FortiNAC-OS-F 7.2.4-CLI Reference Guide

FortiNAC-OS - CLI Reference Guide
Version F 7.2.4
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
October 24, 2023

FortiNAC-OS F 7.2.4 CLI Reference Guide
49-922-769106-20211216
TABLE OF CONTENTS
Overview 4
CLI basics 5
Pipe options for displaying content 6
Show commands 7
Get commands 8
Execute commands 10
Diagnose commands 17
Configuration commands 22
Global 22
DNS 22
Admin user 23
High Availability 24
Interface 25
NTP 27
Route 28
Shell Commands 30
FortiNAC-OS F 7.2.4 CLI Reference Guide 3

Fortinet Inc.
Overview
Overview
This document describes FortiNAC-OS CLI commands used to configure and manage a FortiNAC unit from the
command line interface (CLI).
Important: Any commands should be executed under guidance from Fortinet.

Fortinet Inc.
CLI basics
CLI basics
Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.
l At any point, the tab key can be used to list possibilities for the next command or auto-complete partially
filled in commands
l The CLI will restrict which commands are shown based on the current context the user is in. When first
launched, the user is in the base context, but running certain commands (such as config system interface)
will switch the user to the appropriate context, with a completely new set of commands available.
l When inside a context, hitting ctrl-c will ‘abort’ any unsaved changes and exit the context.
l Attempting to run an incomplete command (e.g. config system) will show the usage info for the next
available possible parameters for that command.
Top Level Commands
Command Description
help Display usage
diagnose Diagnostic Tools
get Get system information
config Configure object
execute Execute static commands
show Show configuration
exit Exit

Fortinet Inc.
Pipe options for displaying content
Pipe options for displaying content
The options in the table below are available for many commands that display content, such as “get”, “show” and
“diagnose” commands.
Grep usage: Available options:
<pattern> Pattern to grep for

show system interface |
grep [-cinv] [-
-A=<trailingCount> Print NUM lines of trailing context
A=<trailingCount>] -B=<leadingCount> Print NUM lines of leading context
-c Display only count of matching lines
[-B=<leadingCount>]
-C=<outputContextCount> Print NUM lines of output context
[- -i Ignore case
C=<outputContextCount>] -n Print line number with output lines
<pattern>
-v Display non-matching lines
Less usage:
show system interface |
less

Fortinet Inc.
Show commands
Show commands
These commands are run from the base context.

Available commands
Command Description
show system Show the currently active configuration for the specified subsystem
Available options:
admin Display admin configuration
dns Display DNS configuration
global Display global configuration
ha Display High-Availability configuration

interface Display interface configuration
ntp Display NTP configuration
route Display route configuration
show full- Shows the currently active configuration across all subsystems
configuration

Fortinet Inc.
Get commands
Get commands
These commands are run from the base context.

Available commands
Command Description
get hardware memory Get information about the system memory
get hardware nic List the available interfaces on the system (port 1, port 2, etc)
get hardware status Retrieve an overview of the system:
l Model Name
l UUID
l MAC
l CPU
l Number of CPU cores
l RAM
l Hard disk (partition information)
get system public-key Retrieve the root user’s public key, which can then be used for configuring
HA on other systems. If multiple keys are present, it will prioritize the
ed25519 key
get system status Retrieve an overview of the FortiNAC status:
l FortiNAC Version
l Serial-Number
l License Status (Valid or expired)
l License Expiration Date
l Hostname
l Release Version Information (GA or interim)
l System time
get system license Print License Information
Available options:
-check Check if each license key is valid for this

appliance.
TEXT Format only
-file=<fileName> The filename to be used in conjunction with -

key FILE
-fmt=<fmt> Format to display. JSON can be useful

programmatically

Fortinet Inc.
Get commands
Command Description
TEXT, JSON
-key=<keys> Add a License Key to display. If none

specified, this list will contain EFFECTIVE,
which means what is
used by this appliance.
Use FILE in combination with the

-file option to specify a file to read from
EFFECTIVE, APPLIANCE, WPRIMARY,
MANAGER, HARDWARE, FILE
get hardware cpu Display detailed information for all installed CPU(s).
get system interface Get interface configuration.
<portName>

Fortinet Inc.
Execute commands
Execute commands
Execute commands are used for the tasks listed below. These commands are run from the base context.
l Backup
l Factory Reset
l License
l Ping and traceroute
l SSH
l Reboot and shutdown
l Restore image
l Restore config
l Important: Any configuration that isn’t explicitly defined in the backup configuration will be removed
upon restore. The one exception is admin user settings (which are left untouched). All other config
(interface, route, etc) will be reset to default and then have the configuration present in the provided
config applied.
l All methods of restore will first create a back-up configuration prior to applying the new config.
Available commands
Command Description
execute enter-shell Enters a shell to interact with the appliance more directly. See shell
commands for details.
execute help Lists the available commands under execute
execute db-shell Enters the database shell
execute sensors list Show sensor information.
execute time <time> Set the system system time (hh:mm:ss format, hh: 0-23 mm: 0-59 ss: 0-59).
execute date <date> Set the system date (yyyy-mm-dd format, yyyy: 2023, mm: 1-12, dd: 1-31).
execute reset Reset configuration and disk partition to factory default
execute factoryreset Reset to factory default and shutdown
all-shutdown
execute factoryreset Reset to factory default and reboot.

all-settings

Fortinet Inc.
Execute commands
Command Description
execute tcpdump [-v] Sniff packets on the specified interface.
[-c=<count>] [-
G=<seconds>] [- Available options:
i=<port>] [-
Q=<direction>] [- [<filter>...] Sniffer filter
s=<snaplen>] [-
-c=<count> Maximum number of packets to capture
w=<file>] [-x | -xx |
-X | -XX] -G=<seconds> Maximum duration in seconds to capture
[<filter>...]
-i=<port> Port to sniff packets on
-Q=<direction> Packet direction(s) to capture [in|out|inout]
-s=<snaplen> Number of bytes to snarf from each packet
-v, --verbose Enable verbose output
-w=<file> Write captured packets to specified file
-x Display packet data (minus link level header) in
hex
-X Display packet data (minus link level header) in
hex and ASCII
-xx Display packet data (including link level header)
in hex
-XX Display packet data (including link level header)
in hex and ASCII
help Display usage
Execute a tcpdump. All options correspond with their tcpdump

equivalents. Additionally, file specified via –w only uses the filename
portion (all files are stored in the user’s home directory).

Fortinet Inc.
Execute commands

Fortinet Inc.
Execute commands
Backup
execute backup config Backs up the current "config system" CLI configuration locally to disk
local (/bsc/backups/). See Configuration commands.
execute backup config ftp Backs up the current system configuration via FTP to the remote
[<remote filename>] [<ftp destination using the provided username and password.
server:port>] [<username>] The port option may be omitted if the destination uses the default FTP
[<password>] port (21)
execute backup config scp Backs up the current system configuration remotely via SCP to the
[<remote filename>] [<scp destination provided.
server:port>] [<username>] The port option may be omitted if the destination uses the default SSH
[<password>] port (22)
execute backup config tftp Backs up the current system configuration to the specified TFTP
[<remote filename>] [<tftp destination
server>]
License
execute license add Add the raw license string to the system
[<license>]
execute license import Import the specified remote license file on the specified tftp host
tftp [<remote host>]
[<remote file>]
execute license import scp Import the specified remote license file from the specified host via
[<remote file>] [<remote SCP
host>] [<username>]
[<password>]
PING & Traceroute

execute ping [<host>] PING the specified host
execute ping6 [<host>] PING the specified IPv6 host
execute traceroute Trace the route between this system and the specified host
[<host>]
Shutdown & Reboot

execute reboot Reboots the system
execute shutdown Shuts down the system
Restore
execute restore image scp Install the .out image located on the specified remote host. Image is
[<remote out file>] downloaded via SCP
[<host>] [<username>] Note: This command is used for upgrading the software on the
[<password>] system.

Fortinet Inc.
Execute commands
execute restore image ftp Install the .out image located on the specified remote host. Image is
[<remote out file>] downloaded via FTP.
[<host>] [<username>]
[<password>]
Note: This command is used for upgrading the software on the
system.
execute restore image tftp Install the .out image located on the specified remote host. Image is
[<remote out file>] downloaded via TFTP
[<host>]
Note: This command is used for upgrading the software on the
system.
execute restore config Restore the "config system" CLI configuration stored locally. Tab
local [<local config completion can be used to list the available configuration backups.
backup>] See Configuration commands.
execute restore config scp Restore the "config system" CLI configuration stored on the remote
[<remote file>] [<host>] host at the specified location. Configuration downloaded via SCP.
[<username>] [<password>] See Configuration commands.
execute restore config ftp Restore the "config system" CLI configuration stored on the remote
[<remote file>] [<host>] host at the specified location. Configuration downloaded via FTP. See
[<username>] [<password>] Configuration commands.
execute restore config Restore the "config system" CLI configuration stored on the remote
tftp [<remote file>] host at the specified location. Configuration downloaded via TFTP.
[<host>] See Configuration commands.
execute restore legacy- Used for migrating CentOS configurations to new FortiNAC-OS
migrate [COMMAND] platform. Important: Do not use without first reviewing the CentOS to
FortiNAC-OS Migration documentation in the Documentation Library.
Available options:
local Import legacy config from a local bundle
remote Import legacy config from a remote system
execute restore database Restore database using a local database backup

local <filename>
execute restore database Restore database using a remote database backup downloaded via
scp <host> <username> scp
<password> <backup-path> Argument descriptions:
<host> Remote host
<username> Remote username
<password> Remote password
<backup> Path to database backup on remote host (.gz)
SSH

Fortinet Inc.
Execute commands
execute ssh [<user@host>] SSH to the specified host as the specified user
execute ssh-known-hosts Remove the specified known host fingerprint
remove-host [<host>]
execute ssh-known-hosts Removes all the SSH host fingerprints from the known hosts
remove-all
execute ssh-authorized- Adds the specified public key to the user's authorized hosts
keys add <public key
string>
execute ssh-authorized- Import the specified public key from a specified host, using the
keys import scp <file specified credentials, into the user's authorized hosts via scp
path> <host> <username>
<password>
execute ssh-authorized- Displays the user's authorized hosts

keys list
execute ssh-authorized- Removes any authorized host keys that match the specified host. Tab
keys remove <host> completion of the <host> is supported.
Disk
execute disk checkhealth Perform a read-only filesystem check for errors on the specified
<partition> partition
execute disk list List partitions and mountpoints
execute disk scan Perform a (fsck) filesystem check on the specified partition
<partition>
Service
execute service is-active Display if a specified service is active
<service>... Arguments
<service>...
Service = nac, naccontrol, nacapplication, nacprobe, p0f, dhcpd,
mysqld, apache2, named
execute service restart Restart a specified service
<service>...
execute service start Start a specified service
<service>...

Fortinet Inc.
Execute commands
execute service status Retrieve status of a specified service

<service>...
execute service stop Stop a specified service
<service>...
execute ssh-known-hosts Add a ssh host fingerprint to known hosts
add [current-user|nac] Arguments
<user> <ip>
[current-user|nac]
"current-user" for your known hosts, or "nac" for the FortiNAC
system's known hosts
<user>
Remote host user
<ip>
Remote host ip / hostname
execute ssh-known-hosts Remove all ssh host fingerprints from known hosts
remove-all [current- Arguments
user|nac]
[current-user|nac]
execute ssh-known-hosts Remove the specified host fingerprint from known hosts
remove-host [current- Arguments
user|nac] <host>
[current-user|nac]
<host>
Host to remove
execute ssh-known-hosts show Display fingerprints from known hosts
[current-user|nac]
Arguments
[current-user|nac]

Fortinet Inc.
Diagnose commands
Diagnose commands
Diagnose commands are used for debugging/troubleshooting purposes. These commands are executed from
the base context.
Tail: Run this command to display the entries of a specific log file as they are printed in real time. Plugins
and/or loggers may need to be enabled prior to running this command for more in-depth data gathering.
Debug Plugin: Debug plugin commands are used for listing, enabling, disabling, and getting performance
metrics for the running FortiNAC plugins.
Debug Logger: Debug logger commands are used for listing loggers and setting their log levels.
Available commands
Command Description
diagnose tail (-F|-f|-k <numKB>) [<file>] Tails the specified logfile.

Example:
diagnose tail -F output.master
Tab completion can be used to list the

files available to tail.
Ctrl-C stops tail.
Available options:
-F Follow the file changes

as it is updated. Follow
through the file being
replaced
-f Follow the file changes
as it is updated. Does
not follow if the file is
replaced
-k Display only the last
<numKB> numKB kibibytes of the
file
diagnose debug logger list Lists all the loggers available

diagnose debug logger set Sets the log level for the specified logger
[config|fine|finer|finest|info|severe|warning] to the chosen log level (eg info, severe,
[<logger>] etc)
diagnose debug logger unset [<logger>] Unset the specified loggers log level
back to INHERIT

Fortinet Inc.
Diagnose commands
Command Description
diagnose debug plugin list Lists all the plugins, their associated
loader, and their debug status. Type “q”
to return to prompt
diagnose debug plugin list-debug-enabled Lists all the debug-enabled plugins
along with their associated loader
diagnose debug plugin perf [<plugin>] Display the performance metrics for the
specified plugin
diagnose debug plugin [enable|disable] Enable or disable debug for the
[<plugin>] specified plugin
diagnose send-test-email [-file=<fileName>] - Send a Test email to verify Email server
message=<message> -subject=<subject> - configuration.
to=<mailTo>
diagnose entitlements [-debug] [-poll] Print out entitlements information.

diagnose dump-dpc-rules [COMMAND] Displays and manipulates Device
Profiling rule information.
Available options:
display- Display all Device

all Profiling Rules
display- Display a DPC Rule
by-id by ID
display- Dump DPC Rule by
by-name name
size Display the scan
queue size
export Export Device
Profiling rules to
specified file
import Import Device
Profiling rules from
specified file
flush Flush scan queue
scan-all Scan all rogues
scan Scan a specified
MAC address
help Display usage

Fortinet Inc.
Diagnose commands
Command Description
diagnose dump-dpc-hosts [COMMAND] Displays Host Device Profiling
information
Available options:
display- Display all Device

all Profiling host
information
display- Display Device
by-rule- Profiling host
id information for
Display specified rule id
by-rule- Profiling host
name information for
specified rule name
by- Profiling host
sponsor- information with
username matching sponsor
username
by- Profiling host
sponsor- information with
id matching sponsor id
display- Display host device
by- profiling information
profile- by profile name
name
display- Display host device

by- profiling information
profile- by profile id
id
help help Display usage
diagnose dump-admin-profile [COMMAND] Displays Admin Profile information
Available options:
display- Display all Admin

all Profiles

Fortinet Inc.
Diagnose commands
Command Description
display- Display a specified

by-name Admin Profile by
name
display- Display a specified
by-id Admin Profile by ID
help Display usage
diagnose group [COMMAND] Display and manipulate group model

information
Available options:
display- Display all groups

all
display- Display group
group-by- information and/or
name elements by group
name
display- Display group
group-by- information and/or
id elements using group
ID
delete- Delete the selected
group-by- group using database
id ID
delete- Delete the selected
group-by- group
name
clear- Clear valid/inactive

time-by- times for elements in
name the the Host group
clear- Clear valid/inactive
time-by- times for elements in
id the the Host group
delete- Delete an element
from- referenced by name
group-by- from the selected
name group

Fortinet Inc.
Diagnose commands
Command Description
add- Add an element to the

element- selected group
to-group
help Display usage
diagnose hardware deviceinfo disk Display information of all disks.

diagnose hardware deviceinfo tpm Display TPM information.
diagnose hardware info Show hardware info.
diagnose hardware lspci [-v] List PCI parameters.
Option
-v : Display verbose output
diagnose hardware psu Show power supply info
diagnose system disk info Show the SMART information.
diagnose system disk health Show the SMART health status.
diagnose system disk errors Show the SMART error logs.
diagnose system disk attributes Show vendor specific SMART attributes.
diagnose system raid status Show RAID status.

Fortinet Inc.
Configuration commands
Global
Global configuration is handled within the global context. This is for settings that apply to the system as a whole
(such as hostname) that otherwise do not fit in other contexts.
To enter the global context, from the base context run:
config system global
Available commands
Command Description
abort Cancels any edits made since entering the context, and
returns to the base context
end Saves changes made since entering the context, and

help Shows the available commands

show Show the current configuration, including uncommitted
edits
set admin-idle-timeout [1-480] Sets the administrator idle timeout to the specified
minutes, between 1 and 480
set hostname [<hostname>] Sets the hostname to the specified value

set timezone [<time zone id>] Sets the time zone to the specified time zone id. To see a
list of time zones and their ids, leave time zone id blank
set timezone help Alternative method to get the list of timezone ids and their
corresponding timezone
set strong-crypto [disable|enable] Enables or disables strong-crypto mode, which will ensure
running services utilize only secure cryptographic
configurations
unset [admin-idle- Resets the specified configuration to the default value
timeout|hostname|timezone|strong-
crypto]
DNS
DNS configuration is handled within the DNS context.

Fortinet Inc.
To enter the DNS configuration, from the base context run:

config system dns
Available commands
Command Description
abort Cancels any edits made since entering the context, and returns to the base
context
end Saves changes made since entering the context, and returns to the base
context

show Show the current configuration, including uncommitted edits
set primary [<primary Sets the primary DNS address (ip or hostname)
address>]
set secondary Sets the secondary DNS address(ip or hostname)

[<secondary address>]
unset Unsets the primary or secondary address

[primary|secondary]
Admin user
Administrator user configuration is handled in the admin context

To enter the admin context, from the base context run:
config system admin
Available commands
Command Description
context
context

delete [<admin name>] Delete the specified administrator
edit [<admin name>] Brings up the admin user context for the specified user. If admin name
doesn’t match an existing user, a new user will be created when the
changes are committed

Fortinet Inc.
Admin User Context
Available commands
Command Description
context
context
next Readies the changes for commit, but does not push them until end is called
on the admin context. Returns to the admin context.
set password Sets the user’s password to the specified value. Must be between 8 and
[<password>] 128 characters long
High Availability
High Availability configuration is handled inside the ha context

To enter the ha context, from the base context run:
config system ha
Available commands
Command Description
context
context
set public-key add Add the specified SSH public key for use with high-availability connectivity
[<key contents>]

Fortinet Inc.
Command Description
set public-key import Import the specified remote SSH public key for use with high-availability
[<remote key path>] connectivity by copying it from the specified remotely accessible SSH host
[<remote host>]
[<remote username>]
[<remote password>]
Interface
Interface configuration is handled in the global interface context. To enter the global interface context, from the
base context run:
config system interface
Available commands
Command Description
context
context
edit [<interface>] Enter the specified interface’s context, in order to edit that interface’s
configuration
port1 Management
port2 Portal/Isolation interface
port3 Available network port

Fortinet Inc.
Specific Interface Context
Inside a specific interface’s context, the following commands are available:
Command Description
abort Cancels any edits made since entering the context, and returns to the
base context
end Saves changes made since entering the context, and returns to the
base context
next Readies the changes for commit, but does not push them until end is
called on the global interface context. Returns to the global interface
context
set allowaccess [[protocol Enables access to this interface via the specified protocol. Multiple
list]] options must be specified at once to enable both.
Example: Enable both http and https:
set allowaccess http https
Available options:
dhcp DHCP (UDP ports 67, 68, 546, 547) [Portal

and Management]
dns DNS (TCP/UDP port 53) [Portal]
fsso FSSO (TCP port 8000) [Management]

http HTTP (TCP port 80) [Portal]
http-adminui Admin UI HTTP (TCP port 8080)
[Management]
https HTTPS (TCP port 443) [Portal]
https-adminui Admin UI HTTPS (TCP port 8443)
[Management]
netflow NetFlow (UDP port 2055) [Management]
nac-agent FortiNAC Agent (TCP port 4568) [Portal]
nac-ipc NAC IPC (TCP ports 1050, 5555, 30000-
64000) [Management]

Fortinet Inc.
Command Description
ping Ping (ICMP) [Management]

radius RADIUS (TCP/UDP port 1812) [Management]
radius-acct RADIUS Accounting (TCP/UDP port 1813)
[Management]
radius-local Local RADIUS (TCP/UDP port 1645)
[Management]
radius-local- Local RADIUS RadSec (TCP/UDP port 2083)
radsec [Management]
snmp SNMP (UDP ports 161 and 162)
[Management]
ssh SSH (TCP port 22) [Management]
syslog Syslog (UDP port 53) [Management]
set allowaccess help Alternative method to get the help for all the options available for
allowaccess
set ip [<ip/cidr>] Specifies the interface’s IPv4 address and subnet mask. For
example:
set ip 192.0.2.5/24
set ip6 [<ip6/cidr>] Specifies the interface’s IPv6 address and subnet mask
set mode [static|dhcp] Sets the interface’s IP mode to be either static or dynamically
allocated
unset Unset the specified configuration back to the default value

[allowaccess|ip|ip6|mode]
NTP
NTP configuration is handled inside the ntp context

To enter the ntp context, from the base context run:
config system ntp
Available commands

Fortinet Inc.
Command Description
abort Cancels any edits made since entering the context, and
end Saves changes made since entering the context, and

set ntpserver [<ntp address>] Sets the NTP server address list. You may specify up to 10
addresses, space separated. All addresses must be
reachable
set ntpsync [disable|enable] Enable or disable syncing time with specified ntp servers
set syncinterval [1-1440] Set the interval to sync in minutes, between 1 and 1440
unset Unset the configured value for the specified property, and
[ntpserver|ntpsync|syncinterval] reset it to default
Route
Route configuration is handled inside the global route context

To enter the global route context, from the base context run:
config system route
Available commands
Command Description
context
context

delete [<route id>] Deletes the specified route

Fortinet Inc.
Command Description
purge Deletes all configured routes
rename [<route id>] to Rename a route id to the specified new id
[<new route id>]
edit [<route id>] Opens the specific route context for the specified route id
Specific Route Context
Inside a specific route context, the following commands are available:
Command Description
context
context
next Readies the changes for commit, but does not push them until end is called
on the global interface context. Returns to the global interface context
set device [<interface Set the interface for this route to the specified interface
name>]
set dst [<ipv4/cidr>] Set the destination subnet for this route to the specified IPv4 Address and
CIDR mask.
Example:
set dst 192.0.2.0/24
set gateway [<gateway Set the gateway IP used for this route
ip>]
unset Unset the specified configuration and reset it to the default value
[device|dst|gateway]

Fortinet Inc.
Shell Commands
Shell Commands
Enters a shell to interact with the appliance more directly. Once in this mode, many of the commands used in
CentOS are the same.
It is handled inside the shell context
To enter the shell context, from the base context run:
execute enter-shell
The following commands are available:
Command Description
DeviceImport Imports (create) devices based on the contents of the input CSV file. This
tool only supports importing SNMP devices that are managed using
SNMPv1
For usage details see CLI import tool in the Administration Guide.
All entries in the file should be for devices of the same type.
EntitlementsTool The poll function uses the serial number to look up entitlements
getDefaultGW Displays port1 default gateway
getIPAddr Displays port1 IP address
device -ip <device ip> To support per-device SSH authentication customizations.

-setAttr -name <name> Available options:
-value <value>
Name Value
SSH_KEX A quoted string containing names of key
exchange algorithms separated by a space.
(Order is preserved)
SSH_CIPHERS A quoted string containing names of ciphers
separated by a space
SSH_MACS A quoted string containing names macs separated
by a space
SSH_KBD_ A string containing true or false. Enables/Disables
ENABLED keyboard-interactive. Disabled by default
Example 1 - Override the default kex list:

device -ip 10.12.228.126 -setAttr -name SSH_KEX -value
"diffie-hellman-group1-sha1 diffie-hellman--sha1"
Example 2 - Eable keyboard-interactive:

Fortinet Inc.
Shell Commands
Command Description
device -ip 10.12.228.126 -setAttr -name SSH_KBD_ENABLED -
value true
Example 3 - Remove or restore default settings (remove the

attribute):
device -ip 10.12.228.126 -delAttr -name SSH_KBD_ENABLED
sudo grab-log-snapshot Creates a one-time snapshot of the logs available on the appliance. For
details see KB article 190755
For Admin UI instructions see Download logs in the Administration Guide
SendCoA This program will exercise the Radius rfc5176 functionality
Selection Options:
-ip <NAS device IP>
-mac <Mac address of client to impact>
-dis <disconnect command>
-policy <VLAN/Role/etc to change for the client

using CoA command>
If no operation is specified, then this message is displayed

Example 1 - To issue a disconnect command to a device.
SendCoA -ip 10.1.0.25 -mac 00:1B:77:11:CE:2F -dis
Example 2 - To change the policy on a client.

SendCoA -ip 10.1.0.25 -mac 00:1B:77:11:CE:2F -
policy Production
shutdownNAC Shuts down FortiNAC processes

No option: Stops Yams process & idles system (if HA system, will not
failover)
-kill: Stops Yams and CampusManager processes
(If done without idling system first, will force failover on HA systems)
startupNAC Starts up FortiNAC processes (Yams & CampusManager)
sudo systemctl status Confirm running state of the DHCP service. Type “q” to return to prompt
dhcpd
sudo ydb_dated_backup Database backup with timestamp included in filename. Backs up locally to
disk (/bsc/backups/).
For Admin UI instructions see Database backup/restore in the

Administration Guide
sudo systemctl status Confirm running state of the named service. Type “q” to return to prompt
named

Fortinet Inc.
Shell Commands
Command Description
uptime The number of days/min/sec since last power up or reboot.
sudo ydb_restore_full_ Load a previously saved database backup. For Admin UI instructions see
backup Database backup/restore in the Administration Guide

Fortinet Inc.
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the
U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.

FortiNAC-OS-F 7.2.4-CLI Reference Guide

Uploaded by

Copyright:

Available Formats

FortiNAC-OS-F 7.2.4-CLI Reference Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiNAC-OS-F 7.2.4-CLI Reference Guide

Uploaded by

Copyright:

Available Formats

FortiNAC-OS - CLI Reference Guide

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

October 24, 2023

FortiNAC-OS F 7.2.4 CLI Reference Guide 3

FortiNAC-OS F 7.2.4 CLI Reference Guide 4

FortiNAC-OS F 7.2.4 CLI Reference Guide 5

Pipe options for displaying content

Grep usage: Available options:

<pattern> Pattern to grep for

FortiNAC-OS F 7.2.4 CLI Reference Guide 6

These commands are run from the base context.

admin Display admin configuration

dns Display DNS configuration

global Display global configuration

ha Display High-Availability configuration

route Display route configuration

FortiNAC-OS F 7.2.4 CLI Reference Guide 7

These commands are run from the base context.

-check Check if each license key is valid for this

-file=<fileName> The filename to be used in conjunction with -

-fmt=<fmt> Format to display. JSON can be useful

FortiNAC-OS F 7.2.4 CLI Reference Guide 8

-key=<keys> Add a License Key to display. If none

Use FILE in combination with the

FortiNAC-OS F 7.2.4 CLI Reference Guide 9

execute factoryreset Reset to factory default and reboot.

FortiNAC-OS F 7.2.4 CLI Reference Guide 10

Execute a tcpdump. All options correspond with their tcpdump

FortiNAC-OS F 7.2.4 CLI Reference Guide 11

FortiNAC-OS F 7.2.4 CLI Reference Guide 12

PING & Traceroute

Shutdown & Reboot

FortiNAC-OS F 7.2.4 CLI Reference Guide 13

local Import legacy config from a local bundle

remote Import legacy config from a remote system

execute restore database Restore database using a local database backup

FortiNAC-OS F 7.2.4 CLI Reference Guide 14

execute ssh-authorized- Displays the user's authorized hosts

FortiNAC-OS F 7.2.4 CLI Reference Guide 15

execute service status Retrieve status of a specified service

FortiNAC-OS F 7.2.4 CLI Reference Guide 16

diagnose tail (-F|-f|-k <numKB>) [<file>] Tails the specified logfile.

Tab completion can be used to list the

-F Follow the file changes

diagnose debug logger list Lists all the loggers available

FortiNAC-OS F 7.2.4 CLI Reference Guide 17

diagnose entitlements [-debug] [-poll] Print out entitlements information.

display- Display all Device

FortiNAC-OS F 7.2.4 CLI Reference Guide 18

display- Display all Device

display- Display host device

help help Display usage

diagnose dump-admin-profile [COMMAND] Displays Admin Profile information

display- Display all Admin

FortiNAC-OS F 7.2.4 CLI Reference Guide 19

display- Display a specified