Unlock FortiGate's Power: Your Complete Guide To Accessing The CLI

Unlock FortiGate's Power: Your Complete Guide To Accessing The CLI

Andres
Discover Daily Updates 0049

Stuck trying to configure your FortiGate firewall through the graphical user interface (GUI) and wondering if there's a faster, more precise way? You're not alone. While the FortiGate GUI is user-friendly for everyday tasks, the Command Line Interface (CLI) is where network administrators truly unlock the device's full potential. It offers granular control, scripting capabilities for automation, and access to advanced features and diagnostics that the GUI sometimes hides. Whether you're troubleshooting a complex connectivity issue, deploying configurations across multiple units, or simply prefer the speed of keyboard commands, learning how to access the CLI on your FortiGate is an essential skill. This comprehensive guide will walk you through every method, from the simplest to the most advanced, ensuring you can connect and start commanding your firewall with confidence.

Why Bother with the CLI? Unmatched Power and Precision

Before diving into the "how," it's crucial to understand the "why." The FortiGate CLI isn't just a nostalgic throwback to older network devices; it's a powerhouse tool for modern network management. The CLI provides direct, unfiltered access to the entire FortiOS operating system, allowing for configurations that might be multi-step processes in the GUI. For instance, bulk user creation, complex policy manipulations, and detailed system diagnostics are often more efficient via command line.

According to Fortinet, a leader in the cybersecurity landscape, over 90% of Fortune 500 companies rely on FortiGate firewalls for their security infrastructure. In such large-scale deployments, network teams cannot rely on manual GUI clicks for every change. The CLI enables Infrastructure as Code (IaC) practices through scripts, ensuring consistent, repeatable, and auditable configurations across hundreds of devices. Furthermore, when the GUI is unresponsive due to high load or a misconfiguration, the CLI often remains accessible as a last-resort management channel. Mastering it transforms you from a basic operator into a proficient FortiGate engineer.

Prerequisites: What You Need Before You Connect

You can't access the CLI without the right tools and permissions. This foundational step is often overlooked, leading to connection failures.

First, you need physical or network connectivity to the FortiGate appliance. For physical access, this means a console cable (typically a USB to RJ45 or DB9 serial cable) and a terminal emulation program like PuTTY (Windows), Terminal (macOS/Linux), or Tera Term. For remote access, the FortiGate must have an interface configured with an IP address, and your management workstation must be on a network path that can reach it. Crucially, SSH must be enabled on the FortiGate for remote CLI access. This is done via the GUI under System > Settings > Admin & Security or via the initial console setup.

Second, you need valid administrator credentials. The user account must have the prof_admin or prof_readonly profile (or a custom profile with CLI access permissions). The default admin account always has full access. If you've locked yourself out, recovery typically requires physical console access to reset passwords.

Finally, ensure your terminal emulator settings are correct. For serial console connections, the standard settings are:

  • Baud Rate: 9600
  • Data Bits: 8
  • Stop Bits: 1
  • Parity: None
  • Flow Control: None

Mismatched settings will result in garbled text or no connection at all.

Method 1: Accessing CLI via SSH (The Standard Remote Method)

SSH (Secure Shell) is the most common and secure method for remote CLI access to a FortiGate. It encrypts all traffic, protecting your credentials and commands from eavesdropping.

Step-by-Step SSH Connection

  1. Enable SSH on FortiGate: Log into the FortiGate GUI. Navigate to System > Settings > Admin & Security. Under "Admin Ports," ensure SSH is checked. You can also change the default SSH port (22) here for security through obscurity.
  2. Configure an Admin Address (Optional but Recommended): In the same section, use "Trusted Hosts" to restrict which IP addresses can administer the device. Enter your management workstation's IP or subnet. This is a critical security step.
  3. Initiate Connection from Your Computer: Open your terminal emulator (e.g., PuTTY). For connection type, select SSH. Enter the FortiGate's management IP address and the SSH port (default 22).
  4. Authenticate: Upon connection, you'll see a security alert for the host key on first connection—verify and accept it. Then, you'll be prompted for the username and password.
  5. You're In! A successful login drops you directly into the CLI. The prompt will typically show the device hostname, like FGT60D3915800007 #. The # symbol indicates you are in privileged mode (read-write). A > would indicate normal mode (read-only).

Pro Tip: You can use command-line SSH clients directly. On macOS/Linux or Windows PowerShell/WSL, open a terminal and type:

ssh admin@192.168.1.99 -p 22

Replace admin with your username and 192.168.1.99 with your FortiGate's IP.

Method 2: Accessing CLI via the Console Port (The "Break-Glass" Method)

The console port is your lifeline when the network is down or you've lost remote access. It provides out-of-band management directly to the appliance's serial console.

Connecting via Console Cable

  1. Locate the Console Port: On most FortiGate appliances, this is a RJ45 jack labeled "CONSOLE" or a USB-C/mini-USB port. Refer to your model's hardware guide.
  2. Connect the Cable: Use the appropriate console cable to connect the FortiGate's console port to your computer's serial/USB port. If using USB, you may need to install a driver for the USB-to-serial adapter (common chipsets are FTDI or Prolific).
  3. Identify the COM Port (Windows) or Device (macOS/Linux):
    • Windows: Open Device Manager, look under "Ports (COM & LPT)" for the new COM port (e.g., COM3).
    • macOS/Linux: The device is typically /dev/tty.usbserial or /dev/ttyUSB0. Use ls /dev/tty* to list.
  4. Configure Terminal Emulator: Open PuTTY (or similar). Select the Serial connection type. Enter the correct COM port (Windows) or device path (macOS/Linux). Set the speed to 9600 baud and other parameters as listed in the prerequisites.
  5. Power On and Connect: With the terminal emulator open and settings correct, power on the FortiGate. You should immediately see the boot sequence text scroll by. Once booted, you'll be presented with a login prompt.
  6. Log In: Use your administrator credentials. The console session provides full CLI access, just like SSH.

Important Note: The console session does not time out like SSH might. Always log out (exit) when done, especially on shared lab equipment.

Method 3: Using the Web-Based CLI (GUI-Embedded)

Fortinet provides a convenient bridge between the GUI and CLI directly within the web interface. This is perfect for quick command execution without switching applications.

How to Use the Web CLI

  1. Log into your FortiGate's GUI via HTTPS.
  2. Navigate to Dashboard > Status. In the main status widget, look for a link or button labeled "CLI Console" or a small terminal icon. Its exact location can vary slightly by FortiOS version (e.g., in FortiOS 7.0+, it's often in the top-right user menu under "CLI Console").
  3. Click it. A new window or pane will open, presenting a text-based CLI interface.
  4. You are now in the CLI. The behavior is identical to an SSH session, but the traffic is encapsulated within your existing HTTPS connection. You still need GUI-level admin privileges to access this.

Limitation: The web CLI can sometimes be less responsive than a native SSH client, especially with complex output or slow connections. It's ideal for simple commands (get system status, diagnose sys top) but not for lengthy configuration sessions.

Once logged in, understanding the CLI's hierarchical structure is key. It uses a tree-based configuration system, similar to navigating directories in a filesystem.

  • Prompt Levels: The prompt changes as you navigate. FGT60D3915800007 # is the root (global) level. Entering config system interface changes it to (interface) #. You must end or next to return up a level.
  • Essential Navigation Commands:
    • get system status: The first command you should always run. It shows the FortiOS version, serial number, uptime, and operational mode (HA, etc.). It confirms you're connected to the right device.
    • show: Displays the current configuration at your current level. show alone shows everything, but show firewall policy is more specific.
    • get: Retrieves runtime status and information. get interface shows physical port status, get router info routing-table all shows the kernel routing table.
    • config <object>: Enters configuration mode for a specific section (e.g., config firewall address, config system interface).
    • edit <name>: Within a config section, selects a specific entry to edit (e.g., edit "LAN").
    • set <property> <value>: Sets a parameter for the object you are editing.
    • next: Saves the current object and creates a new one in the list.
    • end: Exits configuration mode and returns to the root, saving all changes made in that config block.
    • abort: Exits configuration mode without saving changes.
    • exit or logout: Terminates your CLI session.

Example Workflow: Creating a Firewall Address Object

FGT60D3915800007 # config firewall address FGT60D3915800007 (address) # edit "Web-Server-1" FGT60D3915800007 (address-1) # set type ipmask FGT60D3915800007 (address-1) # set subnet 10.0.1.100 255.255.255.255 FGT60D3915800007 (address-1) # next FGT60D3915800007 (address) # end FGT60D3915800007 #

This creates a single IP address object. Notice the prompt evolution.

Troubleshooting: When You Can't Get In

Even with correct steps, issues arise. Here’s how to diagnose them.

  • "Connection refused" or "Timeout" (SSH):
    • Verify SSH is enabled on the FortiGate (GUI check).
    • Check the Trusted Hosts list. Your IP might be blocked. If you have console access, you can config system global and set ssh-ip to 0.0.0.0.0 temporarily.
    • Ping the FortiGate's management IP. If no ping, check local network connectivity, VLANs, and interface IP configuration.
    • Check for a firewall policy blocking SSH to the management interface. This is a common catch-22; you might need console access to fix it.
  • Garbled Text (Console):Baud rate mismatch. Ensure your terminal emulator is set to 9600 baud, 8N1, no flow control.
  • "Login incorrect": Double-check your username and password. Remember that FortiGate usernames are case-sensitive. If using an LDAP or RADIUS server, ensure the server is reachable from the FortiGate.
  • Session Drops Immediately After Login: This can happen if your account has no CLI profile assigned or if the account is restricted to GUI-only. Use the show system admin command (if you have read access) or check via GUI under System > Administrator.
  • No Power to Console Port: Some FortiGate models require a specific console cable or have a separate management port. Consult your model's documentation.

Security Best Practices for CLI Access

The CLI is a powerful administrative gateway. Securing it is non-negotiable.

  1. Use Strong, Unique Passwords: This is rule number one. Avoid default credentials.
  2. Restrict Source IPs (Trusted Hosts): As mentioned, limit SSH and HTTPS management to specific management subnets. This drastically reduces the attack surface.
  3. Change the Default SSH Port: While not true security, moving from port 22 to a high-numbered port (e.g., 2222) reduces automated scan noise.
  4. Use Public Key Authentication (PKI): For environments with many administrators, configure SSH public key authentication. This eliminates password brute-force attacks and allows for key revocation without changing a shared password. Set this under config system admin -> edit <username> -> set ssh-public-key1 "ssh-rsa AAAAB3NzaC...".
  5. Implement Account Lockout: Configure config system global -> set admin-lockout-threshold <number> and set admin-lockout-duration <minutes> to lock accounts after failed attempts.
  6. Use Different Accounts for Different Roles: Don't share the admin account. Create individual accounts with the minimum required privileges (prof_readonly for auditors, prof_admin for engineers).
  7. Log Everything: Ensure event logging is enabled (config log eventfilter setting -> set event 1) and that logs are being sent to a secure, remote FortiAnalyzer or syslog server. CLI sessions are logged by default in the event log.

Advanced Tips and Common Pitfalls

  • Tab Completion is Your Friend: Press Tab after a partial command or object name. The CLI will auto-complete or show possible options. This prevents typos and helps discover object names.
  • Use ? for Help: At any prompt, type ? to see a list of available commands at that level. get ? shows all get subcommands.
  • The diagnose Tree is Powerful: For deep troubleshooting, diagnose commands are invaluable. diagnose debug application filter -1 enables live packet filter debugging. Use with caution on production systems, as it can generate massive logs.
  • Configuration is in Two Places: Remember the distinction:
    • show / get: Shows running configuration (current active state).
    • show full-configuration: Shows the entire saved configuration, including default values.
    • Changes made with set are in the running config but not saved to disk until you end the config block. To save permanently to the config file, use execute backup config or write memory (older versions).
  • Don't Forget the next Command: When creating multiple objects in a list (like multiple firewall policies), you must use next to move to the next entry. Forgetting this and using end will only save the last object you edited in that session.
  • Use execute for System Actions: Commands that perform actions (reboot, backup, restore) are under the execute tree. execute reboot, execute backup config, execute format logdisk.

Conclusion: From Novice to FortiGate CLI Power User

Accessing the CLI on your FortiGate firewall is the gateway to true mastery of your network security infrastructure. Whether you choose the reliability of the console port, the convenience of the web-based CLI, or the standard practice of SSH, the fundamental commands and navigation remain the same. Start with the essential get system status and show commands to orient yourself. Practice creating simple objects in a lab environment before touching production. Embrace the hierarchical structure, leverage tab completion, and always, always double-check your configuration context before running set commands.

The initial learning curve is real, but the payoff is immense. You'll troubleshoot faster, automate tedious tasks, and understand your FortiGate's inner workings in a way the GUI simply cannot provide. In today's complex threat landscape, where every second of downtime counts and configuration consistency is paramount, the CLI is not just an alternative interface—it's the professional's tool of choice. So connect to your FortiGate, open that terminal, and start exploring. The command line awaits.

Beauty Benefits of Curd: Your Complete Guide | Clinikally
True Happiness: Your Complete Guide to Emotional Health | Walmart Canada
The Telegraph Tax Guide 2025: Your Complete Guide to the Tax Return for

YOU MIGHT ALSO LIKE