Use the CLI (Web Console and SSH)

The GUI covers most tasks, but the CLI is faster, more precise, and sometimes the only way to fix things (recovery, debugging, advanced configs that don't have a GUI page). Every FortiGate admin should be comfortable in both.

There are three ways to reach the CLI:

  1. Web console — a CLI terminal inside the GUI. Best for quick one-off commands.
  2. SSH — a real terminal. Best for sustained work and scripting.
  3. Console cable — direct serial. Required when the network is broken or you're doing a firmware recovery. See Connect via the Console Cable.

Web Console

In the GUI, click the CLI Console icon (looks like a >_ terminal) in the upper-right corner of any page. A terminal panel opens at the bottom or as a popup.

Type CLI commands directly. The web console shares the GUI session, so it auto-authenticates.

SSH

ssh admin@<fortigate-ip>

You're at the FortiGate prompt:

FGT60E #

If SSH is disabled on the interface, enable it: in the GUI, go to Network → Interfaces → <interface> → Administrative Access, check SSH, and save.

CLI Basics

FortiOS CLI has a structured shell. Commands go into "configuration trees" and you navigate them like directories.

# Show top-level commands:
help

# Show system info:
get system status

# Show all interfaces:
get system interface

# Enter the configuration tree for interfaces:
config system interface

# Inside config tree, list available subcommands:
?

# Edit a specific interface:
edit wan1

# Show current settings of this edit context:
show

# Change a setting:
set status up

# Apply and exit the edit:
next

# Exit the config tree (saves everything in this tree):
end

Useful Diagnostic Commands

# System summary:
get system status
get system performance status

# Interface state:
get system interface physical
get hardware nic <interface>

# Routing table:
get router info routing-table all

# ARP table:
get system arp

# Active sessions:
diagnose sys session list
get system session list

# Firewall policy hit count:
diagnose firewall iprope show 100004 <policy-id>

# Reachability and DNS checks from the FortiGate:
execute ping <hostname>
execute traceroute <hostname>
execute nslookup <hostname>

Save vs Auto-Save

Most config changes save automatically when you end out of a tree. The CLI shows the prompt change as you navigate:

FGT60E # config system interface
FGT60E (interface) # edit wan1
FGT60E (wan1) # set status up
FGT60E (wan1) # next
FGT60E (interface) # end
FGT60E #

If a change doesn't take effect, you may have used abort instead of end, or forgotten to run next or end at the right level.
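
A missed next or end is easy to catch before a script reaches the device. The Python linter below is an added example, not part of the original page and not Fortinet code; it checks a CLI script for unbalanced config/edit blocks before you paste it or pipe it over SSH. The function name, messages and sample scripts are constructed, and it assumes that end or abort typed inside an edit also leaves that edit.

```python
# Added example (not Fortinet code): lint a FortiOS CLI script for unbalanced
# config/edit blocks before it is pasted or piped over SSH.
# Assumption: `end` or `abort` typed inside an edit also leaves that edit.

def lint_fortios_script(text):
    """Return a list of (line_number, message) findings; empty means balanced."""
    findings = []
    stack = []  # open contexts as (kind, line_number); kind is "config" or "edit"
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        word = line.split()[0]
        top = stack[-1][0] if stack else None
        if word == "config":
            stack.append(("config", num))
        elif word == "edit":
            if top != "config":
                findings.append((num, "edit is not directly inside a config tree"))
            stack.append(("edit", num))
        elif word == "next":
            if top == "edit":
                stack.pop()
            else:
                findings.append((num, "next without an open edit"))
        elif word in ("end", "abort"):
            if top == "edit":
                stack.pop()  # leaving the tree also leaves the edit
            if stack:
                stack.pop()
            else:
                findings.append((num, word + " without an open config tree"))
            if word == "abort":
                findings.append((num, "abort leaves the tree without saving"))
        elif word in ("set", "unset") and top is None:
            findings.append((num, word + " outside any config tree"))
    for kind, num in stack:
        findings.append((num, kind + " opened here is never closed with next/end"))
    return findings

# Constructed sample scripts, reusing the interface example from this page.
GOOD = "config system interface\nedit wan1\nset status up\nnext\nend\n"
MISSING_END = "config system interface\nedit wan1\nset status up\nnext\n"
ABORTED = "config system interface\nedit wan1\nset status up\nabort\n"

if __name__ == "__main__":
    for name, script in (("GOOD", GOOD), ("MISSING_END", MISSING_END), ("ABORTED", ABORTED)):
        print(name, lint_fortios_script(script))
```

Lines that start with get, show, diagnose or execute are ignored, so diagnostic commands can be mixed into the same script.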

Common Issues

  • CLI says "command parse error". A typo or wrong context. Use ? at any prompt to see valid options.
  • Settings vanish after reboot. Configuration not saved properly. Always end your way out of config trees. After major changes, run execute backup config flash to back up the configuration to flash.
  • SSH disabled / port closed. Re-enable via GUI on the interface, or via console cable.
  • Commands work but GUI doesn't reflect them. Hard-refresh the browser. GUI caches state.