FortiBridge CLI Reference
FortiBridge 3.0

FortiBridge CLI Reference for FortiBridge 3.0
9 November 2010
09-300-133020-20101109

© Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiBridge, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
  Before you begin
  How this chapter is organized
  Document conventions
    IP addresses
    Example Network configuration
    Cautions, Notes and Tips
    Typographical conventions
    CLI command syntax conventions
  Entering FortiBridge configuration data
    Entering text strings (names)
    Entering numeric values
    Selecting options from a list
    Enabling or disabling options
  Registering your Fortinet product
  Fortinet products End User License Agreement
  Training
  Documentation
    Fortinet Tools and Documentation CD
    Fortinet Knowledge Base
    Comments on Fortinet technical documentation
  Customer service and technical support

config
  alertemail setting (Command syntax pattern, Examples, Related Commands)
  log syslogd setting (Command syntax pattern, Example, Related Commands)
  probe probe_list {ping | http | ftp | pop3 | smtp | imap | mm1 | mm3 | mm4 | mm7} (Command syntax pattern, Example, Related Commands)
  probe setting (Command syntax pattern, Example, Related Commands)
  system accprofile (Command syntax pattern, Example, Related Commands)
  system admin (Command syntax pattern, Example, Related Commands)
  system console (Command syntax pattern, Example)
  system dns (Command syntax pattern, Example)
  get system status (Command syntax pattern)
  system fail_close (Command syntax pattern, Example)
  system global (Command syntax pattern, Example)
  system interface {internal | external} (Command syntax pattern, Example)
  system manageip (Command syntax pattern, Example, Related Commands)
  system route (Command syntax pattern, Example)
  system snmp community (Command syntax pattern)
    config hosts (Command syntax pattern, Example)

execute
  backup (Command syntax, Example)
  date (Command syntax, Example)
  factoryreset (Command syntax)
  ping (Command syntax, Example)
  reboot (Command syntax)
  restore (Command syntax, Example)
  switch-mode (Command syntax)
  time (Command syntax, Example)

Introduction

Welcome and thank you for selecting Fortinet products for your network protection.
The FortiOS Handbook: FortiBridge CLI Reference describes the FortiBridge CLI commands. For instructions on how to install your FortiBridge unit and use the web-based manager, see the FortiGate Hardware Guide or the Hardware chapter of The FortiOS Handbook.

This section contains the following topics:
• Before you begin
• How this chapter is organized
• Document conventions
• Entering FortiBridge configuration data
• Registering your Fortinet product
• Fortinet products End User License Agreement
• Training
• Documentation
• Customer service and technical support

Before you begin

Before you begin using this guide, take a moment to note the following:
• Administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.
• Firewall policies limit access, and, while this and other similar features are a vital part of securing your network, they are not covered in this guide.
• If your FortiGate unit supports SSL acceleration, it also supports SSL content scanning and inspection for HTTPS, IMAPS, POP3S, and SMTPS traffic.

How this chapter is organized

This FortiOS Handbook chapter contains these sections:

config lists and describes all of the CLI commands in the FortiBridge config command structure. These are generally commands used to configure the FortiBridge unit.

execute lists and describes all of the CLI commands in the FortiBridge execute command structure. These commands perform actions, including backing up and restoring the FortiBridge configuration, switching between normal and bypass modes, and using the ping command to test connectivity.

Document conventions

Fortinet technical documentation uses the conventions described below.

IP addresses

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Most of the examples in this document use the following IP addressing:
• IP addresses are made up of A.B.C.D
• A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.
• B - 168, or the branch / device / virtual device number.
  • Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
  • Device or virtual device - allows multiple FortiGate units in this address space (VDOMs).
  • Devices can be from x01 to x99.
• C - interface - FortiGate units can have up to 40 interfaces, potentially more than one on the same subnet
  • 001 - 099 - physical address ports, and non-virtual interfaces
  • 100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
• D - usage based addresses, this part is determined by what the device is doing
  • The following gives 16 reserved, 140 users, and 100 servers in the subnet.
  • 001 - 009 - reserved for networking hardware, like routers, gateways, etc.
  • 010 - 099 - DHCP range - users
  • 100 - 109 - FortiGate devices - typically only use 100
  • 110 - 199 - servers in general (see later for details)
  • 200 - 249 - static range - users
  • 250 - 255 - reserved (255 is broadcast, 000 not used)
  • The D segment servers can be further broken down into:
    • 110 - 119 - Email servers
    • 120 - 129 - Web servers
    • 130 - 139 - Syslog servers
    • 140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc)
    • 150 - 159 - VoIP / SIP servers / managers
    • 160 - 169 - FortiAnalyzers
    • 170 - 179 - FortiManagers
    • 180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
    • 190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)
  • Fortinet products, non-FortiGate, are found from 160 - 189.

The following table shows some examples of how to choose an IP number for a device based on the information given. For internal and dmz, it is assumed in this case there is only one interface being used.

Table 1: Examples of the IP numbering

Location and device | Internal | Dmz | External
Head Office, one FortiGate | 10.011.101.100 | 10.011.201.100 | 172.20.120.191
Head Office, second FortiGate | 10.012.101.100 | 10.012.201.100 | 172.20.120.192
Branch Office, one FortiGate | 10.021.101.100 | 10.021.201.100 | 172.20.120.193
Office 7, one FortiGate with 9 VDOMs | 10.079.101.100 | 10.079.101.100 | 172.20.120.194
Office 3, one FortiGate, web server | n/a | 10.031.201.110 | n/a
Bob in accounting on the corporate user network (dhcp) at Head Office, one FortiGate | 10.0.11.101.200 | n/a | n/a
Router outside the FortiGate | n/a | n/a | 172.20.120.195

Example Network configuration

The network configuration shown in Figure 1 or variations on it is used for many of the examples in this document. In this example, the 172.20.120.0 network is equivalent to the Internet. The network consists of a head office and two branch offices.

[Figure 1: Example network configuration. Diagram of the head office, two branch offices and the engineering network 10.22.101.0.]

Cautions, Notes and Tips

Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions

Fortinet documentation uses the following typographical conventions:

Table 2: Typographical conventions in Fortinet technical documentation

Convention
    Example

Button, menu, text box, field, or check box label
    From Minimum log level, select Notification.

CLI input
    config system dns
        set primary <address_ipv4>
    end

CLI output
    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat

Emphasis
    HTTP connections are not secure and can be intercepted by a third party.

File content
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>

Hyperlink
    Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Keyboard entry
    Type a name for the remote VPN peer or client, such as Central_Office_1.

Navigation
    Go to VPN > IPSEC > Auto Key (IKE).

Publication
    For details, see the FortiOS Handbook.

CLI command syntax conventions

This guide uses the following conventions to describe the syntax to use when entering commands in the Command Line Interface (CLI).

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

Table 3: Command syntax notation

Convention
    Description

Square brackets [ ]
    A non-required word or series of words. For example:
        [verbose {1 | 2 | 3}]
    indicates that you may either omit or type both the verbose word and its accompanying option, such as:
        verbose 3

Angle brackets < >
    A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example:
        <retries_int>
    indicates that you should enter a number of retries, such as 5.
    Data types include:
    • <xxx_name>: A name referring to another part of the configuration, such as policy_A.
    • <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
    • <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
    • <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
    • <xxx_email>: An email address, such as admin@mail.example.com.
    • <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
    • <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
    • <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
    • <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
    • <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
    • <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
    • <xxx_v6mask>: An IPv6 netmask, such as /96.
    • <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
    • <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
    • <xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes.

Curly braces { }
    A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Options delimited by vertical bars |
    Mutually exclusive options. For example:
        {enable | disable}
    indicates that you must enter either enable or disable, but must not enter both.

Options delimited by spaces
    Non-mutually exclusive options. For example:
        {http https ping snmp ssh telnet}
    indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
        ping https ssh
    Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:
        ping https snmp ssh
    If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.

Entering FortiBridge configuration data

The configuration of a FortiGate unit is stored as a series of configuration settings in the FortiBridge configuration database. To change the configuration you can use the web-based manager or CLI to add, delete or change configuration settings. These configuration changes are stored in the configuration database as they are made.

Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable).

Entering text strings (names)

Text strings are used to name entities in the configuration. For example, the name of a firewall address, administrative user, and so on. You can enter any character in a FortiGate configuration text string, with one exception: to prevent Cross-Site Scripting (XSS) vulnerabilities, text strings in FortiGate configuration names cannot include the following characters:

" (double quote), & (ampersand), ' (single quote), < (less than) and > (greater than)

You can determine the limit to the number of characters that are allowed in a text string by determining how many characters the web-based manager or CLI allows for a given name field. From the CLI, you can also use the tree command to view the number of characters that are allowed. For example, firewall address names can contain up to 64 characters. When you add a firewall address to the web-based manager you are limited to entering 64 characters in the firewall address name field.
From the CLI you can do the following to confirm that the firewall address name field allows 64 characters.

    config firewall address
    tree
    -- [address] --*name (64)
                  |- subnet
                  |- type
                  |- start-ip
                  |- end-ip
                  |- fqdn (256)
                  |- cache-ttl (0,86400)
                  |- wildcard
                  |- comment (64 xss)
                  |- associated-interface (16)
                  +- color (0,32)

Note that the tree command output also shows the number of characters allowed for other firewall address name settings. For example, the fully-qualified domain name (fqdn) field can contain up to 256 characters.

Entering numeric values

Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example the IP address 10.10.10.1) or as in the case of MAC or IPv6 addresses separated by colons (for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (again such as MAC addresses) require hexadecimal numbers.

Most web-based manager numeric value configuration fields limit the number of numeric digits that you can add or contain extra information to make it easier to add the acceptable number of digits and to add numbers in the allowed range. CLI help includes information about allowed numeric value ranges. Both the web-based manager and the CLI prevent you from entering invalid numbers.

Selecting options from a list

If a configuration field can only contain one of a number of selected options, the web-based manager and CLI present you a list of acceptable options and you can select one from the list. No other input is allowed. From the CLI you must spell the selection name correctly.
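
An added example, not part of the Fortinet document: a Python pre-check that reads the field limits from the tree output shown above and tests candidate values against them before they are pushed to a device. Reading "(N)" as a maximum length follows the text; reading "(low,high)" as an inclusive integer range, and applying the five-character XSS rule to every text field rather than only to names, are assumptions.

```python
"""Pre-check values against field limits read from `tree` output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five characters the page lists as rejected in configuration names.
FORBIDDEN_CHARS = {
    '"': "double quote",
    "&": "ampersand",
    "'": "single quote",
    "<": "less than",
    ">": "greater than",
}

# `tree` output for `config firewall address`, as shown on the page.
TREE_OUTPUT = """\
-- [address] --*name (64)
              |- subnet
              |- type
              |- start-ip
              |- end-ip
              |- fqdn (256)
              |- cache-ttl (0,86400)
              |- wildcard
              |- comment (64 xss)
              |- associated-interface (16)
              +- color (0,32)
"""

# A branch marker (|-, +- or --*), the field name, then an optional "(...)".
BRANCH_RE = re.compile(r"(?:\|-|\+-|--\*)\s*([A-Za-z][\w-]*)(?:\s*\(([^)]*)\))?")


@dataclass
class FieldLimit:
    name: str
    max_len: Optional[int] = None                # "(64)": maximum characters
    int_range: Optional[Tuple[int, int]] = None  # "(0,86400)": assumed inclusive
    xss_tag: bool = False                        # "(64 xss)": tag as printed


def parse_tree(text: str) -> Dict[str, FieldLimit]:
    """Return {field name: FieldLimit} for every branch in the tree output."""
    limits: Dict[str, FieldLimit] = {}
    for line in text.splitlines():
        match = BRANCH_RE.search(line)
        if not match:
            continue
        limit = FieldLimit(name=match.group(1))
        spec = (match.group(2) or "").strip()
        if "," in spec:
            low, high = (int(part) for part in spec.split(","))
            limit.int_range = (low, high)
        elif spec:
            tokens = spec.split()
            limit.max_len = int(tokens[0])
            limit.xss_tag = "xss" in tokens[1:]
        limits[limit.name] = limit
    return limits


def validate(limits: Dict[str, FieldLimit], field: str, value: str) -> List[str]:
    """Return a list of problems; an empty list means the value passes."""
    limit = limits.get(field)
    if limit is None:
        return [f"unknown field {field!r}"]
    if limit.int_range is not None:
        low, high = limit.int_range
        if not re.fullmatch(r"[0-9]+", value):
            return [f"{field}: {value!r} is not a base-10 integer"]
        if not low <= int(value) <= high:
            return [f"{field}: {value} is outside {low}-{high}"]
        return []
    problems: List[str] = []
    if limit.max_len is not None and len(value) > limit.max_len:
        problems.append(f"{field}: {len(value)} characters, limit is {limit.max_len}")
    # Assumption: reject the five characters in every text field, not only names.
    found = sorted({FORBIDDEN_CHARS[ch] for ch in value if ch in FORBIDDEN_CHARS})
    if found:
        problems.append(f"{field}: forbidden characters: {', '.join(found)}")
    return problems


if __name__ == "__main__":
    limits = parse_tree(TREE_OUTPUT)
    # Constructed sample values, not taken from the page.
    samples = [("name", "Head_Office_LAN"), ("name", "<b>lan</b>"),
               ("comment", "x" * 65), ("cache-ttl", "86401")]
    for field, value in samples:
        print(field, repr(value), validate(limits, field, value) or "ok")
```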

Enabling or disabling options

If a configuration field can only be on or off (enabled or disabled) the web-based manager presents a check box or other control that can only be enabled or disabled. From the CLI you can set the option to enable or disable.

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.

Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.

For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.

Fortinet products End User License Agreement

See the Fortinet products End User License Agreement.

Training

Fortinet Training Services provides courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide.

To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.

Documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.

In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

Fortinet Tools and Documentation CD

Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base

The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network.

To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.

You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article FortiGate Troubleshooting Guide - Technical Support Requirements.

config

• alertemail setting
• log syslogd setting
• probe probe_list {ping | http | ftp | pop3 | smtp | imap | mm1 | mm3 | mm4 | mm7}
• probe setting
• system accprofile
• system admin
• system console
• system dns
• get system status
• system fail_close
• system global
• system interface {internal | external}
• system manageip
• system route
• system snmp community

alertemail setting

Use this command to configure the FortiBridge unit to send alert email to up to three recipients when action on failure is set to send an alert email message.

Command syntax pattern

    config alertemail setting
        set <keyword> <variable>
    end
    config alertemail setting
        unset <keyword>
    end
    get alertemail setting
    show alertemail setting

Keywords and variables

authenticate {disable | enable}
    Enable SMTP authentication if the FortiBridge unit is required to authenticate to connect to the SMTP server.
    Default: disable

mailto1 <email-address_str>
    Enter an email address. This is one of the email addresses to which the FortiBridge unit sends alert email.
    Default: No default.

mailto2 <email-address_str>
    Enter an email address. This is one of the email addresses to which the FortiBridge unit sends alert email.
    Default: No default.

mailto3 <email-address_str>
    Enter an email address. This is one of the email addresses to which the FortiBridge unit sends alert email.
    Default: No default.

password <password_str>
    Enter the password that the FortiBridge unit needs to access the SMTP server.
    Default: No default.

server {<name_str> | <address_ipv4>}
    Enter the name of the SMTP server, in the format smtp.domain.com, to which the FortiBridge unit should send email. The SMTP server can be located on any network connected to the FortiBridge unit.
    Default: No default.

username <user-name_str>
    Enter a valid email address in the format user@domain.com. This address appears in the From header of the alert email.
    Default: No default.

Examples

This example shows how to configure the SMTP server and user name and password, enable authentication and add two email addresses.

    config alertemail setting
        set server mail.ourcompany.com
        set username fortigate@ourcompany.com
        set authenticate enable
        set password pwd23
        set mailto1 admin1@ourcompany.com
        set mailto2 admin2@ourcompany.com
    end

This example shows how to display the alertemail settings.

    get alertemail setting

This example shows how to display the configuration of the alertemail setting command.

    show alertemail setting

Related Commands
• probe setting

log syslogd setting

Use this command to configure the FortiBridge unit to send a syslog message to a remote syslog server when action on failure is set to send a syslog message.

Command syntax pattern

    config log syslogd setting
        set <keyword> <variable>
    end
    config log syslogd setting
        unset <keyword>
    end
    get log syslogd setting
    show log syslogd setting

Keywords and variables

csv {disable | enable}
    Enable formatting log messages in Comma Separated Value (CSV) format. If you do not enable CSV format the FortiBridge unit produces plain text log messages.
    Default: disable

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    Enter the facility type, which identifies the source of the log message to the syslog server. You might want to change facility to distinguish log messages from different FortiBridge units.
    Default: local7

port <port_integer>
    Enter the port number for communication with the syslog server.
    Default: 514

server <address_ipv4>
    Enter the IP address of the syslog server that stores the logs.
    Default: No default.

status {disable | enable}
    Enter enable to enable logging to a remote syslog server.
    Default: disable

Example

This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and enable logging in CSV format.

    config log syslogd setting
        set status enable
        set server 220.210.200.190
        set port 601
        set csv enable
    end

This example shows how to display the log setting for logging to a remote syslog server.
    get log syslogd setting

This example shows how to display the configuration for logging to a remote syslog server.

    show log syslogd setting

If the show command returns you to the prompt, the settings are at default.

Related Commands

• probe setting

probe probe_list {ping | http | ftp | pop3 | smtp | imap | mm1 | mm3 | mm4 | mm7}

Use this command to configure probes for ping, HTTP, FTP, POP3, SMTP, and IMAP traffic. Probes monitor different types of traffic. For each protocol you configure the time interval between probes (interval) and how many lost probes are required to register a failure (threshold). You can also enable each probe and in all cases except ping you can specify the port used by the probe.

Command syntax pattern

    config probe probe_list {ping | http | ftp | pop3 | smtp | imap | mm1 | mm3 | mm4 | mm7}
        set <keyword>
    end
    config probe probe_list {ping | http | ftp | pop3 | smtp | imap | mm1 | mm3 | mm4 | mm7}
        unset <keyword>
    end
    get probe probe_list {ping | http | ftp | pop3 | smtp | imap | mm1 | mm3 | mm4 | mm7}
    show probe probe_list {ping | http | ftp | pop3 | smtp | imap | mm1 | mm3 | mm4 | mm7}

Keywords and variables

failure_threshold <threshold_integer>
    The number of probe packets that are lost before the FortiBridge unit determines that the FortiGate unit has failed.
    Default: 3

probe_interval <probe_integer>
    The number of seconds between probe packets.
    Default: 1

status {disable | enable}
    Enable or disable sending probe packets for the current probe protocol.
    Default: disable

test_port <port-number_integer>
    The port number on which the probe sends packets for a given protocol.
    Default: ping (none), http 80, ftp 21, pop3 110, smtp 25, imap 143, mm1 8191, mm3 8193, mm4 8194, mm7 8197

Example

Use the following command to enable HTTP probes and change the HTTP failure threshold to 5 and the probe interval to 3.

    config probe probe_list http
        set status enable
        set failure_threshold 5
        set probe_interval 3
    end

This example shows how to display the settings for the probe probe_list command.

    get probe probe_list

This example shows how to display the settings for the http probe.

    get probe probe_list http

This example shows how to display the configuration for the probe probe_list command.

    show probe probe_list

Related Commands

• probe setting

probe setting

Use this command to configure how the FortiBridge unit responds when a probe determines that the FortiGate unit has failed. You can also configure the dynamic IP pattern used by probes and add the FortiGate serial number, which is used in FortiBridge alert messages.

Command syntax pattern

    config probe setting
        set <keyword>
    end
    config probe setting
        unset <keyword>
    end
    get probe setting
    show probe setting

Keywords and variables

action_on_failure {alertmail failcutoff failopen snmp syslog}
    Set how the FortiBridge unit responds when a probe detects that the FortiGate unit has failed. You can enter one or more of the action types separated by spaces. Enter all of the action options required. If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added.
    Default: failopen

dynamic_ip_pattern <address_ipv4>.*
    Configure the INT2 and EXT2 interfaces with dynamic probe IP addresses. The dynamic probe IP addresses should not conflict with IP addresses on the network that the FortiGate unit is connected to. These IP addresses are not visible from the outside network, but they should not conflict with IP addresses in packets passing through the FortiBridge unit. You cannot change the dynamic IP pattern if any probes are enabled.
    Default: none

fgt_serial <serial_str>
    The serial number of the FortiGate unit that the FortiBridge unit is connected to. This number is used in FortiBridge alert messages to identify the FortiGate unit.
    Default: none

Example

Use the following command to configure the FortiBridge unit to send alert email and fail open when a probe detects a failure, set the IP pattern to 2.2.2.* and add the FGT8002803923050 FortiGate serial number.

    config probe setting
        set action_on_failure alertmail failopen
        set dynamic_ip_pattern 2.2.2.*
        set fgt_serial FGT8002803923050
    end

Related Commands

• probe probe_list {ping | http | ftp | pop3 | smtp | imap | mm1 | mm3 | mm4 | mm7}

system accprofile

Use this command to add access profiles that control administrator access to FortiBridge features. Each administrator account must include an access profile. You can create access profiles that deny access to or allow read only, write only, or both read and write access to FortiBridge features.

Command syntax pattern

    config system accprofile
        edit <profile-name_str>
            set <keyword> <variable>
    end
    config system accprofile
        edit <profile-name_str>
            unset <keyword>
    end
    config system accprofile
        delete <profile-name_str>
    end
    get system accprofile [<profile-name_str>]
    show system accprofile [<profile-name_str>]

Keywords and variables

admingrp {none | r | rw | w}
    Control administrator access to FortiBridge administrator accounts and access profiles.
    none: deny access.
    r: read only access.
    rw: read write access.
    w: write only access.
    Default: none

loggrp {none | r | rw | w}
    Control administrator access to log and alert email settings.
    none: deny access.
    r: read only access.
    rw: read write access.
    w: write only access.
    Default: none

sysgrp {none | r | rw | w}
    Control administrator access to system configuration settings.
    none: deny access.
    r: read only access.
    rw: read write access.
    w: write only access.
    Default: none

sysshutdowngrp {none | r | rw | w}
    Control administrator access to system shutdown, system, reboot, and firmware upgrade functions.
    none: deny access.
    r: read only access.
    rw: read write access.
    w: write only access.
    Default: none

Example

Use the following commands to add a new access profile named policy_profile that allows read and write access to system shutdown. An administrator account with this access profile can shut down the system and upgrade firmware.

    config system accprofile
        edit policy_profile
            set sysshutdowngrp rw
    end

This example shows how to display the settings for the system accprofile command.

    get system accprofile

This example shows how to display the settings for the policy_profile access profile.

    get system accprofile policy_profile

This example shows how to display the configuration for the system accprofile command.

    show system accprofile

This example shows how to display the configuration for the policy_profile access profile.

    show system accprofile policy_profile

Related Commands

• system admin

system admin

Use this command to add, edit, and delete administrator accounts. Use the admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Each administrator account must include an access profile. You cannot delete the admin administrator account.
You cannot change the admin administrator account permissions.

Command syntax pattern

    config system admin
        edit <name_str>
            set <keyword> <variable>
    end
    config system admin
        edit <name_str>
            unset <keyword>
    end
    config system admin
        delete <name_str>
    end
    get system admin [<name_str>]
    show system admin [<name_str>]

Keywords and variables

accprofile <profile-name_str>
    Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiBridge features.
    Default: No default.

password <password_str>
    Enter a password for the administrator account. For improved security, the password should be at least 6 characters long.
    Default: No default.

trusthost1 <address_ipv4mask>
    An IP address or subnet address and netmask from which the administrator can connect to the FortiBridge unit. If you want the administrator to be able to access the FortiBridge unit from any address, set one of the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0/0.0.0.0

trusthost2 <address_ipv4mask>
    An IP address or subnet address and netmask from which the administrator can connect to the FortiBridge unit. If you want the administrator to be able to access the FortiBridge unit from any address, set one of the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0/0.0.0.0

trusthost3 <address_ipv4mask>
    An IP address or subnet address and netmask from which the administrator can connect to the FortiBridge unit. If you want the administrator to be able to access the FortiBridge unit from any address, set one of the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0/0.0.0.0

Example

Use the following commands to add a new administrator account named new_admin with the password set to p8ssw0rd and that includes an access profile named policy_profile.
Administrators that log in to this account will have administrator access to the FortiBridge unit from any IP address.

    config system admin
        edit new_admin
            set password p8ssw0rd
            set accprofile policy_profile
    end

This example shows how to display the settings for the system admin command.

    get system admin

This example shows how to display the settings for the new_admin administrator account.

    get system admin new_admin

This example shows how to display the configuration for the system admin command.

    show system admin

Related Commands

• system accprofile

system console

Use this command to set the console command mode and output setting.

Command syntax pattern

    config system console
        set <keyword> <variable>
    end
    config system console
        unset <keyword>
    end
    get system console
    show system console

Keywords and variables

mode {batch | line}
    Set the console mode to line or batch. Used for auto testing only.
    Default: line

output {standard | more}
    Set console output to standard (no pause) or more (pause after each screen, resume on keypress).
    Default: standard

Example

This example shows how to set the number of lines per page to 25.

    config system console
        set page 25
    end

This example shows how to display the settings for the console command.

    get system console

This example shows how to display the configuration for the console command.

    show system console

system dns

Use this command to set the DNS server addresses. Several FortiBridge functions, including sending email alerts and URL blocking, use DNS. On models numbered 100 and lower, you can use this command to set up DNS forwarding.

Command syntax pattern

    config system dns
        set primary <address_ipv4>
        set secondary <address_ipv4>
    end
    config system dns
        unset primary
        unset secondary
    end
    get system dns
    show system dns

Keywords and variables

primary <address_ipv4>
    Enter the primary DNS server IP address.
    Default: 65.39.139.53

secondary <address_ipv4>
    Enter the secondary DNS IP server address.
    Default: 65.39.139.63

Example

This example shows how to set the primary FortiBridge DNS server IP address to 45.37.121.76 and the secondary FortiBridge DNS server IP address to 45.37.121.77.

    config system dns
        set primary 45.37.121.76
        set secondary 45.37.121.77
    end

This example shows how to display the settings for the system dns command.

    get system dns

This example shows how to display the configuration for the system dns command.

    show system dns

get system status

Use this command to display system status information. This command displays:

• FortiBridge unit firmware version and build number
• FortiBridge unit host name
• FortiBridge unit operation mode (normal or bypass)
• FortiBridge unit serial number

Command syntax pattern

    get system status

system fail_close

Use this command to configure the fail close feature.

Command syntax pattern

    config system fail_close
        set <keyword> <variable>
    end
    config system fail_close
        unset <keyword>
    end
    get system fail_close
    show system fail_close

Keywords and variables

status {disable | fail_close}
    When the FortiBridge detects an upstream or downstream network disconnection (whether due to a cut/disconnected cable, failure of the connected device, or failure of the FortiBridge unit’s own interface), it will bring down its own network interface after waiting the amount of time set for the threshold variable. If the fail close status is set to fail_close and a switch connected to EXT1 fails, the FortiBridge would bring down its own INT1. This way, the device connected to INT1 will be able to determine there is a problem. Similarly, if a device connected to INT1 fails, the FortiBridge would bring down its own EXT1. When the problem is corrected, the FortiBridge will enable its own network interface after waiting the amount of time set for the threshold variable.
    Default: disable

threshold <seconds_integer>
    Enter how long, in seconds, the FortiBridge will wait after detecting a network problem before activating the fail close feature. The FortiBridge will wait the specified time before deactivating the fail close feature when the problem is corrected.
    Default: 3

Example

This example shows how to enable the FortiBridge fail_close feature, and set the threshold time to five seconds.

    config system fail_close
        set status fail_close
        set threshold 5
    end

This example shows how to display the configuration for the system fail_close command.

    show system fail_close

system global

Use this command to configure global settings that affect various FortiBridge systems and configurations.

Command syntax pattern

    config system global
        set <keyword> <variable>
    end
    config system global
        unset <keyword>
    end
    get system global
    show system global

Keywords and variables

admintimeout <minutes_integer>
    Set the administrator idle timeout to control the amount of inactive time before the administrator must log in again. The maximum admintimeout is 480 minutes (8 hours). To improve security keep the idle timeout at the default value.
    Default: 5

dst {disable | enable}
    Enable or disable daylight saving time. If you enable daylight saving time, the FortiBridge unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.
    Default: disable

heartbeat {disable | enable}
    For future use.
    Default: disable

hostname <name_str>
    Type a name for this FortiBridge unit.
    Default: FortiBridge model name.

interface-speed {100full | 100half | 10full | 10half | auto}
    This command is only available for the FBG-2002. Set the network interface speed or allow each interface to auto-sense the correct speed. Set to auto, each FortiBridge network interface will auto-sense the correct speed and adjust accordingly. If the interface-speed command is used to specify a speed, all FortiBridge interfaces are locked to the selected speed. Although the FortiBridge supports 10/100/1000 Mbps speeds when set to auto, 1000half and 1000full are not available for manual selection.
    Default: auto

ntpserver {<name_str> | <address_ipv4>}
    Enter the domain name or IP address of a Network Time Protocol (NTP) server.
    Default: 132.246.168.148

ntpsync {disable | enable}
    Enable or disable automatically updating the system date and time by connecting to a Network Time Protocol (NTP) server. For more information about NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org.
    Default: disable

syncinterval <minutes_integer>
    Enter how often, in minutes, the FortiGate unit should synchronize its time with the Network Time Protocol (NTP) server. The syncinterval number can be 1 to 1440; 0 disables time synchronization.
    Default: 60

timezone <timezone_integer>
    The number corresponding to your time zone. Press ? to list time zones and their numbers. Choose the time zone for the FortiBridge unit from the list and enter the correct number.
    Default: 00

Example

This example shows how to set the FortiBridge system timezone, add the IP address of an NTP server, and enable synchronization with the NTP server. The IP address of the NTP server is 192.168.20.1.

    config system global
        set timezone 16
        set ntpserver 192.168.20.1
        set ntpsync enable
    end

This example shows how to display the settings for the system global command.

    get system global

This example shows how to display the configuration for the system global command.

    show system global

system interface {internal | external}

Use this command to configure management access to the FortiBridge internal or external interface. The internal interface is the INT1 interface. The external interface is the EXT1 interface.

Command syntax pattern

Entering a name string for the edit keyword that is not the name of a physical interface adds a VLAN subinterface.

    config system interface {internal | external}
        set <keyword> <variable>
    end
    config system interface {internal | external}
        unset <keyword>
    end
    get system interface <name_str>
    show system interface <name_str>

Keywords and variables

allowaccess {ping ssh telnet}
    Allow management access to the interface.
    You can enter one or more of the management access types separated by spaces. Enter all the management access options for the interface. Use a space to separate the options. If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added.
    Default: INT1 (internal): ping, ssh, telnet. EXT1 (external): none.

Example

This example shows how to set management access for the INT1 interface to ping and ssh.

    config system interface internal
        set allowaccess ping ssh
    end

This example shows how to display the settings for the INT1 interface.

    get system interface internal

This example shows how to display the configuration for the INT1 interface.

    show system interface internal

system manageip

Configure the FortiBridge management IP address. Use the management IP address for management access to the FortiBridge unit.

Command syntax pattern

    config system manageip
        set <keyword> <variable>
    end
    config system manageip
        unset <keyword>
    end
    get system manageip
    show system manageip

Keywords and variables

ip <address_ipv4mask>
    Set the IP address and netmask of the FortiBridge management interface.
    Default: 192.168.1.99 255.255.255.0

Example

This example shows how to set the management IP address to 192.168.2.80 and the netmask to 255.255.255.0.

    config system manageip
        set ip 192.168.2.80 255.255.255.0
    end

This example shows how to display the settings for the manageip command.

    get system manageip

This example shows how to display the configuration for the manageip command.

    show system manageip

Related Commands

• system interface {internal | external}

system route

Use this command to add or edit FortiBridge static routes.

Command syntax pattern

    config system route
        edit <sequence_integer>
            set <keyword> <variable>
    end
    config router static
        unset <keyword>
    get system route
    show system route

Keywords and variables

distance <distance_integer>
    The administrative distance for the route. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255.
    Default: 10

dst <destinationaddress_ipv4mask>
    The destination IP address and netmask for this route. Enter 0.0.0.0 0.0.0.0 for the destination IP address and netmask to add a default route.
    Default: 0.0.0.0 0.0.0.0

gateway <gatewayaddress_ipv4>
    The IP address of the first next hop router to which this route directs traffic.
    Default: No default.

Example

This example shows how to edit a FortiBridge static route.

    config system route
        edit 2
            set dst 192.168.22.0 255.255.255.0
            set gateway 192.168.22.44
    end

This example shows how to display the list of static route numbers.

    get system route

This example shows how to display the settings for static route 2.

    get system route 2

This example shows how to display the static route configuration.

    show system route

This example shows how to display the configuration for static route 2.

    show system route 2

system snmp community

Use this command to configure SNMP communities. Add SNMP communities so that the FortiBridge unit can send SNMP v1 and v2c traps to SNMP managers when action on failure is set to send SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP traps. You can also add the IP addresses of up to 8 SNMP managers to each community.

Command syntax pattern

    config system snmp community
        edit <id_integer>
            set <keyword> <variable>
    end
    config system snmp community
        edit <id_integer>
            unset <keyword>
    end
    config system snmp community
        delete <id_integer>
    end
    get system snmp community [<id_integer>]
    show system snmp community [<id_integer>]

The config system snmp community command has one subcommand.

    config hosts

Keywords and variables

name <name_str>
    The name of the SNMP community.
    Default: No default.

status {disable | enable}
    Enable or disable the SNMP community.
    Default: enable

trap_v1_lport <local-port_integer>
    SNMP v1 local port number used for sending traps to the SNMP managers added to this SNMP community.
    Default: 162

trap_v1_rport <remote-port_integer>
    SNMP v1 remote port number used for sending traps to the SNMP managers added to this SNMP community.
    Default: 162

trap_v1_status {disable | enable}
    Enable or disable SNMP v1 traps for this SNMP community.
    Default: enable

trap_v2c_lport <local-port_integer>
    SNMP v2c local port number used for sending traps to the SNMP managers added to this SNMP community.
    Default: 162

trap_v2c_rport <remote-port_integer>
    SNMP v2c remote port number used for sending traps to the SNMP managers added to this SNMP community.
    Default: 162

trap_v2c_status {disable | enable}
    Enable or disable SNMP v2c traps for this SNMP community.
    Default: enable

config hosts

Access the hosts subcommand using the snmp community command. Use this command to add SNMP manager IP addresses to an SNMP community.

Command syntax pattern

    config hosts
        edit <id_integer>
            set <keyword> <variable>
    end
    config hosts
        edit <id_integer>
            unset <keyword>
    end
    config hosts
        delete <id_integer>
    end
    get system snmp community [<id_integer>]
    show system snmp community [<id_integer>]

Keywords and variables

ip <address_ipv4>
    The IP address of the SNMP manager.
    Default: 0.0.0.0

Example

This example shows how to add a new SNMP community named SNMP_Com1. The default configuration can be used in most cases with only a few modifications. In the example below the community is added, given a name, and then because this community is for an SNMP manager that is SNMP v1 compatible, v2c functionality is disabled. After the community is configured the SNMP manager is added. The SNMP manager IP address is 192.168.20.34.

    config system snmp community
        edit 1
            set name SNMP_Com1
            set trap_v2c_status disable
            config hosts
                edit 1
                    set ip 192.168.10.34
            end
    end

This example shows how to display the settings for the system snmp community command.

    get system snmp community

This example shows how to display the settings for the SNMP community with ID 1.

    get system snmp community 1

This example shows how to display the configuration for the snmp community command.

    show system snmp community

This example shows how to display the configuration for the SNMP community with ID 1.

    show system snmp community 1

execute

• backup
• date
• factoryreset
• ping
• reboot
• restore
• switch-mode
• time

backup

Back up the FortiBridge configuration to a file on a TFTP server.

Command syntax

    execute backup config <filename_str> <tftp-server_ipv4>

Keywords and variables

config
    Back up the FortiBridge configuration.

<filename_str>
    The name to give the file that is copied to the TFTP server.

<tftp-server_ipv4>
    The TFTP server IP address.

Example

This example shows how to back up a system configuration file from the FortiBridge unit to a TFTP server. The name to give the configuration file on the TFTP server is fbdg.cfg.
The IP address of the TFTP server is 192.168.1.23.

    execute backup config fbdg.cfg 192.168.1.23

date

Get or set the system date.

Command syntax

    execute date [<date_str>]

date_str has the form mm/dd/yyyy, where

• mm is the month and can be 01 to 12
• dd is the day of the month and can be 01 to 31
• yyyy is the year and can be 2001 to 2100

If you do not specify a date, the command returns the current system date.

Example

This example sets the date to 17 September 2004:

    execute date 09/17/2004

factoryreset

Reset the FortiBridge configuration to factory default settings.

Command syntax

    execute factoryreset

Caution: This procedure deletes all changes that you have made to the FortiBridge configuration and reverts the system to its original configuration, including resetting the management IP address.

ping

Send five ICMP echo requests (pings) to test the network connection between the FortiBridge unit and another network device.

Command syntax

    execute ping {<address_ipv4> | <host-name_str>}

Example

This example shows how to ping a host with the IP address 192.168.1.23.

    execute ping 192.168.1.23

reboot

Restart the FortiBridge unit.

Command syntax

    execute reboot

restore

Use this command to restore a backup configuration and to change the FortiBridge firmware.

Command syntax

    execute restore config <filename_str> <tftp-server_ipv4>
    execute restore image <filename_str> <tftp-server_ipv4>

Keywords and variables

config
    Restore a system configuration. The new configuration replaces the existing configuration, including administrator accounts and passwords.

image
    Upload a firmware image from a TFTP server to the FortiBridge unit. The FortiBridge unit reboots, loading the new firmware.

<filename_str>
    The name of the file that is uploaded from the TFTP server.

<tftp-server_ipv4>
    The TFTP server IP address.

Example

This example shows how to upload a configuration file from a TFTP server to the FortiBridge unit and restart the FortiBridge unit with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the TFTP server is 192.168.1.23.

    execute restore config backupconfig 192.168.1.23

switch-mode

Use this command to switch between bypass and normal mode.

Command syntax

    execute switch-mode

time

Get or set the system time.

Command syntax

    execute time [<time_str>]

time_str has the form hh:mm:ss, where

• hh is the hour and can be 00 to 23
• mm is the minutes and can be 00 to 59
• ss is the seconds and can be 00 to 59

If you do not specify a time, the command returns the current system time.

Example

This example sets the system time to 15:31:03:

    execute time 15:31:03
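
The following Python example is added here and is not Fortinet code. It parses a command script written in the config/edit/set/end syntax of this reference and checks the settings that the system admin (trusthost1 to trusthost3, password length), system global (admintimeout) and system interface (allowaccess) sections describe, applying the documented defaults to keywords that are not set. The sample script, the function names and the finding texts are constructed for illustration; the reference does not say how the unit treats a mix of set and default trusthost entries, so that case is reported separately.

```python
import ipaddress

# Constructed sample (not from a real unit); keywords that are not set keep their defaults.
SAMPLE_CONFIG = """\
config system global
    set admintimeout 30
end
config system interface external
    set allowaccess ping
end
config system admin
    edit new_admin
        set password pwd23
        set accprofile policy_profile
end
config system admin
    edit ops_admin
        set password l0ng-passphrase
        set accprofile policy_profile
        set trusthost1 192.168.1.0 255.255.255.0
end
"""

# Defaults copied from the keyword tables of this reference.
DEFAULTS = {
    ("system global",): {"admintimeout": ["5"]},
    ("system interface internal",): {"allowaccess": ["ping", "ssh", "telnet"]},
    ("system interface external",): {"allowaccess": []},
}
ANY_HOST = ipaddress.ip_network("0.0.0.0/0.0.0.0")  # trusthost default


def _key(stack):
    """Flatten [[section, entry], ...] into a tuple key, skipping missing entries."""
    return tuple(part for pair in stack for part in pair if part is not None)


def parse_config(text):
    """Return {key: {keyword: [values]}}; nested `config` blocks extend the key."""
    stack, settings = [], {}
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config" and args:
            stack.append([" ".join(args), None])
        elif verb == "edit" and stack and args:
            stack[-1][1] = args[0]
            settings.setdefault(_key(stack), {})
        elif verb == "set" and stack and len(args) >= 2:
            settings.setdefault(_key(stack), {})[args[0]] = args[1:]
        elif verb == "end" and stack:
            stack.pop()
    return settings


def setting(settings, key, keyword):
    """Configured value for a keyword, else the documented default (or [])."""
    configured = settings.get(key, {})
    return configured.get(keyword, DEFAULTS.get(key, {}).get(keyword, []))


def trusted_networks(entry):
    """trusthost1..3 as networks; accepts 'addr mask' and 'addr/mask' forms."""
    values = (entry.get(f"trusthost{n}") for n in (1, 2, 3))
    return [ipaddress.ip_network("/".join(v), strict=False) if v else ANY_HOST for v in values]


def audit(settings):
    """Return a sorted list of (section, finding) tuples."""
    findings = []
    timeout = int(setting(settings, ("system global",), "admintimeout")[0])
    if timeout > 5:
        findings.append(("system global", f"admintimeout {timeout} is above the default of 5"))
    for side in ("internal", "external"):
        section = f"system interface {side}"
        if "telnet" in setting(settings, (section,), "allowaccess"):
            findings.append((section, "allowaccess includes telnet (cleartext management)"))
    for key, entry in settings.items():
        if len(key) != 2 or key[0] != "system admin":
            continue
        section = f"system admin {key[1]}"
        open_entries = sum(net == ANY_HOST for net in trusted_networks(entry))
        if open_entries == 3:
            findings.append((section, "no trusthost set: login allowed from any address"))
        elif open_entries:
            findings.append((section, "some trusthost entries still 0.0.0.0/0.0.0.0 (any address)"))
        if "password" in entry and len(" ".join(entry["password"])) < 6:
            findings.append((section, "password shorter than 6 characters"))
    return sorted(findings)


if __name__ == "__main__":
    for section, finding in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{section}: {finding}")
```

The internal interface is reported even though the sample never mentions it, because an unset allowaccess keeps the documented INT1 default of ping, ssh and telnet. The password check only applies where the script carries the password in clear text.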