page 166

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
This example shows the output for get system route 1: seq_num device dst gateway : : : : 1 port1 0.0.0.0 0.0.0.0 172.16.81.1

system route6
Use this command to view IPv6 routing table configuration.

Syntax
get system route6 <entry number>

system sql
Use this command to view SQL settings.

Syntax
get system sql

Example
This example shows the output for get system sql: prompt-sql-upgrade : enable status : local auto-table-upgrade : disable database-type : postgres logtype : app-ctrl attack content dlp emailfilter event generic history traffic virus voip webfilter netscan start-time : 16:59 2013/03/18 table-partition-mode: auto table-partition-time-range: 86400 table-partition-time-range-max: 604800 table-partition-time-range-min: 10

system status
Use this command to view the status of your FortiAnalyzer unit.

Syntax
get system status

get

Page 167

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Example
This example shows the output for get system status: Platform Type Version Serial Number BIOS version System Part-Number Hostname Max Number of Admin Domains Max Number of Device Groups Admin Domain Configuration FIPS Mode Branch Point Release Version Information Current Time Daylight Time Saving Time Zone Disk Usage : : : : : : : : : : : : : : : : FAZ200D v5.0-build0150 130327 (GA Patch 2) FL200D3A12000004 00010003 P11737-01 FAZ200D 150 150 Disabled Disabled 150 (GA Patch 2) Thu Mar 28 17:38:20 PDT 2013 Yes (GMT-8:00)Pacific Time(US&Canada) Free 834.72GB, Total 916.90GB

system syslog
Use this command to view syslog information.

Syntax
get system syslog <name of syslog server>

Example
This example shows the output for get system syslog Test: name ip port : Test : 172.16.86.1 : 514

get

Page 168

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

show
The show commands display a part of your Fortinet units configuration in the form of commands that are required to achieve that configuration from the firmwares default state.

Although not explicitly shown in this section, for all config commands, there are related show commands that display that part of the configuration.The show commands use the same syntax as their related config command.

Unlike the get command, show does not display settings that are assumed to remain in their default state. The following examples show the difference between the output of the show command branch and the get command branch.

Example show command


show system dns config system dns set primary 208.91.112.53 set secondary 208.91.112.63 end

Example get command


get system dns primary secondary : 208.91.112.53 : 208.91.112.63

show

Page 169

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Appendix A: Object Tables


Global object categories
38 "webfilter ftgd-local-cat" 52 "vpn certificate ca" 64 "spamfilter mheader" 140 "firewall address" 145 "user radius" 148 "user peer" 254 "firewall service predefined" 171 "firewall schedule recurring" 288 "ips sensor" 296 "firewall ldb-monitor" 1043 "wanopt peer" 1076 "system replacemsg-group" 47 "webfilter urlfilter" 56 "spamfilter bword" 67 "spamfilter iptrust" 142 "firewall addrgrp" 146 "user ldap" 152 "user group" 168 "firewall service group" 172 "firewall ippool" 292 "log custom-field" 1028 "application list" 1044 "wanopt auth-group" 1097 "firewall mms-profile" 51 "webfilter ftgd-local-rating" 60 "spamfilter dnsbl" 85 "ips custom" 255 "user adgrp" 147 "user local" 167 "firewall service custom" 170 "firewall schedule onetime" 173 "firewall vip" 293 "user tacacs+" 1038 "dlp sensor" 1054 "vpn ssl web portal" 1203 "firewall gtp" 1327 "webfilter content" 1364 "firewall shaper traffic-shaper" 1370 "vpn ssl web host-check-software" 1433 "spamfilter profile" 150 "system object-tag" 335 "dlp filepattern" 321 "user fsso" 457 "wanopt profile" 475 "user device-category" 800 "dynamic interface" 1005 "vpnmgr node" 822 "sql-report chart" 827 "sql-report layout"

1213 "firewall carrier-endpoint-bwl" 1216 "antivirus notification" 1337 "endpoint-control profile" 1338 "firewall schedule group"

1365 "firewall shaper per-ip-shaper" 1367 "vpn ssl web virtual-desktop-app-list" 1413 "webfilter profile" 1472 "antivirus mms-checksum" 184 "user fortitoken" 343 "icap server" 390 "system sms-server" 384 "firewall service category" 476 "user device" 810 "dynamic address" 1100 "system meta" 824 "sql-report dataset" 1420 "antivirus profile" 1482 "voip profile" 273 "web-proxy forward-server" 344 "icap profile" 397 "spamfilter bwl" 474 "application custom" 492 "firewall deep-inspection-options" 1004 "vpnmgr vpntable" 820 "report output" 825 "sql-report dashboard"

Object Tables

Page 170

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

1494 "dynamic vip" 1509 "dynamic vpntunnel"

1495 "dynamic ippool"

1504 "dynamic certificate local"

Device object ID values


1 "system vdom" 8 "system interface" 18 "system replacemsg ftp" 21 "system replacemsg fortiguard-wf" 24 "system replacemsg auth" 28 "system snmp community" 47 "webfilter urlfilter" 53 "vpn certificate local" 56 "spamfilter bword" 67 "spamfilter iptrust" 76 "imp2p msn-user" 117 "system session-helper" 128 "antivirus quarfilepattern" 131 "system gre-tunnel" 137 "system dhcp reserved-address" 142 "firewall addrgrp" 146 "user ldap" 152 "user group" 157 "vpn ipsec manualkey" 167 "firewall service custom" 170 "firewall schedule onetime" 173 "firewall vip" 189 "firewall dnstranslation" 200 "router access-list" 206 "router key-chain"
Object Tables

3 "system accprofile" 16 "system replacemsg mail" 19 "system replacemsg nntp" 22 "system replacemsg spam" 25 "system replacemsg im" 38 "webfilter ftgd-local-cat" 51 "webfilter ftgd-local-rating" 54 "vpn certificate crl" 60 "spamfilter dnsbl" 74 "imp2p aim-user" 77 "imp2p yahoo-user" 118 "system tos-based-priority" 130 "system ipv6-tunnel" 132 "system arp-table" 138 "system zone" 255 "user adgrp" 147 "user local" 155 "vpn ipsec phase1" 158 "vpn ipsec concentrator" 254 "firewall service predefined" 171 "firewall schedule recurring" 178 "firewall ipmacbinding table" 190 "firewall multicast-policy" 202 "router aspath-list" 208 "router community-list"
Page 171

5 "system admin" 17 "system replacemsg http" 20 "system replacemsg alertmail" 23 "system replacemsg admin" 26 "system replacemsg sslvpn" 1300 "application recognition predefined" 52 "vpn certificate ca" 55 "vpn certificate remote" 64 "spamfilter mheader" 75 "imp2p icq-user" 85 "ips custom" 124 "antivirus service" 314 "system sit-tunnel" 135 "system dhcp server" 140 "firewall address" 145 "user radius" 148 "user peer" 156 "vpn ipsec phase2" 165 "vpn ipsec forticlient" 168 "firewall service group" 172 "firewall ippool" 181 "firewall policy" 199 "system mac-address-table" 204 "router prefix-list" 210 "router route-map"
FortiAnalyzer v5.0 Patch Release 2 CLI Reference

225 "router static" 284 "system switch-interface" 292 "log custom-field" 297 "ips decoder" 317 "system wccp"

226 "router policy" 285 "system session-sync" 293 "user tacacs+" 299 "ips rule" 318 "firewall interface-policy"

253 "system proxy-arp" 288 "ips sensor" 296 "firewall ldb-monitor" 307 "router auth-path" 1020 "system replacemsg ec" 1027 "application name" 1041 "user ban" 1045 "wanopt ssl-server" 1061 "system wireless ap-status" 1092 "system replacemsg mms" 1095 "system replacemsg mm4" 1203 "firewall gtp" 1326 "system replacemsg traffic-quota" 1338 "firewall schedule group"

1021 "system replacemsg nac-quar" 1022 "system snmp user" 1028 "application list" 1043 "wanopt peer" 1047 "wanopt storage" 1075 "system replacemsg-image" 1093 "system replacemsg mm1" 1096 "system replacemsg mm7" 1038 "dlp sensor" 1044 "wanopt auth-group" 1054 "vpn ssl web portal" 1076 "system replacemsg-group" 1094 "system replacemsg mm3" 1097 "firewall mms-profile"

1213 "firewall carrier-endpoint-bwl" 1216 "antivirus notification" 1327 "webfilter content" 1337 "endpoint-control profile"

1364 "firewall shaper traffic-shaper" 1365 "firewall shaper per-ip-shaper" 1367 "vpn ssl web virtual-desktop-app-list" 1370 "vpn ssl web host-check-software" 1382 "report summary" 1399 "wireless-controller wtp" 1413 "webfilter profile" 1440 "firewall profile-protocol-options" 1462 "report style" 1482 "voip profile" 1490 "report theme" 180 "system port-pair" 184 "user fortitoken" 273 "web-proxy forward-server" 335 "dlp filepattern" 1373 "report dataset" 1375 "report chart"

1387 "firewall sniff-interface-policy" 1396 "wireless-controller vap" 1402 "wireless-controller ap-status" 1412 "system replacemsg webproxy" 1420 "antivirus profile" 1453 "firewall profile-group" 1463 "report layout" 1485 "netscan assets" 150 "system object-tag" 182 "system 3g-modem custom" 212 "webfilter override" 330 "system ddns" 337 "dlp fp-sensitivity" 1433 "spamfilter profile" 1461 "system storage" 1472 "antivirus mms-checksum" 1487 "firewall central-nat" 169 "system dhcp6 server" 183 "application rule-settings" 270 "firewall local-in-policy" 331 "system replacemsg captive-portal-dflt" 338 "dlp fp-doc-source"

Object Tables

Page 172

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

342 "webfilter ftgd-warning" 352 "system monitors" 355 "router gwdetect" 390 "system sms-server" 406 "vpn certificate ocsp-server" 428 "firewall identity-based-route" 434 "firewall isf-acl"

343 "icap server" 354 "system sp" 386 "system physical-switch" 394 "system replacemsg utm" 408 "user password-policy" 431 "web-proxy debug-url" 435 "firewall DoS-policy"

344 "icap profile" 321 "user fsso" 388 "system virtual-switch" 397 "spamfilter bwl" 412 "webfilter search-engine" 432 "firewall ttl-policy" 437 "firewall sniffer" 441 "switch-controller managed-switch" 269 "firewall multicast-address" 467 "system geoip-override" 476 "user device" 492 "firewall deep-inspection-options"

438 "wireless-controller wids-profile" 439 "switch-controller vlan" 453 "firewall ip-translation" 384 "firewall service category" 474 "application custom" 483 "system server-probe" 457 "wanopt profile" 466 "system ips-urlfilter-dns" 475 "user device-category" 473 "system replacemsg device-detection-portal"

Object Tables

Page 173

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

Index
A
abbreviation 20 access privileges ADOMs 25 add-vm-license 90 admin ldap 29 profile 30 profileid 42 radius 34 setting 35 ssh-public-key 43 tacacs 39 trusted hosts 45 trusthost 42 user 40 user password 42 administrative access 61 administrative domains. See ADOMs administrator account password 42 ADOMs 25 access privileges 25 admin account privileges 25 config system global 25 maximum 26 permissions 25 aggregation-client 46 aggregation-service 48 alert-console 49 alertemail 52 alert-event 50 allowaccess interface 61 CLI abbreviate commands 20 command branches 12 command completion 20 editing commands 20 help 19 objects 12 recalling commands 20 syntax 11 config 14 ADOMs 25 delete 13 edit 13 get 13 purge 13 config system global ADOMs 25 connecting to the CLI 12 console baudrate 23, 96 crashlog 118, 145

D
daemon test 150 database configuration restoring 103 date 96 daylightsavetime 59 debug application 114 cli 117 console 117 crashlog 118 disable 118 dpm 118 enable 119 info 119 log levels 24 sysinfo 120 sysinfo-log 121 sysinfo-log backup 121 sysinfo-log-list 121 timestamp 123 vminfo 123 delete 13 device 97 devicelog 97

B
backup 91, 93 logs 91 logs-only 92 backup all-settings 53 baud rate changing 23 bootimage 94

C
cdb check 114 certificate 54, 55 ca 54, 94 local 55, 95 ssh 56 vpn local 55

Page 174

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

diagnose cdb 114 debug 114 dvm 125 fgfm 130 fmnetwork 130 fortilogd 132 hardware 132 sniffer 137 sql 143 system 143 test application 150 test search 151 test sftp 151 testpolicy-check 150 upload clear 151 upload status 152 dlp-archives quar-cache 124 rebuild-quar-db 124 statistics 125 status 125 dm 57 dminstalllog 145 dns 57 dvm adom 125 chassis 126 check-integrity 126 debug 127 device 127 device-tree-update 127 group 128 lock 128 proc 128 supported-platforms 129 task 129 transaction-flag 129

execute add-vm-license 90 backup 91 bootimage 94 certificate 94 console 96 console baudrate 23 date 96 device 97 devicelog 97 factory-license 97 fgfm 98 format 98 log-aggregation 99 ping 100 ping6 101 raid 101 reboot 102 remove reports 102 reports-config 93, 105 reset all-settings 102 reset-sqllog-transfer 102 restore 103 shell 106 shutdown 106 sql-local 106 sql-query-dataset 108 sql-query-generic 108 sql-report run 108 ssh 109 time 110 top 110 traceroute 112 traceroute6 112

F
factory-license 97 fgfm 130 reclaim-dev-tunnel 98 file system 146 filesystem repair 146 fips 57 firmware image uploading 104 flash memory 145 test 145 fmnetwork arp 130 interface 131 netstat 131 format 98 format disk execute 98 FortiAnalyzer server 149 fortilogd 132 Fortinet Technical Support 139

E
edit 13 encrypted password support 21

G
get 13
Index Page 175 FortiAnalyzer v5.0 Patch Release 2 CLI Reference

global system 58 global settings 58

H
hard disk 144 diagnostics 144 formatting 98 help 19 host-name execute traceroute 112 HTTP 61 HTTPS 61

I
image execute restore 104 interface ip 61 port 60 ip execute backup 91 IPv4 149 IPv6 149 routes 149

password-policy 80 path execute backup all-settings 91 permissions ADOMs 25 ping 61, 100 ping6 101 port configuring 60 process kill 148 view 148 profile 30 purge 13

R
RADUIS server 34 RAID 148 information 148 raid 101 reboot 102 remove 102 reset 102 reset-sqllog-transfer 102 restore 103, 105 execute 103 route 81 route6 81 routes IPv4 149

L
LDAP server 29 locallog disk setting 62 locallog filter 65 locallog fortianalyzer setting 66 locallog memory setting 67 locallog syslogd setting 68 log levels 24 log fortianalyzer 71 log setting 72 log-aggregation 99 logical volume manager. See LVM login session view 143 logs export 145 LVM 100

S
search daemon 151 secure file transfer protocol 151 server information 146 set 14 settings 35 shell 106 show 14 system interface 159 shutdown 106 sniffer 137 packet capture 137 packet trace 137 snmp community 82 snmp sysinfo 85 snmp user 86 sql 143 sql-local 106 sql-query-dataset 108 sql-query-generic 108 sql-report run 108 ssh 61, 109 syslog 89

M
mail 78 max-log-file-size 63

N
next 14 NTP 146 server information 146 ntp 79

P
password 21 encrypted 21 execute backup 91
Index

Page 176

FortiAnalyzer v5.0 Patch Release 2 CLI Reference

system 28 admin 29 admin-session 143 aggregation-client 46 aggregation-service 48 alert-console 49 alertemail 52 alert-event 50 backup all-settings 53 backup status 157 disk 144 dm 57 dns 57 export 145 fips 57 flash 145 fsck 146 interface 60, 159 locallog disk setting 62 locallog filter 65 locallog fortianalyzer setting 66 locallog memory setting 67 locallog syslogd setting 68 log fortianalyzer 71 log setting 72 mail 78 ntp 79, 146 password-policy 80 performance 165 print 146 process 148 raid 148 route 81, 149 route6 81, 149 server 149 snmp community 82 snmp sysinfo 85 snmp user 86 status 167 syslog 89

T
TACACS+ server 39 test application 150 test policy-check 150 test search 151 test sftp 151 time 110 top 110 traceroute 112 traceroute6 112 trusted hosts 45 trusthost 42

U
unset 14 upgradelog 145 upload clear 151 upload status 152 US-ASCII 140 user 40

V
vpn 54

Index

Page 177

FortiAnalyzer v5.0 Patch Release 2 CLI Reference