Console Mode Commands

This section provides further details on the Console mode commands. Before logging on to the serial console via HyperTerminal, ensure the following settings are in place: Bits per second: 9600; Data bits: 8; Parity: None; Stop bits: 1; Flow control: None (See “Connecting to the Web UI and the CLI”).

Note that for standard utilities such as tcpdump or traceroute, options not listed here are not supported by FortiWAN.

help: Displays the help menu

help [COMMAND]

Show a list of console commands.

arp: Manipulate (add and delete entries) or display the IPv4 network neighbor cache.

arp [-i <port>] -a [<hostname>]

arp [-i <port>] -e

arp -i <port> -s <hostname> <hw_addr>

arp -i <port> -d <hostname>

-a [<hostname>]: Display the entries for the specified hostname. All entries are displayed if no hostname is specified. Entries are shown in the alternate BSD-style output format.

-e: Display entries in the default (Linux) style.

-s <hostname> <hw_addr>: Manually create an ARP entry mapping the host hostname to the hardware address hw_addr. This requires specifying a port via -i <port>.

-d <hostname>: Remove the entries for the specified host hostname. This requires specifying a port via -i <port>.

-i <port>: Specify a network interface (port) of FortiWAN on which to display, create or remove entries.

<port>: Specify a network interface (port) of FortiWAN in the format port#, e.g. port1, port2, etc.

<hostname>: Specify the target IP address or domain name.

<hw_addr>: Specify the MAC address.

Note: If domain name is to be used in the hostname parameter, the DNS Server must be set in the Web UI [System]->[Network Settings]->[DNS Server].

arping: Discover and probe hosts on a network by sending ARP requests

arping <hostname> <link> <index>

Send an ARP request to ask the MAC address of an IP address and display the result.

<hostname>: Specify the target IP address or domain name (MAC address is not supported). Note that domain name is valid only if parameter <link> is specified as “wan”.

<link>: Specify the link or ports that the ARP request is sent through. The valid values are “wan”, “dmz” and “lan”.

<index>: Specify the index of a WAN link if <link> is specified as “wan”. The valid values are 1, 2, 3, etc.

Example:

arping 192.168.2.100 lan sends an ARP request through the LAN ports to ask for the MAC address of host 192.168.2.100.

arping 10.10.10.10 wan 1 sends an ARP request through WAN link 1 to ask for the MAC address of host 10.10.10.10.

Note: If domain name is to be used in the hostname parameter, the DNS Server must be set in the Web UI [System]->[Network Settings]->[DNS Server].

diagnose: Get diagnostic information of FortiWAN hardware

diagnose hardware deviceinfo cpu

diagnose hardware deviceinfo disk

diagnose hardware deviceinfo mem

diagnose hardware deviceinfo nic

Get information about FortiWAN’s CPU, disk, memory and network interface controllers (NICs).

diagnose hardware ethtool

Display and change parameters of FortiWAN’s network interface controllers (NICs) using the standard Linux utility ethtool (V3.7). Execute diagnose hardware ethtool -h to get a short help message.

diagnose hardware lspci

Get information about the PCI buses in the FortiWAN system and the devices connected to them.

diagnose hardware smartctl

Control and monitor the storage system of FortiWAN by the standard utility smartctl (V6.3). Execute diagnose hardware smartctl -h to get a help message or refer to https://www.smartmontools.org for details.

disablefw: Disable all the firewall rules

disablefw

Disable all the configured firewall rules so that any traffic may access or pass through FortiWAN. This command restores Web UI access when an incorrect firewall rule deployment has inadvertently locked it out. The system will ask for confirmation; press [y] to proceed or [n] to cancel.

enforcearp: Force FortiWAN’s surrounding machines to update their ARP tables

enforcearp

The system sends gratuitous ARP packets so that surrounding machines update their ARP tables. This is for cases where, after the initial installation of FortiWAN, machines or servers in the DMZ are unable to connect to the internet.

export: Display configurations of NAT, Multihoming and Virtual Server

export <config_name>

Display the configurations of FortiWAN’s NAT, Multihoming and Virtual Server in the command line interface. You can export the configurations by copying the displayed content to a text file.

<config_name>: Specify the configuration to be displayed. Valid values are nat, multihoming and virtual-server.

get: Get the version and serial number information of a FortiWAN apparatus

get sys status

Display the firmware version, serial number and BIOS version of the FortiWAN apparatus.

httpctl: Control the web server that Web UI is running on

httpctl restart

httpctl showport

httpctl setport <port>

Restart the web server that serves the FortiWAN Web UI, display the port number it listens on, or set that port number. restart: Restart the web server. showport: Display the port number the web server is listening on. setport: Set the web server’s port number to the given <port>.

<port>: Specify the port number for setport.

import: Import the configurations of NAT, Multihoming and Virtual Server

import

Type import and press [Enter] to import the configurations of NAT, Multihoming and Virtual Server into FortiWAN. You then have to type the configuration text in manually, line by line, after the command prompt “import>”.

Example:

> import
Please enter configuration. terminate with a line constaining exactly: 1) ‘apply’ to apply, or 2) ‘abort’ to abort.
import> nat {
import> wan-array {
import> wan@1 {
import> rule-array {
import> rule { #1
import> source 10.10.10.55-10.10.10.77
import> destination 10.12.10.55-10.12.10.70
import> translated 10.12.104.232
import> }
import> }
import> }
import> }
import> }
import> apply
Start to apply configuration of nat…
Settings are applied for page Service -> Nat
>

Type abort at the import> prompt to leave it at any time. For the import format, refer to the exported configurations (displayed by the export command or saved via the Web UI; see “Configuration File” in “Administration”).
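The brace-structured text that import accepts (and export prints) is easy to get wrong when typed line by line, so it is worth checking before sending apply. The following Python is an added example, not FortiWAN code: it parses the nat block shown above into a tree and validates each rule’s source, destination and translated values; the grammar is inferred from that single example, and nat is the only configuration it has been checked against.

```python
import ipaddress

# Constructed sample: the NAT block from this page's import example, indented.
SAMPLE = """\
nat {
  wan-array {
    wan@1 {
      rule-array {
        rule { #1
          source 10.10.10.55-10.10.10.77
          destination 10.12.10.55-10.12.10.70
          translated 10.12.104.232
        }
      }
    }
  }
}
apply
"""

def parse_config(text):
    """Parse import/export text into (action, tree). Grammar inferred from the
    page's example: `name {` opens a block, `}` closes the innermost one,
    `key value` is a leaf, `#` starts a comment, `apply`/`abort` ends input."""
    root = {"name": "<root>", "attrs": {}, "children": []}
    stack, action = [root], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line in ("apply", "abort"):
            action = line
            break
        if line.endswith("{"):
            node = {"name": line[:-1].strip(), "attrs": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1]["attrs"][key] = value.strip()
    if len(stack) != 1:
        raise ValueError(f"{len(stack) - 1} block(s) never closed")
    if action is None:
        raise ValueError("input did not end with 'apply' or 'abort'")
    return action, root

def iter_rules(node, path=()):
    """Yield ('nat/wan-array/wan@1/rule-array/rule', attrs) for each rule."""
    for child in node["children"]:
        here = path + (child["name"],)
        if child["name"] == "rule":
            yield "/".join(here), child["attrs"]
        yield from iter_rules(child, here)

def validate_nat(tree):
    """Return a list of problems in the NAT rules; an empty list means clean.
    source/destination may be `a.b.c.d` or `a.b.c.d-e.f.g.h` (ascending);
    translated must be a single IPv4 address."""
    problems = []
    for path, attrs in iter_rules(tree):
        for key in ("source", "destination", "translated"):
            if key not in attrs:
                problems.append(f"{path}: missing {key}")
                continue
            low, _, high = attrs[key].partition("-")
            try:
                lo = ipaddress.IPv4Address(low)
                hi = ipaddress.IPv4Address(high) if high else lo
                if key == "translated" and high:
                    raise ValueError("must be a single address")
                if hi < lo:
                    raise ValueError("range is descending")
            except ValueError as exc:
                problems.append(f"{path}: bad {key} {attrs[key]} ({exc})")
    return problems
```

parse_config(SAMPLE) returns ('apply', tree) and validate_nat(tree) returns an empty list; a block left open or a missing apply/abort raises ValueError, just as the prompt would refuse it.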

init_reports_db: Set Reports database to factory default

init_reports_db

Set FortiWAN’s Reports database to factory default. All report data will be deleted. Make sure the database is backed up first if you need it (See Reports Database Tool and Database Data Utility). Note that executing this command causes an automatic system reboot.

jframe: Enable jumbo frames to support specified MTU size for FortiWAN’s LAN ports

jframe show

Get the port number and the MTU size of FortiWAN’s LAN ports.

jframe set <port> <mtu>

Enable jumbo frames on the LAN port by specifying an MTU size larger than 1500.

<port>: The port# of the LAN port, such as port1, port2, etc.

<mtu>: The MTU size.

Note that applying the Network Setting page resets the MTU on LAN ports to 1500.

logout: Exit Console mode

logout

Exit the Console mode. The system will re-confirm, press [y] to proceed or [n] to cancel.

ping: Test network connectivity

ping <hostname> <link> <index>

Ping a host to check the current WAN link status. <hostname> is the machine/device to be pinged. <link> can be wan, lan or dmz. If <link> is wan, also specify the WAN link index <index>.

<hostname>: The parameter in specifying the target IP address or domain name. Note that domain name is valid only if parameter <link> is specified as “wan”.

<link>: The parameter in specifying the link or ports that the ICMP PING REQUEST packets are sent through. The valid values are “wan”, “dmz” and “lan”.

<index>: The parameter in specifying the index of a WAN link if <link> is specified as “wan”. The valid values are 1, 2, 3, …,etc. (0 for private subnet).

Example:

ping www.hinet.net wan 1 to ping www.hinet.net via WAN #1.

Note: If domain name is used in the hostname parameter, DNS Server must be set in the Web UI [System]-> [Network Settings]->[DNS Server] (See “Set DNS server for FortiWAN”).

For more on ICMP related error messages please refer to other ICMP/PING materials.

reactivate: Reactivate the FortiWAN apparatus

reactivate

Reactivating the FortiWAN apparatus will:

  • Reset all system configurations to factory default (See “Appendix A: Default Values” for the details)
  • Return the system to base bandwidth (See “License Control” in “Administration”)
  • Reset the Reports database to factory default. All report data will be deleted.

Using this command will result in all system data being deleted as well as all bandwidth licenses. Before you attempt a reactivation, make sure the following are complete:

  • Back up any configuration data (See “Configuration File” in “Administration”).
  • Back up the Reports database (See “Reports Database Tool”).
  • Locate your Bandwidth Upgrade Key if your system is not at base bandwidth, so that the bandwidth license the system had before can be activated by re-entering the key.

Note that if your system is not at base bandwidth and you do not have your Bandwidth Upgrade Keys, please contact Fortinet CSS before attempting a reactivation.

reboot: Restart FortiWAN

reboot [-t <second>]

Restart FortiWAN immediately or restart it after a time period.

-t <second>: Reboot FortiWAN after the specified number of seconds.

<second>: The time period (in seconds) the system waits before rebooting.

Example: reboot -t 5 to restart the system after 5 seconds.

resetconfig: Reset system configurations to factory defaults

resetconfig

resetconfig <ip_address/netmask<@port>>

resetconfig <ip_address/netmask<@port>> <network_ip/netmask@gateway_ip>

Reset system configurations to factory default. This deletes all system settings, including Web UI accounts, network settings and all other system and service settings (See “Appendix A: Default Values” for the details). Back up all the configurations (See “Configuration File” in “Administration”) before executing this command. Unlike reactivate, this command makes no changes to the Reports database or the bandwidth license.

Since resetconfig returns the IP addresses of the LAN and WAN ports to the default values such as 192.168.0.1/255.255.255.0, 192.168.1.1/255.255.255.0 and 192.168.2.1/255.255.255.0, you might need to change the IP address of your local computer to reconnect to the Web UI via the LAN or WAN port (See “Connecting to the Web UI and the CLI”). Note that resetconfig also resets the port mappings to factory default, so connect to the correct network port (LAN or WAN) to access the Web UI (see Network interfaces and port mapping).

resetconfig provides two optional parameters, ip_address/netmask and @port, to specify a LAN port address and a LAN port mapping (mapping the LAN port to the specified physical port) while resetting the configurations. All configurations are reset to factory default and the LAN settings are set to the specified values, so that you can reconnect to the Web UI via this port without changing the network topology. Furthermore, a static routing entry can be specified on the FortiWAN appliance, so that you can access the Web UI across subnets.

System will re-confirm, press [y] to proceed or [n] to cancel.

<ip_address/netmask<@port>>: The parameter specifying the network configuration ip_address/netmask to assign to network port @port. The network configuration is assigned to the LAN port by default if @port is not specified.

<network_ip/netmask@gateway_ip>: The parameter specifying the static routing entry.

Example:

Consider a FortiWAN 200B appliance whose LAN port is mapped to the first physical port (port1), with IP address 192.168.100.1/255.255.255.0 assigned to the LAN port and a static routing rule that routes packets destined to 192.168.200.0/255.255.255.0 to 192.168.100.254. Administrators in 192.168.100.0/255.255.255.0 and 192.168.200.0/255.255.255.0 can access the Web UI via the LAN port. The different forms of resetconfig behave as follows:

Type resetconfig [IP address/Netmask] to assign an IP configuration to the LAN port while resetting the system to factory default.

  • resetconfig resets all the configurations to factory default, including the LAN settings. In the default port mapping, port1 is mapped to WAN and port4 is mapped to LAN. The IP address of the LAN port returns to 192.168.0.1/255.255.255.0. Administrators in 192.168.100.0/255.255.255.0 and 192.168.200.0/255.255.255.0 cannot access the Web UI until the cabling and network topology are changed manually.
  • resetconfig 192.168.100.1/255.255.255.0 resets the system to factory default but sets 192.168.100.1/255.255.255.0 on the LAN port. However, with no port specified, port1 is mapped to WAN and port4 to LAN by default. The static routing rule that serves access requests from 192.168.200.0/255.255.255.0 is deleted as well. Therefore, manual changes to the cabling and network topology are still required before administrators in 192.168.100.0/255.255.255.0 and 192.168.200.0/255.255.255.0 can access the Web UI.
  • resetconfig 192.168.100.1/255.255.255.0@port1 resets the system to factory default but maps port1 to LAN and sets 192.168.100.1/255.255.255.0 on the LAN port. Administrators in 192.168.100.0/255.255.255.0 can access the Web UI via the LAN port without any change, but administrators in 192.168.200.0/255.255.255.0 cannot access the Web UI until a correct routing rule is created.
  • resetconfig 192.168.100.1/255.255.255.0@port1 192.168.200.0/255.255.255.0@192.168.100.254 resets the system to factory default but maps port1 to LAN, sets 192.168.100.1/255.255.255.0 on the LAN port and creates a routing rule for packets destined to 192.168.200.0/255.255.255.0, where 192.168.100.254 is the router connecting the subnets 192.168.100.0/255.255.255.0 and 192.168.200.0/255.255.255.0. Administrators in both 192.168.100.0/255.255.255.0 and 192.168.200.0/255.255.255.0 can therefore access the Web UI via the LAN port without any change to the network deployment.

Note that executing resetconfig without specifying the LAN port settings resets the port mapping to factory default, which means the WAN links assigned to the default WAN ports are enabled. However, if resetconfig is executed with any parameter, no port mappings are set for WAN and DMZ, only for the LAN port. In that case there are no default WAN and DMZ ports (and no default WAN links) after resetconfig, and administrators have to log in to the Web UI again via the LAN port to set the port mappings (see Connecting to the Web UI).
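The four resetconfig forms above differ only in which physical port becomes LAN, which address it gets, and whether a static route survives. The following Python is an added example, not FortiWAN code: it parses the arguments of resetconfig and reproduces the page’s reasoning about which administrators can still reach the Web UI; the port4 and 192.168.0.1/255.255.255.0 defaults come from this page, and the assumption that administrators are cabled to port1 is constructed to match the 200B scenario.

```python
import ipaddress

# Defaults stated on this page: after a bare `resetconfig`, port4 is the LAN
# port and it returns to 192.168.0.1/255.255.255.0.
DEFAULT_LAN_PORT = "port4"
DEFAULT_LAN_ADDR = "192.168.0.1/255.255.255.0"

def parse_resetconfig(args):
    """Parse the arguments of `resetconfig [ip/mask[@port] [net/mask@gw]]`
    and return the resulting LAN state: {'lan_port', 'lan', 'route'}."""
    plan = {"lan_port": DEFAULT_LAN_PORT,
            "lan": ipaddress.IPv4Interface(DEFAULT_LAN_ADDR),
            "route": None}
    if len(args) > 2:
        raise ValueError("resetconfig takes at most two arguments")
    if args:
        addr, _, port = args[0].partition("@")
        plan["lan"] = ipaddress.IPv4Interface(addr)
        if port:
            if not (port.startswith("port") and port[4:].isdigit()):
                raise ValueError(f"port must look like port1, got {port!r}")
            plan["lan_port"] = port
    if len(args) == 2:
        net, sep, gw = args[1].partition("@")
        if not sep:
            raise ValueError("route must be network/netmask@gateway_ip")
        network = ipaddress.IPv4Network(net)   # strict: host bits must be zero
        gateway = ipaddress.IPv4Address(gw)
        # A gateway outside the LAN subnet can never be reached from the LAN
        # port, so the route would be useless; reject it up front.
        if gateway not in plan["lan"].network:
            raise ValueError(f"gateway {gateway} is not on {plan['lan'].network}")
        plan["route"] = (network, gateway)
    return plan

def can_reach_webui(plan, admin_subnet, cabled_port):
    """Can admins in admin_subnet, whose LAN uplink lands on cabled_port, open
    the Web UI after the reset without re-cabling or re-addressing?"""
    if plan["lan_port"] != cabled_port:
        return False        # the cable lands on a port that is no longer LAN
    subnet = ipaddress.IPv4Network(admin_subnet)
    if subnet == plan["lan"].network:
        return True         # directly connected to the LAN port
    if plan["route"] and subnet.subnet_of(plan["route"][0]):
        return True         # return path exists via the static route
    return False

# The page's scenario (constructed): admins in both subnets reach port1.
SCENARIO = [
    [],
    ["192.168.100.1/255.255.255.0"],
    ["192.168.100.1/255.255.255.0@port1"],
    ["192.168.100.1/255.255.255.0@port1", "192.168.200.0/255.255.255.0@192.168.100.254"],
]

def outcomes():
    """Map each resetconfig form to (admins in .100.0/24 ok?, .200.0/24 ok?)."""
    result = {}
    for args in SCENARIO:
        plan = parse_resetconfig(args)
        result[" ".join(["resetconfig"] + args)] = (
            can_reach_webui(plan, "192.168.100.0/255.255.255.0", "port1"),
            can_reach_webui(plan, "192.168.200.0/255.255.255.0", "port1"),
        )
    return result

if __name__ == "__main__":
    for cmd, (a, b) in outcomes().items():
        print(f"{cmd}\n  192.168.100.0/24: {a}  192.168.200.0/24: {b}")
```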

resetpasswd: Reset FortiWAN’s Administrator and Monitor passwords to factory default

resetpasswd

System will re-confirm, press [y] to proceed or [n] to cancel.

setupport: Configure the transmission mode for all the FortiWAN port(s)

setupport show

setupport change <port> auto

setupport change <port> <speed> <mode>

show: Show the current transmission modes for all the network ports.

change: Change the transmission mode of the specified port to AUTO or specified speed and mode.

<port>: The parameter in specifying the port number. The valid values are 1, 2, 3, …,etc.

<speed>: The parameter in specifying the transmission speed. The valid values are 10, 100 and 1000.

<mode>: The parameter in specifying the transmission mode. The valid values are half and full.

Example:

setupport show

setupport change 1 auto

setupport change 2 100 full

Note:

Not all network devices support full 100M speed.

This command has no effect on fiber interfaces.

The port is the port number of the FortiWAN port interface; the exact number varies according to product model.

shownetwork: Show the current status of all the WAN links available

shownetwork

Display WAN Type, Bandwidth, IP(s) on Local/WAN/DMZ, Netmask, Gateway, and WAN/DMZ Port.

Note: This Console command can only show the current network status. This setting can be changed in the Web UI under “Network Settings” (See “Configuring Network Interface (Network Setting)”).

showtrstat: Display tunnel status

showtrstat [TR GROUP NAME]

Display the status of the specified tunnel group.

shutdown: Shut the FortiWAN system down

shutdown

This command shuts the FortiWAN system down; all system processes and services are terminated normally. Note that this command might not power the appliance off; use the power switch or plug/unplug the power adapter to power the appliance on or off.

sslcert: Set or unset SSL certificate for FortiWAN WebUI

sslcert show

sslcert set

sslcert reset

Type sslcert show to display the SSL certificate that the FortiWAN WebUI is currently using. The RSA private key is not displayed, for security reasons.

Type sslcert set to install a new SSL certificate for the FortiWAN WebUI. You have to manually input the SSL private key and its corresponding certificate as text, line by line, after the command prompt sslcert>.

The content entered for the certificate and the private key must start with “-----BEGIN CERTIFICATE-----” and “-----BEGIN RSA PRIVATE KEY-----”, and end with “-----END CERTIFICATE-----” and “-----END RSA PRIVATE KEY-----”, respectively.

Example:

> sslcert set
Please enter the certificate. It should starts with
-----BEGIN CERTIFICATE-----
and end with
-----END CERTIFICATE-----
To abort please enter an empty line:
sslcert> -----BEGIN CERTIFICATE-----
sslcert> …(data encoded in base64)…
sslcert> -----END CERTIFICATE-----
Please enter the private key. It should starts with
-----BEGIN RSA PRIVATE KEY-----
and end with
-----END RSA PRIVATE KEY-----
To abort please enter an empty line:
sslcert> -----BEGIN RSA PRIVATE KEY-----
sslcert> …(data encoded in base64)…
sslcert> -----END RSA PRIVATE KEY-----
>

Type sslcert reset to return to the factory default, the self-signed certificate.

sysctl: Controls the system parameters

sysctl

Display the values of the system parameters.

sysctl <parameter>=<value|default>

Set the system parameter to the specified value. The system parameters are as follows:

VoIP Related – [sip-helper] and [h323-helper]

sysctl sip-helper=<0|1|default>

sysctl h323-helper=<0|1|default>

sip-helper: Enable [1] or disable [0] the SIP application gateway modules. Type default to restore the default, which is disabled.

h323-helper: Enable [1] or disable [0] the H323 application gateway modules. Type default to restore the default, which is disabled.

Example:

sysctl sip-helper=0 disables the SIP application gateway modules.

sysctl sip-helper=default sets the SIP application gateway modules to the default, which is disabled.

Note: The SIP and H323 application gateway modules make NAT transparent to SIP and H323 traffic. For SIP and H323 devices that already handle NAT transparency themselves, it is suggested to disable the corresponding SIP or H323 gateway module in FortiWAN.

ICMP Timeout Related – [icmp-timeout] and [icmpv6-timeout]

sysctl icmp-timeout=<value|default>

Set ICMP timeout, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 3 seconds.

sysctl icmpv6-timeout=<value|default>

Set ICMPv6 timeout, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 3 seconds.

TCP Timeout Related – [tcp-timeout-close], [tcp-timeout-close-wait], [tcp-timeout-established], [tcp-timeout-fin-wait], [tcp-timeout-last-ack], [tcp-timeout-max-retrans], [tcp-timeout-syn-recv], [tcp-timeout-syn-sent], [tcp-timeout-time-wait] and [tcp-timeout-unacknowledged]

sysctl tcp-timeout-close=<value|default>

Set timeout for TCP connections in CLOSING state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 10 seconds.

sysctl tcp-timeout-close-wait=<value|default>

Set timeout for TCP connections in CLOSE WAIT state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 60 seconds.

sysctl tcp-timeout-established=<value|default>

Set timeout for TCP connections in ESTABLISHED state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 43200 seconds.

sysctl tcp-timeout-fin-wait=<value|default>

Set timeout for TCP connections in FIN WAIT state where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 120 seconds.

sysctl tcp-timeout-last-ack=<value|default>

Set timeout for TCP connections in LAST ACK state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 30 seconds.

sysctl tcp-timeout-max-retrans=<value|default>

Set the timeout for TCP connections that reach three retransmissions without receiving an acceptable ACK from the destination, where <value> is the timeout in seconds. Type default to set the timeout to the default value, which is 300 seconds.

sysctl tcp-timeout-syn-recv=<value|default>

Set timeout for TCP connections in SYN RECV state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 60 seconds.

sysctl tcp-timeout-syn-sent=<value|default>

Set timeout for TCP connections in SYN SENT state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 120 seconds.

sysctl tcp-timeout-time-wait=<value|default>

Set timeout for TCP connections in TIME WAIT state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 60 seconds.

sysctl tcp-timeout-unacknowledged=<value|default>

Set timeout for the segments that receive no acceptable ACKs from destinations, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 300 seconds.

UDP Timeout Related – [udp-timeout] and [udp-timeout-stream]

sysctl udp-timeout=<value|default>

Set UDP timeout, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 30 seconds.

sysctl udp-timeout-stream=<value|default>

Set UDP stream timeout, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 180 seconds.

Other Timeout Related – [frag6-timeout] and [generic-timeout]

sysctl frag6-timeout=<value|default>

Set the timeout for keeping an IPv6 fragment in memory, where <value> is the timeout in seconds. Type default to set the timeout to the default value, which is 60 seconds.

sysctl generic-timeout=<value|default>

Set generic timeout for layer 4 unknown/unsupported protocols, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 600 seconds.

Tunnel Routing Related – [generic-receive-offload-<port>]

sysctl generic-receive-offload-<port>=<0|1|default>

Disabling GRO (General Receive Offload) mechanism on the corresponding LAN ports and/or DMZ ports of a Tunnel Routing network can enhance the Tunnel Routing transmission performance (see How the Tunnel Routing Works and How to set up routing rules for Tunnel Routing).

generic-receive-offload-<port>: Enable [1] or disable [0] the GRO (Generic Receive Offload) mechanism on the specified physical network interface <port>, where <port> is a variable. Type default to set GRO on <port> to the default, which is enabled.

<port>: Specify a network interface (port) of FortiWAN in the format port#, e.g. port1, port2, etc.

Example:

sysctl generic-receive-offload-port1=0 disables GRO mechanism on network interface port1.

sysctl generic-receive-offload-port2=default sets the GRO mechanism on network interface port2 to the default, which is enabled.

Note that disabling the GRO module on a network port can enhance Tunnel Routing transmission performance on that port, but it also has a slight impact on non-Tunnel-Routing transmission on the port when the system is under heavy load (there might be a slight decrease in transmission performance of non-Tunnel-Routing traffic through the port). We suggest keeping the GRO modules enabled on network ports that do not participate in Tunnel Routing transmission.

sysinfo: Display usage of FortiWAN’s CPU, memory and disk

sysinfo

Get the usage of FortiWAN’s CPU, memory and disk space in percentage.

tcpdump: Dump network traffic

tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [-E algo:secret] [-i <port>] [-s snaplen] [-T type] [-y datalinktype] [expression]

<port>: The parameter specifying a network interface (port) of FortiWAN in the format port#, e.g. port1, port2, etc.

For details of the options and parameters, please refer to http://www.tcpdump.org/tcpdump_man.html. Note that options not listed here are not supported by FortiWAN.

traceroute: Show the packet route from a FortiWAN port to a specified destination

traceroute <hostname> <link> <index>

Show the packet route from the selected FortiWAN port to the hostname.

<hostname>: The parameter in specifying the target IP address or domain name. Note that domain name is valid only if parameter <link> is specified as “wan”.

<link>: The parameter in specifying the link or ports that the traceroute packets start from. The valid values are “wan”, “dmz” and “lan”.

<index>: The parameter in specifying the index of a WAN link if <link> is specified as “wan”. The valid values are 1, 2, 3, …,etc.

Example:

traceroute www.hinet.net wan 1 shows the route from WAN link 1 to www.hinet.net.

Note: If domain name is to be used in the hostname parameter, the DNS Server must be set in the Web UI [System]->[Network Settings]->[DNS Server] (See “Set DNS server for FortiWAN”).

 
